Title: [206009] trunk
Revision
206009
Author
commit-qu...@webkit.org
Date
2016-09-16 00:33:44 -0700 (Fri, 16 Sep 2016)

Log Message

[Fetch API] Referrer and Origin header should not be considered as safe request headers
https://bugs.webkit.org/show_bug.cgi?id=161902

Patch by Youenn Fablet <you...@apple.com> on 2016-09-16
Reviewed by Sam Weinig.

LayoutTests/imported/w3c:

* web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt:
* web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt:
* web-platform-tests/fetch/api/cors/cors-preflight-referrer.js:
(corsPreflightReferrer): Adding check of the preflight Access-Control-Request-Headers header value.
Added new tests to check for non-default referrer values.

Source/WebCore:

Test: http/tests/fetch/fetch-cors-with-referrer.html and updated WPT tests.

Removing Origin and Referrer from safe request headers.
Making referrer header setting after preflight for fetch API code path.

Ensuring that no ThreadableLoader client sets Origin or Referrer headers of the ResourceRequest, as they should use the proper mechanisms for that.

Handling no-referrer referrer special value by setting the referrer-policy to NoReferrer in FetchLoader.

* Modules/fetch/FetchLoader.cpp:
(WebCore::FetchLoader::start): Computing referrer value and handling special "client"and "no-referrer" cases.
Passing the value directly to ThreadableLoader.
* Modules/fetch/FetchRequest.cpp:
(WebCore::FetchRequest::internalRequest): Removing setting of ResourceRequest referrer header.
(WebCore::FetchRequest::clone): Removing obsolete FIXME.
* Modules/fetch/FetchRequest.h:
* loader/CrossOriginAccessControl.cpp:
(WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): Removing Origin and Referrer headers.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::create): Updated to take a referrer as parameter.
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.
* loader/DocumentThreadableLoader.h: Ditto.
* loader/ThreadableLoader.cpp: Ditto.
(WebCore::ThreadableLoader::create): Ditto.
* loader/ThreadableLoader.h: Ditto.
* loader/WorkerThreadableLoader.cpp: Ditto.
(WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Ditto.
(WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto.
* loader/WorkerThreadableLoader.h: Ditto.
(WebCore::WorkerThreadableLoader::create): Ditto.
* platform/network/ResourceRequestBase.cpp:
(WebCore::ResourceRequestBase::hasHTTPReferrer): Added to enable asserting that no threadable loader client sets the referrer in the request.
* platform/network/ResourceRequestBase.h:

LayoutTests:

* http/tests/fetch/fetch-cors-with-referrer-expected.txt: Added.
* http/tests/fetch/fetch-cors-with-referrer.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (206008 => 206009)


--- trunk/LayoutTests/ChangeLog	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/ChangeLog	2016-09-16 07:33:44 UTC (rev 206009)
@@ -1,3 +1,13 @@
+2016-09-16  Youenn Fablet  <you...@apple.com>
+
+        [Fetch API] Referrer and Origin header should not be considered as safe request headers
+        https://bugs.webkit.org/show_bug.cgi?id=161902
+
+        Reviewed by Sam Weinig.
+
+        * http/tests/fetch/fetch-cors-with-referrer-expected.txt: Added.
+        * http/tests/fetch/fetch-cors-with-referrer.html: Added.
+
 2016-09-13  Jer Noble  <jer.no...@apple.com>
 
         [media-source] web-platform-test/media-source/mediasource-remove.html test failing

Added: trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt (0 => 206009)


--- trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt	2016-09-16 07:33:44 UTC (rev 206009)
@@ -0,0 +1,3 @@
+
+PASS Ensure setting a referrer does not cause preflighting 
+

Added: trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html (0 => 206009)


--- trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html	2016-09-16 07:33:44 UTC (rev 206009)
@@ -0,0 +1,22 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Fetching a cross origin resource with a given referrer</title>
+    <script src=""
+    <script src=""
+  </head>
+  <body>
+    <script>
+promise_test(function(t) {
+    var url = ""
+    return fetch(url, {"mode": "cors", "referrer": "http://127.0.0.1:8000/referrer"}).then((response) => {
+        assert_equals(response.type, "cors");
+        return response.arrayBuffer().then((arrayBuffer) => {
+            assert_true(arrayBuffer.byteLength > 0);
+        });
+    });
+}, 'Ensure setting a referrer does not cause preflighting');
+    </script>
+  </body>
+</html>

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (206008 => 206009)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2016-09-16 07:33:44 UTC (rev 206009)
@@ -1,3 +1,16 @@
+2016-09-16  Youenn Fablet  <you...@apple.com>
+
+        [Fetch API] Referrer and Origin header should not be considered as safe request headers
+        https://bugs.webkit.org/show_bug.cgi?id=161902
+
+        Reviewed by Sam Weinig.
+
+        * web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-preflight-referrer.js:
+        (corsPreflightReferrer): Adding check of the preflight Access-Control-Request-Headers header value.
+        Added new tests to check for non-default referrer values.
+
 2016-09-14  Chris Dumez  <cdu...@apple.com>
 
         Add support hr.color IDL attribute

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt (206008 => 206009)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt	2016-09-16 07:33:44 UTC (rev 206009)
@@ -1,7 +1,12 @@
 
-PASS Referrer policy: no-referrer 
-PASS Referrer policy: "" 
-PASS Referrer policy: origin 
-PASS Referrer policy: origin-when-cross-origin 
-PASS Referrer policy: unsafe-url 
+PASS Referrer policy: no-referrer ('myreferrer' referrer) 
+PASS Referrer policy: no-referrer (default referrer) 
+PASS Referrer policy: "" ('myreferrer' referrer) 
+PASS Referrer policy: "" (default referrer) 
+PASS Referrer policy: origin ('myreferrer' referrer) 
+PASS Referrer policy: origin (default referrer) 
+PASS Referrer policy: origin-when-cross-origin ('myreferrer' referrer) 
+PASS Referrer policy: origin-when-cross-origin (default referrer) 
+PASS Referrer policy: unsafe-url ('myreferrer' referrer) 
+PASS Referrer policy: unsafe-url (default referrer) 
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt (206008 => 206009)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt	2016-09-16 07:33:44 UTC (rev 206009)
@@ -1,7 +1,12 @@
 
-PASS Referrer policy: no-referrer 
-PASS Referrer policy: "" 
-PASS Referrer policy: origin 
-PASS Referrer policy: origin-when-cross-origin 
-PASS Referrer policy: unsafe-url 
+PASS Referrer policy: no-referrer ('myreferrer' referrer) 
+PASS Referrer policy: no-referrer (default referrer) 
+PASS Referrer policy: "" ('myreferrer' referrer) 
+PASS Referrer policy: "" (default referrer) 
+PASS Referrer policy: origin ('myreferrer' referrer) 
+PASS Referrer policy: origin (default referrer) 
+PASS Referrer policy: origin-when-cross-origin ('myreferrer' referrer) 
+PASS Referrer policy: origin-when-cross-origin (default referrer) 
+PASS Referrer policy: unsafe-url ('myreferrer' referrer) 
+PASS Referrer policy: unsafe-url (default referrer) 
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js (206008 => 206009)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js	2016-09-16 07:33:44 UTC (rev 206009)
@@ -5,12 +5,15 @@
   importScripts("../resources/utils.js");
 }
 
-function corsPreflightReferrer(desc, corsUrl, referrerPolicy, expectedReferrer) {
+function corsPreflightReferrer(desc, corsUrl, referrerPolicy, referrer, expectedReferrer) {
   var uuid_token = token();
   var url = ""
   var urlParameters = "?token=" + uuid_token + "&max_age=0";
   var requestInit = {"mode": "cors", "referrerPolicy": referrerPolicy};
 
+  if (referrer)
+      requestInit.referrer = referrer;
+
   /* Force preflight */
   requestInit["headers"] = {"x-force-preflight": ""};
   urlParameters += "&allow_headers=x-force-preflight";
@@ -23,19 +26,27 @@
         assert_equals(resp.headers.get("x-did-preflight"), "1", "Preflight request has been made");
         assert_equals(resp.headers.get("x-preflight-referrer"), expectedReferrer, "Preflight's referrer is correct");
         assert_equals(resp.headers.get("x-referrer"), expectedReferrer, "Request's referrer is correct");
+        assert_equals(resp.headers.get("x-control-request-headers"), "", "Access-Control-Allow-Headers value");
       });
     });
-  }, desc);
+  }, desc + (referrer ? " (default referrer)" : " ('myreferrer' referrer)"));
 }
-
 var corsUrl = get_host_info().HTTP_REMOTE_ORIGIN  + dirname(location.pathname) + RESOURCES_DIR + "preflight.py";
 var origin = get_host_info().HTTP_ORIGIN + "/";
 
-corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", "");
-corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", location.toString())
+corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", undefined, "");
+corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", "myreferrer", "");
 
-corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", origin);
-corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", origin);
-corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", location.toString());
+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", undefined, location.toString())
+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", "myreferrer", new URL("myreferrer", location).toString());
 
+corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", undefined, origin);
+corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", "myreferrer", origin);
+
+corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", undefined, origin);
+corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", "myreferrer", origin);
+
+corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", undefined, location.toString());
+corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", "myreferrer", new URL("myreferrer", location).toString());
+
 done();

Modified: trunk/Source/WebCore/ChangeLog (206008 => 206009)


--- trunk/Source/WebCore/ChangeLog	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/ChangeLog	2016-09-16 07:33:44 UTC (rev 206009)
@@ -1,3 +1,44 @@
+2016-09-16  Youenn Fablet  <you...@apple.com>
+
+        [Fetch API] Referrer and Origin header should not be considered as safe request headers
+        https://bugs.webkit.org/show_bug.cgi?id=161902
+
+        Reviewed by Sam Weinig.
+
+        Test: http/tests/fetch/fetch-cors-with-referrer.html and updated WPT tests.
+
+        Removing Origin and Referrer from safe request headers.
+        Making referrer header setting after preflight for fetch API code path.
+
+        Ensuring that no ThreadableLoader client sets Origin or Referrer headers of the ResourceRequest, as they should use the proper mechanisms for that.
+
+        Handling no-referrer referrer special value by setting the referrer-policy to NoReferrer in FetchLoader.
+
+        * Modules/fetch/FetchLoader.cpp:
+        (WebCore::FetchLoader::start): Computing referrer value and handling special "client"and "no-referrer" cases.
+        Passing the value directly to ThreadableLoader.
+        * Modules/fetch/FetchRequest.cpp:
+        (WebCore::FetchRequest::internalRequest): Removing setting of ResourceRequest referrer header.
+        (WebCore::FetchRequest::clone): Removing obsolete FIXME.
+        * Modules/fetch/FetchRequest.h:
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): Removing Origin and Referrer headers.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::create): Updated to take a referrer as parameter.
+        (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.
+        * loader/DocumentThreadableLoader.h: Ditto.
+        * loader/ThreadableLoader.cpp: Ditto.
+        (WebCore::ThreadableLoader::create): Ditto.
+        * loader/ThreadableLoader.h: Ditto.
+        * loader/WorkerThreadableLoader.cpp: Ditto.
+        (WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Ditto.
+        (WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto.
+        * loader/WorkerThreadableLoader.h: Ditto.
+        (WebCore::WorkerThreadableLoader::create): Ditto.
+        * platform/network/ResourceRequestBase.cpp:
+        (WebCore::ResourceRequestBase::hasHTTPReferrer): Added to enable asserting that no threadable loader client sets the referrer in the request.
+        * platform/network/ResourceRequestBase.h:
+
 2016-09-15  Dave Hyatt  <hy...@apple.com>
 
         [CSS Parser] Get CSSParserFastPaths.cpp compiling

Modified: trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp (206008 => 206009)


--- trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp	2016-09-16 07:33:44 UTC (rev 206009)
@@ -92,7 +92,14 @@
         return;
     }
 
-    m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options);
+    String referrer = request.internalRequestReferrer();
+    if (referrer == "no-referrer") {
+        options.referrerPolicy = FetchOptions::ReferrerPolicy::NoReferrer;
+        referrer = String();
+    } else
+        referrer = (referrer == "client") ? context.url().strippedForUseAsReferrer() : URL(context.url(), referrer).strippedForUseAsReferrer();
+
+    m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options, WTFMove(referrer));
     m_isStarted = m_loader;
 }
 

Modified: trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp (206008 => 206009)


--- trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp	2016-09-16 07:33:44 UTC (rev 206009)
@@ -304,10 +304,6 @@
     request.setHTTPHeaderFields(m_headers->internalHeaders());
     request.setHTTPBody(body().bodyForInternalRequest(*scriptExecutionContext()));
 
-    // FIXME: Support no-referrer and client. Ensure this case-sensitive comparison is ok.
-    if (m_internalRequest.referrer != "no-referrer" && m_internalRequest.referrer != "client")
-        request.setHTTPReferrer(URL(URL(), m_internalRequest.referrer).strippedForUseAsReferrer());
-
     return request;
 }
 
@@ -318,7 +314,6 @@
         return nullptr;
     }
 
-    // FIXME: Validate body teeing.
     return adoptRef(*new FetchRequest(context, FetchBody(m_body), FetchHeaders::create(m_headers.get()), FetchRequest::InternalRequest(m_internalRequest)));
 }
 

Modified: trunk/Source/WebCore/Modules/fetch/FetchRequest.h (206008 => 206009)


--- trunk/Source/WebCore/Modules/fetch/FetchRequest.h	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/Modules/fetch/FetchRequest.h	2016-09-16 07:33:44 UTC (rev 206009)
@@ -92,6 +92,8 @@
     const FetchOptions& fetchOptions() const { return m_internalRequest.options; }
     ResourceRequest internalRequest() const;
 
+    const String& internalRequestReferrer() const { return m_internalRequest.referrer; }
+
 private:
     FetchRequest(ScriptExecutionContext&, FetchBody&&, Ref<FetchHeaders>&&, InternalRequest&&);
 

Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (206008 => 206009)


--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2016-09-16 07:33:44 UTC (rev 206009)
@@ -51,8 +51,6 @@
     case HTTPHeaderName::Accept:
     case HTTPHeaderName::AcceptLanguage:
     case HTTPHeaderName::ContentLanguage:
-    case HTTPHeaderName::Origin:
-    case HTTPHeaderName::Referer:
         return true;
     case HTTPHeaderName::ContentType: {
         // Preflight is required for MIME types that can not be sent via form submission.

Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (206008 => 206009)


--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp	2016-09-16 07:33:44 UTC (rev 206009)
@@ -76,9 +76,9 @@
     return loader;
 }
 
-RefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options)
+RefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options, String&& referrer)
 {
-    return create(document, client, WTFMove(request), options, nullptr, nullptr, String());
+    return create(document, client, WTFMove(request), options, nullptr, nullptr, WTFMove(referrer));
 }
 
 DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, ResourceRequest&& request, const ThreadableLoaderOptions& options, RefPtr<SecurityOrigin>&& origin, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy, String&& referrer)
@@ -92,9 +92,12 @@
     , m_async(blockingBehavior == LoadAsynchronously)
     , m_contentSecurityPolicy(WTFMove(contentSecurityPolicy))
 {
-    // Setting an outgoing referer is only supported in the async code path.
-    ASSERT(m_async || request.httpReferrer().isEmpty());
+    // Setting a referrer header is only supported in the async code path.
+    ASSERT(m_async || m_referrer.isEmpty());
 
+    // Referrer and Origin headers should be set after the preflight if any.
+    ASSERT(!request.hasHTTPReferrer() && !request.hasHTTPOrigin());
+
     ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url()));
 
     m_options.allowCredentials = (m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_sameOriginRequest)) ? AllowStoredCredentials : DoNotAllowStoredCredentials;

Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (206008 => 206009)


--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h	2016-09-16 07:33:44 UTC (rev 206009)
@@ -49,7 +49,7 @@
         static void loadResourceSynchronously(Document&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
 
         static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, RefPtr<SecurityOrigin>&&, std::unique_ptr<ContentSecurityPolicy>&&, String&& referrer);
-        static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&);
+        static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, String&& referrer = String());
 
         virtual ~DocumentThreadableLoader();
 

Modified: trunk/Source/WebCore/loader/ThreadableLoader.cpp (206008 => 206009)


--- trunk/Source/WebCore/loader/ThreadableLoader.cpp	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/ThreadableLoader.cpp	2016-09-16 07:33:44 UTC (rev 206009)
@@ -59,12 +59,12 @@
 {
 }
 
-RefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext& context, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options)
+RefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext& context, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options, String&& referrer)
 {
     if (is<WorkerGlobalScope>(context))
-        return WorkerThreadableLoader::create(downcast<WorkerGlobalScope>(context), client, WorkerRunLoop::defaultMode(), WTFMove(request), options);
+        return WorkerThreadableLoader::create(downcast<WorkerGlobalScope>(context), client, WorkerRunLoop::defaultMode(), WTFMove(request), options, referrer);
 
-    return DocumentThreadableLoader::create(downcast<Document>(context), client, WTFMove(request), options);
+    return DocumentThreadableLoader::create(downcast<Document>(context), client, WTFMove(request), options, WTFMove(referrer));
 }
 
 void ThreadableLoader::loadResourceSynchronously(ScriptExecutionContext& context, ResourceRequest&& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options)

Modified: trunk/Source/WebCore/loader/ThreadableLoader.h (206008 => 206009)


--- trunk/Source/WebCore/loader/ThreadableLoader.h	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/ThreadableLoader.h	2016-09-16 07:33:44 UTC (rev 206009)
@@ -80,7 +80,7 @@
         WTF_MAKE_NONCOPYABLE(ThreadableLoader);
     public:
         static void loadResourceSynchronously(ScriptExecutionContext&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
-        static RefPtr<ThreadableLoader> create(ScriptExecutionContext&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&);
+        static RefPtr<ThreadableLoader> create(ScriptExecutionContext&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, String&& referrer = String());
 
         virtual void cancel() = 0;
         void ref() { refThreadableLoader(); }

Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp (206008 => 206009)


--- trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp	2016-09-16 07:33:44 UTC (rev 206009)
@@ -50,10 +50,10 @@
 
 static const char loadResourceSynchronouslyMode[] = "loadResourceSynchronouslyMode";
 
-WorkerThreadableLoader::WorkerThreadableLoader(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options)
+WorkerThreadableLoader::WorkerThreadableLoader(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options, const String& referrer)
     : m_workerGlobalScope(workerGlobalScope)
     , m_workerClientWrapper(ThreadableLoaderClientWrapper::create(client))
-    , m_bridge(*new MainThreadBridge(m_workerClientWrapper.get(), workerGlobalScope.thread().workerLoaderProxy(), taskMode, WTFMove(request), options, workerGlobalScope.url().strippedForUseAsReferrer(), workerGlobalScope.securityOrigin(), workerGlobalScope.contentSecurityPolicy()))
+    , m_bridge(*new MainThreadBridge(m_workerClientWrapper.get(), workerGlobalScope.thread().workerLoaderProxy(), taskMode, WTFMove(request), options, referrer.isEmpty() ? workerGlobalScope.url().strippedForUseAsReferrer() : referrer, workerGlobalScope.securityOrigin(), workerGlobalScope.contentSecurityPolicy()))
 {
 }
 
@@ -70,7 +70,7 @@
     String mode = loadResourceSynchronouslyMode;
     mode.append(String::number(runLoop.createUniqueId()));
 
-    RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerGlobalScope, client, mode, WTFMove(request), options);
+    RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerGlobalScope, client, mode, WTFMove(request), options, String());
     MessageQueueWaitResult result = MessageQueueMessageReceived;
     while (!loader->done() && result != MessageQueueTerminated)
         result = runLoop.runInMode(&workerGlobalScope, mode);

Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.h (206008 => 206009)


--- trunk/Source/WebCore/loader/WorkerThreadableLoader.h	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.h	2016-09-16 07:33:44 UTC (rev 206009)
@@ -50,9 +50,9 @@
         WTF_MAKE_FAST_ALLOCATED;
     public:
         static void loadResourceSynchronously(WorkerGlobalScope&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
-        static Ref<WorkerThreadableLoader> create(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options)
+        static Ref<WorkerThreadableLoader> create(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options, const String& referrer)
         {
-            return adoptRef(*new WorkerThreadableLoader(workerGlobalScope, client, taskMode, WTFMove(request), options));
+            return adoptRef(*new WorkerThreadableLoader(workerGlobalScope, client, taskMode, WTFMove(request), options, referrer));
         }
 
         ~WorkerThreadableLoader();
@@ -120,7 +120,7 @@
             String m_taskMode;
         };
 
-        WorkerThreadableLoader(WorkerGlobalScope&, ThreadableLoaderClient&, const String& taskMode, ResourceRequest&&, const ThreadableLoaderOptions&);
+        WorkerThreadableLoader(WorkerGlobalScope&, ThreadableLoaderClient&, const String& taskMode, ResourceRequest&&, const ThreadableLoaderOptions&, const String& referrer);
 
         Ref<WorkerGlobalScope> m_workerGlobalScope;
         Ref<ThreadableLoaderClientWrapper> m_workerClientWrapper;

Modified: trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp (206008 => 206009)


--- trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp	2016-09-16 07:33:44 UTC (rev 206009)
@@ -288,6 +288,11 @@
     return httpHeaderField(HTTPHeaderName::Referer);
 }
 
+bool ResourceRequestBase::hasHTTPReferrer() const
+{
+    return m_httpHeaderFields.contains(HTTPHeaderName::Referer);
+}
+
 void ResourceRequestBase::setHTTPReferrer(const String& httpReferrer)
 {
     setHTTPHeaderField(HTTPHeaderName::Referer, httpReferrer);

Modified: trunk/Source/WebCore/platform/network/ResourceRequestBase.h (206008 => 206009)


--- trunk/Source/WebCore/platform/network/ResourceRequestBase.h	2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/platform/network/ResourceRequestBase.h	2016-09-16 07:33:44 UTC (rev 206009)
@@ -98,6 +98,7 @@
     void clearHTTPContentType();
 
     WEBCORE_EXPORT String httpReferrer() const;
+    bool hasHTTPReferrer() const;
     WEBCORE_EXPORT void setHTTPReferrer(const String&);
     WEBCORE_EXPORT void clearHTTPReferrer();
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to