Title: [217069] trunk
Revision
217069
Author
[email protected]
Date
2017-05-18 14:53:59 -0700 (Thu, 18 May 2017)

Log Message

Improve error message for Access-Control-Allow-Origin violation due to misconfigured server
https://bugs.webkit.org/show_bug.cgi?id=162819
<rdar://problem/28575938>

Reviewed by Joseph Pecoraro.

LayoutTests/imported/w3c:

Update expected result.

* web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt:
* web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt:

Source/WebCore:

Inspired by Blink change:
<https://src.chromium.org/viewvc/blink?view=revision&revision=163406>

At most one Access-Control-Allow-Origin header may be in an HTTP response. Improve the
error message emitted on a CORS failure when Access-Control-Allow-Origin contains more
than one origin, indicated by the presence of a ',', as a way to help web developers/server
administrators differentiate between a misconfigured Access-Control-Allow-Origin header
and a misconfigured server.

* loader/CrossOriginAccessControl.cpp:
(WebCore::passesAccessControlCheck): Defined a local variable to hold the value of securityOrigin.toString()
and referenced this variable throughout the code to avoid computing the stringified security
origin more than once. Switched to using makeString() to concatenate the error message when the
origin of the page does not match the value of the Access-Control-Allow-Origin header.

LayoutTests:

Add more tests when Access-Control-Allow-Origin has more than one value and group
with existing tests. Update expected results.

* http/tests/xmlhttprequest/origin-exact-matching-expected.txt:
* http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html: Also extracted
the origin string for the page into a local variable called pageOrigin, making use of document.origin,
and referenced this variable instead of duplicating its value. Fixed various style nits.
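The situation the new message targets, as an added example that is not WebKit's code: a response that carries Access-Control-Allow-Origin twice is folded by the client into one comma-separated value, and that folded value is what reaches the check. foldedHeaderValue, corsErrorFor and the sample responses are this example's own constructions; passesAccessControlCheck mirrors the three diagnostics in the diff using std::string.

```cpp
#include <cctype>
#include <sstream>
#include <string>

enum class StoredCredentialsPolicy { DoNotAllow, Allow };

// HTTP field names are case-insensitive.
bool equalsIgnoreCase(const std::string& a, const std::string& b)
{
    if (a.size() != b.size())
        return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(a[i])) != std::tolower(static_cast<unsigned char>(b[i])))
            return false;
    return true;
}

// Strip the optional whitespace an HTTP parser removes around a field value.
std::string trimWhitespace(const std::string& s)
{
    size_t begin = s.find_first_not_of(" \t");
    if (begin == std::string::npos)
        return "";
    return s.substr(begin, s.find_last_not_of(" \t") - begin + 1);
}

// Collect every field line named `name` from the header section of a raw HTTP/1.1
// response and join them with ", " (RFC 7230 section 3.2.2): this folded value, not
// the individual lines, is what the CORS check sees when a server emits the header twice.
std::string foldedHeaderValue(const std::string& rawResponse, const std::string& name)
{
    std::istringstream in(rawResponse);
    std::string line, folded;
    bool seen = false;
    std::getline(in, line); // status line
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r')
            line.pop_back();
        if (line.empty())
            break; // blank line ends the header section
        size_t colon = line.find(':');
        if (colon == std::string::npos || !equalsIgnoreCase(line.substr(0, colon), name))
            continue;
        if (seen)
            folded += ", ";
        folded += trimWhitespace(line.substr(colon + 1));
        seen = true;
    }
    return folded;
}

// Same decision and the same three diagnostics as WebCore's passesAccessControlCheck()
// after this revision, written against std::string instead of WTF::String.
bool passesAccessControlCheck(const std::string& accessControlOriginString, const std::string& securityOriginString,
    StoredCredentialsPolicy credentials, std::string& errorDescription)
{
    if (accessControlOriginString == "*" && credentials == StoredCredentialsPolicy::DoNotAllow)
        return true;
    if (accessControlOriginString != securityOriginString) {
        if (accessControlOriginString == "*")
            errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
        else if (accessControlOriginString.find(',') != std::string::npos)
            errorDescription = "Access-Control-Allow-Origin cannot contain more than one origin.";
        else
            errorDescription = "Origin " + securityOriginString + " is not allowed by Access-Control-Allow-Origin.";
        return false;
    }
    return true;
}

// Returns "" when the response passes for pageOrigin, otherwise the console message WebKit would log.
std::string corsErrorFor(const std::string& rawResponse, const std::string& pageOrigin, StoredCredentialsPolicy credentials)
{
    std::string error;
    std::string acao = foldedHeaderValue(rawResponse, "Access-Control-Allow-Origin");
    if (passesAccessControlCheck(acao, pageOrigin, credentials, error))
        return "";
    return error;
}

// Constructed sample responses (not captured traffic).
const std::string kSingleOriginResponse =
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\naccess-control-allow-origin:  http://localhost:8000 \r\n\r\nok";
// The misconfigured-server case: the application and a proxy in front of it each add their own header line.
const std::string kDuplicateHeaderResponse =
    "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: http://localhost:8000\r\nAccess-Control-Allow-Origin: *\r\n\r\nok";
const std::string kWildcardResponse = "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n\r\nok";
```

The duplicate-header response produces exactly the `'http://localhost:8000, *'` value the new layout test exercises, so the folded form and the hand-written test value are the same failure from the browser's point of view.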

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (217068 => 217069)


--- trunk/LayoutTests/ChangeLog	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/LayoutTests/ChangeLog	2017-05-18 21:53:59 UTC (rev 217069)
@@ -1,3 +1,19 @@
+2017-05-18  Daniel Bates  <[email protected]>
+
+        Improve error message for Access-Control-Allow-Origin violation due to misconfigured server
+        https://bugs.webkit.org/show_bug.cgi?id=162819
+        <rdar://problem/28575938>
+
+        Reviewed by Joseph Pecoraro.
+
+        Add more tests when Access-Control-Allow-Origin has more than one value and group
+        with existing tests. Update expected results.
+
+        * http/tests/xmlhttprequest/origin-exact-matching-expected.txt:
+        * http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html: Also extracted
+        the origin string for the page into a local variable called pageOrigin, making use of document.origin,
+        and referenced this variable instead of duplicating its value. Fixed various style nits.
+
 2017-05-18  John Wilander  <[email protected]>
 
         Resource Load Statistics: Grandfather domains for existing data records

Modified: trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt (217068 => 217069)


--- trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt	2017-05-18 21:53:59 UTC (rev 217069)
@@ -12,12 +12,13 @@
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%23. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2523. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%3A80. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2C%20*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%00. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=HTTP%3A%2F%2FLOCALHOST%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=HTTP%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=-. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=**. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=%00*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*%00. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=%27*%27. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=%22*%22. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*%20*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
@@ -24,7 +25,6 @@
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*http%3A%2F%2F*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*%20http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*%2C%20http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=%00http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=null%20http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Fexample.net. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
@@ -33,6 +33,16 @@
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2Fxmlhttprequest%2Fresources%2Forigin-exact-matching-iframe.html. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2Fxmlhttprequest%2Fresources%2F. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
 CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2Fxmlhttprequest%2Fresources%2Forigin-exact-matching-iframe.html. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2C%20*. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2C*. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*%2C%20http%3A%2F%2Flocalhost%3A8000. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=*%2Chttp%3A%2F%2Flocalhost%3A8000. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2Chttp%3A%2F%2Flocalhost%3A8000. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2Chttp%3A%2F%2Fexample.net. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Fexample.net%2Chttp%3A%2F%2Flocalhost%3A8000. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=%2C. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=%2Chttp%3A%2F%2Flocalhost%3A8000. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-allow-lists.php?origin=http%3A%2F%2Flocalhost%3A8000%2C. Access-Control-Allow-Origin cannot contain more than one origin.
 
 
 --------
@@ -85,7 +95,7 @@
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: 'http://localhost:8000:80'
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
-Should disallow origin: 'http://localhost:8000, *'
+Should disallow origin: 'http://localhost:8000'
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: 'HTTP://LOCALHOST:8000'
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
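Review bot: the new expectation line `+Should disallow origin: 'http://localhost:8000'` is indistinguishable from what a test of the bare page origin would print, because the trailing `\0` in `shouldFail(pageOrigin + "\0")` is invisible in the text output; only the `%00` in the matching console-message URL earlier in this file reveals which case it is, and the same ambiguity appears in the next hunk, where `'*'` now stands for both `"\0*"` and `"*\0"`. Having the iframe print the value through JSON.stringify (which escapes control characters as `\u0000`) would make each expectation line self-describing.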
@@ -97,6 +107,8 @@
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: '*'
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: '*'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: ''*''
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: '"*"'
@@ -109,8 +121,6 @@
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: '* http://localhost:8000'
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
-Should disallow origin: '*, http://localhost:8000'
-PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: 'http://localhost:8000'
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: 'null http://localhost:8000'
@@ -127,6 +137,26 @@
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 Should disallow origin: 'http://localhost:8000/xmlhttprequest/resources/origin-exact-matching-iframe.html'
 PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: 'http://localhost:8000, *'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: 'http://localhost:8000,*'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: '*, http://localhost:8000'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: '*,http://localhost:8000'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: 'http://localhost:8000,http://localhost:8000'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: 'http://localhost:8000,http://example.net'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: 'http://example.net,http://localhost:8000'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: ','
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: ',http://localhost:8000'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
+Should disallow origin: 'http://localhost:8000,'
+PASS xhr.send(null) threw exception NetworkError (DOM Exception 19):  A network error occurred..
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html (217068 => 217069)


--- trunk/LayoutTests/http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html	2017-05-18 21:53:59 UTC (rev 217069)
@@ -22,13 +22,15 @@
     shouldThrow("xhr.send(null)");
 }
 
-shouldPass('*');
-shouldPass(' *  ');
-shouldPass('	*');
-shouldPass(location.protocol + "//" + location.host);
-shouldPass(" "+location.protocol + "//" + location.host);
-shouldPass(" "+location.protocol + "//" + location.host + "   	 ");
-shouldPass("	"+location.protocol + "//" + location.host);
+var pageOrigin = document.origin;
+
+shouldPass("*");
+shouldPass(" *  ");
+shouldPass("	*");
+shouldPass(pageOrigin);
+shouldPass(" " + pageOrigin);
+shouldPass(" " + pageOrigin + "   	 ");
+shouldPass("	" + pageOrigin);
 shouldFail(location.protocol + "//www2." + location.host);
 shouldFail("//" + location.host);
 shouldFail("://" + location.host);
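Review bot: `+var pageOrigin = document.origin;` introduces a second way of spelling the page origin while the rest of the file still builds it by hand (`location.protocol + "//" + location.host`, kept in this very hunk at `shouldFail(location.protocol + "//www2." + location.host);` and below). For this non-sandboxed http page `location.origin` yields the same scheme://host[:port] string and would let the hand-built forms collapse onto `pageOrigin` as well; whichever is chosen, one form throughout makes it obvious which tests deliberately vary the scheme or host and which merely decorate an otherwise correct origin.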
@@ -37,36 +39,46 @@
 shouldFail("http:/" + location.host);
 shouldFail("http:" + location.host);
 shouldFail(location.host);
-shouldFail(location.protocol + "//" + location.host + "?");
-shouldFail(location.protocol + "//" + location.host + "/");
-shouldFail(location.protocol + "//" + location.host + " /");
-shouldFail(location.protocol + "//" + location.host + "#");
-shouldFail(location.protocol + "//" + location.host + "%23");
-shouldFail(location.protocol + "//" + location.host + ":80");
-shouldFail(location.protocol + "//" + location.host + ", *");
-//shouldFail(location.protocol + "//" + location.host + "\0"); // Doesn't fail in chromium-linux. See http://wkbug.com/88688 and http://wkbug.com/88139
-shouldFail((location.protocol + "//" + location.host).toUpperCase());
+shouldFail(pageOrigin + "?");
+shouldFail(pageOrigin + "/");
+shouldFail(pageOrigin + " /");
+shouldFail(pageOrigin + "#");
+shouldFail(pageOrigin + "%23");
+shouldFail(pageOrigin + ":80");
+shouldFail(pageOrigin + "\0");
+shouldFail(pageOrigin.toUpperCase());
 shouldFail(location.protocol.toUpperCase() + "//" + location.host);
 shouldFail("-");
 shouldFail("**");
 shouldFail("\0*");
-//shouldFail("*\0"); // Doesn't fail in chromium-linux. http://wkbug.com/88688 and http://wkbug.com/88139
+shouldFail("*\0");
 shouldFail("'*'");
 shouldFail('"*"');
 shouldFail("* *");
 shouldFail("*" + location.protocol + "//" + "*");
-shouldFail("*" + location.protocol + "//" + location.host);
-shouldFail("* " + location.protocol + "//" + location.host);
-shouldFail("*, " + location.protocol + "//" + location.host);
-shouldFail("\0" + location.protocol + "//" + location.host);
-shouldFail("null " + location.protocol + "//" + location.host);
-shouldFail('http://example.net');
-shouldFail('null');
-shouldFail('');
+shouldFail("*" + pageOrigin);
+shouldFail("* " + pageOrigin);
+shouldFail("\0" + pageOrigin);
+shouldFail("null " + pageOrigin);
+shouldFail("http://example.net");
+shouldFail("null");
+shouldFail("");
 shouldFail(location.href);
 shouldFail(location.href.replace(/\/[^\/]*$/, '/'));
 shouldFail(location.href.replace(location.hostname, "localhost"));
 
+// Tests with multiple Access-Control-Allow-Origin headers (expected to fail)
+shouldFail(pageOrigin + ", *");
+shouldFail(pageOrigin + ",*");
+shouldFail("*, " + pageOrigin);
+shouldFail("*," + pageOrigin);
+shouldFail(pageOrigin + "," + pageOrigin);
+shouldFail(pageOrigin + ",http://example.net");
+shouldFail("http://example.net," + pageOrigin);
+shouldFail(",");
+shouldFail("," + pageOrigin);
+shouldFail(pageOrigin + ",");
+
 </script>
 <script src=""
 </body>
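Review bot: the comment `+// Tests with multiple Access-Control-Allow-Origin headers (expected to fail)` describes something these tests do not do: each `shouldFail` call hands a single `origin` value to access-control-allow-lists.php, so the response carries one Access-Control-Allow-Origin header whose value contains a comma, not several header lines. Suggest `// Tests with more than one origin in a single Access-Control-Allow-Origin value (expected to fail)`, and a second sentence noting that `","`, `"," + pageOrigin` and `pageOrigin + ","` are there to confirm the new "cannot contain more than one origin" message fires on any comma, not only on a well-formed list.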

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (217068 => 217069)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2017-05-18 21:53:59 UTC (rev 217069)
@@ -1,3 +1,16 @@
+2017-05-18  Daniel Bates  <[email protected]>
+
+        Improve error message for Access-Control-Allow-Origin violation due to misconfigured server
+        https://bugs.webkit.org/show_bug.cgi?id=162819
+        <rdar://problem/28575938>
+
+        Reviewed by Joseph Pecoraro.
+
+        Update expected result.
+
+        * web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt:
+        * web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt:
+
 2017-05-18  Chris Dumez  <[email protected]>
 
         Update web-platform-tests tools

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt (217068 => 217069)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-expected.txt	2017-05-18 21:53:59 UTC (rev 217069)
@@ -1,15 +1,15 @@
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%22%22%2C%20http%3A%2F%2Fexample.com%2C%20http%3A%2F%2Flocalhost%3A8800. Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%22%22%2C%20http%3A%2F%2Fexample.com%2C%20*. Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%22%22%2C%20http%3A%2F%2Flocalhost%3A8800%2C%20http%3A%2F%2Flocalhost%3A8800. Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=*%2C%20http%3A%2F%2Fexample.com%2C%20*. Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=*%2C%20http%3A%2F%2Fexample.com%2C%20http%3A%2F%2Flocalhost%3A8800. Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%2C%20http%3A%2F%2Fexample.com%2C%20https%3A%2F%2Fexample2.com. Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%22%22%2C%20http%3A%2F%2Fexample.com%2C%20http%3A%2F%2Flocalhost%3A8800. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%22%22%2C%20http%3A%2F%2Fexample.com%2C%20*. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%22%22%2C%20http%3A%2F%2Flocalhost%3A8800%2C%20http%3A%2F%2Flocalhost%3A8800. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=*%2C%20http%3A%2F%2Fexample.com%2C%20*. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=*%2C%20http%3A%2F%2Fexample.com%2C%20http%3A%2F%2Flocalhost%3A8800. Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/fetch/api/resources/preflight.py?origin=%2C%20http%3A%2F%2Fexample.com%2C%20https%3A%2F%2Fexample2.com. Access-Control-Allow-Origin cannot contain more than one origin.
 
 FAIL 3 origins allowed, match the 3rd (http://localhost:8800) promise_test: Unhandled rejection with value: object "TypeError: Type error"
 FAIL 3 origins allowed, match the 3rd ("*") promise_test: Unhandled rejection with value: object "TypeError: Type error"

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt (217068 => 217069)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-multiple-origins-worker-expected.txt	2017-05-18 21:53:59 UTC (rev 217069)
@@ -1,9 +1,9 @@
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
+CONSOLE MESSAGE: Access-Control-Allow-Origin cannot contain more than one origin.
 
 FAIL 3 origins allowed, match the 3rd (http://localhost:8800) promise_test: Unhandled rejection with value: object "TypeError: Type error"
 FAIL 3 origins allowed, match the 3rd ("*") promise_test: Unhandled rejection with value: object "TypeError: Type error"

Modified: trunk/Source/WebCore/ChangeLog (217068 => 217069)


--- trunk/Source/WebCore/ChangeLog	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/Source/WebCore/ChangeLog	2017-05-18 21:53:59 UTC (rev 217069)
@@ -1,3 +1,26 @@
+2017-05-18  Daniel Bates  <[email protected]>
+
+        Improve error message for Access-Control-Allow-Origin violation due to misconfigured server
+        https://bugs.webkit.org/show_bug.cgi?id=162819
+        <rdar://problem/28575938>
+
+        Reviewed by Joseph Pecoraro.
+
+        Inspired by Blink change:
+        <https://src.chromium.org/viewvc/blink?view=revision&revision=163406>
+
+        At most one Access-Control-Allow-Origin header may be in an HTTP response. Improve the
+        error message emitted on a CORS failure when Access-Control-Allow-Origin contains more
+        than one origin, indicated by the presence of a ',', as a way to help web developers/server
+        administrators differentiate between a misconfigured Access-Control-Allow-Origin header
+        and a misconfigured server.
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::passesAccessControlCheck): Defined a local variable to hold the value of securityOrigin.toString()
+        and referenced this variable throughout the code to avoid computing the stringified security
+        origin more than once. Switched to using makeString() to concatenate error message when the
+        origin of the page does not match the value of the Access-Control-Allow-Origin header.
+
 2017-05-18  John Wilander  <[email protected]>
 
         Resource Load Statistics: Grandfather domains for existing data records

Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (217068 => 217069)


--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2017-05-18 21:50:04 UTC (rev 217068)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2017-05-18 21:53:59 UTC (rev 217069)
@@ -153,12 +153,14 @@
     if (accessControlOriginString == "*" && includeCredentials == DoNotAllowStoredCredentials)
         return true;
 
-    // FIXME: Access-Control-Allow-Origin can contain a list of origins.
-    if (accessControlOriginString != securityOrigin.toString()) {
+    String securityOriginString = securityOrigin.toString();
+    if (accessControlOriginString != securityOriginString) {
         if (accessControlOriginString == "*")
-            errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
+            errorDescription = ASCIILiteral("Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.");
+        else if (accessControlOriginString.find(',') != notFound)
+            errorDescription = ASCIILiteral("Access-Control-Allow-Origin cannot contain more than one origin.");
         else
-            errorDescription =  "Origin " + securityOrigin.toString() + " is not allowed by Access-Control-Allow-Origin.";
+            errorDescription = makeString("Origin ", securityOriginString, " is not allowed by Access-Control-Allow-Origin.");
         return false;
     }
 
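Review bot: the new `+        else if (accessControlOriginString.find(',') != notFound)` branch changes only the diagnostic, not the decision: the function still returns false for anything other than an exact match with securityOriginString, so a comma-separated value is rejected exactly as before. Since the removed `// FIXME: Access-Control-Allow-Origin can contain a list of origins.` said the opposite, a one-line comment above the branch stating that the header may carry at most one origin and that a comma therefore points at a misconfigured server (typically two layers each emitting the header, folded into one value) would keep the next reader from reinstating list support. The branch ordering is right as written: the `"*"` comparison runs first, so a wildcard-with-credentials response keeps its more specific message.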
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes