Title: [225574] trunk
Revision: 225574
Author: commit-qu...@webkit.org
Date: 2017-12-06 09:13:35 -0800 (Wed, 06 Dec 2017)
Log Message
Service Worker fetch should filter HTTP headers that are added by CachedResourceLoader/CachedResource
https://bugs.webkit.org/show_bug.cgi?id=180462
Patch by Youenn Fablet <you...@apple.com> on 2017-12-06
Reviewed by Geoffrey Garen.
LayoutTests/imported/w3c:
* web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt:
Source/WebCore:
Covered by rebased test.
* loader/CrossOriginAccessControl.cpp:
(WebCore::cleanRedirectedRequestForAccessControl): Accept header is a safe header so it is fine to keep it.
* workers/service/context/ServiceWorkerFetch.cpp:
(WebCore::ServiceWorkerFetch::dispatchFetchEvent): Cleaning headers added by CachedResourceLoader/CachedResource.
Diff
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (225573 => 225574)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2017-12-06 11:46:50 UTC (rev 225573)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2017-12-06 17:13:35 UTC (rev 225574)
@@ -1,3 +1,12 @@
+2017-12-06 Youenn Fablet <you...@apple.com>
+
+ Service Worker fetch should filter HTTP headers that are added by CachedResourceLoader/CachedResource
+ https://bugs.webkit.org/show_bug.cgi?id=180462
+
+ Reviewed by Geoffrey Garen.
+
+ * web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt:
+
2017-12-05 Chris Dumez <cdu...@apple.com>
ServiceWorkerGlobalScope prototype chain should be immutable
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt (225573 => 225574)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt 2017-12-06 11:46:50 UTC (rev 225573)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https-expected.txt 2017-12-06 17:13:35 UTC (rev 225574)
@@ -39,10 +39,10 @@
PASS url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?" mode:"cors" credentials:"omit" should fail.
PASS url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?" mode:"cors" credentials:"same-origin" should fail.
PASS url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?" mode:"cors" credentials:"include" should fail.
-FAIL fetching url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?ACAOrigin=*" mode:"cors" credentials:"omit" should succeed. promise_test: Unhandled rejection with value: object "TypeError: Type error"
-FAIL fetching url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?ACAOrigin=*" mode:"cors" credentials:"same-origin" should succeed. promise_test: Unhandled rejection with value: object "TypeError: Type error"
+PASS fetching url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?ACAOrigin=*" mode:"cors" credentials:"omit" should succeed.
+PASS fetching url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?ACAOrigin=*" mode:"cors" credentials:"same-origin" should succeed.
PASS url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?ACAOrigin=*" mode:"cors" credentials:"include" should fail.
-FAIL fetching url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?ACAOrigin=https://localhost:9443&ACACredentials=true" mode:"cors" credentials:"include" should succeed. promise_test: Unhandled rejection with value: object "TypeError: Type error"
+FAIL fetching url:"https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?ACAOrigin=https://localhost:9443&ACACredentials=true" mode:"cors" credentials:"include" should succeed. assert_equals: expected "username1s" but got "undefined"
PASS fetching url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"omit" should succeed.
PASS fetching url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"same-origin" should succeed.
PASS fetching url:"https://localhost:9443/?url="" mode:"same-origin" credentials:"include" should succeed.
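Review bot: The last changed line still records a FAIL for the ACAOrigin=https://localhost:9443&ACACredentials=true case with credentials:"include"; it has only moved from a TypeError rejection to assert_equals: expected "username1s" but got "undefined". Checking that in as expected output hides a remaining failure on the credentialed path, so please reference a follow-up bug for it in the ChangeLog entry so the new baseline is not read as full coverage of the fix.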
Modified: trunk/Source/WebCore/ChangeLog (225573 => 225574)
--- trunk/Source/WebCore/ChangeLog 2017-12-06 11:46:50 UTC (rev 225573)
+++ trunk/Source/WebCore/ChangeLog 2017-12-06 17:13:35 UTC (rev 225574)
@@ -1,3 +1,17 @@
+2017-12-06 Youenn Fablet <you...@apple.com>
+
+ Service Worker fetch should filter HTTP headers that are added by CachedResourceLoader/CachedResource
+ https://bugs.webkit.org/show_bug.cgi?id=180462
+
+ Reviewed by Geoffrey Garen.
+
+ Coved by rebased test.
+
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::cleanRedirectedRequestForAccessControl): Accept header is a safe header so it is fine to keep it.
+ * workers/service/context/ServiceWorkerFetch.cpp:
+ (WebCore::ServiceWorkerFetch::dispatchFetchEvent): Cleaning headers added by CachedResourceLoader/CachedResource.
+
2017-12-06 Zan Dobersek <zdober...@igalia.com>
[CoordGraphics] Introduce Nicosia::PaintingContext, add Cairo implementation
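Review bot: "Coved by rebased test." in the added entry should read "Covered by rebased test." The entry would also be more useful if it said that the rebased test still has one failing credentialed case, and that dispatchFetchEvent now saves the referrer before cleaning the request.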
Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (225573 => 225574)
--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2017-12-06 11:46:50 UTC (rev 225573)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2017-12-06 17:13:35 UTC (rev 225574)
@@ -123,7 +123,6 @@
request.clearHTTPReferrer();
request.clearHTTPOrigin();
request.clearHTTPUserAgent();
- request.clearHTTPAccept();
request.clearHTTPAcceptEncoding();
}
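Review bot: Dropping request.clearHTTPAccept() changes cleanRedirectedRequestForAccessControl for every caller, not only the new service worker call site, so going by its name the redirect path now also forwards the original Accept value. The ChangeLog justifies this as Accept being a safe header; put that reasoning in a comment next to the remaining clear* calls, and add or cite a test that covers a redirected request carrying an Accept header, since the only test touched in this commit is the service worker one.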
Modified: trunk/Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp (225573 => 225574)
--- trunk/Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp 2017-12-06 11:46:50 UTC (rev 225573)
+++ trunk/Source/WebCore/workers/service/context/ServiceWorkerFetch.cpp 2017-12-06 17:13:35 UTC (rev 225574)
@@ -28,6 +28,7 @@
#if ENABLE(SERVICE_WORKER)
+#include "CrossOriginAccessControl.h"
#include "EventNames.h"
#include "FetchEvent.h"
#include "FetchRequest.h"
@@ -94,8 +95,13 @@
{
ASSERT(globalScope.isServiceWorkerGlobalScope());
+ auto httpReferrer = request.httpReferrer();
+ // We are intercepting fetch calls after going through the HTTP layer, which adds some specific headers.
+ // Let's clean them so that cross origin checks do not fail.
+ cleanRedirectedRequestForAccessControl(request);
+
auto requestHeaders = FetchHeaders::create(FetchHeaders::Guard::Immutable, HTTPHeaderMap { request.httpHeaderFields() });
- auto fetchRequest = FetchRequest::create(globalScope, FetchBody::fromFormData(request.httpBody()), WTFMove(requestHeaders), WTFMove(request), WTFMove(options), request.httpReferrer());
+ auto fetchRequest = FetchRequest::create(globalScope, FetchBody::fromFormData(request.httpBody()), WTFMove(requestHeaders), WTFMove(request), WTFMove(options), WTFMove(httpReferrer));
FetchEvent::Init init;
init.request = WTFMove(fetchRequest);
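Review bot: The new "auto httpReferrer = request.httpReferrer();" line is only needed because cleanRedirectedRequestForAccessControl(request) clears the referrer, and the comment above the call does not say so; a later reorder of these two lines would silently hand FetchRequest::create an empty referrer. Say in the comment which headers are stripped (referrer, Origin, User-Agent and Accept-Encoding, per the helper) and that the referrer is saved first on purpose. Separately, request.httpBody() is still read in the same argument list as WTFMove(request); hoisting it into a local, as was done for the referrer, would remove any dependence on argument evaluation order. The helper's name also reads oddly at this call site since no redirect is involved, so a neutrally named wrapper would make the intent clearer.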