Title: [230495] trunk
Revision
230495
Author
you...@apple.com
Date
2018-04-10 15:16:27 -0700 (Tue, 10 Apr 2018)

Log Message

Beacon redirect responses should be CORS validated
https://bugs.webkit.org/show_bug.cgi?id=184378

Reviewed by Chris Dumez.

Source/WebKit:

Add CORS checks to any redirection response if mode is CORS.
Update response tainting and redirected accordingly.

* NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::checkRedirection):
(WebKit::NetworkLoadChecker::validateResponse):
* NetworkProcess/NetworkLoadChecker.h:
* NetworkProcess/PingLoad.cpp:
(WebKit::PingLoad::willPerformHTTPRedirection):

LayoutTests:

* TestExpectations:
* http/wpt/beacon/cors/cors-redirect-failure-expected.txt: Added.
* http/wpt/beacon/cors/cors-redirect-failure.html: Added.
* http/wpt/beacon/resources/redirect.py:
(main):

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (230494 => 230495)


--- trunk/LayoutTests/ChangeLog	2018-04-10 21:16:21 UTC (rev 230494)
+++ trunk/LayoutTests/ChangeLog	2018-04-10 22:16:27 UTC (rev 230495)
@@ -1,5 +1,18 @@
 2018-04-10  Youenn Fablet  <you...@apple.com>
 
+        Beacon redirect responses should be CORS validated
+        https://bugs.webkit.org/show_bug.cgi?id=184378
+
+        Reviewed by Chris Dumez.
+
+        * TestExpectations:
+        * http/wpt/beacon/cors/cors-redirect-failure-expected.txt: Added.
+        * http/wpt/beacon/cors/cors-redirect-failure.html: Added.
+        * http/wpt/beacon/resources/redirect.py:
+        (main):
+
+2018-04-10  Youenn Fablet  <you...@apple.com>
+
         webrtc/datachannel/bufferedAmountLowThreshold tests are failing on WK1
         https://bugs.webkit.org/show_bug.cgi?id=184427
 

Modified: trunk/LayoutTests/TestExpectations (230494 => 230495)


--- trunk/LayoutTests/TestExpectations	2018-04-10 21:16:21 UTC (rev 230494)
+++ trunk/LayoutTests/TestExpectations	2018-04-10 22:16:27 UTC (rev 230495)
@@ -1004,6 +1004,8 @@
 http/tests/websocket/tests/hybi/contentextensions [ Skip ]
 http/wpt/beacon/contentextensions [ Skip ]
 
+http/wpt/beacon/cors/cors-redirect-failure.html [ DumpJSConsoleLogInStdErr ]
+
 webkit.org/b/149072 svg/animations/svgboolean-animation-1.html [ Pass Failure ]
 
 webkit.org/b/143085 media/track/track-mode.html [ Pass Timeout ]

Added: trunk/LayoutTests/http/wpt/beacon/cors/cors-redirect-failure-expected.txt (0 => 230495)


--- trunk/LayoutTests/http/wpt/beacon/cors/cors-redirect-failure-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/wpt/beacon/cors/cors-redirect-failure-expected.txt	2018-04-10 22:16:27 UTC (rev 230495)
@@ -0,0 +1,4 @@
+
+PASS CORS redirection failure test 
+PASS CORS redirection success test 
+

Added: trunk/LayoutTests/http/wpt/beacon/cors/cors-redirect-failure.html (0 => 230495)


--- trunk/LayoutTests/http/wpt/beacon/cors/cors-redirect-failure.html	                        (rev 0)
+++ trunk/LayoutTests/http/wpt/beacon/cors/cors-redirect-failure.html	2018-04-10 22:16:27 UTC (rev 230495)
@@ -0,0 +1,66 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>SendBeacon CORS checks on redirect</title>
+    <script src=""
+    <script src=""
+  </head>
+  <body>
+    <script src=""
+    <script src=""
+    <script>
+var RESOURCES_DIR = "/WebKit/beacon/resources/";
+
+function pollResult(test, id) {
+  var checkUrl = RESOURCES_DIR + "beacon-preflight.py?cmd=get&id=" + id;
+
+  return new Promise(resolve => {
+    step_timeout(test.step_func(() => {
+      fetch(checkUrl).then(response => {
+        response.json().then(body => {
+          resolve(body);
+        });
+      });
+    }), 1000);
+  });
+}
+
+function testCORSRedirectFailure(what) {
+  var testBase = get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR;
+  var id = self.token();
+  var target = encodeURIComponent(testBase + "beacon-preflight.py?allowCors=1&cmd=put&id=" + id);
+
+  var testUrl = testBase + "redirect.py?redirect_status=307&disallowCorsOnResponseNotPreflight&location=" + target;
+
+  promise_test(function(test) {
+    assert_true(navigator.sendBeacon(testUrl, what), "SendBeacon Succeeded");
+    return pollResult(test, id) .then(result => {
+      assert_equals(result['preflight'], 0, "Received preflight")
+      assert_equals(result['beacon'], 0, "Did not receive beacon")
+    });
+  }, "CORS redirection failure test");
+}
+
+function testCORSRedirectSuccess(what) {
+  var testBase = get_host_info().HTTP_REMOTE_ORIGIN + RESOURCES_DIR;
+  var id = self.token();
+  var target = encodeURIComponent(testBase + "beacon-preflight.py?allowCors=1&cmd=put&id=" + id);
+
+  var testUrl = testBase + "redirect.py?redirect_status=307&location=" + target;
+
+  promise_test(function(test) {
+    assert_true(navigator.sendBeacon(testUrl, what), "SendBeacon Succeeded");
+    return pollResult(test, id) .then(result => {
+      assert_equals(result['preflight'], 1, "Received preflight")
+      assert_equals(result['beacon'], 1, "Did not receive beacon")
+    });
+  }, "CORS redirection success test");
+}
+
+let blob = new Blob(["123"], {type: "text/plain-specific"});
+testCORSRedirectFailure(blob);
+testCORSRedirectSuccess(blob);
+    </script>
+  </body>
+</html>

Modified: trunk/LayoutTests/http/wpt/beacon/resources/redirect.py (230494 => 230495)


--- trunk/LayoutTests/http/wpt/beacon/resources/redirect.py	2018-04-10 21:16:21 UTC (rev 230494)
+++ trunk/LayoutTests/http/wpt/beacon/resources/redirect.py	2018-04-10 22:16:27 UTC (rev 230495)
@@ -8,9 +8,10 @@
                ("Cache-Control", "no-cache"),
                ("Pragma", "no-cache"),
                ("Access-Control-Allow-Credentials", "true")]
-    headers.append(("Access-Control-Allow-Origin", request.headers.get("Origin", "*")))
+    if not "disallowCorsOnResponseNotPreflight" in request.GET or request.method == "OPTIONS":
+        headers.append(("Access-Control-Allow-Origin", request.headers.get("Origin", "*")))
+
     token = None
-
     if "token" in request.GET:
         token = request.GET.first("token")
         data = ""

Modified: trunk/Source/WebKit/ChangeLog (230494 => 230495)


--- trunk/Source/WebKit/ChangeLog	2018-04-10 21:16:21 UTC (rev 230494)
+++ trunk/Source/WebKit/ChangeLog	2018-04-10 22:16:27 UTC (rev 230495)
@@ -1,3 +1,20 @@
+2018-04-10  Youenn Fablet  <you...@apple.com>
+
+        Beacon redirect responses should be CORS validated
+        https://bugs.webkit.org/show_bug.cgi?id=184378
+
+        Reviewed by Chris Dumez.
+
+        Add CORS checks to any redirection response if mode is CORS.
+        Update response tainting and redirected accordingly.
+
+        * NetworkProcess/NetworkLoadChecker.cpp:
+        (WebKit::NetworkLoadChecker::checkRedirection):
+        (WebKit::NetworkLoadChecker::validateResponse):
+        * NetworkProcess/NetworkLoadChecker.h:
+        * NetworkProcess/PingLoad.cpp:
+        (WebKit::PingLoad::willPerformHTTPRedirection):
+
 2018-04-10  Sihui Liu  <sihui_...@apple.com>
 
         Loading of multipart response was cancelled because of content policy set in WebFrameLoaderClient::dispatchDecidePolicyForResponse

Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (230494 => 230495)


--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp	2018-04-10 21:16:21 UTC (rev 230494)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp	2018-04-10 22:16:27 UTC (rev 230495)
@@ -64,10 +64,16 @@
     checkRequest(WTFMove(request), WTFMove(handler));
 }
 
-void NetworkLoadChecker::checkRedirection(ResourceRequest&& request, ValidationHandler&& handler)
+void NetworkLoadChecker::checkRedirection(WebCore::ResourceResponse& redirectResponse, ResourceRequest&& request, ValidationHandler&& handler)
 {
     ASSERT(!isChecking());
 
+    auto error = validateResponse(redirectResponse);
+    if (!error.isNull()) {
+        handler(makeUnexpected(WTFMove(error)));
+        return;
+    }
+
     m_previousURL = WTFMove(m_url);
     m_url = request.url();
 
@@ -89,6 +95,31 @@
     checkRequest(WTFMove(request), WTFMove(handler));
 }
 
+ResourceError NetworkLoadChecker::validateResponse(ResourceResponse& response)
+{
+    if (m_redirectCount)
+        response.setRedirected(true);
+
+    if (m_isSameOriginRequest) {
+        response.setTainting(ResourceResponse::Tainting::Basic);
+        return { };
+    }
+
+    if (m_mode == FetchOptions::Mode::NoCors) {
+        response.setTainting(ResourceResponse::Tainting::Opaque);
+        return { };
+    }
+
+    ASSERT(m_mode == FetchOptions::Mode::Cors);
+
+    String errorMessage;
+    if (!WebCore::passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, errorMessage))
+        return ResourceError { errorDomainWebKitInternal, 0, m_url, WTFMove(errorMessage), ResourceError::Type::AccessControl };
+
+    response.setTainting(ResourceResponse::Tainting::Cors);
+    return { };
+}
+
 NetworkLoadChecker::RequestOrError NetworkLoadChecker::returnError(String&& error)
 {
     return makeUnexpected(ResourceError { String { }, 0, m_url, WTFMove(error), ResourceError::Type::AccessControl });

Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (230494 => 230495)


--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h	2018-04-10 21:16:21 UTC (rev 230494)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h	2018-04-10 22:16:27 UTC (rev 230495)
@@ -51,8 +51,10 @@
     using RequestOrError = Expected<WebCore::ResourceRequest, WebCore::ResourceError>;
     using ValidationHandler = CompletionHandler<void(RequestOrError&&)>;
     void check(WebCore::ResourceRequest&&, ValidationHandler&&);
-    void checkRedirection(WebCore::ResourceRequest&&, ValidationHandler&&);
+    void checkRedirection(WebCore::ResourceResponse&, WebCore::ResourceRequest&&, ValidationHandler&&);
 
+    WebCore::ResourceError validateResponse(WebCore::ResourceResponse&);
+
     void setCSPResponseHeaders(WebCore::ContentSecurityPolicyResponseHeaders&& headers) { m_cspResponseHeaders = WTFMove(headers); }
 #if ENABLE(CONTENT_EXTENSIONS)
     void setContentExtensionController(WebCore::URL&& mainDocumentURL, std::optional<UserContentControllerIdentifier> identifier)

Modified: trunk/Source/WebKit/NetworkProcess/PingLoad.cpp (230494 => 230495)


--- trunk/Source/WebKit/NetworkProcess/PingLoad.cpp	2018-04-10 21:16:21 UTC (rev 230494)
+++ trunk/Source/WebKit/NetworkProcess/PingLoad.cpp	2018-04-10 22:16:27 UTC (rev 230495)
@@ -93,8 +93,7 @@
 
 void PingLoad::willPerformHTTPRedirection(ResourceResponse&& redirectResponse, ResourceRequest&& request, RedirectCompletionHandler&& completionHandler)
 {
-
-    m_networkLoadChecker->checkRedirection(WTFMove(request), [this, completionHandler = WTFMove(completionHandler)](auto&& result) {
+    m_networkLoadChecker->checkRedirection(redirectResponse, WTFMove(request), [this, completionHandler = WTFMove(completionHandler)](auto&& result) {
         if (!result.has_value()) {
             completionHandler({ });
             this->didFinish(result.error());
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to