Modified: trunk/LayoutTests/ChangeLog (231039 => 231040)
--- trunk/LayoutTests/ChangeLog 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/ChangeLog 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,3 +1,45 @@
+2018-04-25 Youenn Fablet <[email protected]>
+
+ Use NetworkLoadChecker for all subresource loads except fetch/XHR
+ https://bugs.webkit.org/show_bug.cgi?id=184870
+ <rdar://problem/39370034>
+
+ Reviewed by Chris Dumez.
+
+ * TestExpectations:
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+ * http/tests/security/cross-origin-xsl-BLOCKED-expected.txt:
+ * http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt:
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt:
+ * http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt:
+ * http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt:
+ * http/tests/security/worker-cross-origin-expected.txt:
+ * http/tests/security/xss-DENIED-xml-external-entity-expected.txt:
+ * http/tests/security/xss-DENIED-xsl-document-expected.txt:
+ * http/tests/security/xss-DENIED-xsl-external-entity-expected.txt:
+ * http/tests/workers/worker-redirect-expected.txt:
+ * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
+ * http/tests/xmlhttprequest/redirect-cross-origin-post-sync-expected.txt:
+ * http/tests/xmlhttprequest/redirect-cross-origin-sync-expected.txt:
+ * http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt:
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt: Added.
+ * platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/worker-cross-origin-expected.txt: Added.
+ * platform/mac-wk2/TestExpectations:
+ * platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt: Added.
+ * platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt: Added.
+ * platform/win/http/tests/workers/worker-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: Added.
+ * platform/win/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/worker-cross-origin-expected.txt: Added.
+
+
2018-04-25 Chris Dumez <[email protected]>
window.postMessage() / focus() / blur() throw a TypeError when called on a RemoteDOMWindow
Modified: trunk/LayoutTests/TestExpectations (231039 => 231040)
--- trunk/LayoutTests/TestExpectations 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/TestExpectations 2018-04-26 03:21:55 UTC (rev 231040)
@@ -207,6 +207,7 @@
webkit.org/b/181900 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-canvas-tainting-cache.https.html [ DumpJSConsoleLogInStdErr ]
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https.html [ DumpJSConsoleLogInStdErr ]
imported/w3c/web-platform-tests/service-workers/service-worker/register-closed-window.https.html [ DumpJSConsoleLogInStdErr ]
+imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https.html [ DumpJSConsoleLogInStdErr ]
imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ DumpJSConsoleLogInStdErr Slow ]
[ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/clients-matchall-order.https.html [ Slow ]
[ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/getregistrations.https.html [ Slow ]
Modified: trunk/LayoutTests/http/tests/contentextensions/subresource-redirect-blocked-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/contentextensions/subresource-redirect-blocked-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/contentextensions/subresource-redirect-blocked-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,5 @@
-CONSOLE MESSAGE: Content blocker prevented frame displaying http://127.0.0.1:8000/contentextensions/subresource-redirect-blocked.html from loading a resource from http://127.0.0.1:8000/resources/square128.png
+CONSOLE MESSAGE: Blocked by content extension
+CONSOLE MESSAGE: Cannot load image http://127.0.0.1:8000/contentextensions/resources/subresource-redirect.php due to access control checks.
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
layer at (0,0) size 800x600
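Review bot: The two new `+` lines drop the one fact the old message carried — which URL the content extension blocked (`http://127.0.0.1:8000/resources/square128.png`, the redirect target) — and the second line attributes the failure to "access control checks", which is misleading for a content-blocker decision rather than a CORS one. Suggest the specific message carry the blocked URL, e.g. `CONSOLE MESSAGE: Content blocker prevented loading http://127.0.0.1:8000/resources/square128.png`, and that the generic "due to access control checks" line either be suppressed when a more specific reason was already logged for the same load or repeat that reason. Note also that this expectation file is not listed in the ChangeLog entry for this commit, so the behavior change it documents is easy to miss.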
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,5 +1,6 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks.
This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/security/contentSecurityPolicy/resources/alert-pass.js denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: line 1: TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
Modified: trunk/LayoutTests/http/tests/security/cross-origin-xsl-BLOCKED-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/cross-origin-xsl-BLOCKED-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/cross-origin-xsl-BLOCKED-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 2: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from frame with URL http://127.0.0.1:8000/security/resources/cross-origin-xsl.xml. Domains, protocols and ports must match.
+CONSOLE MESSAGE: line 2: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
This test loads the XML document in an iframe so that it can call dumpAsText(). This test passes if the iframe below does not contain a message starting with "FAIL".
Modified: trunk/LayoutTests/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from frame with URL http://127.0.0.1:8000/security/resources/cross-origin-xsl-redirect.xml. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
This test loads the XML document in an iframe so that it can call dumpAsText(). This test passes if the iframe below does not contain a message starting with "FAIL".
Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,5 +1,6 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks.
This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).
PASS worker failed to load script URL.
Modified: trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8080/security/resources/image-access-control.php?file=../../resources/square100.png&allow=false denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
Verify the error message in console in case of CORS failing checks.
Modified: trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8080/security/resources/image-access-control.php?file=../../resources/square100.png&allow=false denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
Verify the error message in console in case of CORS failing checks.
Modified: trunk/LayoutTests/http/tests/security/worker-cross-origin-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/worker-cross-origin-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/worker-cross-origin-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,5 +1,6 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/worker-message-pass.js from frame with URL http://127.0.0.1:8000/security/worker-cross-origin.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/worker-message-pass.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Cannot load http://localhost:8000/security/resources/worker-message-pass.js due to access control checks.
This tests that Web Worker script redirects are blocked if cross origin.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
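Review bot: A single cross-origin worker-script redirect now produces two console messages for one rejection, and the added second line (`Cannot load ... due to access control checks`) labels what the first line correctly describes as a same-origin-policy failure as an access-control failure. Suggest either suppressing the generic line when a specific reason was already logged for the same load, or carrying the reason through so only one message is emitted, e.g. `Cannot load http://localhost:8000/security/resources/worker-message-pass.js: worker scripts must be same-origin with the document.` The same doubled output appears in the other worker-redirect expectations in this commit, so one fix in the logging path would settle all of them.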
Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 11: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xml-external-entity.xhtml. Domains, protocols and ports must match.
+CONSOLE MESSAGE: line 11: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
This test includes a cross-origin external entity. It passes if the load fails and thus there is no text below this line.
Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xsl-document.xml. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
This test includes content via a cross-origin document() command. It passes if the load fails and thus there is no text below this line.
Modified: trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,6 +1,6 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xsl-external-entity.xml. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xsl-external-entity.xml. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
This test includes a cross-origin external entity. It passes if the load fails and thus there is no text below this line.
Modified: trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,5 +1,6 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from frame with URL http://127.0.0.1:8000/workers/worker-redirect.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Cannot load http://localhost:8000/workers/resources/worker-redirect-target.js due to access control checks.
Test that loading the worker's script does not allow a cross origin redirect (bug 26146)
SUCCESS: threw exception (SecurityError: The operation is insecure.) when attempting to cross origin while loading the worker script.
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,9 +1,9 @@
-CONSOLE MESSAGE: line 25: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" due to access control checks.
+CONSOLE MESSAGE: line 25: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" due to access control checks.
-CONSOLE MESSAGE: line 25: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" due to access control checks.
+CONSOLE MESSAGE: line 25: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" due to access control checks.
Tests that redirects between origins are never allowed, even when access control is involved.
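Review bot: The two rewritten `line 25:` messages now name the redirect target (`.../xmlhttprequest/resources/access-control-basic-allow.cgi`) as the URL XMLHttpRequest cannot load, while the unchanged lines immediately below still report the original request URL (`http://localhost:8000/resources/redirect.php?url=""`), so one failed load is attributed to two different URLs in the same console. Pick one convention; the request URL the page issued seems the more useful subject for the "cannot load" line, with the redirect target confined to the CORS-denied reason line that already carries it. Since the denied redirect's `Location` value is now logged for a cross-origin request, it is worth confirming it reaches only the console and is never reflected into the XHR error event, status text or exception message the page can read — this expectation output cannot show that either way.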
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-sync-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-sync-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-post-sync-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 31: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 31: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/reply.xml denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: line 31: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml due to access control checks.
Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-sync-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-sync-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/redirect-cross-origin-sync-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 26: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 26: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/reply.xml denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: line 26: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/reply.xml due to access control checks.
Test that a cross-origin redirect to a server that responds is indistinguishable from one that does not. Should say PASS:
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 54: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 54: Cross-origin redirection to http://localhost:8080/xmlhttprequest/resources/forbidden.txt denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: line 54: XMLHttpRequest cannot load http://localhost:8080/xmlhttprequest/resources/forbidden.txt due to access control checks.
CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8080/xmlhttprequest/resources/forbidden.txt due to access control checks.
Modified: trunk/LayoutTests/http/wpt/beacon/connect-src-beacon-redirect-blocked.sub-expected.txt (231039 => 231040)
--- trunk/LayoutTests/http/wpt/beacon/connect-src-beacon-redirect-blocked.sub-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/http/wpt/beacon/connect-src-beacon-redirect-blocked.sub-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Beacon API cannot load http://127.0.0.1:8800/WebKit/beacon/resources/beacon-preflight.py?allowCors=1&cmd=put&id=2539e883-7dfb-4dde-a227-a41c670d5fe1&redirect_status=307&location=http%3A%2F%2F127.0.0.1%3A8800%2FWebKit%2Fbeacon%2Fresources%2Fbeacon-preflight.py%3FallowCors%3D1%26cmd%3Dput%26id%3D2539e883-7dfb-4dde-a227-a41c670d5fe1&count=1. Blocked by Content Security Policy
+CONSOLE MESSAGE: Beacon API cannot load http://127.0.0.1:8800/WebKit/beacon/resources/beacon-preflight.py?allowCors=1&cmd=put&id=2539e883-7dfb-4dde-a227-a41c670d5fe1&redirect_status=307&location=http%3A%2F%2F127.0.0.1%3A8800%2FWebKit%2Fbeacon%2Fresources%2Fbeacon-preflight.py%3FallowCors%3D1%26cmd%3Dput%26id%3D2539e883-7dfb-4dde-a227-a41c670d5fe1&count=1. Blocked http://127.0.0.1:8800/WebKit/beacon/resources/beacon-preflight.py?allowCors=1&cmd=put&id=2539e883-7dfb-4dde-a227-a41c670d5fe1&redirect_status=307&location=http%3A%2F%2F127.0.0.1%3A8800%2FWebKit%2Fbeacon%2Fresources%2Fbeacon-preflight.py%3FallowCors%3D1%26cmd%3Dput%26id%3D2539e883-7dfb-4dde-a227-a41c670d5fe1&count=1 by Content Security Policy
PASS Redirect is blocked by CSP
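Review bot: The rewritten Beacon message repeats the full request URL twice in one line, and the second occurrence (`Blocked <url> by Content Security Policy`) names the original beacon URL rather than the redirect target that connect-src appears to have rejected, judging by the test name and the `redirect_status=307&location=...` parameters. Suggest the reason clause name the URL CSP actually evaluated, e.g. `Blocked http://127.0.0.1:8800/WebKit/beacon/resources/beacon-preflight.py?allowCors=1&cmd=put&id=2539e883-7dfb-4dde-a227-a41c670d5fe1 by Content Security Policy`, or, when the two URLs are the same, fall back to `... cannot load <url>. Blocked by Content Security Policy` so the URL is not duplicated. As written the message makes a CSP redirect block indistinguishable from a block of the initial request.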
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (231039 => 231040)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,5 +1,19 @@
2018-04-25 Youenn Fablet <[email protected]>
+ Use NetworkLoadChecker for all subresource loads except fetch/XHR
+ https://bugs.webkit.org/show_bug.cgi?id=184870
+ <rdar://problem/39370034>
+
+ Reviewed by Chris Dumez.
+
+ * web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt:
+ * web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt:
+ * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt:
+ * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt:
+ * web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt:
+
+2018-04-25 Youenn Fablet <[email protected]>
+
Make DocumentThreadableLoader error logging more consistent
https://bugs.webkit.org/show_bug.cgi?id=184853
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt (231039 => 231040)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,8 +1,8 @@
CONSOLE MESSAGE: line 12: Fetch API cannot load https://localhost:9443/fetch/api/resources/top.txt.
CONSOLE MESSAGE: line 12: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/top.txt.
-CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match.
PASS Fetch ../resources/top.txt with same-origin mode
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt (231039 => 231040)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,6 +1,6 @@
-CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.worker.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.worker.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match.
PASS Fetch ../resources/top.txt with same-origin mode
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt (231039 => 231040)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -2,7 +2,7 @@
CONSOLE MESSAGE: Fetch API cannot load http://localhost:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks.
CONSOLE MESSAGE: Redirection to URL with a scheme that is not HTTP(S).
CONSOLE MESSAGE: Fetch API cannot load data:text/plain;base64,cmVzcG9uc2UncyBib2R5 due to access control checks.
-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from frame with URL http://localhost:8800/fetch/api/redirect/redirect-to-dataurl.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from origin http://localhost:8800. Domains, protocols and ports must match.
CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks.
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt (231039 => 231040)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,5 +1,5 @@
CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from frame with URL http://localhost:8800/fetch/api/redirect/redirect-to-dataurl-worker.html. Domains, protocols and ports must match.
+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from origin http://localhost:8800. Domains, protocols and ports must match.
CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-fallback.https-expected.txt (231039 => 231040)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-fallback.https-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-fallback.https-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -4,7 +4,7 @@
CONSOLE MESSAGE: XMLHttpRequest cannot load https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py? due to access control checks.
CONSOLE MESSAGE: Origin https://localhost:9443 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: Cannot load image https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?PNGIMAGE& due to access control checks.
-CONSOLE MESSAGE: Origin https://localhost:9443 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: Cross-origin redirection to https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?PNGIMAGE& denied by Cross-Origin Resource Sharing policy: Origin https://localhost:9443 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: Cannot load image https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=https%3A%2F%2F127.0.0.1%3A9443%2Fservice-workers%2Fservice-worker%2Fresources%2Ffetch-access-control.py%3FPNGIMAGE%26 due to access control checks.
PASS initialize global state
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https-expected.txt (231039 => 231040)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https-expected.txt 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=%2Fservice-workers%2Fservice-worker%2Fresources%2Fregistration-worker.js due to access control checks.
PASS Registering same scope as the script directory without the last slash
PASS Registration scope outside the script directory
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" did not throw exception.
+PASS error event dispatched
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 1: TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).
+
+PASS worker failed to load script URL.
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+Verify the error message in console in case of CORS failing checks.
+
+
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+Verify the error message in console in case of CORS failing checks.
+
+
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/worker-cross-origin-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/worker-cross-origin-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/worker-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/worker-cross-origin-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/worker-message-pass.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+This tests that Web Worker script redirects are blocked if cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS worker = new Worker("http://127.0.0.1:8000/resources/redirect.php?url="" did not throw exception.
+PASS Blocked cross origin Worker script load
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+Test that loading the worker's script does not allow a cross origin redirect (bug 26146)
+
+SUCCESS: threw exception (SecurityError: The operation is insecure.) when attempting to cross origin while loading the worker script.
+SUCCESS: threw error when attempting to redirected cross origin while loading the worker script.
+DONE
+
Copied: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" did not throw exception.
+PASS error event dispatched
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: line 1: TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+This tests whether a deferred script load caused by a redirect is properly allowed by a nonce.
Copied: trunk/LayoutTests/platform/win/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/win/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).
+
+PASS worker failed to load script URL.
Copied: trunk/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+Verify the error message in console in case of CORS failing checks.
+
+
Copied: trunk/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+Verify the error message in console in case of CORS failing checks.
+
+
Copied: trunk/LayoutTests/platform/win/http/tests/security/worker-cross-origin-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/security/worker-cross-origin-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/win/http/tests/security/worker-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/worker-cross-origin-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/worker-message-pass.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+This tests that Web Worker script redirects are blocked if cross origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS worker = new Worker("http://127.0.0.1:8000/resources/redirect.php?url="" did not throw exception.
+PASS Blocked cross origin Worker script load
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/win/http/tests/workers/worker-redirect-expected.txt (from rev 231039, trunk/LayoutTests/http/tests/workers/worker-redirect-expected.txt) (0 => 231040)
--- trunk/LayoutTests/platform/win/http/tests/workers/worker-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/workers/worker-redirect-expected.txt 2018-04-26 03:21:55 UTC (rev 231040)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
+
+Test that loading the worker's script does not allow a cross origin redirect (bug 26146)
+
+SUCCESS: threw exception (SecurityError: The operation is insecure.) when attempting to cross origin while loading the worker script.
+SUCCESS: threw error when attempting to redirected cross origin while loading the worker script.
+DONE
+
Modified: trunk/Source/WebCore/ChangeLog (231039 => 231040)
--- trunk/Source/WebCore/ChangeLog 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/Source/WebCore/ChangeLog 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,3 +1,17 @@
+2018-04-25 Youenn Fablet <[email protected]>
+
+ Use NetworkLoadChecker for all subresource loads except fetch/XHR
+ https://bugs.webkit.org/show_bug.cgi?id=184870
+ <rdar://problem/39370034>
+
+ Reviewed by Chris Dumez.
+
+ No change of behavior.
+ Update CachedResourceLoader error messages to match NetworkProcess error messages.
+
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::printAccessDeniedMessage const):
+
2018-04-25 Zalan Bujtas <[email protected]>
[LFC] Add support for is<> and downcast<>
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (231039 => 231040)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1205,9 +1205,9 @@
String message;
if (!m_document || m_document->url().isNull())
- message = "Unsafe attempt to load URL " + url.stringCenterEllipsizedToLength() + '.';
+ message = makeString("Unsafe attempt to load URL ", url.stringCenterEllipsizedToLength(), '.');
else
- message = "Unsafe attempt to load URL " + url.stringCenterEllipsizedToLength() + " from frame with URL " + m_document->url().stringCenterEllipsizedToLength() + ". Domains, protocols and ports must match.\n";
+ message = makeString("Unsafe attempt to load URL ", url.stringCenterEllipsizedToLength(), " from origin ", m_document->origin(), ". Domains, protocols and ports must match.\n");
frame()->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message);
}
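Review bot: The two branches of printAccessDeniedMessage now disagree in more than the origin text: the `else` message on the last `+` line keeps a trailing `\n` while the null-document message does not, and the URL is ellipsized while `m_document->origin()` is not, so the two console outputs are formatted differently for the same condition. Dropping the trailing newline (`". Domains, protocols and ports must match."`) or adding it to both would align them; the WK2 NetworkLoadChecker message in this same change carries the same trailing newline, so whichever form is chosen should be mirrored there. For a document with an opaque origin (sandboxed frame, data: document) `origin()` presumably serializes as `null`, which is less useful for debugging than the frame URL it replaces, and a one-line comment accepting that trade-off would help the next reader. printAccessDeniedMessage begins before this hunk.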
Modified: trunk/Source/WebKit/ChangeLog (231039 => 231040)
--- trunk/Source/WebKit/ChangeLog 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/Source/WebKit/ChangeLog 2018-04-26 03:21:55 UTC (rev 231040)
@@ -1,3 +1,28 @@
+2018-04-25 Youenn Fablet <[email protected]>
+
+ Use NetworkLoadChecker for all subresource loads except fetch/XHR
+ https://bugs.webkit.org/show_bug.cgi?id=184870
+ <rdar://problem/39370034>
+
+ Reviewed by Chris Dumez.
+
+ Relax rules to check for non HTTP(s) redirections to throw only when WebProcess says to load it after redirection.
+ This allows WebProcess to load redirected non HTTP(s) URLs, such as data URLs.
+ We keep these checks when WebProcess asks to continue the load and for all PingLoads.
+
+ Update error messages to be more consistent with WK1.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::checkRedirection):
+ (WebKit::NetworkLoadChecker::continueCheckingRequest):
+ (WebKit::NetworkLoadChecker::validateResourceResponse):
+ (WebKit::NetworkLoadChecker::continueCheckingRequest):
+ * NetworkProcess/NetworkLoadChecker.h:
+ (WebKit::NetworkLoadChecker::validateResponse):
+ * NetworkProcess/NetworkResourceLoader.cpp:
+ (WebKit::shouldUseNetworkLoadChecker):
+ (WebKit::NetworkResourceLoader::continueWillSendRequest):
+
2018-04-25 Ryosuke Niwa <[email protected]>
PSON: Don't create a new process when navigating to a blob URL, data URL, and about:blank
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (231039 => 231040)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-04-26 03:21:55 UTC (rev 231040)
@@ -91,27 +91,25 @@
{
ASSERT(!isChecking());
- auto error = validateResponse(redirectResponse);
- if (!error.isNull()) {
- handler(makeUnexpected(WTFMove(error)));
+ if (m_options.redirect != FetchOptions::Redirect::Follow) {
+ handler(returnError(ASCIILiteral("Redirections are not allowed")));
return;
}
- m_previousURL = WTFMove(m_url);
- m_url = request.url();
+ // FIXME: We should check that redirections are only HTTP(s) as per fetch spec.
+ // See https://github.com/whatwg/fetch/issues/393
- if (m_options.redirect != FetchOptions::Redirect::Follow) {
- handler(returnError(ASCIILiteral("Load parameters do not allow following redirections")));
- return;
- }
-
if (++m_redirectCount > 20) {
handler(returnError(ASCIILiteral("Load cannot follow more than 20 redirections")));
return;
}
- if (!m_url.protocolIsInHTTPFamily()) {
- handler(returnError(ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)")));
+ m_previousURL = WTFMove(m_url);
+ m_url = request.url();
+
+ auto error = validateResponse(redirectResponse);
+ if (!error.isNull()) {
+ handler(makeUnexpected(WTFMove(error)));
return;
}
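Review bot: The FIXME added at the top of the hunk only says that non-HTTP(S) redirect targets should be rejected here; it should also record where that rejection now lives, because after this hunk a `data:` or `blob:` redirect target is assigned to `m_url`, passes through validateResponse and presumably continues into the CSP/CORS checks with nothing in this function stopping it. The check moved to NetworkResourceLoader::continueWillSendRequest (only when the WebProcess elects to continue, and only when `m_redirectCount` is non-zero) and to PingLoad's redirect handler, and the ChangeLog is currently the only place that states this. Suggested wording: `// FIXME: We should check that redirections are only HTTP(s) as per fetch spec (https://github.com/whatwg/fetch/issues/393). Until then NetworkResourceLoader::continueWillSendRequest and PingLoad reject non-HTTP(S) targets once the WebProcess has seen the redirect.` Note also that `m_url` is now updated before validateResponse runs, so any error it builds names the redirect target rather than the responding URL; the updated expectations suggest that is intentional, but a short comment at the assignment would prevent it being "fixed" back. The function signature is above this hunk.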
@@ -136,8 +134,11 @@
ASSERT(m_options.mode == FetchOptions::Mode::Cors);
String errorMessage;
- if (!WebCore::passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, errorMessage))
+ if (!WebCore::passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, errorMessage)) {
+ if (m_redirectCount)
+ errorMessage = makeString("Cross-origin redirection to ", m_url.string(), " denied by Cross-Origin Resource Sharing policy: ", errorMessage);
return ResourceError { errorDomainWebKitInternal, 0, m_url, WTFMove(errorMessage), ResourceError::Type::AccessControl };
+ }
response.setTainting(ResourceResponse::Tainting::Cors);
return { };
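Review bot: The `if (m_redirectCount)` guard in front of the new message tests whether any redirect has happened so far, not whether this particular response is a redirect, so if validateResponse is also reached for the terminal response (the ChangeLog lists validateResourceResponse as a caller) a CORS failure on the final resource after one or more redirects would be logged as `Cross-origin redirection to <final URL> denied ...`. Testing the response itself, e.g. `if (response.isRedirection())` if that predicate is available on ResourceResponse, or passing an explicit flag down from checkRedirection, would keep the message accurate. validateResponse begins before this hunk.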
@@ -173,8 +174,9 @@
if (url != request.url())
request.setURL(url);
}
- if (!contentSecurityPolicy->allowConnectToSource(request.url(), isRedirected() ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No)) {
- handler(returnError(ASCIILiteral("Blocked by Content Security Policy")));
+ if (m_options.destination == FetchOptions::Destination::EmptyString && !contentSecurityPolicy->allowConnectToSource(request.url(), isRedirected() ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No)) {
+ String error = !isRedirected() ? ASCIILiteral("Blocked by Content Security Policy") : makeString("Blocked ", request.url().string(), " by Content Security Policy");
+ handler(returnError(WTFMove(error)));
return;
}
}
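Review bot: Gating the CSP check on `m_options.destination == FetchOptions::Destination::EmptyString` silently drops CSP enforcement in the NetworkProcess for every other destination this change routes through the checker (script, image, worker, ...), and nothing at the call site says where those directives are enforced instead. The gate itself looks right, since `allowConnectToSource` is the correct directive only for the empty destination, so the concern is discoverability rather than the condition. A comment such as `// Only connect-src (empty destination, i.e. fetch/XHR) is enforced here; other destinations rely on the WebProcess CSP checks at load start and when it is asked to continue a redirect.` would state the intended division of labour, assuming that is what the WebProcess side actually does. continueCheckingRequest begins before this hunk.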
@@ -188,7 +190,8 @@
}
if (m_options.mode == FetchOptions::Mode::SameOrigin) {
- handler(returnError(ASCIILiteral("SameOrigin mode does not allow cross origin requests")));
+ String message = makeString("Unsafe attempt to load URL ", request.url().stringCenterEllipsizedToLength(), " from origin ", m_origin->toString(), ". Domains, protocols and ports must match.\n");
+ handler(returnError(WTFMove(message)));
return;
}
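Review bot: The new SameOrigin message dereferences `m_origin` (`m_origin->toString()`) on a path that previously did not touch it, and the only visible guarantee about `m_origin` is the `ASSERT(m_options.mode == FetchOptions::Mode::Cors)` that precedes the CORS-path dereference in validateResponse. If code above this hunk already dereferences `m_origin` for this mode, a one-line comment saying so is enough; otherwise guard it, `m_origin ? m_origin->toString() : String()`, so a policy rejection cannot turn into a null dereference in the NetworkProcess. The message also ends in `\n` like the WK1 text it mirrors while the other errors built in this function do not; fine if intended for console parity, but worth a note. continueCheckingRequest begins before this hunk.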
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (231039 => 231040)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-04-26 03:21:55 UTC (rev 231040)
@@ -98,15 +98,8 @@
if (!parameters.shouldRestrictHTTPResponseAccess)
return false;
- // FIXME: Add support for other destinations.
- switch (parameters.options.destination) {
- case FetchOptions::Destination::Audio:
- case FetchOptions::Destination::Video:
- return true;
- default:
- break;
- }
- return false;
+ // FIXME: Add support for Document and EmptyString.
+ return parameters.options.destination != FetchOptions::Destination::Document && parameters.options.destination != FetchOptions::Destination::EmptyString;
}
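Review bot: The new condition turns the previous allowlist into a denylist, which is the safer direction (any future FetchOptions::Destination value is checked by default), but the rewritten FIXME no longer explains why Document and EmptyString are the exceptions. A comment such as `// Document loads are navigations with their own checks; EmptyString (fetch/XHR) is still checked in the WebProcess by DocumentThreadableLoader.` — assuming that is the actual split — would stop a later reader from either un-checking those loads or checking them twice. The `shouldRestrictHTTPResponseAccess` gate above is unchanged, so the checker remains opt-in per load parameters. shouldUseNetworkLoadChecker begins before this hunk.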
NetworkResourceLoader::NetworkResourceLoader(NetworkResourceLoadParameters&& parameters, NetworkConnectionToWebProcess& connection, RefPtr<Messages::NetworkConnectionToWebProcess::PerformSynchronousLoad::DelayedReply>&& synchronousReply)
@@ -628,6 +621,14 @@
void NetworkResourceLoader::continueWillSendRequest(ResourceRequest&& newRequest, bool isAllowedToAskUserForCredentials)
{
+ if (m_networkLoadChecker) {
+ // FIXME: We should be doing this check when receiving the redirection.
+ if (!newRequest.url().protocolIsInHTTPFamily() && m_redirectCount) {
+ didFailLoading(ResourceError { String { }, 0, newRequest.url(), ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"), ResourceError::Type::AccessControl });
+ return;
+ }
+ }
+
RELEASE_LOG_IF_ALLOWED("continueWillSendRequest: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", resourceID = %" PRIu64 ")", m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier);
if (m_networkLoadChecker)
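Review bot: The rejection of a non-HTTP(S) redirect target builds its ResourceError with an empty domain (`String { }`) while the same class of error from NetworkLoadChecker uses `errorDomainWebKitInternal`, so anything that keys on the domain sees two different errors for one policy decision; `ResourceError { errorDomainWebKitInternal, 0, newRequest.url(), ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"), ResourceError::Type::AccessControl }` would be consistent (PingLoad has the same mismatch). The `&& m_redirectCount` guard relies on the count already being incremented when the WebProcess replies, presumably in the redirect-received path outside this hunk; a brief comment stating that would make the guard readable. The two consecutive `if (m_networkLoadChecker)` blocks could be merged now that both exist. continueWillSendRequest continues past this hunk.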
Modified: trunk/Source/WebKit/NetworkProcess/PingLoad.cpp (231039 => 231040)
--- trunk/Source/WebKit/NetworkProcess/PingLoad.cpp 2018-04-26 02:10:59 UTC (rev 231039)
+++ trunk/Source/WebKit/NetworkProcess/PingLoad.cpp 2018-04-26 03:21:55 UTC (rev 231040)
@@ -102,6 +102,11 @@
auto request = WTFMove(result.value());
m_networkLoadChecker->prepareRedirectedRequest(request);
+ if (!result.value().url().protocolIsInHTTPFamily()) {
+ this->didFinish(ResourceError { String { }, 0, result.value().url(), ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"), ResourceError::Type::AccessControl });
+ return;
+ }
+
completionHandler(WTFMove(request));
});
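Review bot: The new check reads `result.value()` after `auto request = WTFMove(result.value());` on the line above has moved out of it, so both the `protocolIsInHTTPFamily()` test and the URL placed into the ResourceError operate on a moved-from ResourceRequest; if ResourceRequest's move leaves the URL empty, every redirected ping would be rejected here as non-HTTP(S), and even if the move degrades to a copy the code is correct only by accident. Test the local instead: `if (!request.url().protocolIsInHTTPFamily()) {` and `this->didFinish(ResourceError { String { }, 0, request.url(), ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"), ResourceError::Type::AccessControl });`. The error domain is empty here as well, unlike the `errorDomainWebKitInternal` NetworkLoadChecker uses for the same policy decisions. The enclosing lambda and its function begin before this hunk and may continue after it.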
}