Diff
Modified: trunk/LayoutTests/ChangeLog (231106 => 231107)
--- trunk/LayoutTests/ChangeLog 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/ChangeLog 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,31 @@
+2018-04-27 Youenn Fablet <[email protected]>
+
+ Use NetworkLoadChecker for XHR/fetch loads
+ https://bugs.webkit.org/show_bug.cgi?id=184741
+
+ Reviewed by Chris Dumez.
+
+ * TestExpectations:
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt:
+ * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt:
+ * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt:
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: Added.
+ * platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt: Added.
+ * platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt: Added.
+ * platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt: Added.
+ * platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: Added.
+ * platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt: Added.
+ * platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt: Added.
+ * platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt: Added.
+ * platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt: Added.
+
2018-04-27 Simon Fraser <[email protected]>
Make color-filter transform gradient colors
Modified: trunk/LayoutTests/TestExpectations (231106 => 231107)
--- trunk/LayoutTests/TestExpectations 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/TestExpectations 2018-04-27 18:10:18 UTC (rev 231107)
@@ -203,6 +203,12 @@
http/tests/security/frame-loading-via-document-write.html [ DumpJSConsoleLogInStdErr ]
http/tests/security/frame-loading-via-document-write-async-delegates.html [ DumpJSConsoleLogInStdErr ]
+imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.html [ DumpJSConsoleLogInStdErr ]
+imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.html [ DumpJSConsoleLogInStdErr ]
+imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker.html [ DumpJSConsoleLogInStdErr ]
+imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode-worker.html [ DumpJSConsoleLogInStdErr ]
+imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html [ DumpJSConsoleLogInStdErr ]
+
webkit.org/b/181901 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-cors-xhr.https.html [ DumpJSConsoleLogInStdErr ]
webkit.org/b/181897 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-canvas-tainting.https.html [ DumpJSConsoleLogInStdErr ]
webkit.org/b/181900 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-canvas-tainting-cache.https.html [ DumpJSConsoleLogInStdErr ]
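Review bot: The five new `[ DumpJSConsoleLogInStdErr ]` entries carry no bug link or comment, unlike the three `webkit.org/b/…` entries directly below them. The option moves console output out of the compared baseline, and the matching expected files in this commit (mode-same-origin, scheme-about, redirect-to-dataurl) lose every `CONSOLE MESSAGE` line. Those baselines therefore no longer record which check rejected each load. I would prefix each entry with the tracking bug, e.g. `webkit.org/b/184741 imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.html [ DumpJSConsoleLogInStdErr ]`, and state in the ChangeLog why the messages cannot be kept in the baseline.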
Modified: trunk/LayoutTests/http/tests/quicklook/same-origin-xmlhttprequest-allowed-expected.txt (231106 => 231107)
--- trunk/LayoutTests/http/tests/quicklook/same-origin-xmlhttprequest-allowed-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/http/tests/quicklook/same-origin-xmlhttprequest-allowed-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: Blocked by Content Security Policy
+CONSOLE MESSAGE: XMLHttpRequest cannot load about: due to access control checks.
CONSOLE MESSAGE: line 1: PASS: XMLHttpRequest allowed
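Review bot: This baseline now expects `Blocked by Content Security Policy` and `XMLHttpRequest cannot load about: due to access control checks.` in a test whose own result line is `PASS: XMLHttpRequest allowed`. The first message names no URL and the second names only `about:`, which suggests (not confirmed from this page) that a request with an empty or placeholder URL reaches the checker. Accepting these lines as expected output makes a block report the normal state for an allowed request. The file is also missing from the LayoutTests/ChangeLog entry; please add it there with a sentence on which load produces the two messages.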
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (231106 => 231107)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,6 +1,8 @@
CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy.
+CONSOLE MESSAGE: Cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt (231106 => 231107)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: Blocked http://localhost:8000/eventsource/resources/simple-event-stream.asis by Content Security Policy
CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy.
CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy.
CONSOLE MESSAGE: EventSource cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt (231106 => 231107)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: Blocked http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl by Content Security Policy
CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (231106 => 231107)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: Blocked http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi by Content Security Policy
This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.
PASS threw exception NetworkError: A network error occurred..
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (231106 => 231107)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,5 +1,5 @@
CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" due to access control checks.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" due to access control checks.
CONSOLE MESSAGE: Preflight response is not successful
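Review bot: After this change the `XMLHttpRequest cannot load …` line reports a different URL depending on which check denied the redirect. For the CORS denial at the top it now names the redirect target (`access-control-basic-allow-star.cgi`), while the `foo://bar.cgi` denial two lines below still names `redirect-cors.php?url=""`. The CSP baselines in this commit (connect-src-eventsource/xmlhttprequest-redirect-to-blocked) likewise name the original `redir.php` URL. Someone triaging from console output cannot tell whether the named URL is the request or the redirect target. The code that formats the message is not on this page, so either make the reported URL consistent there or add a ChangeLog line stating which URL each failure path reports.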
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt (231106 => 231107)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,11 +1,11 @@
CONSOLE MESSAGE: line 25: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" due to access control checks.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
CONSOLE MESSAGE: line 25: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url="" due to access control checks.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks.
Tests that redirects between origins are never allowed, even when access control is involved.
Per the spec, these test cases should be allowed, but cross-origin redirects are currently unsupported in WebCore.
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,19 @@
+2018-04-27 Youenn Fablet <[email protected]>
+
+ Use NetworkLoadChecker for XHR/fetch loads
+ https://bugs.webkit.org/show_bug.cgi?id=184741
+
+ Reviewed by Chris Dumez.
+
+ * web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt:
+ * web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt:
+ * web-platform-tests/cors/late-upload-events-expected.txt:
+ * web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt:
+ * web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt:
+ * web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt:
+ * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt:
+ * web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt:
+
2018-04-26 Youenn Fablet <[email protected]>
preflight checker should add a console message when preflight load is blocked
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,5 +1,5 @@
-CONSOLE MESSAGE: CORS-preflight request was blocked
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks.
+Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py
+CONSOLE MESSAGE: line 31: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks.
PASS XMLHttpRequest: send() - "Basic" authenticated CORS requests with user name and password passed to open() (asserts failure)
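Review bot: The new first line, `Blocked access to external URL http://www1.localhost:8800/…`, appears to be the test runner's own refusal to contact a non-local host rather than a result of the CORS or authentication logic. Since the subtest "asserts failure", it would then pass without the access-control path ever seeing a response. The same line replaces `CORS-preflight request was blocked` in send-network-error-async-events.sub-expected.txt and cors/late-upload-events-expected.txt. If that reading is right, these baselines give no coverage of the new checker; worth a ChangeLog note, or making the `www1.localhost` host reachable in the harness so the failure comes from the check under test.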
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,5 +1,5 @@
-CONSOLE MESSAGE: CORS-preflight request was blocked
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks.
+Blocked access to external URL http://nonexistent-origin.localhost:8800/
+CONSOLE MESSAGE: line 43: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks.
PASS XMLHttpRequest: The send() method: Fire a progress event named error when Network error happens (synchronous flag is unset)
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,7 +1,7 @@
Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header
CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
-CONSOLE MESSAGE: CORS-preflight request was blocked
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
Adding upload event listeners after send()
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,10 +1,4 @@
-CONSOLE MESSAGE: line 12: Fetch API cannot load https://localhost:9443/fetch/api/resources/top.txt.
-CONSOLE MESSAGE: line 12: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/top.txt.
-CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match.
-
-
PASS Fetch ../resources/top.txt with same-origin mode
PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with same-origin mode
PASS Fetch https://localhost:9443/fetch/api/resources/top.txt with same-origin mode
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,18 +1,6 @@
-CONSOLE MESSAGE: line 10: Cross origin requests are only supported for HTTP.
-CONSOLE MESSAGE: line 10: Fetch API cannot load about:blank due to access control checks.
-CONSOLE MESSAGE: Preflight response is not successful
-CONSOLE MESSAGE: Fetch API cannot load about:blank due to access control checks.
-CONSOLE MESSAGE: line 10: Cross origin requests are only supported for HTTP.
-CONSOLE MESSAGE: line 10: Fetch API cannot load about:blank due to access control checks.
-CONSOLE MESSAGE: line 27: Cross origin requests are only supported for HTTP.
-CONSOLE MESSAGE: line 27: Fetch API cannot load about:invalid.com due to access control checks.
-CONSOLE MESSAGE: line 27: Cross origin requests are only supported for HTTP.
-CONSOLE MESSAGE: line 27: Fetch API cannot load about:config due to access control checks.
-CONSOLE MESSAGE: line 27: Cross origin requests are only supported for HTTP.
-CONSOLE MESSAGE: line 27: Fetch API cannot load about:unicorn due to access control checks.
FAIL Fetching about:blank (GET) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP."
-FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Preflight response is not successful"
+FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP."
FAIL Fetching about:blank (POST) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP."
PASS Fetching about:invalid.com is KO
PASS Fetching about:config is KO
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,7 +1,6 @@
-CONSOLE MESSAGE: Preflight response is not successful
FAIL Fetching about:blank (GET) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP."
-FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Preflight response is not successful"
+FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP."
FAIL Fetching about:blank (POST) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP."
PASS Fetching about:invalid.com is KO
PASS Fetching about:config is KO
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,14 +1,4 @@
-CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks.
-CONSOLE MESSAGE: Redirection to URL with a scheme that is not HTTP(S).
-CONSOLE MESSAGE: Fetch API cannot load data:text/plain;base64,cmVzcG9uc2UncyBib2R5 due to access control checks.
-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from origin http://localhost:8800. Domains, protocols and ports must match.
-CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks.
-CONSOLE MESSAGE: Redirection to URL with a scheme that is not HTTP(S).
-CONSOLE MESSAGE: Fetch API cannot load data:text/plain;base64,cmVzcG9uc2UncyBib2R5 due to access control checks.
-
PASS Testing data URL loading after same-origin redirection (cors mode)
PASS Testing data URL loading after same-origin redirection (no-cors mode)
PASS Testing data URL loading after same-origin redirection (same-origin mode)
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt (231106 => 231107)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: Redirections are not allowed
CONSOLE MESSAGE: Fetch API cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=https%3A%2F%2Flocalhost%3A9443%2Fservice-workers%2Fservice-worker%2Fresources%2Fsimple.txt%3F&error due to access control checks.
CONSOLE MESSAGE: Response served by service worker has redirections
CONSOLE MESSAGE: Fetch API cannot load https://localhost:9443/service-workers/service-worker/resources/simple.txt? due to access control checks.
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy.
+CONSOLE MESSAGE: EventSource cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
+PASS EventSource() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
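Review bot: This mac-wk1 copy of connect-src-xmlhttprequest-redirect-to-blocked-expected.txt is not listed in the LayoutTests/ChangeLog entry, which names the file only under `platform/win/`. Please add `* platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt: Added.` so the record of which ports keep the pre-change CSP console output is complete.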
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,3 @@
+This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.
+
+PASS threw exception NetworkError: A network error occurred..
Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,34 @@
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" due to access control checks.
+CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" due to access control checks.
+CONSOLE MESSAGE: Preflight response is not successful
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=* due to access control checks.
+CONSOLE MESSAGE: Request header field x-webkit is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" without credentials
+Expecting success: false
+PASS: 0
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: false
+PASS: 0
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true& url="" access-control-allow-origin=* without credentials
+Expecting success: false
+PASS: 0
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false& url="" access-control-allow-origin=*& access-control-allow-headers=x-webkit without credentials
+Expecting success: false
+PASS: 0
+Testing resources/redirect-cors.php?url="" without credentials
+Expecting success: true
+PASS: PASS
+
Copied: trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,10 @@
+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+Adding upload event listeners after send()
+
+
+FAIL Late listeners: No preflight assert_equals: expected 200 but got 0
+FAIL Late listeners: Preflight assert_equals: expected 200 but got 0
+
Copied: trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks.
+
+PASS XMLHttpRequest: send() - "Basic" authenticated CORS requests with user name and password passed to open() (asserts failure)
+
Copied: trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks.
+
+PASS XMLHttpRequest: The send() method: Fire a progress event named error when Network error happens (synchronous flag is unset)
+
Copied: trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,10 @@
+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+Adding upload event listeners after send()
+
+
+FAIL Late listeners: No preflight assert_equals: expected 200 but got 0
+FAIL Late listeners: Preflight assert_equals: expected 200 but got 0
+
Copied: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy.
+CONSOLE MESSAGE: EventSource cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
+PASS EventSource() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,3 @@
+This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.
+
+PASS threw exception NetworkError: A network error occurred..
Copied: trunk/LayoutTests/platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (from rev 231106, trunk/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,34 @@
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" due to access control checks.
+CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" due to access control checks.
+CONSOLE MESSAGE: Preflight response is not successful
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=* due to access control checks.
+CONSOLE MESSAGE: Request header field x-webkit is not allowed by Access-Control-Allow-Headers.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" without credentials
+Expecting success: false
+PASS: 0
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: true
+PASS: PASS: Cross-domain access allowed.
+
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url="" access-control-allow-origin=http://127.0.0.1:8000 without credentials
+Expecting success: false
+PASS: 0
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true& url="" access-control-allow-origin=* without credentials
+Expecting success: false
+PASS: 0
+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false& url="" access-control-allow-origin=*& access-control-allow-headers=x-webkit without credentials
+Expecting success: false
+PASS: 0
+Testing resources/redirect-cors.php?url="" without credentials
+Expecting success: true
+PASS: PASS
+
Copied: trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,10 @@
+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+Adding upload event listeners after send()
+
+
+FAIL Late listeners: No preflight assert_equals: expected 200 but got 0
+FAIL Late listeners: Preflight assert_equals: expected 200 but got 0
+
Copied: trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks.
+
+PASS XMLHttpRequest: send() - "Basic" authenticated CORS requests with user name and password passed to open() (asserts failure)
+
Copied: trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks.
+
+PASS XMLHttpRequest: The send() method: Fire a progress event named error when Network error happens (synchronous flag is unset)
+
Copied: trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt (from rev 231106, trunk/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt) (0 => 231107)
--- trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt 2018-04-27 18:10:18 UTC (rev 231107)
@@ -0,0 +1,10 @@
+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+CONSOLE MESSAGE: CORS-preflight request was blocked
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks.
+Adding upload event listeners after send()
+
+
+FAIL Late listeners: No preflight assert_equals: expected 200 but got 0
+FAIL Late listeners: Preflight assert_equals: expected 200 but got 0
+
Modified: trunk/Source/WebCore/ChangeLog (231106 => 231107)
--- trunk/Source/WebCore/ChangeLog 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebCore/ChangeLog 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,44 @@
+2018-04-27 Youenn Fablet <[email protected]>
+
+ Use NetworkLoadChecker for XHR/fetch loads
+ https://bugs.webkit.org/show_bug.cgi?id=184741
+
+ Reviewed by Chris Dumez.
+
+ Covered by existing tests.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::shouldSetHTTPHeadersToKeep const):
+ We need to set this option for CORS done in NetworkProcess.
+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
+ Set httpHeadersTokeep when needed (service worker or CORS loads).
+ Remove the synchronous disabling of preflight since this is now also done for asynchronous loads.
+ (WebCore::DocumentThreadableLoader::checkURLSchemeAsCORSEnabled):
+ Helper routine to make the same check for both simple and preflight case.
+ This allows more consistent error logging between WK1 and WK2.
+ (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequest):
+ Skip preflight in case this is done in NetworkProcess.
+ (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest):
+ (WebCore::isResponseComingFromNetworkProcess):
+ (WebCore::DocumentThreadableLoader::redirectReceived):
+ Bypass security checks when they are already done in NetworkProcess.
+ (WebCore::DocumentThreadableLoader::didFail):
+ In case of AccessControl error, it might be due to a CSP check done in NetworkProcess.
+ Check it again to enable specific CSP console logging and error reporting.
+ (WebCore::DocumentThreadableLoader::loadRequest):
+ Recreating the error in case of synchronous loads to be able to log it adequately.
+ (WebCore::DocumentThreadableLoader::isDoingSecurityChecksInNetworkProcess const):
+ * loader/DocumentThreadableLoader.h:
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl):
+ Specific handling of SameOrigin credential mode for which cross-origin load will not use any credential.
+ (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
+ We keep the application headers so that DocumentThreadableLoader does not have to restart a brand new load.
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::requestResource):
+ DocumentThreadableLoader is setting referrer and origin directly. Until we fix that, we remove them from the original requests
+ as applications are not supposed to set these headers.
+
2018-04-27 Wenson Hsieh <[email protected]>
Add an experimental feature flag for viewport "min-device-width"
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (231106 => 231107)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2018-04-27 18:10:18 UTC (rev 231107)
@@ -89,6 +89,24 @@
return create(document, client, WTFMove(request), options, nullptr, nullptr, WTFMove(referrer), ShouldLogError::Yes);
}
+static inline bool isDoingSecurityChecksInNetworkProcess()
+{
+ return platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks();
+}
+
+bool DocumentThreadableLoader::shouldSetHTTPHeadersToKeep() const
+{
+ if (m_options.mode == FetchOptions::Mode::Cors && isDoingSecurityChecksInNetworkProcess())
+ return true;
+
+#if ENABLE(SERVICE_WORKER)
+ if (m_options.serviceWorkersMode == ServiceWorkersMode::All && m_async)
+ return m_options.serviceWorkerRegistrationIdentifier || m_document.activeServiceWorker();
+#endif
+
+ return false;
+}
+
DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, ResourceRequest&& request, const ThreadableLoaderOptions& options, RefPtr<SecurityOrigin>&& origin, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy, String&& referrer, ShouldLogError shouldLogError)
: m_client(&client)
, m_document(document)
@@ -107,10 +125,6 @@
// Setting a referrer header is only supported in the async code path.
ASSERT(m_async || m_referrer.isEmpty());
- // No need to do preflight if the network stack will do it for us.
- if (!m_async && platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks())
- m_options.preflightPolicy = PreflightPolicy::Prevent;
-
// Referrer and Origin headers should be set after the preflight if any.
ASSERT(!request.hasHTTPReferrer() && !request.hasHTTPOrigin());
@@ -121,13 +135,11 @@
ASSERT(!request.httpHeaderFields().contains(HTTPHeaderName::Origin));
// Copy headers if we need to replay the request after a redirection.
- if (!m_async || m_options.mode == FetchOptions::Mode::Cors)
+ if (m_options.mode == FetchOptions::Mode::Cors)
m_originalHeaders = request.httpHeaderFields();
-#if ENABLE(SERVICE_WORKER)
- if (m_options.serviceWorkersMode == ServiceWorkersMode::All && m_async && (m_options.serviceWorkerRegistrationIdentifier || document.activeServiceWorker()))
+ if (shouldSetHTTPHeadersToKeep())
m_options.httpHeadersToKeep = httpHeadersToKeepFromCleaning(request.httpHeaderFields());
-#endif
if (document.page() && document.page()->isRunningUserScripts() && SchemeRegistry::isUserExtensionScheme(request.url().protocol().toStringWithoutCopying())) {
m_options.mode = FetchOptions::Mode::NoCors;
@@ -134,8 +146,7 @@
m_options.filteringPolicy = ResponseFilteringPolicy::Disable;
}
- if (m_contentSecurityPolicy || !document.shouldBypassMainWorldContentSecurityPolicy())
- m_options.cspResponseHeaders = this->contentSecurityPolicy().responseHeaders();
+ m_options.cspResponseHeaders = m_options.contentSecurityPolicyEnforcement != ContentSecurityPolicyEnforcement::DoNotEnforce ? this->contentSecurityPolicy().responseHeaders() : ContentSecurityPolicyResponseHeaders { };
// As per step 11 of https://fetch.spec.whatwg.org/#main-fetch, data scheme (if same-origin data-URL flag is set) and about scheme are considered same-origin.
if (request.url().protocolIsData())
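Review bot: The new `m_options.cspResponseHeaders` assignment no longer consults `m_contentSecurityPolicy` or `document.shouldBypassMainWorldContentSecurityPolicy()`; it depends only on `m_options.contentSecurityPolicyEnforcement`. Whether the CSP headers handed on still match what this document enforces therefore rests on every caller having set that option correctly, which is not visible in this hunk. If that is the intent, a one-line comment such as `// Callers encode the main-world CSP bypass in contentSecurityPolicyEnforcement; it is not re-checked here.` would make the contract explicit. The enclosing constructor starts and ends outside the hunk.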
@@ -154,13 +165,24 @@
makeCrossOriginAccessRequest(WTFMove(request));
}
+bool DocumentThreadableLoader::checkURLSchemeAsCORSEnabled(const URL& url)
+{
+ // Cross-origin requests are only allowed for HTTP and registered schemes. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
+ if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol().toStringWithoutCopying())) {
+ logErrorAndFail(ResourceError(errorDomainWebKitInternal, 0, url, "Cross origin requests are only supported for HTTP.", ResourceError::Type::AccessControl));
+ return false;
+ }
+ return true;
+}
+
void DocumentThreadableLoader::makeCrossOriginAccessRequest(ResourceRequest&& request)
{
ASSERT(m_options.mode == FetchOptions::Mode::Cors);
- if ((m_options.preflightPolicy == PreflightPolicy::Consider && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreflightPolicy::Prevent)
- makeSimpleCrossOriginAccessRequest(WTFMove(request));
- else {
+ if ((m_options.preflightPolicy == PreflightPolicy::Consider && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreflightPolicy::Prevent || isDoingSecurityChecksInNetworkProcess()) {
+ if (checkURLSchemeAsCORSEnabled(request.url()))
+ makeSimpleCrossOriginAccessRequest(WTFMove(request));
+ } else {
#if ENABLE(SERVICE_WORKER)
if (m_options.serviceWorkersMode == ServiceWorkersMode::All && m_async) {
if (m_options.serviceWorkerRegistrationIdentifier || document().activeServiceWorker()) {
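Review bot: With `|| isDoingSecurityChecksInNetworkProcess()` added to the condition, a request that would need a preflight now goes through makeSimpleCrossOriginAccessRequest() and `m_simpleRequest` keeps its previous value, since it is only set to false in the else branch further down the function. If anything later keys off `m_simpleRequest`, it will treat such a load as simple; that is not visible in this hunk and should be checked. A comment on the new branch, e.g. `// Preflight, if needed, is done by NetworkLoadChecker in NetworkProcess.`, would explain why taking the simple path is correct. The function continues outside the hunk.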
@@ -172,6 +194,9 @@
}
}
#endif
+ if (!checkURLSchemeAsCORSEnabled(request.url()))
+ return;
+
m_simpleRequest = false;
if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin().toString(), request.url(), m_options.storedCredentialsPolicy, request.httpMethod(), request.httpHeaderFields()))
preflightSuccess(WTFMove(request));
@@ -182,15 +207,9 @@
void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(ResourceRequest&& request)
{
- ASSERT(m_options.preflightPolicy != PreflightPolicy::Force);
- ASSERT(m_options.preflightPolicy == PreflightPolicy::Prevent || isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()));
+ ASSERT(m_options.preflightPolicy != PreflightPolicy::Force || isDoingSecurityChecksInNetworkProcess());
+ ASSERT(m_options.preflightPolicy == PreflightPolicy::Prevent || isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()) || isDoingSecurityChecksInNetworkProcess());
- // Cross-origin requests are only allowed for HTTP and registered schemes. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied.
- if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol().toStringWithoutCopying())) {
- logErrorAndFail(ResourceError(errorDomainWebKitInternal, 0, request.url(), "Cross origin requests are only supported for HTTP.", ResourceError::Type::AccessControl));
- return;
- }
-
updateRequestForAccessControl(request, securityOrigin(), m_options.storedCredentialsPolicy);
loadRequest(WTFMove(request), DoSecurityCheck);
}
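Review bot: Both ASSERTs now end in `|| isDoingSecurityChecksInNetworkProcess()`, so they check nothing when that returns true, and the scheme check that used to live in this function has moved to its callers. Within this diff only makeCrossOriginAccessRequest() is shown calling checkURLSchemeAsCORSEnabled() first; any other caller would reach loadRequest() without it. Keeping the invariant here as `ASSERT(SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol().toStringWithoutCopying()));` documents the precondition at no cost to release builds.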
@@ -247,6 +266,12 @@
m_preflightChecker = std::nullopt;
}
+static inline bool isResponseComingFromNetworkProcess(const ResourceResponse& response)
+{
+ auto source = response.source();
+ return source == ResourceResponse::Source::Network || source == ResourceResponse::Source::DiskCache || source == ResourceResponse::Source::DiskCacheAfterValidation;
+}
+
void DocumentThreadableLoader::redirectReceived(CachedResource& resource, ResourceRequest&& request, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& completionHandler)
{
ASSERT(m_client);
@@ -270,6 +295,11 @@
return completionHandler(WTFMove(request));
}
+ if (isDoingSecurityChecksInNetworkProcess() && isResponseComingFromNetworkProcess(redirectResponse)) {
+ completionHandler(WTFMove(request));
+ return;
+ }
+
// Allow same origin requests to continue after allowing clients to audit the redirect.
if (isAllowedRedirect(request.url()))
return completionHandler(WTFMove(request));
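Review bot: The early `completionHandler(WTFMove(request))` skips every redirect check below it on the strength of `redirectResponse.source()` alone, and nothing at the call site says why that is safe. A comment such as `// NetworkProcess already ran the CORS and CSP checks for this redirect; the response source is what tells us so.` would help, together with a note on isResponseComingFromNetworkProcess() that sources outside its three listed values must keep going through the WebProcess checks. The block could also use the single-statement `return completionHandler(WTFMove(request));` form used by the neighbouring early exits. redirectReceived() starts and ends outside the hunk.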
@@ -436,6 +466,15 @@
return;
}
#endif
+
+ // NetworkProcess might return a CSP violation as an AccessControl error in case of redirection.
+ // Let's recheck CSP to generate the report if needed.
+ // FIXME: We should introduce an error dedicated to CSP violation.
+ if (isDoingSecurityChecksInNetworkProcess() && error.isAccessControl() && error.failingURL().protocolIsInHTTPFamily() && !isAllowedByContentSecurityPolicy(error.failingURL(), ContentSecurityPolicy::RedirectResponseReceived::Yes)) {
+ reportContentSecurityPolicyError(m_resource->resourceRequest().url());
+ return;
+ }
+
if (m_shouldLogError == ShouldLogError::Yes)
logError(m_document, error, m_options.initiator);
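Review bot: The new block dereferences `m_resource` in `reportContentSecurityPolicyError(m_resource->resourceRequest().url())` without a null check, and nothing in the visible lines establishes that didFail() only runs once a resource exists; the ChangeLog says loadRequest() recreates the error for synchronous loads, so this is worth confirming for that path. If it can be null, add `m_resource &&` to the condition. The check uses `error.failingURL()` while the report uses the original request URL; if that is deliberate (so the report does not expose the redirect target), a comment should say so. didFail() starts outside the hunk.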
@@ -540,7 +579,7 @@
return;
}
- if (!platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks()) {
+ if (!isDoingSecurityChecksInNetworkProcess()) {
// FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
// request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
// requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (231106 => 231107)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2018-04-27 18:10:18 UTC (rev 231107)
@@ -118,6 +118,9 @@
void reportIntegrityMetadataError(const URL&);
void logErrorAndFail(const ResourceError&);
+ bool shouldSetHTTPHeadersToKeep() const;
+ bool checkURLSchemeAsCORSEnabled(const URL&);
+
CachedResourceHandle<CachedRawResource> m_resource;
ThreadableLoaderClient* m_client;
Document& m_document;
Modified: trunk/Source/WebCore/loader/ResourceLoaderOptions.h (231106 => 231107)
--- trunk/Source/WebCore/loader/ResourceLoaderOptions.h 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebCore/loader/ResourceLoaderOptions.h 2018-04-27 18:10:18 UTC (rev 231107)
@@ -155,11 +155,8 @@
ApplicationCacheMode applicationCacheMode { ApplicationCacheMode::Use };
#if ENABLE(SERVICE_WORKER)
std::optional<ServiceWorkerRegistrationIdentifier> serviceWorkerRegistrationIdentifier;
- // WebKit loading code is adding some HTTP headers between the application and the time service worker intercepts the fetch.
- // We keep a list of these headers so that we only remove the ones that are set by the loading code and not by the application.
- // FIXME: Remove this when service worker fetch interception happens before the setting of these headers in the loading code.
+#endif
HashSet<HTTPHeaderName, WTF::IntHash<HTTPHeaderName>, WTF::StrongEnumHashTraits<HTTPHeaderName>> httpHeadersToKeep;
-#endif
ClientCredentialPolicy clientCredentialPolicy { ClientCredentialPolicy::CannotAskClientForCredentials };
unsigned maxRedirectCount { 20 };
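Review bot: `httpHeadersToKeep` is left without any comment, because the three lines that explained it were removed when the member moved out of `#if ENABLE(SERVICE_WORKER)`. The field now also controls which headers survive cleanHTTPRequestHeadersForAccessControl() on a cross-origin redirect (see the SubresourceLoader.cpp change), so it deserves a replacement, e.g. `// Headers set by the application, which the loading code must not strip when cleaning a request (service worker interception, CORS redirects).`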
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (231106 => 231107)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2018-04-27 18:10:18 UTC (rev 231107)
@@ -530,7 +530,8 @@
#endif
ASSERT(m_origin);
- return passesAccessControlCheck(response, options().storedCredentialsPolicy, *m_origin, errorDescription);
+
+ return passesAccessControlCheck(response, options().credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse, *m_origin, errorDescription);
}
bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest, String& errorMessage)
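Review bot: The response check now derives its policy from `options().credentials == FetchOptions::Credentials::Include`, while updateRequestForAccessControl() in checkRedirectionCrossOriginAccessControl() still passes `options().storedCredentialsPolicy`. If the two can disagree (credentials mode SameOrigin with storedCredentialsPolicy still Use on a request that became cross-origin), the response would be validated under the no-credentials rules although the request was prepared with the other policy. Whether that state is reachable is not visible here; a comment stating the invariant, or computing the policy once in a small helper used by both sites, would settle it. checkResponseCrossOriginAccessControl() starts outside the hunk.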
@@ -571,7 +572,7 @@
updateReferrerPolicy(redirectResponse.httpHeaderField(HTTPHeaderName::ReferrerPolicy));
if (redirectingToNewOrigin) {
- cleanHTTPRequestHeadersForAccessControl(newRequest);
+ cleanHTTPRequestHeadersForAccessControl(newRequest, options().httpHeadersToKeep);
updateRequestForAccessControl(newRequest, *m_origin, options().storedCredentialsPolicy);
}
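Review bot: Passing `options().httpHeadersToKeep` here means headers in that set are no longer stripped when `redirectingToNewOrigin` is true. The set is built by httpHeadersToKeepFromCleaning(), whose contents are not visible in this diff, so it is worth confirming that credential-bearing headers such as Authorization cannot end up in it; the WebKit ChangeLog entry for NetworkLoadChecker::checkCORSRedirectedRequest mentions removing Authorization, which suggests the NetworkProcess path handles this separately. A comment stating which headers may legitimately survive an origin change would help. The function continues outside the hunk.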
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (231106 => 231107)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2018-04-27 18:10:18 UTC (rev 231107)
@@ -776,8 +776,11 @@
// Entry point to https://fetch.spec.whatwg.org/#main-fetch.
std::unique_ptr<ResourceRequest> originalRequest;
- if (CachedResource::shouldUsePingLoad(type))
+ if (CachedResource::shouldUsePingLoad(type) || request.options().destination == FetchOptions::Destination::EmptyString) {
originalRequest = std::make_unique<ResourceRequest>(request.resourceRequest());
+ originalRequest->clearHTTPReferrer();
+ originalRequest->clearHTTPOrigin();
+ }
if (Document* document = this->document())
request.upgradeInsecureRequestIfNeeded(*document);
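Review bot: Widening the condition makes `clearHTTPReferrer()` and `clearHTTPOrigin()` run for ping loads as well, not only for requests with `FetchOptions::Destination::EmptyString`; the ChangeLog motivates the clearing only by DocumentThreadableLoader setting these headers itself. If ping loads are meant to keep them in `originalRequest`, the two clear calls need their own `if` on the destination. Either way the workaround should carry a comment in the code, e.g. `// FIXME: DocumentThreadableLoader sets Referer and Origin itself; remove once it stops doing so.`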
Modified: trunk/Source/WebCore/platform/SchemeRegistry.h (231106 => 231107)
--- trunk/Source/WebCore/platform/SchemeRegistry.h 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebCore/platform/SchemeRegistry.h 2018-04-27 18:10:18 UTC (rev 231107)
@@ -82,7 +82,7 @@
// Allow non-HTTP schemes to be registered to allow CORS requests.
WEBCORE_EXPORT static void registerURLSchemeAsCORSEnabled(const String& scheme);
- static bool shouldTreatURLSchemeAsCORSEnabled(const String& scheme);
+ WEBCORE_EXPORT static bool shouldTreatURLSchemeAsCORSEnabled(const String& scheme);
// Allow resources from some schemes to load on a page, regardless of its
// Content Security Policy.
Modified: trunk/Source/WebKit/ChangeLog (231106 => 231107)
--- trunk/Source/WebKit/ChangeLog 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebKit/ChangeLog 2018-04-27 18:10:18 UTC (rev 231107)
@@ -1,3 +1,31 @@
+2018-04-27 Youenn Fablet <[email protected]>
+
+ Use NetworkLoadChecker for XHR/fetch loads
+ https://bugs.webkit.org/show_bug.cgi?id=184741
+
+ Reviewed by Chris Dumez.
+
+ * NetworkProcess/NetworkCORSPreflightChecker.cpp:
+ (WebKit::NetworkCORSPreflightChecker::didCompleteWithError):
+ Pass the preflight error as completion error if any.
+ * NetworkProcess/NetworkLoad.cpp:
+ (WebKit::NetworkLoad::willPerformHTTPRedirection):
+ Set response source to Network so that checks relying on that are correct.
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::validateResponse):
+ Adding Oppaqueredirect tainting.
+ (NetworkLoadChecker::doesNotNeedCORSCheck):
+ Adding a check to only activate CORS checks for CORS enabled schemes.
+ Non CORS enabled schemes loads should have failed in WebProcess already.
+ (WebKit::NetworkLoadChecker::checkCORSRedirectedRequest):
+ Remove Authorization header as done by SubresourceLoader.
+ (WebKit::NetworkLoadChecker::checkCORSRequestWithPreflight):
+ If error is cancellation, we still want to call the completion handler.
+ * NetworkProcess/NetworkResourceLoader.cpp:
+ Activate network load checker for all types of loads.
+ (WebKit::NetworkResourceLoader::willSendRedirectedRequest):
+ Handle manual redirection by directly calling didReceiveResponse.
+
2018-04-27 Wenson Hsieh <[email protected]>
Add an experimental feature flag for viewport "min-device-width"
Modified: trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp (231106 => 231107)
--- trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp 2018-04-27 18:10:18 UTC (rev 231107)
@@ -97,11 +97,15 @@
RELEASE_LOG_IF_ALLOWED("didReceiveData");
}
-void NetworkCORSPreflightChecker::didCompleteWithError(const WebCore::ResourceError& error, const WebCore::NetworkLoadMetrics&)
+void NetworkCORSPreflightChecker::didCompleteWithError(const WebCore::ResourceError& preflightError, const WebCore::NetworkLoadMetrics&)
{
- if (!error.isNull()) {
+ if (!preflightError.isNull()) {
RELEASE_LOG_IF_ALLOWED("didCompleteWithError");
- m_completionCallback(ResourceError { errorDomainWebKitInternal, 0, m_parameters.originalRequest.url(), ASCIILiteral("Preflight response is not successful"), ResourceError::Type::AccessControl });
+ auto error = preflightError;
+ if (error.isNull() || error.isGeneral())
+ error.setType(ResourceError::Type::AccessControl);
+
+ m_completionCallback(WTFMove(error));
return;
}
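Review bot: The `error.isNull()` half of the new condition can never be true, because this code only runs inside `if (!preflightError.isNull())` and `error` is a copy of `preflightError`; the test reduces to `if (error.isGeneral())`. The change also forwards the underlying network error to the completion callback, where the old code sent a fixed "Preflight response is not successful" AccessControl error, so non-general errors now keep their original type and description. A comment should confirm that this detail is meant to reach the caller, e.g. `// Forward the preflight failure as-is; only generic errors are re-typed as AccessControl.` The rest of didCompleteWithError lies outside the hunk.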
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp (231106 => 231107)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoad.cpp 2018-04-27 18:10:18 UTC (rev 231107)
@@ -239,6 +239,7 @@
ASSERT(RunLoop::isMain());
ASSERT(!m_redirectCompletionHandler);
+ redirectResponse.setSource(ResourceResponse::Source::Network);
m_redirectCompletionHandler = WTFMove(completionHandler);
#if ENABLE(NETWORK_CAPTURE)
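Review bot: The added `redirectResponse.setSource(ResourceResponse::Source::Network);` has no comment saying why the source is overwritten here; the reason appears only in the ChangeLog (checks that rely on the response source). A one-line comment such as `// Redirect responses handled here come from the network; later checks depend on the source being set.` would keep that next to the code. The enclosing function starts and ends outside the hunk, so which checks consume the source cannot be confirmed from here.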
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (231106 => 231107)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-04-27 18:10:18 UTC (rev 231107)
@@ -35,6 +35,7 @@
#include <WebCore/CrossOriginAccessControl.h>
#include <WebCore/CrossOriginPreflightResultCache.h>
#include <WebCore/HTTPParsers.h>
+#include <WebCore/SchemeRegistry.h>
#define RELEASE_LOG_IF_ALLOWED(fmt, ...) RELEASE_LOG_IF(m_sessionID.isAlwaysOnLoggingAllowed(), Network, "%p - NetworkLoadChecker::" fmt, this, ##__VA_ARGS__)
@@ -122,6 +123,11 @@
if (m_redirectCount)
response.setRedirected(true);
+ if (response.type() == ResourceResponse::Type::Opaqueredirect) {
+ response.setTainting(ResourceResponse::Tainting::Opaqueredirect);
+ return { };
+ }
+
if (m_isSameOriginRequest) {
response.setTainting(ResourceResponse::Tainting::Basic);
return { };
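Review bot: The new early return for `ResourceResponse::Type::Opaqueredirect` sits before the same-origin and CORS branches, so any response that arrives with that type skips them. Within this commit the type is set by NetworkResourceLoader::willSendRedirectedRequest for manual redirects; if that is the only place it can be set in the network process, say so in a comment, e.g. `// Opaqueredirect is only set by NetworkResourceLoader for redirect mode "manual"; no CORS check applies.` validateResponse begins and ends outside the hunk, so whether the type could also arrive from elsewhere is not visible here.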
@@ -237,13 +243,13 @@
// https://fetch.spec.whatwg.org/#concept-http-redirect-fetch (Step 10).
if (!m_origin || !m_origin->isUnique())
m_origin = SecurityOrigin::createUnique();
-
- // FIXME: Add support for SameOrigin credentials.
}
// FIXME: We should set the request referrer according the referrer policy.
// Let's fetch the request with the original headers (equivalent to request cloning specified by fetch algorithm).
+ if (!request.httpHeaderFields().contains(HTTPHeaderName::Authorization))
+ m_firstRequestHeaders.remove(HTTPHeaderName::Authorization);
request.setHTTPHeaderFields(m_firstRequestHeaders);
checkCORSRequest(WTFMove(request), WTFMove(handler));
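Review bot: The Authorization handling in the added lines works only if the redirected `request` arrives with the header already stripped; nothing in the hunk states that, and the removal from `m_firstRequestHeaders` is permanent for the rest of the redirect chain. A comment would make the dependency explicit: `// If the redirected request no longer carries Authorization, do not restore it from the original headers.` The hunk also deletes the `FIXME: Add support for SameOrigin credentials` line without any visible code that implements it; if that support is still missing, the FIXME should stay. The function continues outside the hunk on both sides.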
@@ -272,12 +278,9 @@
m_sessionID,
m_storedCredentialsPolicy
};
- m_corsPreflightChecker = std::make_unique<NetworkCORSPreflightChecker>(WTFMove(parameters), [this, request = WTFMove(request), handler = WTFMove(handler)](auto&& error) mutable {
- if (error.isCancellation())
- return;
+ m_corsPreflightChecker = std::make_unique<NetworkCORSPreflightChecker>(WTFMove(parameters), [this, request = WTFMove(request), handler = WTFMove(handler), isRedirected = isRedirected()](auto&& error) mutable {
+ RELEASE_LOG_IF_ALLOWED("checkCORSRequestWithPreflight - makeCrossOriginAccessRequestWithPreflight preflight complete, success: %d forRedirect? %d", error.isNull(), isRedirected);
- RELEASE_LOG_IF_ALLOWED("checkCORSRequestWithPreflight - makeCrossOriginAccessRequestWithPreflight preflight complete, success: %d forRedirect? %d", error.isNull(), isRedirected());
-
if (!error.isNull()) {
handler(makeUnexpected(WTFMove(error)));
return;
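Review bot: The completion lambda still captures a raw `this`, and after this change it no longer returns early on cancellation, so `RELEASE_LOG_IF_ALLOWED` (which reads `m_sessionID` and prints `this`, per the macro earlier in the file) now runs on that path too. If the callback can fire with a cancellation error while the NetworkLoadChecker is being destroyed, which the hunk does not show, the log line would touch a dead object. Capturing the session id by value, `sessionID = m_sessionID`, and logging through `RELEASE_LOG_IF(sessionID.isAlwaysOnLoggingAllowed(), Network, ...)` would remove that dependency for the logging. The rest of the lambda body is outside the hunk and should be checked for other uses of `this`.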
@@ -295,6 +298,9 @@
if (m_options.mode == FetchOptions::Mode::NoCors || m_options.mode == FetchOptions::Mode::Navigate)
return true;
+ if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol().toStringWithoutCopying()))
+ return true;
+
return m_isSameOriginRequest && m_origin->canRequest(url);
}
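Review bot: The added scheme test makes doesNotNeedCORSCheck return true, i.e. skip CORS, for every URL whose scheme is not CORS-enabled, which fails open in the network process. The ChangeLog says such loads "should have failed in WebProcess already", but that is an assumption about another process and is not re-checked here. At minimum record it beside the test, `// Non-CORS-enabled schemes are expected to be rejected in the WebProcess; this is not re-verified here.`, and consider rejecting the load instead of skipping the check if the network process is meant to be the enforcement point. It is also not visible in this hunk whether the network process's SchemeRegistry holds the same registrations as the WebProcess.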
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (231106 => 231107)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-04-27 18:03:15 UTC (rev 231106)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-04-27 18:10:18 UTC (rev 231107)
@@ -90,18 +90,6 @@
data.delayedReply = nullptr;
}
-static inline bool shouldUseNetworkLoadChecker(bool isSynchronous, const NetworkResourceLoadParameters& parameters)
-{
- if (isSynchronous)
- return true;
-
- if (!parameters.shouldRestrictHTTPResponseAccess)
- return false;
-
- // FIXME: Add support for Document and EmptyString.
- return parameters.options.destination != FetchOptions::Destination::Document && parameters.options.destination != FetchOptions::Destination::EmptyString;
-}
-
NetworkResourceLoader::NetworkResourceLoader(NetworkResourceLoadParameters&& parameters, NetworkConnectionToWebProcess& connection, RefPtr<Messages::NetworkConnectionToWebProcess::PerformSynchronousLoad::DelayedReply>&& synchronousReply)
: m_parameters { WTFMove(parameters) }
, m_connection { connection }
@@ -122,7 +110,7 @@
}
}
- if (shouldUseNetworkLoadChecker(!!synchronousReply, m_parameters)) {
+ if (synchronousReply || parameters.shouldRestrictHTTPResponseAccess) {
m_networkLoadChecker = NetworkLoadChecker::create(FetchOptions { m_parameters.options }, m_parameters.sessionID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.preflightPolicy);
if (m_parameters.cspResponseHeaders)
m_networkLoadChecker->setCSPResponseHeaders(ContentSecurityPolicyResponseHeaders { m_parameters.cspResponseHeaders.value() });
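Review bot: The new condition reads `parameters.shouldRestrictHTTPResponseAccess`, but `parameters` was already moved into `m_parameters` in the member initializer list (`m_parameters { WTFMove(parameters) }`), so this reads a moved-from object. It probably still yields the original bool when the move constructor is member-wise, but it depends on that detail, and every other access in this block uses `m_parameters`. The line should be `if (synchronousReply || m_parameters.shouldRestrictHTTPResponseAccess) {`. Since this flag decides whether the NetworkLoadChecker is created at all, a wrong value here would silently disable the network-process checks for the load. The constructor body extends beyond the hunk.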
@@ -561,6 +549,14 @@
if (!result.has_value()) {
if (result.error().isCancellation())
return;
+
+ if (m_parameters.options.redirect == FetchOptions::Redirect::Manual) {
+ redirectResponse.setType(ResourceResponse::Type::Opaqueredirect);
+ this->didReceiveResponse(WTFMove(redirectResponse));
+ this->didFinishLoading({ });
+ return;
+ }
+
this->didFailLoading(result.error());
return;
}
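Review bot: In the added `Redirect::Manual` branch every non-cancellation failure from the checker is turned into a successful opaque-redirect response, and `result.error()` is never inspected. If the checker can fail for reasons other than the redirect mode (the hunk does not show what errors it produces), those failures would be reported to the client as a finished load rather than through `didFailLoading`. Either test for the specific redirect-mode error before taking this branch or document that no other error is possible here, e.g. `// With redirect mode "manual" the checker only fails to signal the redirect; report it as an opaque redirect.` The enclosing callback starts outside the hunk.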