Title: [231521] trunk
Revision: 231521
Author: [email protected]
Date: 2018-05-08 16:28:05 -0700 (Tue, 08 May 2018)

Log Message

Do not apply X-Frame-Options and CSP frame-ancestors to Quick Look-applicable responses in NetworkProcess
https://bugs.webkit.org/show_bug.cgi?id=185442
<rdar://problem/40067209>

Reviewed by Andy Estes.

Source/WebKit:

Just as we exempt responses in WebContent process that will be handled by Quick Look from the Content
Security Policy frame-ancestors directive and X-Frame-Options checking, we need to do the same when
such checks are performed in NetworkProcess following r231479.

HTTP responses that will be previewed using Quick Look are not considered web pages and are subject
to the security model for Quick Look documents. That is, they are exempt from Content Security Policy
and X-Frame-Options processing.

* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):

LayoutTests:

Remove test http/tests/quicklook/csp-header-ignored.html from TestExpectations now that it passes.

* platform/ios/TestExpectations:

Diff

Modified: trunk/LayoutTests/ChangeLog (231520 => 231521)


--- trunk/LayoutTests/ChangeLog	2018-05-08 23:26:39 UTC (rev 231520)
+++ trunk/LayoutTests/ChangeLog	2018-05-08 23:28:05 UTC (rev 231521)
@@ -1,5 +1,17 @@
 2018-05-08  Daniel Bates  <[email protected]>
 
+        Do not apply X-Frame-Options and CSP frame-ancestors to Quick Look-applicable responses in NetworkProcess
+        https://bugs.webkit.org/show_bug.cgi?id=185442
+        <rdar://problem/40067209>
+
+        Reviewed by Andy Estes.
+
+        Remove test http/tests/quicklook/csp-header-ignored.html from TestExpectations now that it passes.
+
+        * platform/ios/TestExpectations:
+
+2018-05-08  Daniel Bates  <[email protected]>
+
         Add tests to ensure that the Strong Password appearance is removed on form reset
         https://bugs.webkit.org/show_bug.cgi?id=185440
 

Modified: trunk/LayoutTests/platform/ios/TestExpectations (231520 => 231521)


--- trunk/LayoutTests/platform/ios/TestExpectations	2018-05-08 23:26:39 UTC (rev 231520)
+++ trunk/LayoutTests/platform/ios/TestExpectations	2018-05-08 23:28:05 UTC (rev 231521)
@@ -3296,5 +3296,3 @@
 webkit.org/b/185028 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ Failure ]
 
 webkit.org/b/185332 animations/duplicate-keys.html [ Pass ImageOnlyFailure ]
-
-webkit.org/b/185442 http/tests/quicklook/csp-header-ignored.html [ Failure ]
\ No newline at end of file
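
Review bot: X-Frame-Options has no visible test coverage in this patch: the only expectation dropped here is for http/tests/quicklook/csp-header-ignored.html, which by its name exercises the CSP header, while the change exempts X-Frame-Options as well. Consider adding a companion layout test next to csp-header-ignored.html that serves a Quick Look-applicable response with an X-Frame-Options header, so both halves of the exemption are covered on iOS.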

Modified: trunk/Source/WebKit/ChangeLog (231520 => 231521)


--- trunk/Source/WebKit/ChangeLog	2018-05-08 23:26:39 UTC (rev 231520)
+++ trunk/Source/WebKit/ChangeLog	2018-05-08 23:28:05 UTC (rev 231521)
@@ -1,3 +1,22 @@
+2018-05-08  Daniel Bates  <[email protected]>
+
+        Do not apply X-Frame-Options and CSP frame-ancestors to Quick Look-applicable responses in NetworkProcess
+        https://bugs.webkit.org/show_bug.cgi?id=185442
+        <rdar://problem/40067209>
+
+        Reviewed by Andy Estes.
+
+        Just as we exempt responses in WebContent process that will be handled by Quick Look from the Content
+        Security Policy frame-ancestors directive and X-Frame-Options checking we need to do the same when
+        such checks are performed in NetworkProcess following r231479.
+
+        HTTP responses that will be previewed using Quick Look are not considered web pages and are subject
+        to the security model for Quick Look documents. That is, they are exempt from Content Security Policy
+        and X-Frame-Options processing.
+
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions):
+
 2018-05-08  Brian Burg  <[email protected]>
 
         REGRESSION(r230743): Mousemove events are not coalesced properly, mousemove/drag is very laggy

Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (231520 => 231521)


--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp	2018-05-08 23:26:39 UTC (rev 231520)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp	2018-05-08 23:28:05 UTC (rev 231521)
@@ -62,6 +62,10 @@
 #include <WebCore/PlatformCookieJar.h>
 #endif
 
+#if USE(QUICK_LOOK)
+#include <WebCore/PreviewLoader.h>
+#endif
+
 using namespace WebCore;
 
 #define RELEASE_LOG_IF_ALLOWED(fmt, ...) RELEASE_LOG_IF(isAlwaysOnLoggingAllowed(), Network, "%p - NetworkResourceLoader::" fmt, this, ##__VA_ARGS__)
@@ -430,6 +434,12 @@
 bool NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(const ResourceResponse& response)
 {
     ASSERT(isMainResource());
+
+#if USE(QUICK_LOOK)
+    if (PreviewLoader::shouldCreateForMIMEType(response.mimeType()))
+        return false;
+#endif
+
     auto url = ""
     ContentSecurityPolicy contentSecurityPolicy { URL { url }, this };
     contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders { response }, originalRequest().httpReferrer());
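
Review bot: The early return added at the top of shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions() needs a comment, because it skips both header checks based only on response.mimeType(), a value taken from the response itself. State there why that is safe (the ChangeLog rationale: the response is previewed by Quick Look and is not treated as a web page) and name the WebContent-side check it mirrors, so the two conditions stay in sync. It is also worth confirming that PreviewLoader::shouldCreateForMIMEType() is the same predicate WebContent uses to decide that a preview is created; if the two can differ, a response could skip these checks here and still be rendered as a page.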