Diff
Modified: trunk/LayoutTests/ChangeLog (232216 => 232217)
--- trunk/LayoutTests/ChangeLog 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/LayoutTests/ChangeLog 2018-05-26 00:06:08 UTC (rev 232217)
@@ -1,3 +1,35 @@
+2018-05-25 Youenn Fablet <[email protected]>
+
+ Migrate From-Origin to Cross-Origin-Resource-Policy
+ https://bugs.webkit.org/show_bug.cgi?id=185840
+
+ Reviewed by Chris Dumez.
+
+ Migrating From-Origin tests to Cross-Origin-Resource-Policy tests.
+ Given the scope of the header is reduced to no-cors and no ancestor checks,
+ We cover the new header with fetch/image/script loads.
+
+ * TestExpectations:
+ * http/tests/from-origin: Removed.
+ * http/wpt/cross-origin-resource-policy/fetch-expected.txt: Added.
+ * http/wpt/cross-origin-resource-policy/fetch-in-iframe-expected.txt: Added.
+ * http/wpt/cross-origin-resource-policy/fetch-in-iframe.html: Added.
+ * http/wpt/cross-origin-resource-policy/fetch.html: Added.
+ * http/wpt/cross-origin-resource-policy/iframe-loads-expected.txt: Added.
+ * http/wpt/cross-origin-resource-policy/iframe-loads.html: Added.
+ * http/wpt/cross-origin-resource-policy/image-loads-expected.txt: Added.
+ * http/wpt/cross-origin-resource-policy/image-loads.html: Added.
+ * http/wpt/cross-origin-resource-policy/resources/green.png: Added.
+ * http/wpt/cross-origin-resource-policy/resources/hello.py: Added.
+ * http/wpt/cross-origin-resource-policy/resources/iframe.py: Added.
+ * http/wpt/cross-origin-resource-policy/resources/iframeFetch.html: Added.
+ * http/wpt/cross-origin-resource-policy/resources/image.py: Added.
+ * http/wpt/cross-origin-resource-policy/resources/redirect.py: Added.
+ * http/wpt/cross-origin-resource-policy/resources/script.py: Added.
+ * http/wpt/cross-origin-resource-policy/script-loads-expected.txt: Added.
+ * http/wpt/cross-origin-resource-policy/script-loads.html: Added.
+ * platform/wk2/TestExpectations:
+
2018-05-25 David Fenton <[email protected]>
fast/text/user-installed-fonts/shadow-family.html and fast/text/user-installed-fonts/shadow-postscript-family.html are flaky
Modified: trunk/LayoutTests/TestExpectations (232216 => 232217)
--- trunk/LayoutTests/TestExpectations 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/LayoutTests/TestExpectations 2018-05-26 00:06:08 UTC (rev 232217)
@@ -369,7 +369,7 @@
http/tests/xmlhttprequest/gzip-content-type-no-content-encoding.html [ Skip ]
# Only supported in WebKit2.
-http/tests/from-origin/ [ Skip ]
+http/wpt/cross-origin-resource-policy/ [ Skip ]
#//////////////////////////////////////////////////////////////////////////////////////////
# End platform-specific tests.
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-expected.txt (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-expected.txt (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-expected.txt 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,26 @@
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same due to access control checks.
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same-site because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same-site due to access control checks.
+CONSOLE MESSAGE: Cancelled load to https://localhost:9443/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load https://localhost:9443/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same due to access control checks.
+CONSOLE MESSAGE: Cancelled load to http://localhost:8801/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8801/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same due to access control checks.
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same due to access control checks.
+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same denied by Cross-Origin Resource Sharing policy: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/redirect.py?corp=same&redirectTo=http%3A%2F%2Flocalhost%3A8800%2FWebKit%2Fcross-origin-resource-policy%2Fresources%2Fhello.py%3Fcorp%3Dsame because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/redirect.py?corp=same&redirectTo=http%3A%2F%2Flocalhost%3A8800%2FWebKit%2Fcross-origin-resource-policy%2Fresources%2Fhello.py%3Fcorp%3Dsame due to access control checks.
+
+PASS Same-origin fetch with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' response header after a redirection.
+PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' response header after a cross-origin redirection.
+PASS Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' redirect response header.
+
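Review bot: The redirect case in this expectation (the line starting "Cross-origin redirection to") attributes the failure to "Cross-Origin Resource Sharing policy", yet the matching test is a no-cors fetch and the real reason, quoted after the colon, is the Cross-Origin-Resource-Policy header returned by redirect.py. Recording that text in the expected output makes the misleading prefix part of the contract. Consider having the redirect path report the Cross-Origin-Resource-Policy violation directly, as the non-redirect cases above do.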
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-in-iframe-expected.txt (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-in-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-in-iframe-expected.txt 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: Cancelled load to http://localhost:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same due to access control checks.
+CONSOLE MESSAGE: Cancelled load to http://localhost:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same-site because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same-site due to access control checks.
+CONSOLE MESSAGE: Cancelled load to http://localhost:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8800/WebKit/cross-origin-resource-policy/resources/hello.py?corp=same due to access control checks.
+
+PASS Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Same-origin fetch in a cross origin iframe load succeeds if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same' response header.
+
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-in-iframe.html (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-in-iframe.html (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch-in-iframe.html 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <script src=""
+</head>
+<body>
+ <script>
+const host = get_host_info();
+const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+
+function with_iframe(url)
+{
+ return new Promise(function(resolve) {
+ var frame = document.createElement('iframe');
+ frame.src = ""
+ frame._onload_ = function() { resolve(frame); };
+ document.body.appendChild(frame);
+ });
+}
+
+function loadIFrameAndFetch(iframeURL, fetchURL, expectedFetchResult)
+{
+ promise_test(async () => {
+ const frame = await with_iframe(iframeURL);
+ let receiveMessage;
+ const promise = new Promise((resolve, reject) => {
+ receiveMessage = (event) => {
+ if (event.data !== expectedFetchResult) {
+ reject("Received unexpected message " + event.data);
+ return;
+ }
+ resolve();
+ }
+ window.addEventListener("message", receiveMessage, false);
+ });
+ frame.contentWindow.postMessage(fetchURL, "*");
+ return promise.finally(() => {
+ frame.remove();
+ window.removeEventListener("message", receiveMessage, false);
+ });
+ }, title);
+}
+
+// This above data URL should be equivalent to resources/iframeFetch.html
+var dataIFrameURL = "data:text/html;base64,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";
+
+title = "Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same", "ko");
+
+title = "Cross-origin fetch in a data: iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same-site' response header.";
+loadIFrameAndFetch(dataIFrameURL, localBaseURL + "resources/hello.py?corp=same-site", "ko");
+
+title = "Cross-origin fetch in a cross origin iframe load fails if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", localBaseURL + "resources/hello.py?corp=same", "ko");
+
+title = "Same-origin fetch in a cross origin iframe load succeeds if the server blocks cross-origin loads with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadIFrameAndFetch(remoteBaseURL + "resources/iframeFetch.html", remoteBaseURL + "resources/hello.py?corp=same", "ok");
+ </script>
+</body>
+</html>
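Review bot: In loadIFrameAndFetch the message listener accepts any message delivered to the window and never compares event.source with frame.contentWindow, so a reply from a different frame would resolve or reject the current test. Check event.source before looking at event.data. The helper also reads its test name from the global title, which is reassigned before every call; passing it as a fourth argument would make that dependency explicit. The comment "This above data URL" sits above the variable it describes, and nothing keeps the base64 copy in step with resources/iframeFetch.html.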
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch.html (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch.html (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/fetch.html 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,83 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <script src=""
+</head>
+<body>
+ <script>
+const host = get_host_info();
+const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const remoteSameSiteBaseURL = "http://" + host.ORIGINAL_HOST + ":" + host.HTTP_PORT2 + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const httpsBaseURL = host.HTTPS_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+
+promise_test(async () => {
+ const response = await fetch("./resources/hello.py?corp=same");
+ assert_equals(await response.text(), "hello");
+}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same' response header.");
+
+promise_test(async () => {
+ const response = await fetch("./resources/hello.py?corp=same-site");
+ assert_equals(await response.text(), "hello");
+}, "Same-origin fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test(async (test) => {
+ const response = await fetch(remoteBaseURL + "resources/hello.py?corp=same");
+ assert_equals(await response.text(), "hello");
+}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same' response header.");
+
+promise_test(async (test) => {
+ const response = await fetch(remoteBaseURL + "resources/hello.py?corp=same-site");
+ assert_equals(await response.text(), "hello");
+}, "Cross-origin cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+ const remoteURL = remoteBaseURL + "resources/hello.py?corp=same";
+ return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' response header.");
+
+promise_test((test) => {
+ const remoteURL = remoteBaseURL + "resources/hello.py?corp=same-site";
+ return promise_rejects(test, new TypeError, fetch(remoteURL, { mode: "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+ const remoteURL = httpsBaseURL + "resources/hello.py?corp=same-site";
+ return fetch(remoteURL, { mode: "no-cors" });
+}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+ const remoteURL = httpsBaseURL + "resources/hello.py?corp=same";
+ return promise_rejects(test, new TypeError, fetch(remoteURL, { mode : "no-cors" }));
+}, "Cross-origin no-cors fetch to a same-site URL with a 'Cross-Origin-Resource-Policy: same' response header.");
+
+promise_test(async (test) => {
+ const remoteSameSiteURL = remoteSameSiteBaseURL + "resources/hello.py?corp=same-site";
+
+ await fetch(remoteSameSiteURL, { mode: "no-cors" });
+
+ return promise_rejects(test, new TypeError, fetch(remoteSameSiteBaseURL + "resources/hello.py?corp=same", { mode: "no-cors" }));
+}, "Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header.");
+
+promise_test((test) => {
+ const finalURL = remoteBaseURL + "resources/hello.py?corp=same";
+ return promise_rejects(test, new TypeError, fetch("resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' response header after a redirection.");
+
+promise_test((test) => {
+ const finalURL = localBaseURL + "resources/hello.py?corp=same";
+ return fetch(remoteBaseURL + "resources/redirect.py?redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" });
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' response header after a cross-origin redirection.");
+
+promise_test(async (test) => {
+ const finalURL = localBaseURL + "resources/hello.py?corp=same";
+
+ await fetch(finalURL, { mode: "no-cors" });
+
+ return promise_rejects(test, new TypeError, fetch(remoteBaseURL + "resources/redirect.py?corp=same&redirectTo=" + encodeURIComponent(finalURL), { mode: "no-cors" }));
+}, "Cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same' redirect response header.");
+ </script>
+</body>
+</html>
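Review bot: The cases that expect a no-cors load to succeed (the httpsBaseURL same-site test and the cross-origin redirection test) only return the fetch promise, so they pass on any fulfilled response. Asserting on response.type there would confirm that the load was treated as a cross-origin no-cors request rather than succeeding for an unrelated reason. The test titled "Valid cross-origin no-cors fetch with a 'Cross-Origin-Resource-Policy: same-site' response header" also asserts a rejection for corp=same on the same host; splitting it would give each outcome its own title. The test parameter is unused in the two cors tests.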
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/iframe-loads-expected.txt (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/iframe-loads-expected.txt (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/iframe-loads-expected.txt 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/iframe.py?corp=same because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/iframe.py?corp=same due to access control checks.
+
+PASS Load an iframe that has Cross-Origin-Resource-Policy header
+
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/iframe-loads.html (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/iframe-loads.html (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/iframe-loads.html 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <script src=""
+</head>
+<body>
+ <script>
+const host = get_host_info();
+const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const localBaseURL = host.HTTP_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+
+function with_iframe(url) {
+ return new Promise(function(resolve) {
+ var frame = document.createElement('iframe');
+ frame.src = ""
+ frame._onload_ = function() { resolve(frame); };
+ document.body.appendChild(frame);
+ });
+}
+
+promise_test(async() => {
+ const url = "" + "resources/iframe.py?corp=same";
+
+ await new Promise((resolve, reject) => {
+ return fetch(url, { mode: "no-cors" }).then(reject, resolve);
+ });
+
+ const iframe = await with_iframe(url);
+ return new Promise((resolve, reject) => {
+ window.addEventListener("message", (event) => {
+ if (event.data !== "pong") {
+ reject(event.data);
+ return;
+ }
+ resolve();
+ }, false);
+ iframe.contentWindow.postMessage("ping", "*");
+ }).finally(() => {
+ iframe.remove();
+ });
+}, "Load an iframe that has Cross-Origin-Resource-Policy header");
+ </script>
+</body>
+</html>
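Review bot: The title "Load an iframe that has Cross-Origin-Resource-Policy header" does not say which outcome is expected. The body first requires the no-cors fetch of iframe.py?corp=same to reject and then requires the iframe to load and answer "pong", so the title should state that the frame load is not blocked by the header. The first step can use promise_rejects(test, new TypeError, ...) as fetch.html does, instead of the hand-rolled new Promise with then(reject, resolve). The message listener is never removed, and localBaseURL is declared but never referenced.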
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/image-loads-expected.txt (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/image-loads-expected.txt (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/image-loads-expected.txt 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/image.py?corp=same&acao=* because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Cannot load image http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/image.py?corp=same&acao=* due to access control checks.
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/image.py?corp=same-site&acao=* because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Cannot load image http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/image.py?corp=same-site&acao=* due to access control checks.
+
+PASS Same-origin image load with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Same-origin image load with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.
+
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/image-loads.html (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/image-loads.html (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/image-loads.html 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,52 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <script src=""
+</head>
+<body>
+ <div id="testDiv"></div>
+ <script>
+const host = get_host_info();
+const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const ok = true;
+const ko = false;
+
+function loadImage(url, shoudLoad, corsMode)
+{
+ promise_test(() => {
+ const img = new Image();
+ if (corsMode)
+ img.crossOrigin = corsMode;
+ img.src = ""
+ return new Promise((resolve, reject) => {
+ img._onload_ = shoudLoad ? resolve : reject;
+ img._onerror_ = shoudLoad ? reject : resolve;
+ testDiv.appendChild(img);
+ }).finally(() => {
+ testDiv.innerHTML = "";
+ });
+ }, title)
+}
+
+title = "Same-origin image load with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadImage("./resources/image.py?corp=same", ok);
+
+title = "Same-origin image load with a 'Cross-Origin-Resource-Policy: same-site' response header.";
+loadImage("./resources/image.py?corp=same-site", ok);
+
+title = "Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadImage(remoteBaseURL + "resources/image.py?corp=same&acao=*", ok, "anonymous");
+
+title = "Cross-origin cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.";
+loadImage(remoteBaseURL + "resources/image.py?corp=same-site&acao=*", ok, "anonymous");
+
+title = "Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadImage(remoteBaseURL + "resources/image.py?corp=same&acao=*", ko);
+
+title = "Cross-origin no-cors image load with a 'Cross-Origin-Resource-Policy: same-site' response header.";
+loadImage(remoteBaseURL + "resources/image.py?corp=same-site&acao=*", ko);
+ </script>
+</body>
+</html>
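Review bot: loadImage takes its test name from the global title, which is reassigned between calls, rather than from an argument, so a reordered or missing assignment would silently reuse the previous name. Pass the title as a parameter. The parameter name shoudLoad is misspelled (shouldLoad), and the promise_test(...) call that closes the helper is missing its semicolon.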
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/green.png
(Binary files differ)
Index: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/green.png
===================================================================
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/green.png 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/green.png 2018-05-26 00:06:08 UTC (rev 232217)
Property changes on: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/green.png
___________________________________________________________________
Added: svn:mime-type
+image/png
\ No newline at end of property
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/hello.py (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/hello.py (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/hello.py 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,6 @@
+def main(request, response):
+ headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+ if 'origin' in request.headers:
+ headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+ return 200, headers, "hello"
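Review bot: request.GET['corp'] is read unconditionally, so this resource cannot serve a response without the header, whereas image.py and redirect.py guard with 'corp' in request.GET. Adding the same guard here would allow a baseline fetch test for a response that carries no Cross-Origin-Resource-Policy header at all.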
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/iframe.py (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/iframe.py (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/iframe.py 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,5 @@
+def main(request, response):
+ headers = [("Content-Type", "text/html"),
+ ("Cross-Origin-Resource-Policy", request.GET['corp'])]
+ return 200, headers, "<body><h3>The iframe</h3><script>window._onmessage_ = () => { parent.postMessage('pong', '*'); }</script></body>"
+
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/iframeFetch.html (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/iframeFetch.html (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/iframeFetch.html 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script>
+ function processMessage(event)
+ {
+ fetch(event.data, { mode: "no-cors" }).then(() => {
+ parent.postMessage("ok", "*");
+ }, () => {
+ parent.postMessage("ko", "*");
+ });
+ }
+ window.addEventListener("message", processMessage, false);
+ </script>
+</head>
+<body>
+ <h3>The iframe making a same origin fetch call.</h3>
+</body>
+</html>
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/image.py (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/image.py (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/image.py 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,21 @@
+import os.path
+
+def main(request, response):
+ type = request.GET.first("type", None)
+
+ body = open(os.path.join(os.path.dirname(__file__), "green.png"), "rb").read()
+
+ response.add_required_headers = False
+ response.writer.write_status(200)
+
+ if 'corp' in request.GET:
+ response.writer.write_header("cross-origin-resource-policy", request.GET['corp'])
+ if 'acao' in request.GET:
+ response.writer.write_header("access-control-allow-origin", request.GET['acao'])
+ response.writer.write_header("content-length", len(body))
+ if(type != None):
+ response.writer.write_header("content-type", type)
+ response.writer.end_headers()
+
+ response.writer.write(body)
+
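Review bot: green.png is read with open(...).read() and the file handle is never closed; use a with block. The local named type shadows the builtin, and "if(type != None)" is more idiomatically "if type is not None:". No caller in this patch passes a type parameter, so the content-type branch is not exercised by the added tests.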
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/redirect.py (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/redirect.py (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/redirect.py 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,6 @@
+def main(request, response):
+ headers = [("Location", request.GET['redirectTo'])]
+ if 'corp' in request.GET:
+ headers.append(('Cross-Origin-Resource-Policy', request.GET['corp']))
+
+ return 302, headers, ""
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/script.py (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/script.py (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/resources/script.py 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,6 @@
+def main(request, response):
+ headers = [("Cross-Origin-Resource-Policy", request.GET['corp'])]
+ if 'origin' in request.headers:
+ headers.append(('Access-Control-Allow-Origin', request.headers['origin']))
+
+ return 200, headers, ""
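Review bot: script-loads.html requests this resource with acao=*, but the handler never reads request.GET['acao']; it echoes the Origin request header into Access-Control-Allow-Origin instead, so the query parameter has no effect here while image.py honours it. Either read acao as image.py does or drop the parameter from the test URLs. Apart from the empty body the handler is a copy of hello.py, so one shared resource would do.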
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/script-loads-expected.txt (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/script-loads-expected.txt (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/script-loads-expected.txt 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/script.py?corp=same&acao=* because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: Cancelled load to http://127.0.0.1:8800/WebKit/cross-origin-resource-policy/resources/script.py?corp=same-site&acao=* because it violates the resource's Cross-Origin-Resource-Policy response header.
+CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+
+PASS Same-origin script load with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Same-origin script load with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.
+PASS Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same' response header.
+PASS Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.
+
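Review bot: For the two no-cors cases the second console line reads "Cross-origin script load denied by Cross-Origin Resource Sharing policy", but those loads set no crossOrigin attribute and are cancelled because of the Cross-Origin-Resource-Policy header, as the preceding line says. The fetch and image expectations report "due to access control checks" in the same situation; the script path should use matching wording rather than naming CORS.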
Added: trunk/LayoutTests/http/wpt/cross-origin-resource-policy/script-loads.html (0 => 232217)
--- trunk/LayoutTests/http/wpt/cross-origin-resource-policy/script-loads.html (rev 0)
+++ trunk/LayoutTests/http/wpt/cross-origin-resource-policy/script-loads.html 2018-05-26 00:06:08 UTC (rev 232217)
@@ -0,0 +1,50 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <script src=""
+</head>
+<body>
+ <div id="testDiv"></div>
+ <script>
+const host = get_host_info();
+const remoteBaseURL = host.HTTP_REMOTE_ORIGIN + window.location.pathname.replace(/\/[^\/]*$/, '/') ;
+const ok = true;
+const ko = false;
+
+function loadScript(url, shoudLoad, corsMode)
+{
+ promise_test(() => {
+ const script = document.createElement("script");
+ if (corsMode)
+ script.crossOrigin = corsMode;
+ script.src = ""
+ return new Promise((resolve, reject) => {
+ script._onload_ = shoudLoad ? resolve : reject;
+ script._onerror_ = shoudLoad ? reject : resolve;
+ testDiv.appendChild(script);
+ });
+ }, title);
+}
+
+title = "Same-origin script load with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadScript("./resources/script.py?corp=same", ok);
+
+title = "Same-origin script load with a 'Cross-Origin-Resource-Policy: same-site' response header.";
+loadScript("./resources/script.py?corp=same-site", ok);
+
+title = "Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadScript(remoteBaseURL + "resources/script.py?corp=same&acao=*", ok, "anonymous");
+
+title = "Cross-origin cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.";
+loadScript(remoteBaseURL + "resources/script.py?corp=same-site&acao=*", ok, "anonymous");
+
+title = "Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same' response header.";
+loadScript(remoteBaseURL + "resources/script.py?corp=same&acao=*", ko);
+
+title = "Cross-origin no-cors script load with a 'Cross-Origin-Resource-Policy: same-site' response header.";
+loadScript(remoteBaseURL + "resources/script.py?corp=same-site&acao=*", ko);
+ </script>
+</body>
+</html>
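Review bot: Unlike loadImage in image-loads.html, which clears testDiv in a finally handler, loadScript leaves every appended script element in the document after the promise settles. Add the same cleanup so the six tests do not accumulate state in testDiv.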
Modified: trunk/LayoutTests/platform/wk2/TestExpectations (232216 => 232217)
--- trunk/LayoutTests/platform/wk2/TestExpectations 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/LayoutTests/platform/wk2/TestExpectations 2018-05-26 00:06:08 UTC (rev 232217)
@@ -710,8 +710,8 @@
# Process swapping is only implemented on WebKit2.
http/tests/navigation/process-swap-window-open.html [ Pass ]
-# From-Origin response header is only implemented in WebKit2.
-http/tests/from-origin/ [ Pass ]
+# Cross-Origin-Resource-Policy response header is only implemented in WebKit2.
+http/wpt/cross-origin-resource-policy/ [ Pass ]
### END OF (5) Progressions, expected successes that are expected failures in WebKit1.
########################################
Modified: trunk/Source/WebCore/ChangeLog (232216 => 232217)
--- trunk/Source/WebCore/ChangeLog 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebCore/ChangeLog 2018-05-26 00:06:08 UTC (rev 232217)
@@ -1,3 +1,21 @@
+2018-05-25 Youenn Fablet <[email protected]>
+
+ Migrate From-Origin to Cross-Origin-Resource-Policy
+ https://bugs.webkit.org/show_bug.cgi?id=185840
+
+ Reviewed by Chris Dumez.
+
+ Tests: http/wpt/cross-origin-resource-policy/fetch-in-iframe.html
+ http/wpt/cross-origin-resource-policy/fetch.html
+ http/wpt/cross-origin-resource-policy/iframe-loads.html
+ http/wpt/cross-origin-resource-policy/image-loads.html
+ http/wpt/cross-origin-resource-policy/script-loads.html
+
+ * platform/network/HTTPHeaderNames.in:
+ * platform/network/HTTPParsers.cpp:
+ (WebCore::parseCrossOriginResourcePolicyHeader):
+ * platform/network/HTTPParsers.h:
+
2018-05-25 Daniel Bates <[email protected]>
NavigationAction should not hold a strong reference to a Document
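Review bot: this entry lists the touched files and parseCrossOriginResourcePolicyHeader with no description of what changed. Besides the rename, the parser's parameter type moves from const String& to StringView; a line saying so would help anyone reading the log later.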
Modified: trunk/Source/WebCore/platform/network/HTTPHeaderNames.in (232216 => 232217)
--- trunk/Source/WebCore/platform/network/HTTPHeaderNames.in 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebCore/platform/network/HTTPHeaderNames.in 2018-05-26 00:06:08 UTC (rev 232217)
@@ -51,6 +51,7 @@
Cookie
Cookie2
Cross-Origin-Options
+Cross-Origin-Resource-Policy
Date
DNT
Default-Style
@@ -57,7 +58,6 @@
ETag
Expect
Expires
-From-Origin
Host
If-Match
If-Modified-Since
Modified: trunk/Source/WebCore/platform/network/HTTPParsers.cpp (232216 => 232217)
--- trunk/Source/WebCore/platform/network/HTTPParsers.cpp 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.cpp 2018-05-26 00:06:08 UTC (rev 232217)
@@ -897,20 +897,20 @@
return method;
}
-FromOriginDisposition parseFromOriginHeader(const String& header)
+CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView header)
{
auto strippedHeader = stripLeadingAndTrailingHTTPSpaces(header);
if (strippedHeader.isEmpty())
- return FromOriginDisposition::None;
+ return CrossOriginResourcePolicy::None;
if (equalLettersIgnoringASCIICase(strippedHeader, "same"))
- return FromOriginDisposition::Same;
+ return CrossOriginResourcePolicy::Same;
if (equalLettersIgnoringASCIICase(strippedHeader, "same-site"))
- return FromOriginDisposition::SameSite;
+ return CrossOriginResourcePolicy::SameSite;
- return FromOriginDisposition::Invalid;
+ return CrossOriginResourcePolicy::Invalid;
}
CrossOriginOptions parseCrossOriginOptionsHeader(StringView header)
Modified: trunk/Source/WebCore/platform/network/HTTPParsers.h (232216 => 232217)
--- trunk/Source/WebCore/platform/network/HTTPParsers.h 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.h 2018-05-26 00:06:08 UTC (rev 232217)
@@ -64,7 +64,7 @@
XFrameOptionsConflict
};
-enum class FromOriginDisposition {
+enum class CrossOriginResourcePolicy {
None,
Same,
SameSite,
@@ -117,7 +117,7 @@
String normalizeHTTPMethod(const String&);
-WEBCORE_EXPORT FromOriginDisposition parseFromOriginHeader(const String&);
+WEBCORE_EXPORT CrossOriginResourcePolicy parseCrossOriginResourcePolicyHeader(StringView);
CrossOriginOptions parseCrossOriginOptionsHeader(StringView);
inline bool isHTTPSpace(UChar character)
Modified: trunk/Source/WebKit/ChangeLog (232216 => 232217)
--- trunk/Source/WebKit/ChangeLog 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebKit/ChangeLog 2018-05-26 00:06:08 UTC (rev 232217)
@@ -1,3 +1,31 @@
+2018-05-25 Youenn Fablet <[email protected]>
+
+ Migrate From-Origin to Cross-Origin-Resource-Policy
+ https://bugs.webkit.org/show_bug.cgi?id=185840
+
+ Reviewed by Chris Dumez.
+
+ Do Cross-Origin-Resource-Policy (CORP) checks in NetworkLoadChecker instead of NetworkResourceLoader directly.
+ Make sure CORP only applies to no-cors loads.
+ Remove ancestor checks and only consider the document origin making the load.
+ This means that in case of cross-origin redirection to same-origin, the redirection will be CORP-checked,
+ the final response will not be CORP-checked but will be opaque.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::validateCrossOriginResourcePolicyPolicy):
+ (WebKit::NetworkLoadChecker::validateResponse):
+ * NetworkProcess/NetworkLoadChecker.h:
+ * NetworkProcess/NetworkResourceLoader.cpp:
+ (WebKit::NetworkResourceLoader::retrieveCacheEntry):
+ (WebKit::NetworkResourceLoader::didReceiveResponse):
+ (WebKit::NetworkResourceLoader::continueWillSendRedirectedRequest):
+ (WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
+ (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):
+ * NetworkProcess/NetworkResourceLoader.h:
+ * WebProcess/Network/WebLoaderStrategy.cpp:
+ (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+ Send ancestor information for navigation loads only.
+
2018-05-25 Daniel Bates <[email protected]>
NavigationAction should not hold a strong reference to a Document
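Review bot: the entry names NetworkLoadChecker::validateCrossOriginResourcePolicyPolicy, but the function the patch adds to NetworkLoadChecker.cpp and NetworkLoadChecker.h is shouldCrossOriginResourcePolicyPolicyCancelLoad. Please update the ChangeLog to the final name. The description also states that a redirection will be CORP-checked, while the entry for continueWillSendRedirectedRequest carries no note on where that check now happens; one line per function would make this easier to verify.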
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (232216 => 232217)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-05-26 00:06:08 UTC (rev 232217)
@@ -131,6 +131,29 @@
checkRequest(WTFMove(request), WTFMove(handler));
}
+bool NetworkLoadChecker::shouldCrossOriginResourcePolicyPolicyCancelLoad(const ResourceResponse& response)
+{
+ if (m_origin->canRequest(response.url()))
+ return false;
+
+ auto policy = parseCrossOriginResourcePolicyHeader(response.httpHeaderField(HTTPHeaderName::CrossOriginResourcePolicy));
+ switch (policy) {
+ case CrossOriginResourcePolicy::None:
+ case CrossOriginResourcePolicy::Invalid:
+ return false;
+ case CrossOriginResourcePolicy::Same:
+ return true;
+ case CrossOriginResourcePolicy::SameSite: {
+#if ENABLE(PUBLIC_SUFFIX_LIST)
+ return m_origin->isUnique() || !registrableDomainsAreEqual(response.url(), ResourceRequest::partitionName(m_origin->host()));
+#else
+ return true;
+#endif
+ }}
+
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
ResourceError NetworkLoadChecker::validateResponse(ResourceResponse& response)
{
if (m_redirectCount)
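Review bot: in the switch of shouldCrossOriginResourcePolicyPolicyCancelLoad, CrossOriginResourcePolicy::Invalid shares the return false branch with None, so a header with an unrecognised value (the parser tests cover "samesite" and "same site") does not block the load. That matches the removed From-Origin code, but it is a fail-open choice and deserves a comment stating that it is intentional. In the SameSite case, the #else branch returns true without PUBLIC_SUFFIX_LIST, which makes same-site behave like same for every cross-origin response; worth a comment too. Minor: the name repeats "Policy" (PolicyPolicy) and the closing "}}" would read better on two lines.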
@@ -147,6 +170,8 @@
}
if (m_options.mode == FetchOptions::Mode::NoCors) {
+ if (shouldCrossOriginResourcePolicyPolicyCancelLoad(response))
+ return ResourceError { errorDomainWebKitInternal, 0, m_url, makeString("Cancelled load to ", response.url().stringCenterEllipsizedToLength(), " because it violates the resource's Cross-Origin-Resource-Policy response header."), ResourceError::Type::AccessControl };
response.setTainting(ResourceResponse::Tainting::Opaque);
return { };
}
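Review bot: the added return statement builds the whole ResourceError inline on one very long line. The code this replaces used a small helper (fromOriginResourceError) for the same purpose; an equivalent helper here would keep validateResponse readable and give a single place for the message. The message also interpolates response.url() while the error's URL argument is m_url; please confirm that reporting two different URLs is intended.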
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (232216 => 232217)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2018-05-26 00:06:08 UTC (rev 232217)
@@ -110,6 +110,8 @@
uint64_t m_webFrameID;
ResourceLoadIdentifier m_loadIdentifier;
+ bool shouldCrossOriginResourcePolicyPolicyCancelLoad(const WebCore::ResourceResponse&);
+
WebCore::FetchOptions m_options;
WebCore::StoredCredentialsPolicy m_storedCredentialsPolicy;
PAL::SessionID m_sessionID;
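Review bot: the declaration of shouldCrossOriginResourcePolicyPolicyCancelLoad is placed in the middle of the data members, between m_loadIdentifier and m_options. Please move it next to the other private member functions so that the member list stays contiguous.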
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (232216 => 232217)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2018-05-26 00:06:08 UTC (rev 232217)
@@ -361,48 +361,6 @@
cleanup(LoadResult::Cancel);
}
-static bool areFrameAncestorsSameSite(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)
-{
-#if ENABLE(PUBLIC_SUFFIX_LIST)
- auto responsePartition = ResourceRequest::partitionName(response.url().host().toString());
- return frameAncestorOrigins.findMatching([&](const auto& item) {
- return item->isUnique() || ResourceRequest::partitionName(item->host()) != responsePartition;
- }) == notFound;
-#else
- UNUSED_PARAM(response);
- UNUSED_PARAM(frameAncestorOrigins);
- return false;
-#endif
-}
-
-static bool areFrameAncestorsSameOrigin(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)
-{
- return frameAncestorOrigins.findMatching([responseOrigin = SecurityOrigin::create(response.url())](const auto& item) {
- return !item->isSameOriginAs(responseOrigin);
- }) == notFound;
-}
-
-static bool shouldCancelCrossOriginLoad(const ResourceResponse& response, const Vector<RefPtr<SecurityOrigin>>& frameAncestorOrigins)
-{
- auto fromOriginDirective = WebCore::parseFromOriginHeader(response.httpHeaderField(WebCore::HTTPHeaderName::FromOrigin));
- switch (fromOriginDirective) {
- case WebCore::FromOriginDisposition::None:
- case WebCore::FromOriginDisposition::Invalid:
- return false;
- case WebCore::FromOriginDisposition::Same:
- return !areFrameAncestorsSameOrigin(response, frameAncestorOrigins);
- case WebCore::FromOriginDisposition::SameSite:
- return !areFrameAncestorsSameSite(response, frameAncestorOrigins);
- }
-
- RELEASE_ASSERT_NOT_REACHED();
-}
-
-static ResourceError fromOriginResourceError(const URL& url)
-{
- return { errorDomainWebKitInternal, 0, url, ASCIILiteral { "Cancelled load because it violates the resource's From-Origin response header." }, ResourceError::Type::AccessControl };
-}
-
bool NetworkResourceLoader::shouldInterruptLoadForXFrameOptions(const String& xFrameOptions, const URL& url)
{
if (isMainFrameLoad())
@@ -491,21 +449,20 @@
if (m_cacheEntryForValidation)
return ShouldContinueDidReceiveResponse::Yes;
- ResourceError error;
- if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(m_response, m_parameters.frameAncestorOrigins))
- error = fromOriginResourceError(m_response.url());
- if (error.isNull() && isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(m_response)) {
+ if (isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(m_response)) {
send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { });
return ShouldContinueDidReceiveResponse::No;
}
- if (error.isNull() && m_networkLoadChecker)
- error = m_networkLoadChecker->validateResponse(m_response);
- if (!error.isNull()) {
- RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] {
- if (protectedThis->m_networkLoad)
- protectedThis->didFailLoading(error);
- });
- return ShouldContinueDidReceiveResponse::No;
+
+ if (m_networkLoadChecker) {
+ auto error = m_networkLoadChecker->validateResponse(m_response);
+ if (!error.isNull()) {
+ RunLoop::main().dispatch([protectedThis = makeRef(*this), error = WTFMove(error)] {
+ if (protectedThis->m_networkLoad)
+ protectedThis->didFailLoading(error);
+ });
+ return ShouldContinueDidReceiveResponse::No;
+ }
}
auto response = sanitizeResponseIfPossible(ResourceResponse { m_response }, ResourceResponse::SanitizationType::CrossOriginSafe);
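Review bot: the response-header check is now reachable only inside if (m_networkLoadChecker), whereas the removed From-Origin check ran before that test and did not depend on a checker being present. Any load that reaches didReceiveResponse without a NetworkLoadChecker will therefore skip the Cross-Origin-Resource-Policy check silently. Please confirm that every no-cors subresource load is created with a checker, or add an assertion or a comment documenting which loads are expected to have none.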
@@ -662,11 +619,6 @@
{
ASSERT(!isSynchronous());
- if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(redirectResponse, m_parameters.frameAncestorOrigins) && m_networkLoad) {
- didFailLoading(fromOriginResourceError(redirectResponse.url()));
- return;
- }
-
send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection)));
}
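Review bot: this removes the only header check on the redirect response in continueWillSendRedirectedRequest, and in the NetworkLoadChecker.cpp hunks shown the new check is called from validateResponse only. The ChangeLog says that a cross-origin redirection will still be CORP-checked, so please point to the call site that covers redirect responses, or add one, and make sure a test using resources/redirect.py fails if that check is missing.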
@@ -804,19 +756,16 @@
{
auto response = entry->response();
- ResourceError error;
- if (m_parameters.shouldEnableFromOriginResponseHeader && shouldCancelCrossOriginLoad(response, m_parameters.frameAncestorOrigins))
- error = fromOriginResourceError(response.url());
- if (error.isNull() && isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(response)) {
+ if (isMainResource() && shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(response)) {
send(Messages::WebResourceLoader::StopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied { });
return;
}
- if (error.isNull() && m_networkLoadChecker)
- error = m_networkLoadChecker->validateResponse(response);
-
- if (!error.isNull()) {
- didFailLoading(error);
- return;
+ if (m_networkLoadChecker) {
+ auto error = m_networkLoadChecker->validateResponse(response);
+ if (!error.isNull()) {
+ didFailLoading(error);
+ return;
+ }
}
response = sanitizeResponseIfPossible(WTFMove(response), ResourceResponse::SanitizationType::CrossOriginSafe);
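Review bot: the sequence here (frame-ancestors/X-Frame-Options check, then validateResponse, then didFailLoading on error) duplicates the one in the didReceiveResponse hunk, differing only in how the failure is dispatched. A shared helper returning the ResourceError would keep the cached and network paths from drifting apart when the next check is added.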
Modified: trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp (232216 => 232217)
--- trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp 2018-05-26 00:06:08 UTC (rev 232217)
@@ -329,10 +329,12 @@
loadParameters.shouldEnableFromOriginResponseHeader = RuntimeEnabledFeatures::sharedFeatures().fromOriginResponseHeaderEnabled() && !loadParameters.isMainFrameNavigation;
- Vector<RefPtr<SecurityOrigin>> frameAncestorOrigins;
- for (auto* frame = resourceLoader.frame(); frame; frame = frame->tree().parent())
- frameAncestorOrigins.append(makeRefPtr(frame->document()->securityOrigin()));
- loadParameters.frameAncestorOrigins = WTFMove(frameAncestorOrigins);
+ if (resourceLoader.options().mode == FetchOptions::Mode::Navigate) {
+ Vector<RefPtr<SecurityOrigin>> frameAncestorOrigins;
+ for (auto* frame = resourceLoader.frame(); frame; frame = frame->tree().parent())
+ frameAncestorOrigins.append(makeRefPtr(frame->document()->securityOrigin()));
+ loadParameters.frameAncestorOrigins = WTFMove(frameAncestorOrigins);
+ }
ASSERT((loadParameters.webPageID && loadParameters.webFrameID) || loadParameters.clientCredentialPolicy == ClientCredentialPolicy::CannotAskClientForCredentials);
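Review bot: the unchanged first line of this hunk still sets loadParameters.shouldEnableFromOriginResponseHeader from fromOriginResponseHeaderEnabled(), but this patch removes every reader of that parameter in NetworkResourceLoader.cpp, and the new check in NetworkLoadChecker does not consult it in the lines shown. Either the parameter and the runtime flag are now dead and should be removed or renamed, or the Cross-Origin-Resource-Policy check has lost its runtime gate; please say which is intended.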
Modified: trunk/Tools/TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp (232216 => 232217)
--- trunk/Tools/TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp 2018-05-25 23:48:11 UTC (rev 232216)
+++ trunk/Tools/TestWebKitAPI/Tests/WebCore/HTTPParsers.cpp 2018-05-26 00:06:08 UTC (rev 232217)
@@ -32,27 +32,27 @@
namespace TestWebKitAPI {
-TEST(HTTPParsers, ParseFromOriginHeader)
+TEST(HTTPParsers, ParseCrossOriginResourcePolicyHeader)
{
- EXPECT_TRUE(parseFromOriginHeader("") == FromOriginDisposition::None);
- EXPECT_TRUE(parseFromOriginHeader(" ") == FromOriginDisposition::None);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("") == CrossOriginResourcePolicy::None);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" ") == CrossOriginResourcePolicy::None);
- EXPECT_TRUE(parseFromOriginHeader("same") == FromOriginDisposition::Same);
- EXPECT_TRUE(parseFromOriginHeader("Same") == FromOriginDisposition::Same);
- EXPECT_TRUE(parseFromOriginHeader("SAME") == FromOriginDisposition::Same);
- EXPECT_TRUE(parseFromOriginHeader(" same ") == FromOriginDisposition::Same);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same") == CrossOriginResourcePolicy::Same);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same") == CrossOriginResourcePolicy::Same);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME") == CrossOriginResourcePolicy::Same);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" same ") == CrossOriginResourcePolicy::Same);
- EXPECT_TRUE(parseFromOriginHeader("same-site") == FromOriginDisposition::SameSite);
- EXPECT_TRUE(parseFromOriginHeader("Same-Site") == FromOriginDisposition::SameSite);
- EXPECT_TRUE(parseFromOriginHeader("SAME-SITE") == FromOriginDisposition::SameSite);
- EXPECT_TRUE(parseFromOriginHeader(" same-site ") == FromOriginDisposition::SameSite);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same-site") == CrossOriginResourcePolicy::SameSite);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("Same-Site") == CrossOriginResourcePolicy::SameSite);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAME-SITE") == CrossOriginResourcePolicy::SameSite);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader(" same-site ") == CrossOriginResourcePolicy::SameSite);
- EXPECT_TRUE(parseFromOriginHeader("zame") == FromOriginDisposition::Invalid);
- EXPECT_TRUE(parseFromOriginHeader("samesite") == FromOriginDisposition::Invalid);
- EXPECT_TRUE(parseFromOriginHeader("same site") == FromOriginDisposition::Invalid);
- EXPECT_TRUE(parseFromOriginHeader("same–site") == FromOriginDisposition::Invalid);
- EXPECT_TRUE(parseFromOriginHeader("SAMESITE") == FromOriginDisposition::Invalid);
- EXPECT_TRUE(parseFromOriginHeader("") == FromOriginDisposition::Invalid);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("zame") == CrossOriginResourcePolicy::Invalid);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("samesite") == CrossOriginResourcePolicy::Invalid);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same site") == CrossOriginResourcePolicy::Invalid);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("same–site") == CrossOriginResourcePolicy::Invalid);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("SAMESITE") == CrossOriginResourcePolicy::Invalid);
+ EXPECT_TRUE(parseCrossOriginResourcePolicyHeader("") == CrossOriginResourcePolicy::Invalid);
}
} // namespace TestWebKitAPI
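Review bot: as the hunk reads here, the last expectation, parseCrossOriginResourcePolicyHeader("") == CrossOriginResourcePolicy::Invalid, contradicts the first one, which expects the empty string to parse as None; both cannot pass. The literal was carried over unchanged from the old ParseFromOriginHeader test, so if it originally contained a non-ASCII or control character, please write it with an explicit escape sequence so that the intent survives editors and diff viewers. The same applies to the "same–site" case, which relies on a raw en dash inside a narrow string literal.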