Title: [257729] trunk
Revision
257729
Author
[email protected]
Date
2020-03-02 13:07:55 -0800 (Mon, 02 Mar 2020)

Log Message

Fix behavior of pings regarding Origin header
https://bugs.webkit.org/show_bug.cgi?id=207102

Patch by Rob Buis <[email protected]> on 2020-03-02
Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

Import relevant tests.

* web-platform-tests/html/semantics/links/downloading-resources/header-origin-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url-expected.txt: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin.html: Added.
* web-platform-tests/html/semantics/links/downloading-resources/header-origin.js: Added.
(testOriginHeader):
(pollResult.return.new.Promise.):
(pollResult.return.new.Promise):
* web-platform-tests/html/semantics/links/downloading-resources/w3c-import.log:

Source/WebCore:

Fix behavior of pings regarding Origin header by using the
"append a request Origin header" algorithm [1]. This patch
also sets the origin before calling addExtraFieldsToSubresourceRequest
since the latter forces the origin to "null".

Tests: imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html
       imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.html

[1] https://fetch.spec.whatwg.org/#append-a-request-origin-header

* loader/PingLoader.cpp:
(WebCore::PingLoader::sendPing):
* page/SecurityPolicy.cpp:
(WebCore::SecurityPolicy::generateOriginHeader):
* page/SecurityPolicy.h:

Diff

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (257728 => 257729)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2020-03-02 20:58:22 UTC (rev 257728)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2020-03-02 21:07:55 UTC (rev 257729)
@@ -1,5 +1,38 @@
 2020-03-02  Rob Buis  <[email protected]>
 
+        Fix behavior of pings regarding Origin header
+        https://bugs.webkit.org/show_bug.cgi?id=207102
+
+        Reviewed by Youenn Fablet.
+
+        Import relevant tests.
+
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url-expected.txt: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin.html: Added.
+        * web-platform-tests/html/semantics/links/downloading-resources/header-origin.js: Added.
+        (testOriginHeader):
+        (pollResult.return.new.Promise.):
+        (pollResult.return.new.Promise):
+        * web-platform-tests/html/semantics/links/downloading-resources/w3c-import.log:
+
+2020-03-02  Rob Buis  <[email protected]>
+
         Add referrerpolicy attribute support for anchors
         https://bugs.webkit.org/show_bug.cgi?id=208424
 

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header No Referrer When Downgrade Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='no-referrer-when-downgrade'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>
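
Review bot: the expectation testOriginHeader(self.location.origin) on this page only covers a same-scheme ping, because header-origin.js builds the ping URL as a path under RESOURCES_DIR, so the branch of generateOriginHeader that returns "null" for an https origin pinging a non-https URL is never reached. The same holds for the strict-origin and strict-origin-when-cross-origin pages. A variant served over https that pings an http URL and expects "null" would cover that branch.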

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header No Referrer Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='no-referrer'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader("null");
+    </script>
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header Origin When Cross Origin Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='origin-when-cross-origin'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header Origin Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='origin'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header Same Origin Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='same-origin'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>
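
Review bot: this page asserts only the same-origin half of the same-origin policy: the ping URL set in header-origin.js is relative, so testOriginHeader(self.location.origin) passes without ever exercising the path where generateOriginHeader returns "null" for a URL the origin cannot request. A second case that points the ping at another origin and expects "null" would cover the behaviour this policy changes.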

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header Strict Origin When Cross Origin Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='strict-origin-when-cross-origin'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header Strict Origin Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='strict-origin'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url-expected.txt (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url-expected.txt	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,3 @@
+
+PASS Test origin header /html/semantics/links/downloading-resources/resources/ 
+

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,20 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin Header Unsafe Url Policy</title>
+    <script src=""
+    <script src=""
+    <meta name='referrer' content='unsafe-url'>
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.html (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.html	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.html	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,19 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Ping attribute Origin no Referrer Policy</title>
+    <script src=""
+    <script src=""
+  </head>
+  <body>
+    <a id="a" href=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script src=""
+    <script>
+      testOriginHeader(self.location.origin);
+    </script>
+  </body>
+</html>
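
Review bot: the title "Ping attribute Origin no Referrer Policy" is easy to confuse with header-origin-no-referrer.html's "Ping attribute Origin Header No Referrer Policy", although this page sets no referrer meta tag and expects the real origin rather than "null". A title such as "Ping attribute Origin Header Default Policy" would keep the two apart.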

Added: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.js (0 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.js	                        (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.js	2020-03-02 21:07:55 UTC (rev 257729)
@@ -0,0 +1,40 @@
+const RESOURCES_DIR = "/html/semantics/links/downloading-resources/resources/";
+
+function testOriginHeader(expectedOrigin) {
+  var id = self.token();
+  let testUrl = RESOURCES_DIR + "inspect-header.py?header=origin&cmd=put&id=" + id;
+
+  promise_test(function(test) {
+    const anchor = document.getElementById("a");
+    anchor.setAttribute("ping", testUrl);
+    anchor.click();
+    return pollResult(id) .then(result => {
+      assert_equals(result, expectedOrigin, "Correct origin header result");
+    });
+  }, "Test origin header " + RESOURCES_DIR);
+}
+
+// Sending a ping is an asynchronous and non-blocking request to a web server.
+// We may have to create a poll loop to get result from server
+function pollResult(id) {
+  let checkUrl = RESOURCES_DIR + "inspect-header.py?header=origin&cmd=get&id=" + id;
+
+  return new Promise(resolve => {
+    function checkResult() {
+      fetch(checkUrl).then(
+        function(response) {
+          assert_equals(response.status, 200, "Inspect header response's status is 200");
+          let result = response.headers.get("x-request-origin");
+
+          if (result != undefined) {
+            resolve(result);
+          } else {
+            step_timeout(checkResult.bind(this), 100);
+          }
+        });
+    }
+
+    checkResult();
+  });
+
+}
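
Review bot: pollResult has no rejection path: the promise executor takes only resolve, and the fetch(checkUrl).then(...) chain inside checkResult is neither returned nor caught, so a failed fetch or a failing assert_equals on response.status becomes an unhandled rejection and the test ends in a harness timeout instead of reporting the assertion message. Take reject in the executor and append .catch(reject) to the fetch chain. Smaller points in the same function: response.headers.get() returns null for a missing header, so result !== null states the intent more directly than result != undefined, and checkResult.bind(this) can be plain checkResult.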

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/w3c-import.log (257728 => 257729)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/w3c-import.log	2020-03-02 20:58:22 UTC (rev 257728)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/w3c-import.log	2020-03-02 21:07:55 UTC (rev 257729)
@@ -14,6 +14,16 @@
 None
 ------------------------------------------------------------------------
 List of files:
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.html
+/LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.js
 /LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-referrer-no-referrer-when-downgrade.html
 /LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-referrer-no-referrer.html
 /LayoutTests/imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-referrer-origin-when-cross-origin.html

Modified: trunk/Source/WebCore/ChangeLog (257728 => 257729)


--- trunk/Source/WebCore/ChangeLog	2020-03-02 20:58:22 UTC (rev 257728)
+++ trunk/Source/WebCore/ChangeLog	2020-03-02 21:07:55 UTC (rev 257729)
@@ -1,3 +1,33 @@
+2020-03-02  Rob Buis  <[email protected]>
+
+        Fix behavior of pings regarding Origin header
+        https://bugs.webkit.org/show_bug.cgi?id=207102
+
+        Reviewed by Youenn Fablet.
+
+        Fix behavior of pings regarding Origin header by using the
+        "append a request Origin header" algorithm [1]. This patch
+        also sets the origin before calling addExtraFieldsToSubresourceRequest
+        since the latter forces the origin to "null".
+
+        Tests: imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer-when-downgrade.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-no-referrer.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin-when-cross-origin.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-origin.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-same-origin.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin-when-cross-origin.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-strict-origin.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin-unsafe-url.html
+               imported/w3c/web-platform-tests/html/semantics/links/downloading-resources/header-origin.html
+
+        [1] https://fetch.spec.whatwg.org/#append-a-request-origin-header
+
+        * loader/PingLoader.cpp:
+        (WebCore::PingLoader::sendPing):
+        * page/SecurityPolicy.cpp:
+        (WebCore::SecurityPolicy::generateOriginHeader):
+        * page/SecurityPolicy.h:
+
 2020-03-02  Chris Dumez  <[email protected]>
 
         Reduce size of PerformanceEntry

Modified: trunk/Source/WebCore/loader/PingLoader.cpp (257728 => 257729)


--- trunk/Source/WebCore/loader/PingLoader.cpp	2020-03-02 20:58:22 UTC (rev 257728)
+++ trunk/Source/WebCore/loader/PingLoader.cpp	2020-03-02 21:07:55 UTC (rev 257729)
@@ -134,10 +134,9 @@
 
     HTTPHeaderMap originalRequestHeader = request.httpHeaderFields();
 
+    auto& sourceOrigin = document.securityOrigin();
+    FrameLoader::addHTTPOriginIfNeeded(request, SecurityPolicy::generateOriginHeader(document.referrerPolicy(), request.url(), sourceOrigin));
     frame.loader().addExtraFieldsToSubresourceRequest(request);
-
-    auto& sourceOrigin = document.securityOrigin();
-    FrameLoader::addHTTPOriginIfNeeded(request, sourceOrigin.toString());
     request.setHTTPHeaderField(HTTPHeaderName::PingTo, destinationURL);
     if (!SecurityPolicy::shouldHideReferrer(pingURL, frame.loader().outgoingReferrer()))
         request.setHTTPHeaderField(HTTPHeaderName::PingFrom, document.url());
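
Review bot: the new position of addHTTPOriginIfNeeded above frame.loader().addExtraFieldsToSubresourceRequest(request) is load-bearing, but only the ChangeLog says why (the latter forces the origin to "null"); add a one-line comment at the call so a later tidy-up does not move it back. Also, generateOriginHeader is given request.url() while the shouldHideReferrer check a few lines down uses pingURL; if these are always the same URL, use one name for both so the Origin and Ping-From decisions visibly rest on the same value.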

Modified: trunk/Source/WebCore/page/SecurityPolicy.cpp (257728 => 257729)


--- trunk/Source/WebCore/page/SecurityPolicy.cpp	2020-03-02 20:58:22 UTC (rev 257728)
+++ trunk/Source/WebCore/page/SecurityPolicy.cpp	2020-03-02 21:07:55 UTC (rev 257729)
@@ -131,6 +131,31 @@
     return shouldHideReferrer(url, referrer) ? String() : referrer;
 }
 
+String SecurityPolicy::generateOriginHeader(ReferrerPolicy referrerPolicy, const URL& url, const SecurityOrigin& securityOrigin)
+{
+    switch (referrerPolicy) {
+    case ReferrerPolicy::NoReferrer:
+        return "null"_s;
+    case ReferrerPolicy::NoReferrerWhenDowngrade:
+    case ReferrerPolicy::StrictOrigin:
+    case ReferrerPolicy::StrictOriginWhenCrossOrigin:
+        if (protocolIs(securityOrigin.protocol(), "https") && !url.protocolIs("https"))
+            return "null"_s;
+        break;
+    case ReferrerPolicy::SameOrigin:
+        if (!securityOrigin.canRequest(url))
+            return "null"_s;
+        break;
+    case ReferrerPolicy::EmptyString:
+    case ReferrerPolicy::Origin:
+    case ReferrerPolicy::OriginWhenCrossOrigin:
+    case ReferrerPolicy::UnsafeUrl:
+        break;
+    }
+
+    return securityOrigin.toString();
+}
+
 bool SecurityPolicy::shouldInheritSecurityOriginFromOwner(const URL& url)
 {
     // Paraphrased from <https://html.spec.whatwg.org/multipage/browsers.html#origin> (8 July 2016)
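
Review bot: in the SameOrigin case, securityOrigin.canRequest(url) is an access check by name, whereas the "append a request Origin header" algorithm cited in the ChangeLog asks whether the request's origin is same origin with the request URL's origin. If canRequest can return true for any URL that is not same-origin, this case sends the real origin where the algorithm wants "null"; either compare origins directly or add a comment stating why canRequest is equivalent here. The function also carries no reference to the algorithm it implements, while shouldInheritSecurityOriginFromOwner directly below cites its spec source in a comment; a link to https://fetch.spec.whatwg.org/#append-a-request-origin-header above the switch would make the policy grouping reviewable.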

Modified: trunk/Source/WebCore/page/SecurityPolicy.h (257728 => 257729)


--- trunk/Source/WebCore/page/SecurityPolicy.h	2020-03-02 20:58:22 UTC (rev 257728)
+++ trunk/Source/WebCore/page/SecurityPolicy.h	2020-03-02 21:07:55 UTC (rev 257729)
@@ -50,6 +50,8 @@
     // referrer header should be omitted.
     WEBCORE_EXPORT static String generateReferrerHeader(ReferrerPolicy, const URL&, const String& referrer);
 
+    static String generateOriginHeader(ReferrerPolicy, const URL&, const SecurityOrigin&);
+
     static bool shouldInheritSecurityOriginFromOwner(const URL&);
 
     static bool isBaseURLSchemeAllowed(const URL&);
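
Review bot: the new generateOriginHeader declaration has no comment, while generateReferrerHeader just above documents its return contract. State here that the result is either the serialized origin or the literal string "null", and which URL the const URL& parameter is expected to be.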