Diff
Modified: trunk/Source/WebCore/ChangeLog (258051 => 258052)
--- trunk/Source/WebCore/ChangeLog 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/ChangeLog 2020-03-07 04:07:53 UTC (rev 258052)
@@ -1,3 +1,35 @@
+2020-03-06 Alex Christensen <[email protected]>
+
+ Add SPI to disable cross origin access control checks
+ https://bugs.webkit.org/show_bug.cgi?id=208748
+ <rdar://problem/59861114>
+
+ Reviewed by Tim Hatcher.
+
+ Because loading is done process-globally in the WebProcess, use a CrossOriginAccessControlCheckDisabler::singleton for those checks.
+ Pass a parameter to the NetworkResourceLoaders to disable these checks only for loads from a web process without access control checks.
+ As long as we're changing the signature of passesAccessControlCheck, make it return an Expected instead of a bool with an out parameter.
+
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::CrossOriginAccessControlCheckDisabler::singleton):
+ (WebCore::CrossOriginAccessControlCheckDisabler::setCrossOriginAccessControlCheckEnabled):
+ (WebCore::CrossOriginAccessControlCheckDisabler::crossOriginAccessControlCheckEnabled const):
+ (WebCore::passesAccessControlCheck):
+ (WebCore::validatePreflightResponse):
+ * loader/CrossOriginAccessControl.h:
+ * loader/CrossOriginPreflightChecker.cpp:
+ (WebCore::CrossOriginPreflightChecker::validatePreflightResponse):
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::loadRequest):
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::willSendRequestInternal):
+ (WebCore::SubresourceLoader::didReceiveResponse):
+ (WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl):
+ (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
+ * loader/SubresourceLoader.h:
+ * loader/cache/CachedResource.cpp:
+ (WebCore::CachedResource::loadFrom):
+
2020-03-06 Myles C. Maxfield <[email protected]>
[GPU Process] Implement CanvasRenderingContext2D.putImageData()
Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (258051 => 258052)
--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -35,6 +35,7 @@
#include "Page.h"
#include "ResourceRequest.h"
#include "ResourceResponse.h"
+#include "RuntimeApplicationChecks.h"
#include "SecurityOrigin.h"
#include "SecurityPolicy.h"
#include <mutex>
@@ -206,55 +207,74 @@
request.clearHTTPAcceptEncoding();
}
-bool passesAccessControlCheck(const ResourceResponse& response, StoredCredentialsPolicy storedCredentialsPolicy, SecurityOrigin& securityOrigin, String& errorDescription)
+CrossOriginAccessControlCheckDisabler& CrossOriginAccessControlCheckDisabler::singleton()
{
+ ASSERT(!isInNetworkProcess());
+ static NeverDestroyed<CrossOriginAccessControlCheckDisabler> disabler;
+ return disabler.get();
+}
+
+void CrossOriginAccessControlCheckDisabler::setCrossOriginAccessControlCheckEnabled(bool enabled)
+{
+ ASSERT(!isInNetworkProcess());
+ m_accessControlCheckEnabled = enabled;
+}
+
+bool CrossOriginAccessControlCheckDisabler::crossOriginAccessControlCheckEnabled() const
+{
+ ASSERT(!isInNetworkProcess());
+ return m_accessControlCheckEnabled;
+}
+
+Expected<void, String> passesAccessControlCheck(const ResourceResponse& response, StoredCredentialsPolicy storedCredentialsPolicy, const SecurityOrigin& securityOrigin, const CrossOriginAccessControlCheckDisabler* checkDisabler)
+{
// A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
// even with Access-Control-Allow-Credentials set to true.
const String& accessControlOriginString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowOrigin);
- if (accessControlOriginString == "*" && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse)
- return true;
+ bool starAllowed = storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse;
+ if (!starAllowed)
+ starAllowed = checkDisabler && !checkDisabler->crossOriginAccessControlCheckEnabled();
+ if (accessControlOriginString == "*" && starAllowed)
+ return { };
String securityOriginString = securityOrigin.toString();
if (accessControlOriginString != securityOriginString) {
if (accessControlOriginString == "*")
- errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."_s;
- else if (accessControlOriginString.find(',') != notFound)
- errorDescription = "Access-Control-Allow-Origin cannot contain more than one origin."_s;
- else
- errorDescription = makeString("Origin ", securityOriginString, " is not allowed by Access-Control-Allow-Origin.");
- return false;
+ return makeUnexpected("Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true."_s);
+ if (accessControlOriginString.find(',') != notFound)
+ return makeUnexpected("Access-Control-Allow-Origin cannot contain more than one origin."_s);
+ return makeUnexpected(makeString("Origin ", securityOriginString, " is not allowed by Access-Control-Allow-Origin."));
}
if (storedCredentialsPolicy == StoredCredentialsPolicy::Use) {
const String& accessControlCredentialsString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowCredentials);
- if (accessControlCredentialsString != "true") {
- errorDescription = "Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\".";
- return false;
- }
+ if (accessControlCredentialsString != "true")
+ return makeUnexpected("Credentials flag is true, but Access-Control-Allow-Credentials is not \"true\"."_s);
}
- return true;
+ return { };
}
-bool validatePreflightResponse(const ResourceRequest& request, const ResourceResponse& response, StoredCredentialsPolicy storedCredentialsPolicy, SecurityOrigin& securityOrigin, String& errorDescription)
+Expected<void, String> validatePreflightResponse(const ResourceRequest& request, const ResourceResponse& response, StoredCredentialsPolicy storedCredentialsPolicy, const SecurityOrigin& securityOrigin, const CrossOriginAccessControlCheckDisabler* checkDisabler)
{
- if (!response.isSuccessful()) {
- errorDescription = "Preflight response is not successful"_s;
- return false;
- }
+ if (!response.isSuccessful())
+ return makeUnexpected("Preflight response is not successful"_s);
- if (!passesAccessControlCheck(response, storedCredentialsPolicy, securityOrigin, errorDescription))
- return false;
+ auto accessControlCheckResult = passesAccessControlCheck(response, storedCredentialsPolicy, securityOrigin, checkDisabler);
+ if (!accessControlCheckResult)
+ return accessControlCheckResult;
auto result = makeUnique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy);
+ String errorDescription;
+ // FIXME: allowsCrossOriginMethod and allowsCrossOriginHeaders should return Expected<void, String> to avoid having an out parameter.
if (!result->parse(response)
|| !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription)
|| !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) {
- return false;
+ return makeUnexpected(errorDescription);
}
CrossOriginPreflightResultCache::singleton().appendEntry(securityOrigin.toString(), request.url(), WTFMove(result));
- return true;
+ return { };
}
static inline bool shouldCrossOriginResourcePolicyCancelLoad(const SecurityOrigin& origin, const ResourceResponse& response)
Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.h (258051 => 258052)
--- trunk/Source/WebCore/loader/CrossOriginAccessControl.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -29,6 +29,7 @@
#include "HTTPHeaderNames.h"
#include "ReferrerPolicy.h"
#include "StoredCredentialsPolicy.h"
+#include <wtf/Expected.h>
#include <wtf/Forward.h>
#include <wtf/OptionSet.h>
@@ -66,9 +67,19 @@
OptionSet<HTTPHeadersToKeepFromCleaning> httpHeadersToKeepFromCleaning(const HTTPHeaderMap&);
WEBCORE_EXPORT void cleanHTTPRequestHeadersForAccessControl(ResourceRequest&, OptionSet<HTTPHeadersToKeepFromCleaning>);
-WEBCORE_EXPORT bool passesAccessControlCheck(const ResourceResponse&, StoredCredentialsPolicy, SecurityOrigin&, String& errorDescription);
-WEBCORE_EXPORT bool validatePreflightResponse(const ResourceRequest&, const ResourceResponse&, StoredCredentialsPolicy, SecurityOrigin&, String& errorDescription);
+class WEBCORE_EXPORT CrossOriginAccessControlCheckDisabler {
+public:
+ static CrossOriginAccessControlCheckDisabler& singleton();
+ virtual ~CrossOriginAccessControlCheckDisabler() = default;
+ void setCrossOriginAccessControlCheckEnabled(bool);
+ virtual bool crossOriginAccessControlCheckEnabled() const;
+private:
+ bool m_accessControlCheckEnabled { true };
+};
+WEBCORE_EXPORT Expected<void, String> passesAccessControlCheck(const ResourceResponse&, StoredCredentialsPolicy, const SecurityOrigin&, const CrossOriginAccessControlCheckDisabler*);
+WEBCORE_EXPORT Expected<void, String> validatePreflightResponse(const ResourceRequest&, const ResourceResponse&, StoredCredentialsPolicy, const SecurityOrigin&, const CrossOriginAccessControlCheckDisabler*);
+
WEBCORE_EXPORT Optional<ResourceError> validateCrossOriginResourcePolicy(const SecurityOrigin&, const URL&, const ResourceResponse&);
Optional<ResourceError> validateRangeRequestedFlag(const ResourceRequest&, const ResourceResponse&);
String validateCrossOriginRedirectionURL(const URL&);
Modified: trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp (258051 => 258052)
--- trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/loader/CrossOriginPreflightChecker.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -63,12 +63,12 @@
auto* frame = loader.document().frame();
ASSERT(frame);
- String errorDescription;
- if (!WebCore::validatePreflightResponse(request, response, loader.options().storedCredentialsPolicy, loader.securityOrigin(), errorDescription)) {
+ auto result = WebCore::validatePreflightResponse(request, response, loader.options().storedCredentialsPolicy, loader.securityOrigin(), &CrossOriginAccessControlCheckDisabler::singleton());
+ if (!result) {
if (auto* document = frame->document())
- document->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorDescription);
+ document->addConsoleMessage(MessageSource::Security, MessageLevel::Error, result.error());
- loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), errorDescription, ResourceError::Type::AccessControl));
+ loader.preflightFailure(identifier, ResourceError(errorDomainWebKitInternal, 0, request.url(), result.error(), ResourceError::Type::AccessControl));
return;
}
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (258051 => 258052)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -616,9 +616,9 @@
else {
ASSERT(m_options.mode == FetchOptions::Mode::Cors);
response.setTainting(ResourceResponse::Tainting::Cors);
- String accessControlErrorDescription;
- if (!passesAccessControlCheck(response, m_options.storedCredentialsPolicy, securityOrigin(), accessControlErrorDescription)) {
- logErrorAndFail(ResourceError(errorDomainWebKitInternal, 0, response.url(), accessControlErrorDescription, ResourceError::Type::AccessControl));
+ auto accessControlCheckResult = passesAccessControlCheck(response, m_options.storedCredentialsPolicy, securityOrigin(), &CrossOriginAccessControlCheckDisabler::singleton());
+ if (!accessControlCheckResult) {
+ logErrorAndFail(ResourceError(errorDomainWebKitInternal, 0, response.url(), accessControlCheckResult.error(), ResourceError::Type::AccessControl));
return;
}
}
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (258051 => 258052)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -281,9 +281,9 @@
return completionHandler(WTFMove(newRequest));
}
- String errorDescription;
- if (!checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest, errorDescription)) {
- String errorMessage = "Cross-origin redirection to " + newRequest.url().string() + " denied by Cross-Origin Resource Sharing policy: " + errorDescription;
+ auto accessControlCheckResult = checkRedirectionCrossOriginAccessControl(request(), redirectResponse, newRequest);
+ if (!accessControlCheckResult) {
+ auto errorMessage = makeString("Cross-origin redirection to ", newRequest.url().string(), " denied by Cross-Origin Resource Sharing policy: ", accessControlCheckResult.error());
if (m_frame && m_frame->document())
m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorMessage);
RELEASE_LOG_IF_ALLOWED("willSendRequestInternal: resource load canceled because crosss-origin redirection denied by CORS policy");
@@ -411,12 +411,12 @@
m_frame->page()->diagnosticLoggingClient().logDiagnosticMessageWithResult(DiagnosticLoggingKeys::cachedResourceRevalidationKey(), emptyString(), DiagnosticLoggingResultFail, ShouldSample::Yes);
}
- String errorDescription;
- if (!checkResponseCrossOriginAccessControl(response, errorDescription)) {
+ auto accessControlCheckResult = checkResponseCrossOriginAccessControl(response);
+ if (!accessControlCheckResult) {
if (m_frame && m_frame->document())
- m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, errorDescription);
+ m_frame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, accessControlCheckResult.error());
RELEASE_LOG_IF_ALLOWED("didReceiveResponse: canceling load because of cross origin access control");
- cancel(ResourceError(String(), 0, request().url(), errorDescription, ResourceError::Type::AccessControl));
+ cancel(ResourceError(String(), 0, request().url(), accessControlCheckResult.error(), ResourceError::Type::AccessControl));
return;
}
@@ -600,22 +600,27 @@
frame->page()->diagnosticLoggingClient().logDiagnosticMessage(DiagnosticLoggingKeys::resourceLoadedKey(), resourceType, ShouldSample::Yes);
}
-bool SubresourceLoader::checkResponseCrossOriginAccessControl(const ResourceResponse& response, String& errorDescription)
+Expected<void, String> SubresourceLoader::checkResponseCrossOriginAccessControl(const ResourceResponse& response)
{
if (!m_resource->isCrossOrigin() || options().mode != FetchOptions::Mode::Cors)
- return true;
+ return { };
#if ENABLE(SERVICE_WORKER)
- if (response.source() == ResourceResponse::Source::ServiceWorker)
- return response.tainting() != ResourceResponse::Tainting::Opaque;
+ if (response.source() == ResourceResponse::Source::ServiceWorker) {
+ if (response.tainting() == ResourceResponse::Tainting::Opaque) {
+ // FIXME: This should have an error message.
+ return makeUnexpected(String());
+ }
+ return { };
+ }
#endif
ASSERT(m_origin);
- return passesAccessControlCheck(response, options().credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse, *m_origin, errorDescription);
+ return passesAccessControlCheck(response, options().credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse, *m_origin, &CrossOriginAccessControlCheckDisabler::singleton());
}
-bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest, String& errorMessage)
+Expected<void, String> SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest)
{
bool crossOriginFlag = m_resource->isCrossOrigin();
bool isNextRequestCrossOrigin = m_origin && !m_origin->canRequest(newRequest.url());
@@ -629,14 +634,17 @@
if (options().mode == FetchOptions::Mode::Cors) {
if (m_resource->isCrossOrigin()) {
auto locationString = redirectResponse.httpHeaderField(HTTPHeaderName::Location);
- errorMessage = validateCrossOriginRedirectionURL(URL(redirectResponse.url(), locationString));
+ String errorMessage = validateCrossOriginRedirectionURL(URL(redirectResponse.url(), locationString));
if (!errorMessage.isNull())
- return false;
+ return makeUnexpected(WTFMove(errorMessage));
}
ASSERT(m_origin);
- if (crossOriginFlag && !passesAccessControlCheck(redirectResponse, options().storedCredentialsPolicy, *m_origin, errorMessage))
- return false;
+ if (crossOriginFlag) {
+ auto accessControlCheckResult = passesAccessControlCheck(redirectResponse, options().storedCredentialsPolicy, *m_origin, &CrossOriginAccessControlCheckDisabler::singleton());
+ if (!accessControlCheckResult)
+ return accessControlCheckResult;
+ }
}
bool redirectingToNewOrigin = false;
@@ -661,7 +669,7 @@
updateRequestReferrer(newRequest, referrerPolicy(), previousRequest.httpReferrer());
- return true;
+ return { };
}
void SubresourceLoader::updateReferrerPolicy(const String& referrerPolicyValue)
Modified: trunk/Source/WebCore/loader/SubresourceLoader.h (258051 => 258052)
--- trunk/Source/WebCore/loader/SubresourceLoader.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/loader/SubresourceLoader.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -89,8 +89,8 @@
void releaseResources() override;
bool checkForHTTPStatusCodeError();
- bool checkResponseCrossOriginAccessControl(const ResourceResponse&, String&);
- bool checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse&, ResourceRequest& newRequest, String&);
+ Expected<void, String> checkResponseCrossOriginAccessControl(const ResourceResponse&);
+ Expected<void, String> checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse&, ResourceRequest& newRequest);
void didReceiveDataOrBuffer(const char*, int, RefPtr<SharedBuffer>&&, long long encodedDataLength, DataPayloadType);
Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (258051 => 258052)
--- trunk/Source/WebCore/loader/cache/CachedResource.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -347,9 +347,9 @@
if (isCrossOrigin() && m_options.mode == FetchOptions::Mode::Cors) {
ASSERT(m_origin);
- String errorMessage;
- if (!WebCore::passesAccessControlCheck(resource.response(), m_options.storedCredentialsPolicy, *m_origin, errorMessage)) {
- setResourceError(ResourceError(String(), 0, url(), errorMessage, ResourceError::Type::AccessControl));
+ auto accessControlCheckResult = WebCore::passesAccessControlCheck(resource.response(), m_options.storedCredentialsPolicy, *m_origin, &CrossOriginAccessControlCheckDisabler::singleton());
+ if (!accessControlCheckResult) {
+ setResourceError(ResourceError(String(), 0, url(), accessControlCheckResult.error(), ResourceError::Type::AccessControl));
return;
}
}
Modified: trunk/Source/WebKit/ChangeLog (258051 => 258052)
--- trunk/Source/WebKit/ChangeLog 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/ChangeLog 2020-03-07 04:07:53 UTC (rev 258052)
@@ -1,3 +1,52 @@
+2020-03-06 Alex Christensen <[email protected]>
+
+ Add SPI to disable cross origin access control checks
+ https://bugs.webkit.org/show_bug.cgi?id=208748
+ <rdar://problem/59861114>
+
+ Reviewed by Tim Hatcher.
+
+ * NetworkProcess/NetworkCORSPreflightChecker.cpp:
+ (WebKit::NetworkCORSPreflightChecker::NetworkCORSPreflightChecker):
+ (WebKit::NetworkCORSPreflightChecker::didCompleteWithError):
+ * NetworkProcess/NetworkCORSPreflightChecker.h:
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::NetworkLoadChecker):
+ (WebKit::NetworkLoadChecker::validateResponse):
+ (WebKit::NetworkLoadChecker::checkCORSRequestWithPreflight):
+ * NetworkProcess/NetworkLoadChecker.h:
+ * NetworkProcess/NetworkResourceLoadParameters.cpp:
+ (WebKit::NetworkResourceLoadParameters::encode const):
+ (WebKit::NetworkResourceLoadParameters::decode):
+ * NetworkProcess/NetworkResourceLoadParameters.h:
+ * NetworkProcess/NetworkResourceLoader.cpp:
+ (WebKit::NetworkResourceLoader::crossOriginAccessControlCheckEnabled const):
+ * NetworkProcess/NetworkResourceLoader.h:
+ * NetworkProcess/PingLoad.cpp:
+ (WebKit::PingLoad::PingLoad):
+ * Shared/WebPageCreationParameters.cpp:
+ (WebKit::WebPageCreationParameters::encode const):
+ (WebKit::WebPageCreationParameters::decode):
+ * Shared/WebPageCreationParameters.h:
+ * UIProcess/API/APIPageConfiguration.cpp:
+ (API::PageConfiguration::copy const):
+ * UIProcess/API/APIPageConfiguration.h:
+ (API::PageConfiguration::crossOriginAccessControlCheckEnabled const):
+ (API::PageConfiguration::setCrossOriginAccessControlCheckEnabled):
+ * UIProcess/API/Cocoa/WKWebViewConfiguration.mm:
+ (-[WKWebViewConfiguration _setCrossOriginAccessControlCheckEnabled:]):
+ (-[WKWebViewConfiguration _crossOriginAccessControlCheckEnabled]):
+ * UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h:
+ * UIProcess/WebPageProxy.cpp:
+ * WebProcess/Network/WebLoaderStrategy.cpp:
+ (WebKit::addParametersShared):
+ (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+ (WebKit::WebLoaderStrategy::loadResourceSynchronously):
+ (WebKit::WebLoaderStrategy::startPingLoad):
+ (WebKit::addParametersFromFrame): Deleted.
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::m_processDisplayName):
+
2020-03-06 Myles C. Maxfield <[email protected]>
[GPU Process] Implement CanvasRenderingContext2D.putImageData()
Modified: trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -31,6 +31,7 @@
#include "Logging.h"
#include "NetworkLoadParameters.h"
#include "NetworkProcess.h"
+#include "NetworkResourceLoader.h"
#include <WebCore/CrossOriginAccessControl.h>
#include <WebCore/SecurityOrigin.h>
@@ -40,11 +41,12 @@
using namespace WebCore;
-NetworkCORSPreflightChecker::NetworkCORSPreflightChecker(NetworkProcess& networkProcess, Parameters&& parameters, bool shouldCaptureExtraNetworkLoadMetrics, CompletionCallback&& completionCallback)
+NetworkCORSPreflightChecker::NetworkCORSPreflightChecker(NetworkProcess& networkProcess, NetworkResourceLoader* networkResourceLoader, Parameters&& parameters, bool shouldCaptureExtraNetworkLoadMetrics, CompletionCallback&& completionCallback)
: m_parameters(WTFMove(parameters))
, m_networkProcess(networkProcess)
, m_completionCallback(WTFMove(completionCallback))
, m_shouldCaptureExtraNetworkLoadMetrics(shouldCaptureExtraNetworkLoadMetrics)
+ , m_networkResourceLoader(makeWeakPtr(networkResourceLoader))
{
}
@@ -137,10 +139,10 @@
RELEASE_LOG_IF_ALLOWED("didComplete http_status_code: %d", m_response.httpStatusCode());
- String errorDescription;
- if (!validatePreflightResponse(m_parameters.originalRequest, m_response, m_parameters.storedCredentialsPolicy, m_parameters.sourceOrigin, errorDescription)) {
- RELEASE_LOG_IF_ALLOWED("didComplete, AccessControl error: %s", errorDescription.utf8().data());
- m_completionCallback(ResourceError { errorDomainWebKitInternal, 0, m_parameters.originalRequest.url(), errorDescription, ResourceError::Type::AccessControl });
+ auto result = validatePreflightResponse(m_parameters.originalRequest, m_response, m_parameters.storedCredentialsPolicy, m_parameters.sourceOrigin, m_networkResourceLoader.get());
+ if (!result) {
+ RELEASE_LOG_IF_ALLOWED("didComplete, AccessControl error: %s", result.error().utf8().data());
+ m_completionCallback(ResourceError { errorDomainWebKitInternal, 0, m_parameters.originalRequest.url(), result.error(), ResourceError::Type::AccessControl });
return;
}
m_completionCallback(ResourceError { });
Modified: trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -42,6 +42,7 @@
namespace WebKit {
class NetworkProcess;
+class NetworkResourceLoader;
class NetworkCORSPreflightChecker final : private NetworkDataTaskClient {
WTF_MAKE_FAST_ALLOCATED;
@@ -58,7 +59,7 @@
};
using CompletionCallback = CompletionHandler<void(WebCore::ResourceError&&)>;
- NetworkCORSPreflightChecker(NetworkProcess&, Parameters&&, bool shouldCaptureExtraNetworkLoadMetrics, CompletionCallback&&);
+ NetworkCORSPreflightChecker(NetworkProcess&, NetworkResourceLoader*, Parameters&&, bool shouldCaptureExtraNetworkLoadMetrics, CompletionCallback&&);
~NetworkCORSPreflightChecker();
const WebCore::ResourceRequest& originalRequest() const { return m_parameters.originalRequest; }
@@ -84,6 +85,7 @@
RefPtr<NetworkDataTask> m_task;
bool m_shouldCaptureExtraNetworkLoadMetrics { false };
WebCore::NetworkTransactionInformation m_loadInformation;
+ WeakPtr<NetworkResourceLoader> m_networkResourceLoader;
};
} // namespace WebKit
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -30,6 +30,7 @@
#include "Logging.h"
#include "NetworkCORSPreflightChecker.h"
#include "NetworkProcess.h"
+#include "NetworkResourceLoader.h"
#include "NetworkSchemeRegistry.h"
#include <WebCore/ContentRuleListResults.h>
#include <WebCore/ContentSecurityPolicy.h>
@@ -49,7 +50,7 @@
return url.protocolIsData() || url.protocolIsBlob() || !origin || origin->canRequest(url);
}
-NetworkLoadChecker::NetworkLoadChecker(NetworkProcess& networkProcess, NetworkSchemeRegistry* schemeRegistry, FetchOptions&& options, PAL::SessionID sessionID, WebPageProxyIdentifier webPageProxyID, HTTPHeaderMap&& originalRequestHeaders, URL&& url, RefPtr<SecurityOrigin>&& sourceOrigin, RefPtr<SecurityOrigin>&& topOrigin, PreflightPolicy preflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled, bool shouldCaptureExtraNetworkLoadMetrics, LoadType requestLoadType)
+NetworkLoadChecker::NetworkLoadChecker(NetworkProcess& networkProcess, NetworkResourceLoader* networkResourceLoader, NetworkSchemeRegistry* schemeRegistry, FetchOptions&& options, PAL::SessionID sessionID, WebPageProxyIdentifier webPageProxyID, HTTPHeaderMap&& originalRequestHeaders, URL&& url, RefPtr<SecurityOrigin>&& sourceOrigin, RefPtr<SecurityOrigin>&& topOrigin, PreflightPolicy preflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled, bool shouldCaptureExtraNetworkLoadMetrics, LoadType requestLoadType)
: m_options(WTFMove(options))
, m_sessionID(sessionID)
, m_networkProcess(networkProcess)
@@ -64,6 +65,7 @@
, m_isHTTPSUpgradeEnabled(isHTTPSUpgradeEnabled)
, m_requestLoadType(requestLoadType)
, m_schemeRegistry(schemeRegistry)
+ , m_networkResourceLoader(makeWeakPtr(networkResourceLoader))
{
m_isSameOriginRequest = isSameOrigin(m_url, m_origin.get());
switch (options.credentials) {
@@ -187,9 +189,9 @@
if (response.httpStatusCode() == 304)
return { };
- String errorMessage;
- if (!passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, errorMessage))
- return ResourceError { String { }, 0, m_url, WTFMove(errorMessage), ResourceError::Type::AccessControl };
+ auto result = passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, m_networkResourceLoader.get());
+ if (!result)
+ return ResourceError { String { }, 0, m_url, WTFMove(result.error()), ResourceError::Type::AccessControl };
response.setTainting(ResourceResponse::Tainting::Cors);
return { };
@@ -430,7 +432,7 @@
m_webPageProxyID,
m_storedCredentialsPolicy
};
- m_corsPreflightChecker = makeUnique<NetworkCORSPreflightChecker>(m_networkProcess.get(), WTFMove(parameters), m_shouldCaptureExtraNetworkLoadMetrics, [this, request = WTFMove(request), handler = WTFMove(handler), isRedirected = isRedirected()](auto&& error) mutable {
+ m_corsPreflightChecker = makeUnique<NetworkCORSPreflightChecker>(m_networkProcess.get(), m_networkResourceLoader.get(), WTFMove(parameters), m_shouldCaptureExtraNetworkLoadMetrics, [this, request = WTFMove(request), handler = WTFMove(handler), isRedirected = isRedirected()](auto&& error) mutable {
RELEASE_LOG_IF_ALLOWED("checkCORSRequestWithPreflight - makeCrossOriginAccessRequestWithPreflight preflight complete, success: %d forRedirect? %d", error.isNull(), isRedirected);
if (!error.isNull()) {
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -57,7 +57,7 @@
public:
enum class LoadType : bool { MainFrame, Other };
- NetworkLoadChecker(NetworkProcess&, NetworkSchemeRegistry*, WebCore::FetchOptions&&, PAL::SessionID, WebPageProxyIdentifier, WebCore::HTTPHeaderMap&&, URL&&, RefPtr<WebCore::SecurityOrigin>&&, RefPtr<WebCore::SecurityOrigin>&& topOrigin, WebCore::PreflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled = false, bool shouldCaptureExtraNetworkLoadMetrics = false, LoadType requestLoadType = LoadType::Other);
+ NetworkLoadChecker(NetworkProcess&, NetworkResourceLoader*, NetworkSchemeRegistry*, WebCore::FetchOptions&&, PAL::SessionID, WebPageProxyIdentifier, WebCore::HTTPHeaderMap&&, URL&&, RefPtr<WebCore::SecurityOrigin>&&, RefPtr<WebCore::SecurityOrigin>&& topOrigin, WebCore::PreflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled = false, bool shouldCaptureExtraNetworkLoadMetrics = false, LoadType requestLoadType = LoadType::Other);
~NetworkLoadChecker();
struct RedirectionTriplet {
@@ -157,6 +157,7 @@
LoadType m_requestLoadType;
RefPtr<NetworkSchemeRegistry> m_schemeRegistry;
+ WeakPtr<NetworkResourceLoader> m_networkResourceLoader;
};
}
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -108,6 +108,7 @@
encoder << isHTTPSUpgradeEnabled;
encoder << pageHasResourceLoadClient;
encoder << parentFrameID;
+ encoder << crossOriginAccessControlCheckEnabled;
#if ENABLE(SERVICE_WORKER)
encoder << serviceWorkersMode;
@@ -265,6 +266,12 @@
return WTF::nullopt;
result.parentFrameID = WTFMove(*parentFrameID);
+ Optional<bool> crossOriginAccessControlCheckEnabled;
+ decoder >> crossOriginAccessControlCheckEnabled;
+ if (!crossOriginAccessControlCheckEnabled)
+ return WTF::nullopt;
+ result.crossOriginAccessControlCheckEnabled = *crossOriginAccessControlCheckEnabled;
+
#if ENABLE(SERVICE_WORKER)
Optional<ServiceWorkersMode> serviceWorkersMode;
decoder >> serviceWorkersMode;
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -63,6 +63,7 @@
bool isHTTPSUpgradeEnabled { false };
bool pageHasResourceLoadClient { false };
Optional<WebCore::FrameIdentifier> parentFrameID;
+ bool crossOriginAccessControlCheckEnabled { true };
#if ENABLE(SERVICE_WORKER)
WebCore::ServiceWorkersMode serviceWorkersMode { WebCore::ServiceWorkersMode::None };
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -118,7 +118,7 @@
if (synchronousReply || parameters.shouldRestrictHTTPResponseAccess || parameters.options.keepAlive) {
NetworkLoadChecker::LoadType requestLoadType = isMainFrameLoad() ? NetworkLoadChecker::LoadType::MainFrame : NetworkLoadChecker::LoadType::Other;
- m_networkLoadChecker = makeUnique<NetworkLoadChecker>(connection.networkProcess(), &connection.schemeRegistry(), FetchOptions { m_parameters.options }, sessionID(), m_parameters.webPageProxyID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, originalRequest().httpReferrer(), m_parameters.isHTTPSUpgradeEnabled, shouldCaptureExtraNetworkLoadMetrics(), requestLoadType);
+ m_networkLoadChecker = makeUnique<NetworkLoadChecker>(connection.networkProcess(), this, &connection.schemeRegistry(), FetchOptions { m_parameters.options }, sessionID(), m_parameters.webPageProxyID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, originalRequest().httpReferrer(), m_parameters.isHTTPSUpgradeEnabled, shouldCaptureExtraNetworkLoadMetrics(), requestLoadType);
if (m_parameters.cspResponseHeaders)
m_networkLoadChecker->setCSPResponseHeaders(ContentSecurityPolicyResponseHeaders { m_parameters.cspResponseHeaders.value() });
#if ENABLE(CONTENT_EXTENSIONS)
@@ -1246,6 +1246,11 @@
return m_shouldCaptureExtraNetworkLoadMetrics;
}
+bool NetworkResourceLoader::crossOriginAccessControlCheckEnabled() const
+{
+ return m_parameters.crossOriginAccessControlCheckEnabled;
+}
+
#if ENABLE(RESOURCE_LOAD_STATISTICS) && !RELEASE_LOG_DISABLED
bool NetworkResourceLoader::shouldLogCookieInformation(NetworkConnectionToWebProcess& connection, const PAL::SessionID& sessionID)
{
Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -35,6 +35,7 @@
#include "NetworkResourceLoadParameters.h"
#include <WebCore/AdClickAttribution.h>
#include <WebCore/ContentSecurityPolicyClient.h>
+#include <WebCore/CrossOriginAccessControl.h>
#include <WebCore/ResourceResponse.h>
#include <WebCore/SecurityPolicyViolationEvent.h>
#include <WebCore/Timer.h>
@@ -68,6 +69,7 @@
, public NetworkLoadClient
, public IPC::MessageSender
, public WebCore::ContentSecurityPolicyClient
+ , public WebCore::CrossOriginAccessControlCheckDisabler
, public CanMakeWeakPtr<NetworkResourceLoader> {
public:
static Ref<NetworkResourceLoader> create(NetworkResourceLoadParameters&& parameters, NetworkConnectionToWebProcess& connection, Messages::NetworkConnectionToWebProcess::PerformSynchronousLoadDelayedReply&& reply = nullptr)
@@ -114,6 +116,9 @@
void didReceiveChallenge(const WebCore::AuthenticationChallenge&) final;
bool shouldCaptureExtraNetworkLoadMetrics() const final;
+ // CrossOriginAccessControlCheckDisabler
+ bool crossOriginAccessControlCheckEnabled() const override;
+
void convertToDownload(DownloadID, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&);
bool isMainResource() const { return m_parameters.request.requester() == WebCore::ResourceRequest::Requester::Main; }
Modified: trunk/Source/WebKit/NetworkProcess/PingLoad.cpp (258051 => 258052)
--- trunk/Source/WebKit/NetworkProcess/PingLoad.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/NetworkProcess/PingLoad.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -45,7 +45,7 @@
, m_parameters(WTFMove(parameters))
, m_completionHandler(WTFMove(completionHandler))
, m_timeoutTimer(*this, &PingLoad::timeoutTimerFired)
- , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(networkProcess, nullptr, FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
+ , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(networkProcess, nullptr, nullptr, FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
{
initialize(networkProcess);
}
@@ -55,7 +55,7 @@
, m_parameters(WTFMove(parameters))
, m_completionHandler(WTFMove(completionHandler))
, m_timeoutTimer(*this, &PingLoad::timeoutTimerFired)
- , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(connection.networkProcess(), &connection.schemeRegistry(), FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
+ , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(connection.networkProcess(), nullptr, &connection.schemeRegistry(), FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
, m_blobFiles(connection.resolveBlobReferences(m_parameters))
{
for (auto& file : m_blobFiles) {
Modified: trunk/Source/WebKit/Shared/WebPageCreationParameters.cpp (258051 => 258052)
--- trunk/Source/WebKit/Shared/WebPageCreationParameters.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/Shared/WebPageCreationParameters.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -138,6 +138,7 @@
encoder << oldPageID;
encoder << overriddenMediaType;
encoder << corsDisablingPatterns;
+ encoder << crossOriginAccessControlCheckEnabled;
encoder << processDisplayName;
encoder << shouldCaptureAudioInUIProcess;
@@ -443,6 +444,12 @@
return WTF::nullopt;
parameters.corsDisablingPatterns = WTFMove(*corsDisablingPatterns);
+ Optional<bool> crossOriginAccessControlCheckEnabled;
+ decoder >> crossOriginAccessControlCheckEnabled;
+ if (!crossOriginAccessControlCheckEnabled)
+ return WTF::nullopt;
+ parameters.crossOriginAccessControlCheckEnabled = *crossOriginAccessControlCheckEnabled;
+
Optional<String> processDisplayName;
decoder >> processDisplayName;
if (!processDisplayName)
Modified: trunk/Source/WebKit/Shared/WebPageCreationParameters.h (258051 => 258052)
--- trunk/Source/WebKit/Shared/WebPageCreationParameters.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/Shared/WebPageCreationParameters.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -209,6 +209,7 @@
String overriddenMediaType;
Vector<String> corsDisablingPatterns;
+ bool crossOriginAccessControlCheckEnabled { true };
String processDisplayName;
bool shouldCaptureAudioInUIProcess { false };
Modified: trunk/Source/WebKit/UIProcess/API/APIPageConfiguration.cpp (258051 => 258052)
--- trunk/Source/WebKit/UIProcess/API/APIPageConfiguration.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/UIProcess/API/APIPageConfiguration.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -90,6 +90,7 @@
for (auto& pair : this->m_urlSchemeHandlers)
copy->m_urlSchemeHandlers.set(pair.key, pair.value.copyRef());
copy->m_corsDisablingPatterns = this->m_corsDisablingPatterns;
+ copy->m_crossOriginAccessControlCheckEnabled = this->m_crossOriginAccessControlCheckEnabled;
copy->m_webViewCategory = this->m_webViewCategory;
copy->m_processDisplayName = this->m_processDisplayName;
Modified: trunk/Source/WebKit/UIProcess/API/APIPageConfiguration.h (258051 => 258052)
--- trunk/Source/WebKit/UIProcess/API/APIPageConfiguration.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/UIProcess/API/APIPageConfiguration.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -138,6 +138,9 @@
const Vector<WTF::String>& corsDisablingPatterns() const { return m_corsDisablingPatterns; }
void setCORSDisablingPatterns(Vector<WTF::String>&& patterns) { m_corsDisablingPatterns = WTFMove(patterns); }
+ bool crossOriginAccessControlCheckEnabled() const { return m_crossOriginAccessControlCheckEnabled; }
+ void setCrossOriginAccessControlCheckEnabled(bool enabled) { m_crossOriginAccessControlCheckEnabled = enabled; }
+
const WTF::String& processDisplayName() const { return m_processDisplayName; }
void setProcessDisplayName(const WTF::String& name) { m_processDisplayName = name; }
@@ -181,6 +184,7 @@
HashMap<WTF::String, Ref<WebKit::WebURLSchemeHandler>> m_urlSchemeHandlers;
Vector<WTF::String> m_corsDisablingPatterns;
+ bool m_crossOriginAccessControlCheckEnabled { true };
WTF::String m_processDisplayName;
WebKit::WebViewCategory m_webViewCategory { WebKit::WebViewCategory::AppBoundDomain };
};
Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfiguration.mm (258051 => 258052)
--- trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfiguration.mm 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfiguration.mm 2020-03-07 04:07:53 UTC (rev 258052)
@@ -913,6 +913,16 @@
_pageConfiguration->setCORSDisablingPatterns(WTFMove(vector));
}
+- (void)_setCrossOriginAccessControlCheckEnabled:(BOOL)enabled
+{
+ _pageConfiguration->setCrossOriginAccessControlCheckEnabled(enabled);
+}
+
+- (BOOL)_crossOriginAccessControlCheckEnabled
+{
+ return _pageConfiguration->crossOriginAccessControlCheckEnabled();
+}
+
- (BOOL)_drawsBackground
{
return _drawsBackground;
Modified: trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h (258051 => 258052)
--- trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h 2020-03-07 04:07:53 UTC (rev 258052)
@@ -84,6 +84,7 @@
@property (nonatomic, readonly) WKWebsiteDataStore *_websiteDataStoreIfExists WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
@property (nonatomic, copy, setter=_setCORSDisablingPatterns:) NSArray<NSString *> *_corsDisablingPatterns WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
+@property (nonatomic, setter=_setCrossOriginAccessControlCheckEnabled:) BOOL _crossOriginAccessControlCheckEnabled WK_API_AVAILABLE(macos(WK_MAC_TBA), ios(WK_IOS_TBA));
#if TARGET_OS_IPHONE
@property (nonatomic, setter=_setClientNavigationsRunAtForegroundPriority:) BOOL _clientNavigationsRunAtForegroundPriority WK_API_AVAILABLE(ios(WK_IOS_TBA));
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (258051 => 258052)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -7722,6 +7722,7 @@
parameters.overriddenMediaType = m_overriddenMediaType;
parameters.corsDisablingPatterns = m_configuration->corsDisablingPatterns();
+ parameters.crossOriginAccessControlCheckEnabled = m_configuration->crossOriginAccessControlCheckEnabled();
parameters.hasResourceLoadClient = !!m_resourceLoadClient;
process.addWebUserContentControllerProxy(m_userContentController, parameters);
Modified: trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp (258051 => 258052)
--- trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -262,8 +262,10 @@
return true;
}
-static void addParametersFromFrame(const Frame* frame, NetworkResourceLoadParameters& parameters)
+static void addParametersShared(const Frame* frame, NetworkResourceLoadParameters& parameters)
{
+ parameters.crossOriginAccessControlCheckEnabled = CrossOriginAccessControlCheckDisabler::singleton().crossOriginAccessControlCheckEnabled();
+
if (!frame)
return;
@@ -311,7 +313,7 @@
loadParameters.maximumBufferingTime = maximumBufferingTime;
loadParameters.options = resourceLoader.options();
loadParameters.preflightPolicy = resourceLoader.options().preflightPolicy;
- addParametersFromFrame(frame, loadParameters);
+ addParametersShared(frame, loadParameters);
#if ENABLE(SERVICE_WORKER)
loadParameters.serviceWorkersMode = resourceLoader.options().serviceWorkersMode;
@@ -608,7 +610,7 @@
if (webPage)
loadParameters.isNavigatingToAppBoundDomain = webPage->isNavigatingToAppBoundDomain();
- addParametersFromFrame(webFrame->coreFrame(), loadParameters);
+ addParametersShared(webFrame->coreFrame(), loadParameters);
data.shrink(0);
@@ -681,7 +683,7 @@
if (auto* contentSecurityPolicy = document->contentSecurityPolicy())
loadParameters.cspResponseHeaders = contentSecurityPolicy->responseHeaders();
}
- addParametersFromFrame(&frame, loadParameters);
+ addParametersShared(&frame, loadParameters);
auto* webFrameLoaderClient = toWebFrameLoaderClient(frame.loader().client());
auto* webFrame = webFrameLoaderClient ? webFrameLoaderClient->webFrame() : nullptr;
Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp (258051 => 258052)
--- trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2020-03-07 04:07:53 UTC (rev 258052)
@@ -529,6 +529,8 @@
#endif
pageConfiguration.corsDisablingPatterns = WTFMove(parameters.corsDisablingPatterns);
+ if (!parameters.crossOriginAccessControlCheckEnabled)
+ CrossOriginAccessControlCheckDisabler::singleton().setCrossOriginAccessControlCheckEnabled(false);
#if ENABLE(ATTACHMENT_ELEMENT) && PLATFORM(IOS_FAMILY)
if (parameters.frontboardExtensionHandle)
Modified: trunk/Tools/ChangeLog (258051 => 258052)
--- trunk/Tools/ChangeLog 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Tools/ChangeLog 2020-03-07 04:07:53 UTC (rev 258052)
@@ -1,3 +1,13 @@
+2020-03-06 Alex Christensen <[email protected]>
+
+ Add SPI to disable cross origin access control checks
+ https://bugs.webkit.org/show_bug.cgi?id=208748
+
+ Reviewed by Tim Hatcher.
+
+ * TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm:
+ Add a test that verifies this SPI allows Access-Control-Allow-Origin: * with credentials.
+
2020-03-06 Basuke Suzuki <[email protected]>
[webkitpy] Fix executive on Windows to run wpt server correctly
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm (258051 => 258052)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm 2020-03-07 03:34:24 UTC (rev 258051)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/WKURLSchemeHandler-1.mm 2020-03-07 04:07:53 UTC (rev 258052)
@@ -886,6 +886,59 @@
EXPECT_FALSE(corsfailure);
}
+TEST(URLSchemeHandler, DisableCORSCredentials)
+{
+ TestWebKitAPI::HTTPServer server({
+ { "/subresource", { {{ "Access-Control-Allow-Origin", "*" }}, "subresourcecontent" } }
+ });
+
+ bool corssuccess = false;
+ bool corsfailure = false;
+ bool done = false;
+
+ auto handler = adoptNS([[TestURLSchemeHandler alloc] init]);
+
+ WKWebViewConfiguration *configuration = [[[WKWebViewConfiguration alloc] init] autorelease];
+ [configuration setURLSchemeHandler:handler.get() forURLScheme:@"cors"];
+
+ [handler setStartURLSchemeTaskHandler:[&](WKWebView *, id<WKURLSchemeTask> task) {
+ if ([task.request.URL.path isEqualToString:@"/main.html"]) {
+ NSData *data = "" stringWithFormat:@"<script>fetch('http://127.0.0.1:%d/subresource', {credentials:'include'}).then(function(){fetch('/corssuccess')}).catch(function(){fetch('/corsfailure')})</script>", server.port()] dataUsingEncoding:NSUTF8StringEncoding];
+ [task didReceiveResponse:[[[NSURLResponse alloc] initWithURL:task.request.URL MIMEType:@"text/html" expectedContentLength:data.length textEncodingName:nil] autorelease]];
+ [task didReceiveData:data];
+ [task didFinish];
+ } else if ([task.request.URL.path isEqualToString:@"/corssuccess"]) {
+ corssuccess = true;
+ done = true;
+ } else if ([task.request.URL.path isEqualToString:@"/corsfailure"]) {
+ corsfailure = true;
+ done = true;
+ } else
+ ASSERT_NOT_REACHED();
+ }];
+
+ {
+ auto webView = adoptNS([[WKWebView alloc] initWithFrame:CGRectMake(0, 0, 800, 600) configuration:configuration]);
+ [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"cors://host1/main.html"]]];
+ TestWebKitAPI::Util::run(&done);
+ }
+ EXPECT_FALSE(corssuccess);
+ EXPECT_TRUE(corsfailure);
+
+ corssuccess = false;
+ corsfailure = false;
+ done = false;
+
+ configuration._crossOriginAccessControlCheckEnabled = NO;
+ {
+ auto webView = adoptNS([[WKWebView alloc] initWithFrame:CGRectMake(0, 0, 800, 600) configuration:configuration]);
+ [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"cors://host1/main.html"]]];
+ TestWebKitAPI::Util::run(&done);
+ }
+ EXPECT_TRUE(corssuccess);
+ EXPECT_FALSE(corsfailure);
+}
+
TEST(URLSchemeHandler, DisableCORSScript)
{
TestWebKitAPI::HTTPServer server({
