Diff
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/assorted.window-expected.txt (261035 => 261036)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/assorted.window-expected.txt 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/origin/assorted.window-expected.txt 2020-05-01 23:07:38 UTC (rev 261036)
@@ -4,7 +4,7 @@
PASS Origin header and POST navigation
PASS Origin header and POST same-origin navigation with Referrer-Policy no-referrer
PASS Origin header and POST same-origin fetch no-cors mode with Referrer-Policy no-referrer
-PASS Origin header and POST same-origin fetch cors mode with Referrer-Policy no-referrer
+FAIL Origin header and POST same-origin fetch cors mode with Referrer-Policy no-referrer assert_equals: expected "null" but got "http://localhost:8800"
PASS Origin header and GET same-origin fetch cors mode with Referrer-Policy no-referrer
PASS Origin header and POST cross-origin navigation with Referrer-Policy no-referrer
PASS Origin header and POST cross-origin fetch no-cors mode with Referrer-Policy no-referrer
Modified: trunk/Source/WebCore/ChangeLog (261035 => 261036)
--- trunk/Source/WebCore/ChangeLog 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/ChangeLog 2020-05-01 23:07:38 UTC (rev 261036)
@@ -1,3 +1,31 @@
+2020-05-01 Chris Dumez <[email protected]>
+
+ Regression(r259036) Unable to post comments on Jira
+ https://bugs.webkit.org/show_bug.cgi?id=211122
+ <rdar://problem/62561879>
+
+ Unreviewed, revert r259036 as the new behavior does not match other browsers
+ and broke some Jira instances.
+
+ * loader/FormSubmission.cpp:
+ (WebCore::FormSubmission::populateFrameLoadRequest):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::addExtraFieldsToRequest):
+ (WebCore::FrameLoader::addHTTPOriginIfNeeded):
+ (WebCore::FrameLoader::loadResourceSynchronously):
+ (WebCore::FrameLoader::loadDifferentDocumentItem):
+ * loader/FrameLoader.h:
+ * loader/NavigationScheduler.cpp:
+ * loader/PingLoader.cpp:
+ (WebCore::PingLoader::sendPing):
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl):
+ * loader/cache/CachedResourceRequest.cpp:
+ (WebCore::CachedResourceRequest::updateReferrerAndOriginHeaders):
+ * platform/network/ResourceRequestBase.cpp:
+ (WebCore::doesRequestNeedHTTPOriginHeader): Deleted.
+ * platform/network/ResourceRequestBase.h:
+
2020-05-01 Jack Lee <[email protected]>
Unreviewed, amend change log entry for r260831.
Modified: trunk/Source/WebCore/loader/FormSubmission.cpp (261035 => 261036)
--- trunk/Source/WebCore/loader/FormSubmission.cpp 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/loader/FormSubmission.cpp 2020-05-01 23:07:38 UTC (rev 261036)
@@ -48,7 +48,6 @@
#include "HTMLNames.h"
#include "HTMLParserIdioms.h"
#include "ScriptDisallowedScope.h"
-#include "SecurityPolicy.h"
#include "TextEncoding.h"
#include <wtf/WallTime.h>
@@ -248,11 +247,7 @@
}
frameRequest.resourceRequest().setURL(requestURL());
- if (doesRequestNeedHTTPOriginHeader(frameRequest.resourceRequest())) {
- auto securityOrigin = SecurityOrigin::createFromString(m_origin);
- auto origin = SecurityPolicy::generateOriginHeader(frameRequest.requester().referrerPolicy(), frameRequest.resourceRequest().url(), securityOrigin);
- frameRequest.resourceRequest().setHTTPOrigin(origin);
- }
+ FrameLoader::addHTTPOriginIfNeeded(frameRequest.resourceRequest(), m_origin);
}
}
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (261035 => 261036)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2020-05-01 23:07:38 UTC (rev 261036)
@@ -1039,6 +1039,11 @@
return frame->loader().m_outgoingReferrer;
}
+String FrameLoader::outgoingOrigin() const
+{
+ return m_frame.document()->securityOrigin().toString();
+}
+
bool FrameLoader::checkIfFormActionAllowedByCSP(const URL& url, bool didReceiveRedirectResponse) const
{
if (m_submittedFormURL.isEmpty())
@@ -2942,6 +2947,9 @@
if (m_overrideResourceLoadPriorityForTesting)
request.setPriority(m_overrideResourceLoadPriorityForTesting.value());
+ // Make sure we send the Origin header.
+ addHTTPOriginIfNeeded(request, String());
+
// Only set fallback array if it's still empty (later attempts may be incorrect, see bug 117818).
if (request.responseContentDispositionEncodingFallbackArray().isEmpty()) {
// Always try UTF-8. If that fails, try frame encoding (if any) and then the default.
@@ -2949,6 +2957,36 @@
}
}
+void FrameLoader::addHTTPOriginIfNeeded(ResourceRequest& request, const String& origin)
+{
+ if (!request.httpOrigin().isEmpty())
+ return; // Request already has an Origin header.
+
+ // Don't send an Origin header for GET or HEAD to avoid privacy issues.
+ // For example, if an intranet page has a hyperlink to an external web
+ // site, we don't want to include the Origin of the request because it
+ // will leak the internal host name. Similar privacy concerns have lead
+ // to the widespread suppression of the Referer header at the network
+ // layer.
+ if (request.httpMethod() == "GET" || request.httpMethod() == "HEAD")
+ return;
+
+ // FIXME: take referrer-policy into account.
+ // https://bugs.webkit.org/show_bug.cgi?id=209066
+
+ // For non-GET and non-HEAD methods, always send an Origin header so the
+ // server knows we support this feature.
+
+ if (origin.isEmpty()) {
+ // If we don't know what origin header to attach, we attach the value
+ // for an empty origin.
+ request.setHTTPOrigin(SecurityOrigin::createUnique()->toString());
+ return;
+ }
+
+ request.setHTTPOrigin(origin);
+}
+
// Implements the "'Same-site' and 'cross-site' Requests" algorithm from <https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00#section-2.1>.
// The algorithm is ammended to treat URLs that inherit their security origin from their owner (e.g. about:blank)
// as same-site. This matches the behavior of Chrome and Firefox.
@@ -3035,10 +3073,7 @@
if (!referrer.isEmpty())
initialRequest.setHTTPReferrer(referrer);
- if (doesRequestNeedHTTPOriginHeader(initialRequest)) {
- auto origin = SecurityPolicy::generateOriginHeader(m_frame.document()->referrerPolicy(), initialRequest.url(), m_frame.document()->securityOrigin());
- initialRequest.setHTTPOrigin(origin);
- }
+ addHTTPOriginIfNeeded(initialRequest, outgoingOrigin());
initialRequest.setFirstPartyForCookies(m_frame.mainFrame().loader().documentLoader()->request().url());
@@ -3738,11 +3773,8 @@
request.setHTTPMethod("POST");
request.setHTTPBody(WTFMove(formData));
request.setHTTPContentType(item.formContentType());
- if (doesRequestNeedHTTPOriginHeader(request)) {
- auto securityOrigin = SecurityOrigin::createFromString(item.referrer());
- auto origin = SecurityPolicy::generateOriginHeader(m_frame.document()->referrerPolicy(), request.url(), securityOrigin);
- request.setHTTPOrigin(origin);
- }
+ auto securityOrigin = SecurityOrigin::createFromString(item.referrer());
+ addHTTPOriginIfNeeded(request, securityOrigin->toString());
addExtraFieldsToRequest(request, IsMainResource::Yes, loadType);
Modified: trunk/Source/WebCore/loader/FrameLoader.h (261035 => 261036)
--- trunk/Source/WebCore/loader/FrameLoader.h 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/loader/FrameLoader.h 2020-05-01 23:07:38 UTC (rev 261036)
@@ -164,6 +164,7 @@
ReferrerPolicy effectiveReferrerPolicy() const;
String referrer() const;
WEBCORE_EXPORT String outgoingReferrer() const;
+ String outgoingOrigin() const;
WEBCORE_EXPORT DocumentLoader* activeDocumentLoader() const;
DocumentLoader* documentLoader() const { return m_documentLoader.get(); }
@@ -216,6 +217,7 @@
WEBCORE_EXPORT void detachFromParent();
void detachViewsAndDocumentLoader();
+ static void addHTTPOriginIfNeeded(ResourceRequest&, const String& origin);
static void addSameSiteInfoToRequestIfNeeded(ResourceRequest&, const Document* initiator = nullptr);
const FrameLoaderClient& client() const { return m_client.get(); }
Modified: trunk/Source/WebCore/loader/NavigationScheduler.cpp (261035 => 261036)
--- trunk/Source/WebCore/loader/NavigationScheduler.cpp 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/loader/NavigationScheduler.cpp 2020-05-01 23:07:38 UTC (rev 261036)
@@ -303,7 +303,7 @@
FrameLoadRequest frameLoadRequest { requestingDocument, requestingDocument.securityOrigin(), { }, { }, initiatedByMainFrame() };
frameLoadRequest.setLockHistory(lockHistory());
frameLoadRequest.setLockBackForwardList(lockBackForwardList());
- frameLoadRequest.setReferrerPolicy(requestingDocument.referrerPolicy());
+ frameLoadRequest.setReferrerPolicy(ReferrerPolicy::EmptyString);
frameLoadRequest.setShouldOpenExternalURLsPolicy(shouldOpenExternalURLs());
m_submission->populateFrameLoadRequest(frameLoadRequest);
frame.loader().loadFrameRequest(WTFMove(frameLoadRequest), m_submission->event(), m_submission->takeState());
Modified: trunk/Source/WebCore/loader/PingLoader.cpp (261035 => 261036)
--- trunk/Source/WebCore/loader/PingLoader.cpp 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/loader/PingLoader.cpp 2020-05-01 23:07:38 UTC (rev 261036)
@@ -136,10 +136,9 @@
HTTPHeaderMap originalRequestHeader = request.httpHeaderFields();
- if (doesRequestNeedHTTPOriginHeader(request)) {
- auto origin = SecurityPolicy::generateOriginHeader(document.referrerPolicy(), request.url(), document.securityOrigin());
- request.setHTTPOrigin(origin);
- }
+ auto& sourceOrigin = document.securityOrigin();
+ FrameLoader::addHTTPOriginIfNeeded(request, SecurityPolicy::generateOriginHeader(document.referrerPolicy(), request.url(), sourceOrigin));
+
frame.loader().addExtraFieldsToRequest(request, IsMainResource::No);
request.setHTTPHeaderField(HTTPHeaderName::PingTo, destinationURL.string());
if (!SecurityPolicy::shouldHideReferrer(pingURL, frame.loader().outgoingReferrer()))
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (261035 => 261036)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2020-05-01 23:07:38 UTC (rev 261036)
@@ -47,7 +47,6 @@
#include "ResourceLoadObserver.h"
#include "ResourceTiming.h"
#include "RuntimeEnabledFeatures.h"
-#include "SecurityPolicy.h"
#include "Settings.h"
#include <wtf/CompletionHandler.h>
#include <wtf/Ref.h>
@@ -670,10 +669,7 @@
updateRequestReferrer(newRequest, referrerPolicy(), previousRequest.httpReferrer());
- if (doesRequestNeedHTTPOriginHeader(newRequest)) {
- auto origin = SecurityPolicy::generateOriginHeader(referrerPolicy(), newRequest.url(), m_origin ? *m_origin : SecurityOrigin::createUnique().get());
- newRequest.setHTTPOrigin(origin);
- }
+ FrameLoader::addHTTPOriginIfNeeded(newRequest, m_origin ? m_origin->toString() : String());
return { };
}
Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp (261035 => 261036)
--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp 2020-05-01 23:07:38 UTC (rev 261036)
@@ -229,11 +229,14 @@
outgoingReferrer = m_resourceRequest.httpReferrer();
updateRequestReferrer(m_resourceRequest, m_options.referrerPolicy, outgoingReferrer);
- if (doesRequestNeedHTTPOriginHeader(m_resourceRequest)) {
- auto outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer);
- auto origin = SecurityPolicy::generateOriginHeader(m_options.referrerPolicy, m_resourceRequest.url(), outgoingOrigin);
- m_resourceRequest.setHTTPOrigin(origin);
- }
+ if (!m_resourceRequest.httpOrigin().isEmpty())
+ return;
+ String outgoingOrigin;
+ if (m_options.mode == FetchOptions::Mode::Cors)
+ outgoingOrigin = SecurityOrigin::createFromString(outgoingReferrer)->toString();
+ else
+ outgoingOrigin = SecurityPolicy::generateOriginHeader(m_options.referrerPolicy, m_resourceRequest.url(), SecurityOrigin::createFromString(outgoingReferrer));
+ FrameLoader::addHTTPOriginIfNeeded(m_resourceRequest, outgoingOrigin);
}
void CachedResourceRequest::updateUserAgentHeader(FrameLoader& frameLoader)
Modified: trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp (261035 => 261036)
--- trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp 2020-05-01 23:07:38 UTC (rev 261036)
@@ -748,18 +748,4 @@
#endif
}
-bool doesRequestNeedHTTPOriginHeader(const ResourceRequest& request)
-{
- if (!request.httpOrigin().isEmpty())
- return false; // Request already has an Origin header.
-
- // Don't send an Origin header for GET or HEAD to avoid privacy issues.
- // For example, if an intranet page has a hyperlink to an external web
- // site, we don't want to include the Origin of the request because it
- // will leak the internal host name. Similar privacy concerns have lead
- // to the widespread suppression of the Referer header at the network
- // layer.
- return request.httpMethod() != "GET" && request.httpMethod() != "HEAD";
}
-
-}
Modified: trunk/Source/WebCore/platform/network/ResourceRequestBase.h (261035 => 261036)
--- trunk/Source/WebCore/platform/network/ResourceRequestBase.h 2020-05-01 23:00:13 UTC (rev 261035)
+++ trunk/Source/WebCore/platform/network/ResourceRequestBase.h 2020-05-01 23:07:38 UTC (rev 261036)
@@ -262,8 +262,6 @@
WEBCORE_EXPORT static double s_defaultTimeoutInterval;
};
-bool doesRequestNeedHTTPOriginHeader(const ResourceRequest&);
-
bool equalIgnoringHeaderFields(const ResourceRequestBase&, const ResourceRequestBase&);
inline bool operator==(const ResourceRequest& a, const ResourceRequest& b) { return ResourceRequestBase::equal(a, b); }
