Diff
Modified: trunk/LayoutTests/ChangeLog (283564 => 283565)
--- trunk/LayoutTests/ChangeLog 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/LayoutTests/ChangeLog 2021-10-05 18:48:10 UTC (rev 283565)
@@ -1,3 +1,19 @@
+2021-10-05 Chris Dumez <[email protected]>
+
+ Authorization header lost on 30x redirects
+ https://bugs.webkit.org/show_bug.cgi?id=230935
+ <rdar://problem/83689955>
+
+ Reviewed by Darin Adler.
+
+ * http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt: Added.
+ * http/tests/fetch/fetch-redirect-same-origin-authorization.html: Added.
+ * http/tests/fetch/resources/dump-authorization-header.py: Added.
+ Add layout test coverage.
+
+ * http/tests/xmlhttprequest/redirections-and-user-headers.html:
+ Update existing test to reflect behavior change.
+
2021-10-05 Gabriel Nava Marino <[email protected]>
Unsupported blending of mixed length types leads to nullptr deref when accessing m_value.calc in CSSPrimitiveValue::primitiveType()
Added: trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt (0 => 283565)
--- trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization-expected.txt 2021-10-05 18:48:10 UTC (rev 283565)
@@ -0,0 +1,10 @@
+Tests that the Authorization header is present on same-origin redirect requests.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS authorization is "Foo Bar"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization.html (0 => 283565)
--- trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization.html (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-redirect-same-origin-authorization.html 2021-10-05 18:48:10 UTC (rev 283565)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Tests that the Authorization header is present on same-origin redirect requests.");
+jsTestIsAsync = true;
+
+fetch("/resources/redirect.py?url="" + encodeURIComponent("/fetch/resources/dump-authorization-header.py"), {
+ headers: {
+ Authorization: 'Foo Bar',
+ },
+}).then((response) => response.text()).then((_data) => {
+ authorization = _data;
+ shouldBeEqualToString("authorization", "Foo Bar");
+ finishJSTest();
+});
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py (0 => 283565)
--- trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py 2021-10-05 18:48:10 UTC (rev 283565)
@@ -0,0 +1,11 @@
+#!/usr/bin/env python3
+import base64
+import os
+import sys
+
+sys.stdout.write('Content-Type: text/html\r\n\r\n')
+if os.environ.get('HTTP_AUTHORIZATION'):
+ sys.stdout.write(os.environ['HTTP_AUTHORIZATION'])
+else:
+ sys.stdout.write('Missing Authorization header')
+sys.stdout.flush()
Property changes on: trunk/LayoutTests/http/tests/fetch/resources/dump-authorization-header.py
___________________________________________________________________
Added: svn:executable
+*
\ No newline at end of property
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/redirections-and-user-headers.html (283564 => 283565)
--- trunk/LayoutTests/http/tests/xmlhttprequest/redirections-and-user-headers.html 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/redirections-and-user-headers.html 2021-10-05 18:48:10 UTC (rev 283565)
@@ -7,7 +7,7 @@
</head>
<body>
<script type="text/_javascript_">
-function doTest(testName, testURL, simpleRequest, changeOrigin)
+function doTest(testName, testURL, simpleRequest, crossOriginRedirect)
{
promise_test(function(test) {
var resolvePromise, rejectPromise;
@@ -31,7 +31,10 @@
if (!simpleRequest) {
assert_true(xhr.responseText.indexOf("x-webkit header found: funky") !== -1, "xhr final request should have a x-webkit=funky header");
assert_true(xhr.responseText.indexOf("content-type header found: rocky") !== -1, "xhr final request should have a content-type=groovy header");
- assert_true(xhr.responseText.indexOf("not found any authorization header") !== -1, "xhr final request should not have an authorization header");
+ if (crossOriginRedirect)
+ assert_true(xhr.responseText.indexOf("not found any authorization header") !== -1, "xhr final request should not have an authorization header");
+ else
+ assert_true(xhr.responseText.indexOf("authorization header found") !== -1, "xhr final request should have an authorization header");
}
testPassed = true;
}
@@ -50,38 +53,39 @@
}
var simpleRequest = true;
+var crossOriginRedirect = true;
doTest("Check headers after same-origin redirection to same-origin resource (simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=""
- simpleRequest);
+ simpleRequest, !crossOriginRedirect);
doTest("Check headers after same-origin redirection to same-origin resource (not simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=""
- !simpleRequest);
+ !simpleRequest, !crossOriginRedirect);
doTest("Check headers after same origin redirection to cross-origin resource (simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=""
- simpleRequest);
+ simpleRequest, crossOriginRedirect);
doTest("Check headers after same origin redirection to cross-origin resource (not simple request)",
"resources/access-control-preflight-redirect.py?redirect=true&url=""
- !simpleRequest);
+ !simpleRequest, crossOriginRedirect);
doTest("Check headers after cross-origin redirection to same-origin resource (simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=""
- simpleRequest);
+ simpleRequest, crossOriginRedirect);
doTest("Check headers after cross-origin redirection to same-origin resource (not simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=""
- !simpleRequest);
+ !simpleRequest, crossOriginRedirect);
doTest("Check headers after cross-origin redirection to cross-origin resource (simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=""
- simpleRequest);
+ simpleRequest, !crossOriginRedirect);
doTest("Check headers after cross-origin redirection to cross-origin resource (not simple request)",
"http://localhost:8080/xmlhttprequest/resources/access-control-preflight-redirect.py?redirect=true&url=""
- !simpleRequest);
+ !simpleRequest, !crossOriginRedirect);
</script>
</body>
Modified: trunk/Source/WebCore/ChangeLog (283564 => 283565)
--- trunk/Source/WebCore/ChangeLog 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebCore/ChangeLog 2021-10-05 18:48:10 UTC (rev 283565)
@@ -1,3 +1,23 @@
+2021-10-05 Chris Dumez <[email protected]>
+
+ Authorization header lost on 30x redirects
+ https://bugs.webkit.org/show_bug.cgi?id=230935
+ <rdar://problem/83689955>
+
+ Reviewed by Darin Adler.
+
+ CFNetwork drops the Authorization request header in cases of same-origin redirects, which is not as per
+ the fetch specification [1] and doesn't match the behavior of other browsers.
+
+ To address the issue, WebKit adds the Authorization request back in case of a same-origin redirect.
+
+ Test: http/tests/fetch/fetch-redirect-same-origin-authorization.html
+
+ * platform/network/cf/ResourceHandleCFNet.cpp:
+ (WebCore::ResourceHandle::willSendRequest):
+ * platform/network/mac/ResourceHandleMac.mm:
+ (WebCore::ResourceHandle::willSendRequest):
+
2021-10-05 Andres Gonzalez <[email protected]>
Move handling of AXValue from platform wrapper to AX core code.
Modified: trunk/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp (283564 => 283565)
--- trunk/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp 2021-10-05 18:48:10 UTC (rev 283565)
@@ -288,6 +288,9 @@
request.clearHTTPAuthorization();
request.clearHTTPOrigin();
} else {
+ if (auto authorization = d->m_firstRequest.httpHeaderField(HTTPHeaderName::Authorization); !authorization.isNull())
+ request.setHTTPHeaderField(HTTPHeaderName::Authorization, authorization);
+
// Only consider applying authentication credentials if this is actually a redirect and the redirect
// URL didn't include credentials of its own.
if (d->m_user.isEmpty() && d->m_password.isEmpty() && !redirectResponse.isNull()) {
Modified: trunk/Source/WebCore/platform/network/mac/ResourceHandleMac.mm (283564 => 283565)
--- trunk/Source/WebCore/platform/network/mac/ResourceHandleMac.mm 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebCore/platform/network/mac/ResourceHandleMac.mm 2021-10-05 18:48:10 UTC (rev 283565)
@@ -444,6 +444,9 @@
request.clearHTTPAuthorization();
request.clearHTTPOrigin();
} else {
+ if (auto authorization = d->m_firstRequest.httpHeaderField(HTTPHeaderName::Authorization); !authorization.isNull())
+ request.setHTTPHeaderField(HTTPHeaderName::Authorization, authorization);
+
// Only consider applying authentication credentials if this is actually a redirect and the redirect
// URL didn't include credentials of its own.
if (d->m_user.isEmpty() && d->m_password.isEmpty() && !redirectResponse.isNull()) {
Modified: trunk/Source/WebKit/ChangeLog (283564 => 283565)
--- trunk/Source/WebKit/ChangeLog 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebKit/ChangeLog 2021-10-05 18:48:10 UTC (rev 283565)
@@ -1,3 +1,21 @@
+2021-10-05 Chris Dumez <[email protected]>
+
+ Authorization header lost on 30x redirects
+ https://bugs.webkit.org/show_bug.cgi?id=230935
+ <rdar://problem/83689955>
+
+ Reviewed by Darin Adler.
+
+ CFNetwork drops the Authorization request header in cases of same-origin redirects, which is not as per
+ the fetch specification [1] and doesn't match the behavior of other browsers.
+
+ To address the issue, WebKit adds the Authorization request back in case of a same-origin redirect.
+
+ [1] https://fetch.spec.whatwg.org/#concept-http-redirect-fetch
+
+ * NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
+ (WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):
+
2021-10-05 Tim Horton <[email protected]>
<model> should be draggable, similar to <img>
Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm (283564 => 283565)
--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm 2021-10-05 18:41:08 UTC (rev 283564)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm 2021-10-05 18:48:10 UTC (rev 283565)
@@ -506,8 +506,12 @@
// we want to strip here because the redirect is cross-origin.
request.clearHTTPAuthorization();
request.clearHTTPOrigin();
+
+ } else {
+ if (auto authorization = m_firstRequest.httpHeaderField(WebCore::HTTPHeaderName::Authorization); !authorization.isNull())
+ request.setHTTPHeaderField(WebCore::HTTPHeaderName::Authorization, authorization);
+
#if USE(CREDENTIAL_STORAGE_WITH_NETWORK_SESSION)
- } else {
// Only consider applying authentication credentials if this is actually a redirect and the redirect
// URL didn't include credentials of its own.
if (m_user.isEmpty() && m_password.isEmpty() && !redirectResponse.isNull()) {
@@ -518,8 +522,8 @@
// FIXME: Support Digest authentication, and Proxy-Authorization.
applyBasicAuthorizationHeader(request, m_initialCredential);
}
+#endif
}
-#endif
}
if (isTopLevelNavigation())
