Title: [286940] trunk
- Revision
- 286940
- Author
- you...@apple.com
- Date
- 2021-12-13 01:18:27 -0800 (Mon, 13 Dec 2021)
Log Message
Implement step 17 of main fetch algorithm
https://bugs.webkit.org/show_bug.cgi?id=234140
Reviewed by Brent Fulgham.
LayoutTests/imported/w3c:
* web-platform-tests/service-workers/service-worker/fetch-csp.https.html:
* web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:
Source/WebCore:
The step was implemented for non-DocumentThreadableLoader resources; we need to perform the same step within DocumentThreadableLoader as well.
Covered by existing updated tests.
* loader/DocumentThreadableLoader.cpp:
* loader/DocumentThreadableLoader.h:
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (286939 => 286940)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2021-12-13 09:09:52 UTC (rev 286939)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2021-12-13 09:18:27 UTC (rev 286940)
@@ -1,3 +1,13 @@
+2021-12-13 Youenn Fablet <you...@apple.com>
+
+ Implement step 17 of main fetch algorithm
+ https://bugs.webkit.org/show_bug.cgi?id=234140
+
+ Reviewed by Brent Fulgham.
+
+ * web-platform-tests/service-workers/service-worker/fetch-csp.https.html:
+ * web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers:
+
2021-12-11 Antoine Quint <grao...@webkit.org>
Expose a frameRate property to Web Animations
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-csp.https.html (286939 => 286940)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-csp.https.html 2021-12-13 09:09:52 UTC (rev 286939)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-csp.https.html 2021-12-13 09:18:27 UTC (rev 286940)
@@ -108,6 +108,30 @@
'should ignore the path component of the URL.');
})
.then(function() {
+ return assert_resolves(
+ frame.contentWindow.fetch(IMAGE_URL + "&fetch1", { mode: 'no-cors'}),
+ 'Allowed scope fetch resource should be loaded.');
+ })
+ .then(function() {
+ return assert_resolves(
+ frame.contentWindow.fetch(
+ // The request for IMAGE_URL will be fetched in SW.
+ './sample?url=''&fetch2'), { mode: 'no-cors'}),
+ 'Allowed scope fetch resource which was fetched via SW should be loaded.');
+ })
+ .then(function() {
+ return assert_rejects(
+ frame.contentWindow.fetch(REMOTE_IMAGE_URL + "&fetch3", { mode: 'no-cors'}),
+ 'Disallowed scope fetch resource should not be loaded.');
+ })
+ .then(function() {
+ return assert_rejects(
+ frame.contentWindow.fetch(
+ // The request for REMOTE_IMAGE_URL will be fetched in SW.
+ './sample?url=''&fetch4'), { mode: 'no-cors'}),
+ 'Disallowed scope fetch resource which was fetched via SW should not be loaded.');
+ })
+ .then(function() {
frame.remove();
});
}, 'Verify CSP control of fetch() in a Service Worker');
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers (286939 => 286940)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers 2021-12-13 09:09:52 UTC (rev 286939)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers 2021-12-13 09:18:27 UTC (rev 286940)
@@ -1 +1 @@
-Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}
+Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}; connect-src 'unsafe-inline' 'self'
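Review bot: `'unsafe-inline'` in the new `connect-src` source list is a keyword that only has meaning for script and style directives; in a connect-src list it matches no URL, so `'self'` alone is what allows the same-origin fetch1/fetch2 requests and blocks REMOTE_IMAGE_URL, and the extra keyword at most draws a console warning in some engines. Unless the upstream WPT file carries it for a reason, `Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}; connect-src 'self'` states the test's intent more clearly.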
Modified: trunk/Source/WebCore/ChangeLog (286939 => 286940)
--- trunk/Source/WebCore/ChangeLog 2021-12-13 09:09:52 UTC (rev 286939)
+++ trunk/Source/WebCore/ChangeLog 2021-12-13 09:18:27 UTC (rev 286940)
@@ -1,5 +1,19 @@
2021-12-13 Youenn Fablet <you...@apple.com>
+ Implement step 17 of main fetch algorithm
+ https://bugs.webkit.org/show_bug.cgi?id=234140
+
+ Reviewed by Brent Fulgham.
+
+ The step was implemented for non DocumentThreadableLoader resources, we need to also do the same step within DocumentThreadableLoader.
+
+ Covered by existing updated tests.
+
+ * loader/DocumentThreadableLoader.cpp:
+ * loader/DocumentThreadableLoader.h:
+
+2021-12-13 Youenn Fablet <you...@apple.com>
+
Rename startCallback to resetCallback in AudioMediaStreamTrackRendererUnit createInternalUnit
https://bugs.webkit.org/show_bug.cgi?id=234142
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (286939 => 286940)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-12-13 09:09:52 UTC (rev 286939)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-12-13 09:18:27 UTC (rev 286940)
@@ -404,6 +404,16 @@
ASSERT(m_client);
ASSERT(response.type() != ResourceResponse::Type::Error);
+#if ENABLE(SERVICE_WORKER)
+ // https://fetch.spec.whatwg.org/commit-snapshots/6257e220d70f560a037e46f1b4206325400db8dc/#main-fetch step 17.
+ if (response.source() == ResourceResponse::Source::ServiceWorker && response.url() != m_resource->url()) {
+ if (!isResponseAllowedByContentSecurityPolicy(response)) {
+ reportContentSecurityPolicyError(response.url());
+ return;
+ }
+ }
+#endif
+
InspectorInstrumentation::didReceiveThreadableLoaderResponse(*this, identifier);
if (m_delayCallbacksForIntegrityCheck)
@@ -691,6 +701,11 @@
return false;
}
+bool DocumentThreadableLoader::isResponseAllowedByContentSecurityPolicy(const ResourceResponse& response)
+{
+ return isAllowedByContentSecurityPolicy(response.url(), ContentSecurityPolicy::RedirectResponseReceived::Yes, { });
+}
+
bool DocumentThreadableLoader::isAllowedRedirect(const URL& url)
{
if (m_options.mode == FetchOptions::Mode::NoCors)
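Review bot: The early `return` after `reportContentSecurityPolicyError(response.url())` in the first hunk (inside a function that starts and ends outside the hunk) only terminates the load correctly if that helper also fails the load and notifies m_client; if it merely logs, the loader would be left pending with no didFail ever delivered. That is presumably the case given the test expects the fetch promise to reject, but a comment would make the contract explicit, e.g. `// reportContentSecurityPolicyError() fails the load and notifies the client; nothing more to do here.` The two nested ifs could also be folded into one condition to make the blocked-response path read as a single check. In the second hunk, isResponseAllowedByContentSecurityPolicy passes RedirectResponseReceived::Yes without saying why; a one-line comment such as `// A service worker response whose URL differs from the request URL is matched against CSP as if it were a redirect target.` would document that choice for the next reader.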
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (286939 => 286940)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2021-12-13 09:09:52 UTC (rev 286939)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2021-12-13 09:18:27 UTC (rev 286940)
@@ -105,6 +105,7 @@
void loadRequest(ResourceRequest&&, SecurityCheckPolicy);
bool isAllowedRedirect(const URL&);
bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived, const URL& preRedirectURL = URL());
+ bool isResponseAllowedByContentSecurityPolicy(const ResourceResponse&);
SecurityOrigin& securityOrigin() const;
const ContentSecurityPolicy& contentSecurityPolicy() const;