Title: [287210] releases/WebKitGTK/webkit-2.34
- Revision
- 287210
- Author
- [email protected]
- Date
- 2021-12-17 14:48:11 -0800 (Fri, 17 Dec 2021)
Log Message
Merge r282084 - [wpt-improvement] Improve CSP support for window reuse
https://bugs.webkit.org/show_bug.cgi?id=229882
<rdar://78416553>
Reviewed by Chris Dumez.
LayoutTests/imported/w3c:
Rebaseline a test that now passes.
* web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt:
Source/WebCore:
If window.open is used to host content with a CSP sandbox header, we should always
create a new window, rather than reusing the existing one, unless the header
includes 'allow-same-site'.
This improves our WPT score.
Tested by: imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived): Parse the HTTP headers earlier so we can
make decisions based on their state.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin): Don't reuse the current window if 'allow-same-site'
is not allowed.
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/ChangeLog (287209 => 287210)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/ChangeLog 2021-12-17 22:48:02 UTC (rev 287209)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/ChangeLog 2021-12-17 22:48:11 UTC (rev 287210)
@@ -1,3 +1,15 @@
+2021-09-07 Brent Fulgham <[email protected]>
+
+ [wpt-improvement] Improve CSP support for window reuse
+ https://bugs.webkit.org/show_bug.cgi?id=229882
+ <rdar://78416553>
+
+ Reviewed by Chris Dumez.
+
+ Rebaseline a test that now passes.
+
+ * web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt:
+
2021-09-02 Chris Dumez <[email protected]>
[COOP] html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html WPT test is failing
Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt (287209 => 287210)
--- releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt 2021-12-17 22:48:02 UTC (rev 287209)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt 2021-12-17 22:48:11 UTC (rev 287210)
@@ -1,3 +1,3 @@
-FAIL Window object should not be reused assert_equals: expected (undefined) undefined but got (string) "test"
+PASS Window object should not be reused
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (287209 => 287210)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2021-12-17 22:48:02 UTC (rev 287209)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog 2021-12-17 22:48:11 UTC (rev 287210)
@@ -1,3 +1,26 @@
+2021-09-07 Brent Fulgham <[email protected]>
+
+ [wpt-improvement] Improve CSP support for window reuse
+ https://bugs.webkit.org/show_bug.cgi?id=229882
+ <rdar://78416553>
+
+ Reviewed by Chris Dumez.
+
+ If window.open is used to host content with a CSP sandbox header, we should always
+ create a new window, rather than reusing the existing one, unless the header
+ includes 'allow-same-site'.
+
+ This improves our WPT score.
+
+ Tested by: imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html
+
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::responseReceived): Parse the HTTP headers earlier so we can
+ make decisions based on their state.
+ * loader/DocumentWriter.cpp:
+ (WebCore::DocumentWriter::begin): Don't reuse the current window if 'allow-same-site'
+ is not allowed.
+
2021-09-02 Chris Dumez <[email protected]>
[COOP] html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html WPT test is failing
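Review bot: The entry twice describes the exception as the header including 'allow-same-site' ("unless the header includes 'allow-same-site'" and "Don't reuse the current window if 'allow-same-site' is not allowed"), but the CSP sandbox directive has no 'allow-same-site' keyword; the flag the accompanying DocumentWriter change tests is SandboxOrigin, which is the bit cleared by 'allow-same-origin'. Suggest correcting both mentions to 'allow-same-origin' so the ChangeLog matches the behaviour actually landed.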
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/loader/DocumentLoader.cpp (287209 => 287210)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/loader/DocumentLoader.cpp 2021-12-17 22:48:02 UTC (rev 287209)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/loader/DocumentLoader.cpp 2021-12-17 22:48:11 UTC (rev 287210)
@@ -781,12 +781,6 @@
if (!m_frame->document() || !m_frame->document()->settings().crossOriginOpenerPolicyEnabled())
return true;
- if (!response.httpHeaderField(HTTPHeaderName::ContentSecurityPolicy).isNull()) {
- m_contentSecurityPolicy = makeUnique<ContentSecurityPolicy>(URL { response.url() }, nullptr);
- m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders { response }, m_request.httpReferrer(), ContentSecurityPolicy::ReportParsingErrors::No);
- } else
- m_contentSecurityPolicy = nullptr;
-
auto [responseOrigin, responseCOOP] = computeResponseOriginAndCOOP(response, *m_frame->document(), m_triggeringAction.requester(), m_contentSecurityPolicy.get());
// https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-fetch (Step 12.5.6.2)
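Review bot: With the parsing block removed, the `computeResponseOriginAndCOOP(response, *m_frame->document(), m_triggeringAction.requester(), m_contentSecurityPolicy.get())` call that remains in this hunk now depends on the caller having populated m_contentSecurityPolicy for this same response before entering the function; nothing in the hunk states or checks that ordering. Suggest a one-line comment at the call site (or an ASSERT that the policy has already been derived from `response`) so a future caller cannot reach this path with a stale m_contentSecurityPolicy left over from an earlier response.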
@@ -924,6 +918,12 @@
{
ASSERT_UNUSED(resource, m_mainResource == &resource);
+ if (!response.httpHeaderField(HTTPHeaderName::ContentSecurityPolicy).isNull()) {
+ m_contentSecurityPolicy = makeUnique<ContentSecurityPolicy>(URL { response.url() }, nullptr);
+ m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders { response }, m_request.httpReferrer(), ContentSecurityPolicy::ReportParsingErrors::No);
+ } else
+ m_contentSecurityPolicy = nullptr;
+
#if ENABLE(RESOURCE_LOAD_STATISTICS)
// FIXME(218779): Remove this quirk once microsoft.com completes their login flow redesign.
if (m_frame && m_frame->document()) {
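Review bot: The relocated block decides whether a policy exists solely from the enforced header (`!response.httpHeaderField(HTTPHeaderName::ContentSecurityPolicy).isNull()`) and otherwise resets m_contentSecurityPolicy to nullptr; that is adequate for the sandbox directive, which a report-only header cannot enforce, but since this object is now consulted by both the COOP handling and DocumentWriter::begin the intent deserves a comment. Suggest a short comment above the `if` noting that the policy is parsed here, ahead of any COOP or window-reuse decision, and why parsing errors are deliberately suppressed (`ContentSecurityPolicy::ReportParsingErrors::No`), so that a later reader does not "fix" the duplication by removing it.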
Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/loader/DocumentWriter.cpp (287209 => 287210)
--- releases/WebKitGTK/webkit-2.34/Source/WebCore/loader/DocumentWriter.cpp 2021-12-17 22:48:02 UTC (rev 287209)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/loader/DocumentWriter.cpp 2021-12-17 22:48:11 UTC (rev 287210)
@@ -142,6 +142,12 @@
&& m_frame->document()->isSecureTransitionTo(url)
&& (m_frame->window() && !m_frame->window()->wasWrappedWithoutInitializedSecurityOrigin() && m_frame->window()->mayReuseForNavigation());
+ if (shouldReuseDefaultView) {
+ ASSERT(m_frame->loader().documentLoader());
+ if (auto* contentSecurityPolicy = m_frame->loader().documentLoader()->contentSecurityPolicy())
+ shouldReuseDefaultView = !(contentSecurityPolicy->sandboxFlags() & SandboxOrigin);
+ }
+
// Temporarily extend the lifetime of the existing document so that FrameLoader::clear() doesn't destroy it as
// we need to retain its ongoing set of upgraded requests in new navigation contexts per <http://www.w3.org/TR/upgrade-insecure-requests/>
// and we may also need to inherit its Content Security Policy below.
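Review bot: `ASSERT(m_frame->loader().documentLoader());` is immediately followed by an unconditional `m_frame->loader().documentLoader()->contentSecurityPolicy()`; ASSERT compiles out in release builds, so a null documentLoader there would be a null dereference rather than a caught assertion. Suggest folding the check into the condition, e.g. `if (auto* documentLoader = m_frame->loader().documentLoader())` with `documentLoader->contentSecurityPolicy()` read inside it, keeping the ASSERT for debug builds if wanted. Also worth a comment on `shouldReuseDefaultView = !(contentSecurityPolicy->sandboxFlags() & SandboxOrigin);`: reuse is refused only when the sandbox withholds the origin (no 'allow-same-origin'), so a sandboxed response that does grant allow-same-origin still reuses the window, which is the intended behaviour but reads differently from the ChangeLog's 'allow-same-site' wording.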
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes