Title: [289532] trunk
Revision: 289532
Author: [email protected]
Date: 2022-02-10 07:33:42 -0800 (Thu, 10 Feb 2022)
Log Message

Fail synchronously when constructing a SharedWorker with an URL that is not same-origin
https://bugs.webkit.org/show_bug.cgi?id=236419

Reviewed by Darin Adler.

LayoutTests/imported/w3c:

* web-platform-tests/workers/constructors/SharedWorker/same-origin-expected.txt:
Rebaseline test that is now fully passing. I have verified that it is passing in both
Blink and Gecko too.

* web-platform-tests/workers/shared-worker-in-data-url-context.window-expected.txt:
Even though this looks like a regression, this actually aligns our behavior with both
Blink & Gecko (who also fail this check). Note that the load fails no matter what.
However, the test expects it to fail asynchronously instead of synchronously in this
case.

Source/WebCore:

Fail synchronously when constructing a SharedWorker with an URL that is not same-origin.
This aligns our behavior with Chrome and matches the language in the specification.

No new tests, rebaselined existing test.

* workers/shared/SharedWorker.cpp:
(WebCore::SharedWorker::create):
Diff
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (289531 => 289532)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2022-02-10 14:46:18 UTC (rev 289531)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2022-02-10 15:33:42 UTC (rev 289532)
@@ -1,3 +1,20 @@
+2022-02-10 Chris Dumez <[email protected]>
+
+ Fail synchronously when constructing a SharedWorker with an URL that is not same-origin
+ https://bugs.webkit.org/show_bug.cgi?id=236419
+
+ Reviewed by Darin Adler.
+
+ * web-platform-tests/workers/constructors/SharedWorker/same-origin-expected.txt:
+ Rebaseline test that is now fully passing. I have verified that it is passing in both
+ Blink and Gecko too.
+
+ * web-platform-tests/workers/shared-worker-in-data-url-context.window-expected.txt:
+ Even though this looks like a regression, this actually aligns our behavior with both
+ Blink & Gecko (who also fail this check). Note that the load fails no matter what.
+ However, the test expects it to fail asynchronously instead of synchronously in this
+ case.
+
2022-02-10 Rob Buis <[email protected]>
Incorrect abspos layout when toggling contain
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/workers/constructors/SharedWorker/same-origin-expected.txt (289531 => 289532)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/workers/constructors/SharedWorker/same-origin-expected.txt 2022-02-10 14:46:18 UTC (rev 289531)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/workers/constructors/SharedWorker/same-origin-expected.txt 2022-02-10 15:33:42 UTC (rev 289532)
@@ -1,13 +1,5 @@
-CONSOLE MESSAGE: Cannot load unsupported:.
-CONSOLE MESSAGE: Cannot load _javascript_:"".
-CONSOLE MESSAGE: Cannot load about:blank.
-CONSOLE MESSAGE: Cannot load http://www.opera.com/.
-CONSOLE MESSAGE: Cannot load http://localhost:81/.
-CONSOLE MESSAGE: Cannot load https://localhost:80/.
-CONSOLE MESSAGE: Cannot load https://localhost:8000/.
-CONSOLE MESSAGE: Cannot load http://localhost:8012/.
-FAIL unsupported_scheme assert_throws_dom: function "() => { new SharedWorker('unsupported:', ''); }" did not throw
+PASS unsupported_scheme
PASS data_url
PASS _javascript__url
PASS about_blank
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/workers/shared-worker-in-data-url-context.window-expected.txt (289531 => 289532)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/workers/shared-worker-in-data-url-context.window-expected.txt 2022-02-10 14:46:18 UTC (rev 289531)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/workers/shared-worker-in-data-url-context.window-expected.txt 2022-02-10 15:33:42 UTC (rev 289532)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: Cannot load http://localhost:8800/workers/support/post-message-on-load-worker.js.
-PASS Create a shared worker in a data url frame
+FAIL Create a shared worker in a data url frame assert_equals: expected "PASS" but got "SharedWorker construction unexpectedly synchronously failed"
PASS Create a data url shared worker in a data url frame
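Review bot: The new first line of this baseline records a FAIL ("SharedWorker construction unexpectedly synchronously failed") as the expected result, which will hide any later change in why that subtest fails. Since the ChangeLog states that Blink and Gecko fail this check too and that the test expects an asynchronous failure, consider proposing the change to the upstream web-platform-test and referencing that issue alongside this rebaseline, so the FAIL expectation has a tracked way out.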
Modified: trunk/Source/WebCore/ChangeLog (289531 => 289532)
--- trunk/Source/WebCore/ChangeLog 2022-02-10 14:46:18 UTC (rev 289531)
+++ trunk/Source/WebCore/ChangeLog 2022-02-10 15:33:42 UTC (rev 289532)
@@ -1,3 +1,18 @@
+2022-02-10 Chris Dumez <[email protected]>
+
+ Fail synchronously when constructing a SharedWorker with an URL that is not same-origin
+ https://bugs.webkit.org/show_bug.cgi?id=236419
+
+ Reviewed by Darin Adler.
+
+ Fail synchronously when constructing a SharedWorker with an URL that is not same-origin.
+ This aligns our behavior with Chrome and matches the language in the specification.
+
+ No new tests, rebaselined existing test.
+
+ * workers/shared/SharedWorker.cpp:
+ (WebCore::SharedWorker::create):
+
2022-02-10 Gavin Phillips <[email protected]>
Introduce SignedPtrTraits which enables Ref pointers to be protected with PtrTags.
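Review bot: The `(WebCore::SharedWorker::create):` line that closes the new entry has no description, and the summary above it does not say that the dedicated file:// URL rejection is replaced by a same-origin check with a data: exemption. One sentence recording that would help anyone later bisecting a change in file: or data: URL handling for shared workers.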
Modified: trunk/Source/WebCore/workers/shared/SharedWorker.cpp (289531 => 289532)
--- trunk/Source/WebCore/workers/shared/SharedWorker.cpp 2022-02-10 14:46:18 UTC (rev 289531)
+++ trunk/Source/WebCore/workers/shared/SharedWorker.cpp 2022-02-10 15:33:42 UTC (rev 289532)
@@ -74,8 +74,9 @@
if (!url.isValid())
return Exception { SyntaxError, "Invalid script URL"_s };
- if (url.isLocalFile())
- return Exception { SecurityError, "Cannot construct a shared worker with a file:// URL"_s };
+ // Per the specification, any same-origin URL (including blob: URLs) can be used. data: URLs can also be used, but they create a worker with an opaque origin.
+ if (!document.securityOrigin().canRequest(url) && !url.protocolIsData())
+ return Exception { SecurityError, "URL of the shared worker is cross-origin"_s };
if (auto* contentSecurityPolicy = document.contentSecurityPolicy()) {
if (!contentSecurityPolicy->allowWorkerFromSource(url))
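Review bot: Removing the unconditional `url.isLocalFile()` rejection means a file:// script URL is now refused only when `document.securityOrigin().canRequest(url)` returns false, so the result for a document that itself has a file: origin depends on `canRequest()` behaviour that is not visible in this hunk. If file:// shared workers are meant to stay blocked, keep the explicit check ahead of the new one; either way, the ChangeLog says "No new tests", and a test that constructs a SharedWorker from a file: document plus one for the same-origin blob: case named in the comment would pin the intended behaviour down. The added comment is also one very long line and could be wrapped to match the surrounding code.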