Title: [295230] trunk
- Revision
- 295230
- Author
- achristen...@apple.com
- Date
- 2022-06-03 14:03:49 -0700 (Fri, 03 Jun 2022)
Log Message
HSTS synthesized redirect responses should not be blocked by CORS
https://bugs.webkit.org/show_bug.cgi?id=241003
Reviewed by Youenn Fablet.
If a cross-origin request is made to an http URL that would be upgraded to an https URL
because of HSTS, we synthesize a "response" to call willPerformHTTPRedirection with.
Unfortunately, this response can fail CORS checks causing the request to be unnecessarily blocked.
To prevent this, just add CORS headers to the synthesized responses for HSTS.
* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm:
(TestWebKitAPI::TEST):
Canonical link: https://commits.webkit.org/251284@main
Modified Paths
Diff
Modified: trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm (295229 => 295230)
--- trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm 2022-06-03 21:03:40 UTC (rev 295229)
+++ trunk/Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm 2022-06-03 21:03:49 UTC (rev 295230)
@@ -636,7 +636,10 @@
ASSERT_NOT_REACHED();
#endif
- networkDataTask->willPerformHTTPRedirection(WebCore::synthesizeRedirectResponseIfNecessary([task currentRequest], request, nil), request, [completionHandler = makeBlockPtr(completionHandler), taskIdentifier, shouldIgnoreHSTS](auto&& request) {
+ WebCore::ResourceResponse synthesizedResponse = WebCore::synthesizeRedirectResponseIfNecessary([task currentRequest], request, nil);
+ NSString *origin = [request valueForHTTPHeaderField:@"Origin"] ?: @"*";
+ synthesizedResponse.setHTTPHeaderField(WebCore::HTTPHeaderName::AccessControlAllowOrigin, origin);
+ networkDataTask->willPerformHTTPRedirection(WTFMove(synthesizedResponse), request, [completionHandler = makeBlockPtr(completionHandler), taskIdentifier, shouldIgnoreHSTS](auto&& request) {
#if !LOG_DISABLED
LOG(NetworkSession, "%llu _schemeUpgraded completionHandler (%s)", taskIdentifier, request.url().string().utf8().data());
#else
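Review bot: The synthesized response carries only `Access-Control-Allow-Origin`, so a cross-origin request sent with credentials would presumably still fail the CORS check on this internal redirect. In that mode the check also requires `Access-Control-Allow-Credentials: true` and does not accept the `@"*"` fallback. If credentialed requests are meant to be upgraded as well, add `synthesizedResponse.setHTTPHeaderField(WebCore::HTTPHeaderName::AccessControlAllowCredentials, "true"_s);` beside the new call. The added lines also need a comment so the reflected Origin is not mistaken for a general CORS bypass, for example `// Synthesized HSTS upgrade only; the upgraded https response must still pass its own CORS check.` That comment assumes the final response is checked separately, which is not visible here because the delegate method starts and ends outside the hunk.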
Modified: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm (295229 => 295230)
--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm 2022-06-03 21:03:40 UTC (rev 295229)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm 2022-06-03 21:03:49 UTC (rev 295230)
@@ -114,10 +114,8 @@
EXPECT_WK_STREQ(webView.get().URL.absoluteString, "https://example.com/");
[webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"http://example.org/"]]];
- // FIXME: This should be "http://example.com/ hi" but the response generated in _schemeUpgraded is failing a CORS check.
- // This should be fixed to disable CORS checks for HSTS "redirects"
- EXPECT_WK_STREQ([webView _test_waitForAlert], " ");
- EXPECT_EQ(httpServer.totalRequests(), 1u);
+ EXPECT_WK_STREQ([webView _test_waitForAlert], "http://example.com/ hi");
+ EXPECT_EQ(httpServer.totalRequests(), 2u);
}
TEST(HSTS, CrossOriginRedirect)
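Review bot: The updated expectations cover only the one request path this test already issued. Nothing pins the `@"*"` fallback for a request without an Origin header, or the behaviour of a request sent with credentials. The page script that raises the alert is outside the hunk, so the request mode it uses cannot be determined from here. A second case that issues the cross-origin load with credentials and checks both `[webView _test_waitForAlert]` and `httpServer.totalRequests()` would record whether such requests are intended to survive the synthesized redirect.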