Modified: trunk/LayoutTests/ChangeLog (113588 => 113589)
--- trunk/LayoutTests/ChangeLog 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/LayoutTests/ChangeLog 2012-04-09 17:17:25 UTC (rev 113589)
@@ -1,3 +1,19 @@
+2012-04-09 Bill Budge <[email protected]>
+
+ Cross-origin preflight request should not include credentials.
+ https://bugs.webkit.org/show_bug.cgi?id=37676
+
+ Modifies preflight credential tests to make sure that cookies aren't sent along with the
+ CORS prefetch request.
+
+ Reviewed by Adam Barth.
+
+ * http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt:
+ * http/tests/xmlhttprequest/access-control-preflight-credential-async.html:
+ * http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt:
+ * http/tests/xmlhttprequest/access-control-preflight-credential-sync.html:
+ * http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php:
+
2012-04-09 Pavel Feldman <[email protected]>
Web Inspector: get rid of WebInspector.Resource.category, use WebInspector.Resource.type instead.
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt (113588 => 113589)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async-expected.txt 2012-04-09 17:17:25 UTC (rev 113589)
@@ -1,4 +1,6 @@
-Test case for bug 37781: [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
+ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
+ALERT: XHR response - Set the foo cookie
+Test case for bug 37781: [XHR] Cross-Origin asynchronous request with credential raises NETWORK_ERR
PASSED
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async.html (113588 => 113589)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async.html 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-async.html 2012-04-09 17:17:25 UTC (rev 113589)
@@ -1,8 +1,7 @@
<html>
-<body>
-<p>Test case for bug <a href="" [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR</p>
-<pre id='console'></pre>
+<head>
<script type="text/_javascript_">
+
function log(message)
{
document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
@@ -11,27 +10,64 @@
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
+ layoutTestController.setAlwaysAcceptCookies(true);
}
-try {
- var xhr = new XMLHttpRequest;
- xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php?uid=fooUser", false, "fooUser", "barPass");
- xhr._onerror_ = function (e) {
- log("FAILED: received error");
- if (window.layoutTestController)
- layoutTestController.notifyDone();
- };
- xhr._onreadystatechange_ = function () {
- if (xhr.readyState == 4) {
- log((xhr.status == 401) ? "PASSED" : "FAILED: credential send!");
- if (window.layoutTestController)
- layoutTestController.notifyDone();
- }
- };
- xhr.send();
-} catch(e) {
- log("FAILED: got exception " + e.message);
+var cookieSet = false;
+
+window._onmessage_ = function(evt)
+{
+ if (evt.data != "done") {
+ alert("Unexpected message: " + evt.data);
+ return;
+ }
+
+ if (!cookieSet) {
+ cookieSet = true;
+ runTest();
+ }
}
+
+function startTest() {
+ // Set a cookie for localhost:8000.
+ window.frames[0].postMessage("sendXHR setFooCookie", "*");
+}
+
+function stopTest() {
+ // Clean up all cookies for localhost:8000.
+ window.frames[0].postMessage("resetCookiesAndNotifyDone", "*");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+function runTest() {
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php?uid=fooUser", true, "fooUser", "barPass");
+ xhr.withCredentials = true;
+ xhr._onerror_ = function (e) {
+ log("FAILED: received error");
+ stopTest();
+ };
+ xhr._onreadystatechange_ = function () {
+ if (xhr.readyState == 4) {
+ log((xhr.status == 401) ? "PASSED" : "FAILED: credential send!");
+ stopTest();
+ }
+ };
+ xhr.send();
+ } catch(e) {
+ log("FAILED: got exception " + e.message);
+ }
+}
+
</script>
+</head>
+<body _onload_="startTest();">
+<p>Test case for bug <a href="" [XHR] Cross-Origin asynchronous request with credential raises NETWORK_ERR</p>
+<pre id='console'></pre>
+
+<iframe id='testFrame' src=""
+
</body>
</html>
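Review bot: `stopTest()` posts `resetCookiesAndNotifyDone` to the frame and then calls `layoutTestController.notifyDone()` itself on the next line, so the harness can end the test before the frame's cookie-reset request has completed, leaving the `foo` cookie on localhost:8000 for later tests; the same pattern is in the sync.html hunk. If the frame really does call notifyDone once the reset finishes, as the message name suggests, the parent's call is redundant at best, and the two lines `if (window.layoutTestController)` / `layoutTestController.notifyDone();` in stopTest should be dropped (or replaced by a guard that only calls notifyDone when no layoutTestController-driven frame is present). The `window.onmessage` handler also accepts "done" from any origin without checking `evt.origin`; acceptable in a layout test, but a one-line comment saying so would stop a reader from treating it as a pattern to copy. Minor: the log string "FAILED: credential send!" reads as a typo for "credentials sent!".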
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt (113588 => 113589)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync-expected.txt 2012-04-09 17:17:25 UTC (rev 113589)
@@ -1,3 +1,5 @@
+ALERT: http://localhost:8000/cookies/resources/cookie-utility.php?queryfunction=setFooCookie
+ALERT: XHR response - Set the foo cookie
Test case for bug 37781: [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR
PASSED
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync.html (113588 => 113589)
--- trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync.html 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/access-control-preflight-credential-sync.html 2012-04-09 17:17:25 UTC (rev 113589)
@@ -1,8 +1,7 @@
<html>
-<body>
-<p>Test case for bug <a href="" [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR</p>
-<pre id='console'></pre>
+<head>
<script type="text/_javascript_">
+
function log(message)
{
document.getElementById('console').appendChild(document.createTextNode(message + "\n"));
@@ -11,27 +10,64 @@
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
+ layoutTestController.setAlwaysAcceptCookies(true);
}
-try {
- var xhr = new XMLHttpRequest;
- xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php?uid=fooUser", false, "fooUser", "barPass");
- xhr._onerror_ = function (e) {
- log("FAILED: received error");
- if (window.layoutTestController)
- layoutTestController.notifyDone();
- };
- xhr._onreadystatechange_ = function () {
- if (xhr.readyState == 4) {
- log((xhr.status == 401) ? "PASSED" : "FAILED: credential send!");
- if (window.layoutTestController)
- layoutTestController.notifyDone();
- }
- };
- xhr.send();
-} catch(e) {
- log("FAILED: got exception " + e.message);
+var cookieSet = false;
+
+window._onmessage_ = function(evt)
+{
+ if (evt.data != "done") {
+ alert("Unexpected message: " + evt.data);
+ return;
+ }
+
+ if (!cookieSet) {
+ cookieSet = true;
+ runTest();
+ }
}
+
+function startTest() {
+ // Set a cookie for localhost:8000.
+ window.frames[0].postMessage("sendXHR setFooCookie", "*");
+}
+
+function stopTest() {
+ // Clean up all cookies for localhost:8000.
+ window.frames[0].postMessage("resetCookiesAndNotifyDone", "*");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+function runTest() {
+ try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("PUT", "http://localhost:8000/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php?uid=fooUser", false, "fooUser", "barPass");
+ xhr.withCredentials = true;
+ xhr._onerror_ = function (e) {
+ log("FAILED: received error");
+ stopTest();
+ };
+ xhr._onreadystatechange_ = function () {
+ if (xhr.readyState == 4) {
+ log((xhr.status == 401) ? "PASSED" : "FAILED: credential send!");
+ stopTest();
+ }
+ };
+ xhr.send();
+ } catch(e) {
+ log("FAILED: got exception " + e.message);
+ }
+}
+
</script>
+</head>
+<body _onload_="startTest();">
+<p>Test case for bug <a href="" [XHR] Cross-Origin synchronous request with credential raises NETWORK_ERR</p>
+<pre id='console'></pre>
+
+<iframe id='testFrame' src=""
+
</body>
</html>
Modified: trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php (113588 => 113589)
--- trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php 2012-04-09 17:17:25 UTC (rev 113589)
@@ -2,9 +2,12 @@
header("Access-Control-Allow-Origin: http://127.0.0.1:8000/");
header("Access-Control-Allow-Credentials: true");
-header("Access-Control-Allow-Methods: PUT");
-if ($_SERVER['REQUEST_METHOD'] != "OPTIONS") {
+if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
+ if (!isset($_COOKIE['foo'])) {
+ header("Access-Control-Allow-Methods: PUT");
+ }
+} else {
if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_REQUEST['uid']) || ($_REQUEST['uid'] != $_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="WebKit Test Realm/Cross Origin"');
header('HTTP/1.0 401 Unauthorized');
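Review bot: The new OPTIONS branch only proves that the preflight arrived without the `foo` cookie; the test also hands `fooUser`/`barPass` to `xhr.open()`, and a preflight that carried HTTP Basic credentials would still get `Access-Control-Allow-Methods: PUT` and pass. Checking both on the preflight, `if (!isset($_COOKIE['foo']) && !isset($_SERVER['PHP_AUTH_USER'])) {`, would make the script cover the whole "no credentials on preflight" claim rather than just cookies (whether the loader can attach basic-auth credentials to the preflight at all is not visible here, so this is a cheap guard rather than a known failure). The intent of withholding the header is also not written down; a comment such as `// A preflight that carries the test cookie means credentials leaked: withhold Allow-Methods so the preflight fails.` above the isset check would explain why a 200 without the header is the failure signal. The else branch continues past the end of this hunk.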
Modified: trunk/Source/WebCore/ChangeLog (113588 => 113589)
--- trunk/Source/WebCore/ChangeLog 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/Source/WebCore/ChangeLog 2012-04-09 17:17:25 UTC (rev 113589)
@@ -1,3 +1,22 @@
+2012-04-09 Bill Budge <[email protected]>
+
+ Cross-origin preflight request should not include credentials.
+ https://bugs.webkit.org/show_bug.cgi?id=37676
+
+ Modifies createAccessControlPreflightRequest so it never allows credentials.
+
+ Reviewed by Adam Barth.
+
+ http/tests/xmlhttprequest/access-control-preflight-credential-sync.html
+ http/tests/xmlhttprequest/access-control-preflight-credential-async.html
+
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::createAccessControlPreflightRequest):
+ * loader/CrossOriginAccessControl.h:
+ (WebCore):
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight):
+
2012-04-09 Antti Koivisto <[email protected]>
Don't expose internal CSSValues in API
Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (113588 => 113589)
--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2012-04-09 17:17:25 UTC (rev 113589)
@@ -103,10 +103,10 @@
request.setHTTPOrigin(securityOrigin->toString());
}
-ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin, StoredCredentials allowCredentials)
+ResourceRequest createAccessControlPreflightRequest(const ResourceRequest& request, SecurityOrigin* securityOrigin)
{
ResourceRequest preflightRequest(request.url());
- updateRequestForAccessControl(preflightRequest, securityOrigin, allowCredentials);
+ updateRequestForAccessControl(preflightRequest, securityOrigin, DoNotAllowStoredCredentials);
preflightRequest.setHTTPMethod("OPTIONS");
preflightRequest.setHTTPHeaderField("Access-Control-Request-Method", request.httpMethod());
preflightRequest.setPriority(request.priority());
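Review bot: `createAccessControlPreflightRequest` now hard-codes `DoNotAllowStoredCredentials` without saying why, and since the parameter was removed from the signature a reader of the .h declaration or of the `DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight` call site has no hint that the actual request's credentials mode is intentionally not applied to the preflight. A comment on the call, `// A CORS preflight is always sent without credentials; the caller's StoredCredentials mode applies only to the actual request.`, and the same sentence above the declaration in CrossOriginAccessControl.h, would record the contract. The preflight is built from `request.url()` alone, so headers from the original request are not copied, but a URL with embedded userinfo would presumably still be carried over; worth confirming that the loader strips or ignores it for the OPTIONS request. The function body continues past the end of this hunk.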
Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.h (113588 => 113589)
--- trunk/Source/WebCore/loader/CrossOriginAccessControl.h 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.h 2012-04-09 17:17:25 UTC (rev 113589)
@@ -46,7 +46,7 @@
bool isOnAccessControlResponseHeaderWhitelist(const String&);
void updateRequestForAccessControl(ResourceRequest&, SecurityOrigin*, StoredCredentials);
-ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*, StoredCredentials);
+ResourceRequest createAccessControlPreflightRequest(const ResourceRequest&, SecurityOrigin*);
bool passesAccessControlCheck(const ResourceResponse&, StoredCredentials, SecurityOrigin*, String& errorDescription);
void parseAccessControlExposeHeadersAllowList(const String& headerValue, HTTPHeaderSet&);
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (113588 => 113589)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2012-04-09 17:01:06 UTC (rev 113588)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2012-04-09 17:17:25 UTC (rev 113589)
@@ -134,7 +134,7 @@
void DocumentThreadableLoader::makeCrossOriginAccessRequestWithPreflight(const ResourceRequest& request)
{
- ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin(), m_options.allowCredentials);
+ ResourceRequest preflightRequest = createAccessControlPreflightRequest(request, securityOrigin());
loadRequest(preflightRequest, DoSecurityCheck);
}