Title: [119911] trunk
Revision
119911
Author
[email protected]
Date
2012-06-09 11:42:41 -0700 (Sat, 09 Jun 2012)

Log Message

The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests
https://bugs.webkit.org/show_bug.cgi?id=88139

Patch by Pablo Flouret <[email protected]> on 2012-06-09
Reviewed by Adam Barth.

Source/WebCore:

Compare a request's origin with the value given in any
Access-Control-Allow-Origin headers in an exact, case-sensitive manner,
instead of using SecurityOrigin::isSameSchemeHostPort(). Per step 3 of
the resource sharing check algorithm in
http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check

Test: http/tests/xmlhttprequest/origin-exact-matching.html

* loader/CrossOriginAccessControl.cpp:
(WebCore::passesAccessControlCheck):

LayoutTests:

* http/tests/xmlhttprequest/origin-exact-matching-expected.txt: Added.
* http/tests/xmlhttprequest/origin-exact-matching.html: Added.
* http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php: Get rid of a trailing slash in the origin.
* http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (119910 => 119911)


--- trunk/LayoutTests/ChangeLog	2012-06-09 18:26:28 UTC (rev 119910)
+++ trunk/LayoutTests/ChangeLog	2012-06-09 18:42:41 UTC (rev 119911)
@@ -1,3 +1,15 @@
+2012-06-09  Pablo Flouret  <[email protected]>
+
+        The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests
+        https://bugs.webkit.org/show_bug.cgi?id=88139
+
+        Reviewed by Adam Barth.
+
+        * http/tests/xmlhttprequest/origin-exact-matching-expected.txt: Added.
+        * http/tests/xmlhttprequest/origin-exact-matching.html: Added.
+        * http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php: Get rid of a trailing slash in the origin.
+        * http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html: Added.
+
 2012-06-09  Christophe Dumez  <[email protected]>
 
         [EFL] Skip tests that rely on pathToLocalResource() due to regression in r119788

Added: trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt (0 => 119911)


--- trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching-expected.txt	2012-06-09 18:42:41 UTC (rev 119911)
@@ -0,0 +1,133 @@
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Fwww2.localhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=ftp%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3Alocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=localhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%3F. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%2F. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%20%2F. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%23. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%2523. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%3A80. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%2C%20*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=HTTP%3A%2F%2FLOCALHOST%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=HTTP%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=-. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=**. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=%00*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin='*'. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=%22*%22. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=*%20*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=*http%3A%2F%2F*. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=*http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=*%20http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=*%2C%20http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=%00http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=null%20http%3A%2F%2Flocalhost%3A8000. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Fexample.net. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=null. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%2Fxmlhttprequest%2Fresources%2Forigin-exact-matching-iframe.html. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%2Fxmlhttprequest%2Fresources%2F. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=http%3A%2F%2Flocalhost%3A8000%2Fxmlhttprequest%2Fresources%2Forigin-exact-matching-iframe.html. Origin http://localhost:8000 is not allowed by Access-Control-Allow-Origin.
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Check that exact matching is used when comparing a request's originating url and the value provided by Access-Control-Allow-Origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Should allow origin: '*'
+PASS xhr.send(null) is undefined.
+Should allow origin: ' *  '
+PASS xhr.send(null) is undefined.
+Should allow origin: '	*'
+PASS xhr.send(null) is undefined.
+Should allow origin: 'http://localhost:8000'
+PASS xhr.send(null) is undefined.
+Should allow origin: ' http://localhost:8000'
+PASS xhr.send(null) is undefined.
+Should allow origin: ' http://localhost:8000   	 '
+PASS xhr.send(null) is undefined.
+Should allow origin: '	http://localhost:8000'
+PASS xhr.send(null) is undefined.
+Should disallow origin: 'http://www2.localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '//localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'ftp://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http:://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http:/localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http:localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000?'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000/'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000 /'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000#'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000%23'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000:80'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000, *'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'HTTP://LOCALHOST:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'HTTP://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '-'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '**'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '*'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: ''*''
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '"*"'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '* *'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '*http://*'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '*http://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '* http://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: '*, http://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'null http://localhost:8000'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://example.net'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'null'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: ''
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000/xmlhttprequest/resources/origin-exact-matching-iframe.html'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000/xmlhttprequest/resources/'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+Should disallow origin: 'http://localhost:8000/xmlhttprequest/resources/origin-exact-matching-iframe.html'
+PASS xhr.send(null) threw exception Error: NETWORK_ERR: XMLHttpRequest Exception 101.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
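Review bot: several labels in this expected output are indistinguishable because the origin under test contains a non-printing character: "Should disallow origin: '*'" and "Should disallow origin: 'http://localhost:8000'" are the \0-prefixed cases (the console messages above show them as %00* and %00http...), and as written they read as contradicting the "Should allow origin" lines for the same visible strings. Escaping control characters in the label before it is logged (for example printing \0 as "\\0") would make this expectation self-explanatory and keep a future diff of this file readable.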

Added: trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching.html (0 => 119911)


--- trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/origin-exact-matching.html	2012-06-09 18:42:41 UTC (rev 119911)
@@ -0,0 +1,6 @@
+<!DOCTYPE html>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpChildFramesAsText();
+</script>
+<iframe style="width: 100%; height: 600px" src=""
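Review bot: as rendered here the iframe line ends at src="" with no closing >, so the harness would load nothing into the frame. The ChangeLog lists http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html as the page under test, so confirm that the committed file carries that src value and a terminated <iframe ...></iframe>; dumpChildFramesAsText() alone does not fail loudly if the frame stays empty, the test would simply print no cases.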

Modified: trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php (119910 => 119911)


--- trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php	2012-06-09 18:26:28 UTC (rev 119910)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/resources/basic-auth/access-control-auth-basic.php	2012-06-09 18:42:41 UTC (rev 119911)
@@ -1,6 +1,6 @@
 <?php
 
-header("Access-Control-Allow-Origin: http://127.0.0.1:8000/");
+header("Access-Control-Allow-Origin: http://127.0.0.1:8000");
 header("Access-Control-Allow-Credentials: true");
 
 if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
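Review bot: this trailing-slash removal is required by the new exact comparison in CrossOriginAccessControl.cpp, since "http://127.0.0.1:8000/" no longer equals the serialized origin "http://127.0.0.1:8000". The same class of value (trailing slash, different case, or a path component) will now fail in any other test resource that hard-codes an Access-Control-Allow-Origin header, so it is worth grepping LayoutTests/http for other header() calls that emit such a value before landing, rather than discovering them as bot failures.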

Added: trunk/LayoutTests/http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html (0 => 119911)


--- trunk/LayoutTests/http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/xmlhttprequest/resources/origin-exact-matching-iframe.html	2012-06-09 18:42:41 UTC (rev 119911)
@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script type="text/_javascript_">
+description("Check that exact matching is used when comparing a request's originating url and the value provided by Access-Control-Allow-Origin.");
+var urlTemplate = "http://127.0.0.1:8000/xmlhttprequest/resources/redirect-cors.php?access-control-allow-origin=";
+
+function shouldPass(origin) {
+    debug("Should allow origin: '" + origin + "'");
+    xhr = new XMLHttpRequest();
+    xhr.open('GET', urlTemplate + encodeURIComponent(origin), false);
+    shouldBeUndefined("xhr.send(null)");
+}
+
+function shouldFail(origin) {
+    debug("Should disallow origin: '" + origin + "'");
+    xhr = new XMLHttpRequest();
+    xhr.open('GET', urlTemplate + encodeURIComponent(origin), false);
+    shouldThrow("xhr.send(null)");
+}
+
+shouldPass('*');
+shouldPass(' *  ');
+shouldPass('	*');
+shouldPass(location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host);
+shouldPass(" "+location.protocol + "//" + location.host + "   	 ");
+shouldPass("	"+location.protocol + "//" + location.host);
+shouldFail(location.protocol + "//www2." + location.host);
+shouldFail("//" + location.host);
+shouldFail("://" + location.host);
+shouldFail("ftp://" + location.host);
+shouldFail("http:://" + location.host);
+shouldFail("http:/" + location.host);
+shouldFail("http:" + location.host);
+shouldFail(location.host);
+shouldFail(location.protocol + "//" + location.host + "?");
+shouldFail(location.protocol + "//" + location.host + "/");
+shouldFail(location.protocol + "//" + location.host + " /");
+shouldFail(location.protocol + "//" + location.host + "#");
+shouldFail(location.protocol + "//" + location.host + "%23");
+shouldFail(location.protocol + "//" + location.host + ":80");
+shouldFail(location.protocol + "//" + location.host + ", *");
+//shouldFail(location.protocol + "//" + location.host + "\0"); // Doesn't fail in chromium-linux. See http://wkbug.com/88688 and http://wkbug.com/88139
+shouldFail((location.protocol + "//" + location.host).toUpperCase());
+shouldFail(location.protocol.toUpperCase() + "//" + location.host);
+shouldFail("-");
+shouldFail("**");
+shouldFail("\0*");
+//shouldFail("*\0"); // Doesn't fail in chromium-linux. http://wkbug.com/88688 and http://wkbug.com/88139
+shouldFail("'*'");
+shouldFail('"*"');
+shouldFail("* *");
+shouldFail("*" + location.protocol + "//" + "*");
+shouldFail("*" + location.protocol + "//" + location.host);
+shouldFail("* " + location.protocol + "//" + location.host);
+shouldFail("*, " + location.protocol + "//" + location.host);
+shouldFail("\0" + location.protocol + "//" + location.host);
+shouldFail("null " + location.protocol + "//" + location.host);
+shouldFail('http://example.net');
+shouldFail('null');
+shouldFail('');
+shouldFail(location.href);
+shouldFail(location.href.replace(/\/[^\/]*$/, '/'));
+shouldFail(location.href.replace(location.hostname, "localhost"));
+
+</script>
+<script src=""
+</body>
+</html>
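Review bot: the last three shouldFail cases are meant to be three distinct "origin plus path" values, but location.href.replace(location.hostname, "localhost") is a no-op when the frame is already served from localhost, so the first and third produce the same string (the expected output shows two identical "Should disallow" lines); substituting a genuinely different host, such as 127.0.0.1, would exercise the intended case. Two smaller points: the script type reads text/_javascript_ in this rendering, which must be text/javascript in the committed file for the block to execute at all; and the two commented-out trailing-\0 cases point at wkbug.com/88688, so a follow-up should re-enable them once that bug is fixed so the NUL handling does not regress silently.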

Modified: trunk/Source/WebCore/ChangeLog (119910 => 119911)


--- trunk/Source/WebCore/ChangeLog	2012-06-09 18:26:28 UTC (rev 119910)
+++ trunk/Source/WebCore/ChangeLog	2012-06-09 18:42:41 UTC (rev 119911)
@@ -1,3 +1,21 @@
+2012-06-09  Pablo Flouret  <[email protected]>
+
+        The value in Access-Control-Allow-Origin is not being matched correctly for CORS-enabled requests
+        https://bugs.webkit.org/show_bug.cgi?id=88139
+
+        Reviewed by Adam Barth.
+
+        Compare a request's origin with the value given in any
+        Access-Control-Allow-Origin headers in an exact, case-sensitive manner,
+        instead of using SecurityOrigin::isSameSchemeHostPort(). Per step 3 of
+        the resource sharing check algorithm in
+        http://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#resource-sharing-check
+
+        Test: http/tests/xmlhttprequest/origin-exact-matching.html
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::passesAccessControlCheck):
+
 2012-06-09  Huang Dongsung  <[email protected]>
 
         [Qt][Texmap] All layers with backingStore are opaque when using TextureMapperGL.

Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (119910 => 119911)


--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2012-06-09 18:26:28 UTC (rev 119910)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp	2012-06-09 18:42:41 UTC (rev 119911)
@@ -149,8 +149,7 @@
     }
 
     // FIXME: Access-Control-Allow-Origin can contain a list of origins.
-    RefPtr<SecurityOrigin> accessControlOrigin = SecurityOrigin::createFromString(accessControlOriginString);
-    if (!accessControlOrigin->isSameSchemeHostPort(securityOrigin)) {
+    if (accessControlOriginString != securityOrigin->toString()) {
         if (accessControlOriginString == "*")
             errorDescription = "Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.";
         else
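Review bot: the exact string comparison matches step 3 of the resource sharing check, but two consequences of comparing against securityOrigin->toString() deserve a FIXME next to the existing one about origin lists. First, the test list treats a header value of "null" as something that must be rejected for a normal origin, yet a unique origin (sandboxed frame, data: URL) serializes to "null" as well, so a server that echoes Access-Control-Allow-Origin: null would match every such requester; confirm that this is the intended behaviour and cover it with a test. Second, the tests expect " *  " and "\t..." to pass, so the code relies on the HTTP header parser having already stripped surrounding whitespace before accessControlOriginString reaches this function; a comment stating that assumption would prevent a later caller from passing an untrimmed value into what is now a byte-for-byte comparison.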