Title: [120490] trunk/Source/WebKit/chromium
Revision
120490
Author
[email protected]
Date
2012-06-15 13:48:55 -0700 (Fri, 15 Jun 2012)

Log Message

AssociatedURLLoader should allow trusted clients to read all headers, not just exposed ones.
https://bugs.webkit.org/show_bug.cgi?id=89185

Reviewed by Adam Barth.

This change adds an option to turn off whitelist filtering of response headers for CORS loads,
and modifies AssociatedURLLoader to check for that option before filtering.

* public/WebURLLoaderOptions.h:
(WebKit::WebURLLoaderOptions::WebURLLoaderOptions):
(WebURLLoaderOptions):
* src/AssociatedURLLoader.cpp:
(WebKit::AssociatedURLLoader::ClientAdapter::didReceiveResponse):
* tests/AssociatedURLLoaderTest.cpp:
(WebKit):
(WebKit::TEST_F):

Modified Paths

Diff

Modified: trunk/Source/WebKit/chromium/ChangeLog (120489 => 120490)


--- trunk/Source/WebKit/chromium/ChangeLog	2012-06-15 20:36:22 UTC (rev 120489)
+++ trunk/Source/WebKit/chromium/ChangeLog	2012-06-15 20:48:55 UTC (rev 120490)
@@ -1,3 +1,22 @@
+2012-06-15  Bill Budge  <[email protected]>
+
+        AssociatedURLLoader should allow trusted clients to read all headers, not just exposed ones.
+        https://bugs.webkit.org/show_bug.cgi?id=89185
+
+        Reviewed by Adam Barth.
+
+        This change adds an option to turn off whitelist filtering of response headers for CORS loads,
+        and modifies AssociatedURLLoader check for that before filtering.
+
+        * public/WebURLLoaderOptions.h:
+        (WebKit::WebURLLoaderOptions::WebURLLoaderOptions):
+        (WebURLLoaderOptions):
+        * src/AssociatedURLLoader.cpp:
+        (WebKit::AssociatedURLLoader::ClientAdapter::didReceiveResponse):
+        * tests/AssociatedURLLoaderTest.cpp:
+        (WebKit):
+        (WebKit::TEST_F):
+
 2012-06-15  Sami Kyostila  <[email protected]>
 
         [chromium] Allow scrolling non-root layers in the compositor thread

Modified: trunk/Source/WebKit/chromium/public/WebURLLoaderOptions.h (120489 => 120490)


--- trunk/Source/WebKit/chromium/public/WebURLLoaderOptions.h	2012-06-15 20:36:22 UTC (rev 120489)
+++ trunk/Source/WebKit/chromium/public/WebURLLoaderOptions.h	2012-06-15 20:48:55 UTC (rev 120490)
@@ -46,6 +46,7 @@
         , sniffContent(false)
         , allowCredentials(false)
         , forcePreflight(false)
+        , exposeAllResponseHeaders(false)
         , crossOriginRequestPolicy(CrossOriginRequestPolicyDeny)
         { }
 
@@ -53,6 +54,7 @@
     bool sniffContent; // Whether to sniff content.
     bool allowCredentials; // Whether to send HTTP credentials and cookies with the request.
     bool forcePreflight; // If policy is to use access control, whether to force a preflight for GET, HEAD, and POST requests.
+    bool exposeAllResponseHeaders; // If policy is to use access control, whether to expose non-whitelisted response headers to the client.
     CrossOriginRequestPolicy crossOriginRequestPolicy;
 };
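Review bot: The comment on `exposeAllResponseHeaders` does not record who is allowed to set it or what protection it removes. With the flag on, the loader skips the CORS response-header whitelist, so the client sees headers the server never opted into exposing. The `false` default in the constructor hunk above is the safe choice, and the field comment should say why. I would write it as `// Disables CORS response-header filtering. Only for trusted embedder code; must never be derived from web-content-controlled values.` so the trust assumption from the commit message sits next to the field. The struct begins outside this hunk.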
 

Modified: trunk/Source/WebKit/chromium/src/AssociatedURLLoader.cpp (120489 => 120490)


--- trunk/Source/WebKit/chromium/src/AssociatedURLLoader.cpp	2012-06-15 20:36:22 UTC (rev 120489)
+++ trunk/Source/WebKit/chromium/src/AssociatedURLLoader.cpp	2012-06-15 20:48:55 UTC (rev 120490)
@@ -209,7 +209,9 @@
     // Try to use the original ResourceResponse if possible.
     WebURLResponse validatedResponse = WrappedResourceResponse(response);
     HTTPResponseHeaderValidator validator(m_options.crossOriginRequestPolicy == WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl);
-    validatedResponse.visitHTTPHeaderFields(&validator);
+    if (!m_options.exposeAllResponseHeaders)
+        validatedResponse.visitHTTPHeaderFields(&validator);
+
     // If there are blocked headers, copy the response so we can remove them.
     const HTTPHeaderSet& blockedHeaders = validator.blockedHeaders();
     if (!blockedHeaders.isEmpty()) {
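Review bot: The new `if (!m_options.exposeAllResponseHeaders)` guard skips the validator entirely, whatever `crossOriginRequestPolicy` is, while the option's comment in WebURLLoaderOptions.h scopes it to the access-control policy. One consequence is that headers the validator appears to refuse even when the server exposes them now reach the client; the existing test context expects `Set-Cookie` to stay blocked. That is presumably intended for trusted clients, but it should be stated here. I would add a comment above the guard such as `// Trusted clients opt out of filtering entirely: blockedHeaders stays empty, so no header (including Set-Cookie) is stripped.` If cookie headers should stay blocked regardless, the validator still has to run in some reduced mode. The body of didReceiveResponse starts and ends outside this hunk.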

Modified: trunk/Source/WebKit/chromium/tests/AssociatedURLLoaderTest.cpp (120489 => 120490)


--- trunk/Source/WebKit/chromium/tests/AssociatedURLLoaderTest.cpp	2012-06-15 20:36:22 UTC (rev 120489)
+++ trunk/Source/WebKit/chromium/tests/AssociatedURLLoaderTest.cpp	2012-06-15 20:48:55 UTC (rev 120490)
@@ -585,4 +585,34 @@
     EXPECT_FALSE(CheckAccessControlHeaders("Set-Cookie", true));
 }
 
+// Test that the loader can allow non-whitelisted response headers for trusted CORS loads.
+TEST_F(AssociatedURLLoaderTest, CrossOriginHeaderAllowResponseHeaders)
+{
+    WebURLRequest request;
+    request.initialize();
+    GURL url = ""
+    request.setURL(url);
+
+    WebString headerNameString(WebString::fromUTF8("non-whitelisted"));
+    m_expectedResponse = WebURLResponse();
+    m_expectedResponse.initialize();
+    m_expectedResponse.setMIMEType("text/html");
+    m_expectedResponse.addHTTPHeaderField("Access-Control-Allow-Origin", "*");
+    m_expectedResponse.addHTTPHeaderField(headerNameString, "foo");
+    webkit_support::RegisterMockedURL(url, m_expectedResponse, m_frameFilePath);
+
+    WebURLLoaderOptions options;
+    options.exposeAllResponseHeaders = true; // This turns off response whitelisting.
+    options.crossOriginRequestPolicy = WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl;
+    m_expectedLoader = createAssociatedURLLoader(options);
+    EXPECT_TRUE(m_expectedLoader);
+    m_expectedLoader->loadAsynchronously(request, this);
+    serveRequests();
+    EXPECT_TRUE(m_didReceiveResponse);
+    EXPECT_TRUE(m_didReceiveData);
+    EXPECT_TRUE(m_didFinishLoading);
+
+    EXPECT_FALSE(m_actualResponse.httpHeaderField(headerNameString).isEmpty());
 }
+
+}
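Review bot: CrossOriginHeaderAllowResponseHeaders checks only the flag-on path and only that the header value is non-empty. A regression that stopped filtering altogether would still pass. The earlier CheckAccessControlHeaders cases may cover the default path, but they go through a different helper. A sibling case using the same mocked response with `exposeAllResponseHeaders` left at its default, ending in `EXPECT_TRUE(m_actualResponse.httpHeaderField(headerNameString).isEmpty());`, would pin the security-relevant half of the contract. It would also help to assert what happens to a `Set-Cookie` response header with the flag on, so that behaviour is a recorded decision and not an accident of the bypass.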