WebKit Bugzilla
Attachment 338787 Details for Bug 184870: Use NetworkLoadChecker for all subresource loads except fetch/XHR
[patch]
rebasing
bug-184870-20180425134545.patch (text/plain), 45.50 KB, created by youenn fablet on 2018-04-25 13:45:46 PDT
>Subversion Revision: 230995 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index e7f78e6aae7e9e498d6b853a7eed8cc3ff90e387..ece9e09073555d1198d941c42894b1f30a185ddf 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,17 @@ >+2018-04-25 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for all subresource loads except fetch/XHR >+ https://bugs.webkit.org/show_bug.cgi?id=184870 >+ <rdar://problem/39370034> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ No change of behavior. >+ Update CachedResourceLoader error messages to match NetworkProcess error messages. >+ >+ * loader/cache/CachedResourceLoader.cpp: >+ (WebCore::CachedResourceLoader::printAccessDeniedMessage const): >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > Make DocumentThreadableLoader error logging more consistent >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 74daa947c87cf2496ddcaeeb96ccc7338aafab03..4a8f87fde57e11b3cc312b0f49f85fe9bc3a40b6 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog 
>@@ -1,3 +1,28 @@ >+2018-04-25 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for all subresource loads except fetch/XHR >+ https://bugs.webkit.org/show_bug.cgi?id=184870 >+ <rdar://problem/39370034> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Relax rules to check for non HTTP(s) redirections to throw only when WebProcess says to load it after redirection. >+ This allows WebProcess to load redirected non HTTP(s) URLs, such as data URLs. >+ We keep these checks when WebProcess asks to continue the load and for all PingLoads. >+ >+ Update error messages to be more consistent with WK1. >+ >+ * NetworkProcess/NetworkLoadChecker.cpp: >+ (WebKit::NetworkLoadChecker::checkRedirection): >+ (WebKit::NetworkLoadChecker::continueCheckingRequest): >+ (WebKit::NetworkLoadChecker::validateResourceResponse): >+ (WebKit::NetworkLoadChecker::continueCheckingRequest): >+ * NetworkProcess/NetworkLoadChecker.h: >+ (WebKit::NetworkLoadChecker::validateResponse): >+ * NetworkProcess/NetworkResourceLoader.cpp: >+ (WebKit::shouldUseNetworkLoadChecker): >+ (WebKit::NetworkResourceLoader::continueWillSendRequest): >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > Ensure DNT is set for redirections handled in NetworkProcess >diff --git a/Source/WebCore/loader/cache/CachedResourceLoader.cpp b/Source/WebCore/loader/cache/CachedResourceLoader.cpp >index a8038121925592b3f215e98b7ee0ad91c34db335..ca68167bb958413df1b2abfd12e0b2ff5c86130b 100644 >--- a/Source/WebCore/loader/cache/CachedResourceLoader.cpp >+++ b/Source/WebCore/loader/cache/CachedResourceLoader.cpp 
>@@ -1205,9 +1205,9 @@ void CachedResourceLoader::printAccessDeniedMessage(const URL& url) const > > String message; > if (!m_document || m_document->url().isNull()) >- message = "Unsafe attempt to load URL " + url.stringCenterEllipsizedToLength() + '.'; >+ message = makeString("Unsafe attempt to load URL ", url.stringCenterEllipsizedToLength(), '.'); > else >- message = "Unsafe attempt to load URL " + url.stringCenterEllipsizedToLength() + " from frame with URL " + m_document->url().stringCenterEllipsizedToLength() + ". Domains, protocols and ports must match.\n"; >+ message = makeString("Unsafe attempt to load URL ", url.stringCenterEllipsizedToLength(), " from origin ", m_document->origin(), ". Domains, protocols and ports must match.\n"); > > frame()->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message); > } >diff --git a/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp b/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp >index 50efd7aabd6d6bf755c1ed0f15f8d04d9cec9982..acd9f6eb18183aebb2ad1e2d0e4acb23a33f96d9 100644 >--- a/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 
>@@ -91,27 +91,25 @@ void NetworkLoadChecker::checkRedirection(WebCore::ResourceResponse& redirectRes > { > ASSERT(!isChecking()); > >- auto error = validateResponse(redirectResponse); >- if (!error.isNull()) { >- handler(makeUnexpected(WTFMove(error))); >- return; >- } >- >- m_previousURL = WTFMove(m_url); >- m_url = request.url(); >- > if (m_options.redirect != FetchOptions::Redirect::Follow) { >- handler(returnError(ASCIILiteral("Load parameters do not allow following redirections"))); >+ handler(returnError(ASCIILiteral("Redirections are not allowed"))); > return; > } > >+ // FIXME: We should check that redirections are only HTTP(s) as per fetch spec. >+ // See https://github.com/whatwg/fetch/issues/393 >+ > if (++m_redirectCount > 20) { > handler(returnError(ASCIILiteral("Load cannot follow more than 20 redirections"))); > return; > } > >- if (!m_url.protocolIsInHTTPFamily()) { >- handler(returnError(ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"))); >+ m_previousURL = WTFMove(m_url); >+ m_url = request.url(); >+ >+ auto error = validateResponse(redirectResponse); >+ if (!error.isNull()) { >+ handler(makeUnexpected(WTFMove(error))); > return; > } > >@@ -136,8 +134,11 @@ ResourceError NetworkLoadChecker::validateResponse(ResourceResponse& response) > ASSERT(m_options.mode == FetchOptions::Mode::Cors); > > String errorMessage; >- if (!WebCore::passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, errorMessage)) >+ if (!WebCore::passesAccessControlCheck(response, m_storedCredentialsPolicy, *m_origin, errorMessage)) { >+ if (m_redirectCount) >+ errorMessage = makeString("Cross-origin redirection to ", m_url.string(), " denied by Cross-Origin Resource Sharing policy: ", errorMessage); > return ResourceError { errorDomainWebKitInternal, 0, m_url, WTFMove(errorMessage), ResourceError::Type::AccessControl }; >+ } > > response.setTainting(ResourceResponse::Tainting::Cors); > return { }; 
>@@ -173,8 +174,9 @@ void NetworkLoadChecker::continueCheckingRequest(ResourceRequest&& request, Vali > if (url != request.url()) > request.setURL(url); > } >- if (!contentSecurityPolicy->allowConnectToSource(request.url(), isRedirected() ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No)) { >- handler(returnError(ASCIILiteral("Blocked by Content Security Policy"))); >+ if (m_options.destination == FetchOptions::Destination::EmptyString && !contentSecurityPolicy->allowConnectToSource(request.url(), isRedirected() ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No)) { >+ String error = !isRedirected() ? ASCIILiteral("Blocked by Content Security Policy") : makeString("Blocked ", request.url().string(), " by Content Security Policy"); >+ handler(returnError(WTFMove(error))); > return; > } > } >@@ -188,7 +190,8 @@ void NetworkLoadChecker::continueCheckingRequest(ResourceRequest&& request, Vali > } > > if (m_options.mode == FetchOptions::Mode::SameOrigin) { >- handler(returnError(ASCIILiteral("SameOrigin mode does not allow cross origin requests"))); >+ String message = makeString("Unsafe attempt to load URL ", request.url().stringCenterEllipsizedToLength(), " from origin ", m_origin->toString(), ". Domains, protocols and ports must match.\n"); >+ handler(returnError(WTFMove(message))); > return; > } > >diff --git a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >index 8749af7721ab32fd9ca20fe294af80ad449a5e31..2a5dd40d68fcda75b6c9718e7908c5511a67ec54 100644 >--- a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 
>@@ -98,15 +98,8 @@ static inline bool shouldUseNetworkLoadChecker(bool isSynchronous, const Network > if (!parameters.shouldRestrictHTTPResponseAccess) > return false; > >- // FIXME: Add support for other destinations. >- switch (parameters.options.destination) { >- case FetchOptions::Destination::Audio: >- case FetchOptions::Destination::Video: >- return true; >- default: >- break; >- } >- return false; >+ // FIXME: Add support for Document and EmptyString. >+ return parameters.options.destination != FetchOptions::Destination::Document && parameters.options.destination != FetchOptions::Destination::EmptyString; > } > > NetworkResourceLoader::NetworkResourceLoader(NetworkResourceLoadParameters&& parameters, NetworkConnectionToWebProcess& connection, RefPtr<Messages::NetworkConnectionToWebProcess::PerformSynchronousLoad::DelayedReply>&& synchronousReply) >@@ -626,6 +619,14 @@ ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceRespo > > void NetworkResourceLoader::continueWillSendRequest(ResourceRequest&& newRequest, bool isAllowedToAskUserForCredentials) > { >+ if (m_networkLoadChecker) { >+ // FIXME: We should be doing this check when receiving the redirection. >+ if (!newRequest.url().protocolIsInHTTPFamily() && m_redirectCount) { >+ didFailLoading(ResourceError { String { }, 0, newRequest.url(), ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"), ResourceError::Type::AccessControl }); >+ return; >+ } >+ } >+ > RELEASE_LOG_IF_ALLOWED("continueWillSendRequest: (pageID = %" PRIu64 ", frameID = %" PRIu64 ", resourceID = %" PRIu64 ")", m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier); > > if (m_networkLoadChecker) >diff --git a/Source/WebKit/NetworkProcess/PingLoad.cpp b/Source/WebKit/NetworkProcess/PingLoad.cpp >index 4d0951d3306b06fb23322db061aafed1b582703e..cd86401b2406d134260ae50fc86f700520d849f5 100644 >--- a/Source/WebKit/NetworkProcess/PingLoad.cpp 
>+++ b/Source/WebKit/NetworkProcess/PingLoad.cpp >@@ -102,6 +102,11 @@ void PingLoad::willPerformHTTPRedirection(ResourceResponse&& redirectResponse, R > auto request = WTFMove(result.value()); > m_networkLoadChecker->prepareRedirectedRequest(request); > >+ if (!result.value().url().protocolIsInHTTPFamily()) { >+ this->didFinish(ResourceError { String { }, 0, result.value().url(), ASCIILiteral("Redirection to URL with a scheme that is not HTTP(S)"), ResourceError::Type::AccessControl }); >+ return; >+ } >+ > completionHandler(WTFMove(request)); > }); > } >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 1e191ab8c90f5576a2b5b9d4de7239c04c9b701d..af2be80b5152422c82c158dfa06f1bca2295ca08 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,38 @@ >+2018-04-25 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for all subresource loads except fetch/XHR >+ https://bugs.webkit.org/show_bug.cgi?id=184870 >+ <rdar://problem/39370034> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * TestExpectations: >+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: >+ * http/tests/security/cross-origin-xsl-BLOCKED-expected.txt: >+ * http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt: >+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt: >+ * http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt: >+ * http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt: >+ * http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt: >+ * http/tests/security/worker-cross-origin-expected.txt: >+ * http/tests/security/xss-DENIED-xml-external-entity-expected.txt: >+ * http/tests/security/xss-DENIED-xsl-document-expected.txt: >+ * http/tests/security/xss-DENIED-xsl-external-entity-expected.txt: >+ * http/tests/workers/worker-redirect-expected.txt: >+ * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt: >+ * http/tests/xmlhttprequest/redirect-cross-origin-post-sync-expected.txt: >+ * http/tests/xmlhttprequest/redirect-cross-origin-sync-expected.txt: >+ * http/tests/xmlhttprequest/xmlhttprequest-unsafe-redirect-expected.txt: >+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt: Added. >+ * platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt: Added. >+ * platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt: Added. >+ * platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt: Added. 
>+ * platform/mac-wk2/TestExpectations: >+ * platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt: Added. >+ * platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt: Added. >+ * platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt: Added. >+ * platform/win/http/tests/workers/worker-redirect-expected.txt: Added. >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > Ensure DNT is set for redirections handled in NetworkProcess >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index cbd9dea56cfd5dc3d11c9336da8b84ec742aea3b..1fc37eb803282e7192033482e3cd87f3d65dcd73 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog >@@ -1,3 +1,17 @@ >+2018-04-25 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for all subresource loads except fetch/XHR >+ https://bugs.webkit.org/show_bug.cgi?id=184870 >+ <rdar://problem/39370034> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt: >+ * web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt: >+ * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt: >+ * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt: >+ * web-platform-tests/service-workers/service-worker/fetch-request-redirect.https-expected.txt: >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > Make DocumentThreadableLoader error logging more consistent >diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations >index b562323ad560c81230d2326d903d1cc06f55c79e..e07f2310755d4eb999b8b8368fb81ca0e71936c8 100644 >--- a/LayoutTests/TestExpectations >+++ b/LayoutTests/TestExpectations 
>@@ -207,6 +207,7 @@ webkit.org/b/181897 imported/w3c/web-platform-tests/service-workers/service-work > webkit.org/b/181900 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-canvas-tainting-cache.https.html [ DumpJSConsoleLogInStdErr ] > imported/w3c/web-platform-tests/service-workers/service-worker/fetch-response-taint.https.html [ DumpJSConsoleLogInStdErr ] > imported/w3c/web-platform-tests/service-workers/service-worker/register-closed-window.https.html [ DumpJSConsoleLogInStdErr ] >+imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https.html [ DumpJSConsoleLogInStdErr ] > imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ DumpJSConsoleLogInStdErr Slow ] > [ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/clients-matchall-order.https.html [ Slow ] > [ Debug ] imported/w3c/web-platform-tests/service-workers/service-worker/getregistrations.https.html [ Slow ] >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt >index 14a25c77ac89b5c49b66ae624e7d11002e885a08..bf190b127e9f58109243af38cbd2a6438e37dcae 100644 >--- a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 
>@@ -1,5 +1,6 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > >+CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks. > This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect. > > On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt >index b45a5b23e7034152bb732b4e9ea210207c9012ad..ccf51f712b525d645456778c0e47b5a039570250 100644 >--- a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt >@@ -1,3 +1,3 @@ >-CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/security/contentSecurityPolicy/resources/alert-pass.js denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. > CONSOLE MESSAGE: line 1: TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy. > This tests whether a deferred script load caused by a redirect is properly allowed by a nonce. 
>diff --git a/LayoutTests/http/tests/security/cross-origin-xsl-BLOCKED-expected.txt b/LayoutTests/http/tests/security/cross-origin-xsl-BLOCKED-expected.txt >index 0571c2165cdc115b98415590a8cecaf36e5a74ff..8ae2cce53023889201279b92c9247aca44678bd3 100644 >--- a/LayoutTests/http/tests/security/cross-origin-xsl-BLOCKED-expected.txt >+++ b/LayoutTests/http/tests/security/cross-origin-xsl-BLOCKED-expected.txt >@@ -1,4 +1,4 @@ >-CONSOLE MESSAGE: line 2: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from frame with URL http://127.0.0.1:8000/security/resources/cross-origin-xsl.xml. Domains, protocols and ports must match. >+CONSOLE MESSAGE: line 2: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > > This test loads the XML document in an iframe so that it can call dumpAsText(). This test passes if the iframe below does not contain a message starting with "FAIL". > >diff --git a/LayoutTests/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt b/LayoutTests/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt >index 478e18e31b717c90f1d57ef973dacef6fcb872ec..93739810692271194c19dd288be4dc2d1ce14822 100644 >--- a/LayoutTests/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt >+++ b/LayoutTests/http/tests/security/cross-origin-xsl-redirect-BLOCKED-expected.txt 
>@@ -1,4 +1,4 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from frame with URL http://127.0.0.1:8000/security/resources/cross-origin-xsl-redirect.xml. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/forbidden-stylesheet.xsl from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > > This test loads the XML document in an iframe so that it can call dumpAsText(). This test passes if the iframe below does not contain a message starting with "FAIL". > >diff --git a/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt b/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt >index 164971e3384c5d0b208e5bc017e0aaa287c3acb4..e1ffefd9e3aee6d3068bd865f0ff1d805b5f94b7 100644 >--- a/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt >+++ b/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 
>@@ -1,5 +1,6 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from frame with URL http://127.0.0.1:8000/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > >+CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks. > This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin). > > PASS worker failed to load script URL. >diff --git a/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt b/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt >index 9b16047a7d79f97561afa8f8c83cbada4d123ade..350dfdda8c3250a7599eb41f9d078151034853c0 100644 >--- a/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt >+++ b/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt 
>@@ -1,4 +1,4 @@ >-CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8080/security/resources/image-access-control.php?file=../../resources/square100.png&allow=false denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. > Verify the error message in console in case of CORS failing checks. > > >diff --git a/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt b/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt >index 9b16047a7d79f97561afa8f8c83cbada4d123ade..350dfdda8c3250a7599eb41f9d078151034853c0 100644 >--- a/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt >+++ b/LayoutTests/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt >@@ -1,4 +1,4 @@ >-CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8080/security/resources/image-access-control.php?file=../../resources/square100.png&allow=false denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. > Verify the error message in console in case of CORS failing checks. > > >diff --git a/LayoutTests/http/tests/security/worker-cross-origin-expected.txt b/LayoutTests/http/tests/security/worker-cross-origin-expected.txt >index 3b263b716c116ce84af26d46aae468c4fcbb108f..dc3a9e702c25955beb6bf2cf68d7e618ec5e1e3b 100644 >--- a/LayoutTests/http/tests/security/worker-cross-origin-expected.txt >+++ b/LayoutTests/http/tests/security/worker-cross-origin-expected.txt 
>@@ -1,5 +1,6 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/worker-message-pass.js from frame with URL http://127.0.0.1:8000/security/worker-cross-origin.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/worker-message-pass.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > >+CONSOLE MESSAGE: Cannot load http://localhost:8000/security/resources/worker-message-pass.js due to access control checks. > This tests that Web Worker script redirects are blocked if cross origin. > > On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >diff --git a/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt >index de9517b30f4083afecf60dfe9b35d6f8ce282e56..c9989d2e4d6047429e7ce7dcf3425729c8bf492b 100644 >--- a/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt >+++ b/LayoutTests/http/tests/security/xss-DENIED-xml-external-entity-expected.txt >@@ -1,4 +1,4 @@ >-CONSOLE MESSAGE: line 11: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xml-external-entity.xhtml. Domains, protocols and ports must match. >+CONSOLE MESSAGE: line 11: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > > This test includes a cross-origin external entity. It passes if the load fails and thus there is no text below this line. > >diff --git a/LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt >index 9bc3c87045f21e24a5a3d984a8c82835afe1794f..e64f7c12a7da83d58699f22b8fad1226f8f5d67f 100644 
>--- a/LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt >+++ b/LayoutTests/http/tests/security/xss-DENIED-xsl-document-expected.txt >@@ -1,3 +1,3 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xsl-document.xml. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > > This test includes content via a cross-origin document() command. It passes if the load fails and thus there is no text below this line. >diff --git a/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt >index 6c8aae07180e0a57db9766365bce397efa98a855..c264df1048291231ce0a0d98ad35d42a94c35930 100644 >--- a/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt >+++ b/LayoutTests/http/tests/security/xss-DENIED-xsl-external-entity-expected.txt 
>@@ -1,6 +1,6 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xsl-external-entity.xml. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from frame with URL http://127.0.0.1:8000/security/xss-DENIED-xsl-external-entity.xml. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/resources/target.xml from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > > This test includes a cross-origin external entity. It passes if the load fails and thus there is no text below this line. > >diff --git a/LayoutTests/http/tests/workers/worker-redirect-expected.txt b/LayoutTests/http/tests/workers/worker-redirect-expected.txt >index 6b37f500faf60e0fc9308a58a1b7c090dd6f095a..f400b8ece7cf0e95ff665ab376c806cef7010752 100644 >--- a/LayoutTests/http/tests/workers/worker-redirect-expected.txt >+++ b/LayoutTests/http/tests/workers/worker-redirect-expected.txt 
>@@ -1,5 +1,6 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from frame with URL http://127.0.0.1:8000/workers/worker-redirect.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > >+CONSOLE MESSAGE: Cannot load http://localhost:8000/workers/resources/worker-redirect-target.js due to access control checks. > Test that loading the worker's script does not allow a cross origin redirect (bug 26146) > > SUCCESS: threw exception (SecurityError: The operation is insecure.) when attempting to cross origin while loading the worker script. >diff --git a/LayoutTests/http/wpt/beacon/connect-src-beacon-redirect-blocked.sub-expected.txt b/LayoutTests/http/wpt/beacon/connect-src-beacon-redirect-blocked.sub-expected.txt >index 8bc5ca4106d256d0a68007b996f135a429bcafb1..a2b7a6f7c8618e8314657dfd617872e4f182aa01 100644 >--- a/LayoutTests/http/wpt/beacon/connect-src-beacon-redirect-blocked.sub-expected.txt >+++ b/LayoutTests/http/wpt/beacon/connect-src-beacon-redirect-blocked.sub-expected.txt 
>@@ -1,4 +1,4 @@ >-CONSOLE MESSAGE: Beacon API cannot load http://127.0.0.1:8800/WebKit/beacon/resources/beacon-preflight.py?allowCors=1&cmd=put&id=2539e883-7dfb-4dde-a227-a41c670d5fe1&redirect_status=307&location=http%3A%2F%2F127.0.0.1%3A8800%2FWebKit%2Fbeacon%2Fresources%2Fbeacon-preflight.py%3FallowCors%3D1%26cmd%3Dput%26id%3D2539e883-7dfb-4dde-a227-a41c670d5fe1&count=1. Blocked by Content Security Policy >+CONSOLE MESSAGE: Beacon API cannot load http://127.0.0.1:8800/WebKit/beacon/resources/beacon-preflight.py?allowCors=1&cmd=put&id=2539e883-7dfb-4dde-a227-a41c670d5fe1&redirect_status=307&location=http%3A%2F%2F127.0.0.1%3A8800%2FWebKit%2Fbeacon%2Fresources%2Fbeacon-preflight.py%3FallowCors%3D1%26cmd%3Dput%26id%3D2539e883-7dfb-4dde-a227-a41c670d5fe1&count=1. Blocked http://127.0.0.1:8800/WebKit/beacon/resources/beacon-preflight.py?allowCors=1&cmd=put&id=2539e883-7dfb-4dde-a227-a41c670d5fe1&redirect_status=307&location=http%3A%2F%2F127.0.0.1%3A8800%2FWebKit%2Fbeacon%2Fresources%2Fbeacon-preflight.py%3FallowCors%3D1%26cmd%3Dput%26id%3D2539e883-7dfb-4dde-a227-a41c670d5fe1&count=1 by Content Security Policy > > PASS Redirect is blocked by CSP > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt >index 453b9faf8644230e1be3301f2ab63caa31395cc7..b9b8b766b72c2a4dfbb7389977fe225f90dec0ab 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt 
>@@ -1,8 +1,8 @@ > CONSOLE MESSAGE: line 12: Fetch API cannot load https://localhost:9443/fetch/api/resources/top.txt. > CONSOLE MESSAGE: line 12: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/top.txt. >-CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match. > >-CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match. > > > PASS Fetch ../resources/top.txt with same-origin mode >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt >index ae047aa0ee161fb3c9b32323328259fc08772b7a..a6b3bf4f87df5e21a89f5607b3ba880d494ff8ca 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.worker-expected.txt 
>@@ -1,6 +1,6 @@ >-CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.worker.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match. > >-CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from frame with URL http://localhost:8800/fetch/api/basic/mode-same-origin.any.worker.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match. > > > PASS Fetch ../resources/top.txt with same-origin mode >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt >index 1df2e95ff5d8f79867a02f62499612d6b32be091..96d0eae77c6354e08beb60ab62be18c110224064 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt 
>@@ -2,7 +2,7 @@ CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2Un > CONSOLE MESSAGE: Fetch API cannot load http://localhost:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks. > CONSOLE MESSAGE: Redirection to URL with a scheme that is not HTTP(S). > CONSOLE MESSAGE: Fetch API cannot load data:text/plain;base64,cmVzcG9uc2UncyBib2R5 due to access control checks. >-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from frame with URL http://localhost:8800/fetch/api/redirect/redirect-to-dataurl.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from origin http://localhost:8800. Domains, protocols and ports must match. > > CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. > CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks. >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt >index a21bd78f1c7467492d94c8c78e020bebd1dbd6b5..b16c54d9d509ae9d40cea6610b492e48cff284f1 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt 
>@@ -1,5 +1,5 @@ > CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. >-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from frame with URL http://localhost:8800/fetch/api/redirect/redirect-to-dataurl-worker.html. Domains, protocols and ports must match. >+CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from origin http://localhost:8800. Domains, protocols and ports must match. > > CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-fallback.https-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-fallback.https-expected.txt >index 2d647629c2e40f4245026a0cc252b6879439f55f..f911ac087d622c80495427a589e8cef0f117fe0b 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-fallback.https-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-fallback.https-expected.txt 
>@@ -4,7 +4,7 @@ CONSOLE MESSAGE: Origin https://localhost:9443 is not allowed by Access-Control- > CONSOLE MESSAGE: XMLHttpRequest cannot load https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py? due to access control checks. > CONSOLE MESSAGE: Origin https://localhost:9443 is not allowed by Access-Control-Allow-Origin. > CONSOLE MESSAGE: Cannot load image https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?PNGIMAGE& due to access control checks. >-CONSOLE MESSAGE: Origin https://localhost:9443 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: Cross-origin redirection to https://127.0.0.1:9443/service-workers/service-worker/resources/fetch-access-control.py?PNGIMAGE& denied by Cross-Origin Resource Sharing policy: Origin https://localhost:9443 is not allowed by Access-Control-Allow-Origin. > CONSOLE MESSAGE: Cannot load image https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=https%3A%2F%2F127.0.0.1%3A9443%2Fservice-workers%2Fservice-worker%2Fresources%2Ffetch-access-control.py%3FPNGIMAGE%26 due to access control checks. > > PASS initialize global state >diff --git a/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https-expected.txt >index 915d690e8d633c9a4b89ac0e8e04bd0a9b9b3d1a..fae5ef2c831c2305c17145035976cb0b40877676 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/registration-security-error.https-expected.txt 
>@@ -1,4 +1,3 @@ >-CONSOLE MESSAGE: Cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=%2Fservice-workers%2Fservice-worker%2Fresources%2Fregistration-worker.js due to access control checks. > > PASS Registering same scope as the script directory without the last slash > PASS Registration scope outside the script directory >diff --git a/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b45a5b23e7034152bb732b4e9ea210207c9012ad >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt >@@ -0,0 +1,3 @@ >+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: line 1: TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy. >+This tests whether a deferred script load caused by a redirect is properly allowed by a nonce. >diff --git a/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9b16047a7d79f97561afa8f8c83cbada4d123ade >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt >@@ -0,0 +1,4 @@ >+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+Verify the error message in console in case of CORS failing checks. >+ >+ 
>diff --git a/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9b16047a7d79f97561afa8f8c83cbada4d123ade >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt >@@ -0,0 +1,4 @@ >+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+Verify the error message in console in case of CORS failing checks. >+ >+ >diff --git a/LayoutTests/platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9d876439339dd2c3439b825c5f80cec28735e793 >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/http/tests/workers/worker-redirect-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match. >+ >+Test that loading the worker's script does not allow a cross origin redirect (bug 26146) >+ >+SUCCESS: threw exception (SecurityError: The operation is insecure.) when attempting to cross origin while loading the worker script. >+SUCCESS: threw error when attempting to redirected cross origin while loading the worker script. >+DONE >+ >diff --git a/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b45a5b23e7034152bb732b4e9ea210207c9012ad >--- /dev/null 
>+++ b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/1.1/module-scriptnonce-redirect-expected.txt >@@ -0,0 +1,3 @@ >+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: line 1: TypeError: Cross-origin script load denied by Cross-Origin Resource Sharing policy. >+This tests whether a deferred script load caused by a redirect is properly allowed by a nonce. >diff --git a/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt b/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9b16047a7d79f97561afa8f8c83cbada4d123ade >--- /dev/null >+++ b/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-1-expected.txt >@@ -0,0 +1,4 @@ >+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+Verify the error message in console in case of CORS failing checks. >+ >+ >diff --git a/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt b/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9b16047a7d79f97561afa8f8c83cbada4d123ade >--- /dev/null >+++ b/LayoutTests/platform/win/http/tests/security/shape-image-cors-redirect-error-message-logging-2-expected.txt >@@ -0,0 +1,4 @@ >+CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+Verify the error message in console in case of CORS failing checks. >+ >+ 
>diff --git a/LayoutTests/platform/win/http/tests/workers/worker-redirect-expected.txt b/LayoutTests/platform/win/http/tests/workers/worker-redirect-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..9d876439339dd2c3439b825c5f80cec28735e793 >--- /dev/null >+++ b/LayoutTests/platform/win/http/tests/workers/worker-redirect-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/workers/resources/worker-redirect-target.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match. >+ >+Test that loading the worker's script does not allow a cross origin redirect (bug 26146) >+ >+SUCCESS: threw exception (SecurityError: The operation is insecure.) when attempting to cross origin while loading the worker script. >+SUCCESS: threw error when attempting to redirected cross origin while loading the worker script. >+DONE >+
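Review bot: In the beacon expected-output hunk (the one whose context ends with "PASS Redirect is blocked by CSP"), the new console line carries the full request URL twice, once after "Beacon API cannot load" and again between "Blocked" and "by Content Security Policy". The second copy adds nothing and doubles an already very long line, which makes the CSP verdict harder to spot in logs. Suggest that the caller emit either the "cannot load <URL>" prefix or the checker's "Blocked <URL> by Content Security Policy" text, not both concatenated.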
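Review bot: In the mode-same-origin.any and mode-same-origin.any.worker hunks, the "Unsafe attempt to load URL" message now names only the origin (http://localhost:8800) where it previously named the requesting document URL, so the console no longer identifies which page issued the blocked load. On a site with several same-origin documents that makes a same-origin violation harder to trace. If the document URL can be passed through for logging, keep it alongside the origin; otherwise the ChangeLog should say that this detail is dropped on purpose, since the WebCore entry currently reads "No change of behavior."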
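Review bot: In the redirect-to-dataurl and redirect-to-dataurl-worker hunks, the updated line ends with "Domains, protocols and ports must match." for a target of data:text/plain;base64,..., which has no domain or port to compare. The neighbouring context lines already give the accurate reason ("Redirection to URL with a scheme that is not HTTP(S)." and "URL is either a non-HTTP URL or contains credentials."), so the same-origin wording here reads as a second, conflicting explanation. Suggest suppressing the "Unsafe attempt" message for non-HTTP(S) redirect targets or giving it scheme-specific text.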
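Review bot: In the registration-security-error.https hunk, the "Cannot load .../redirect.py?Redirect=... due to access control checks." line is deleted with no replacement, so the expected output no longer contains any console diagnostic for the redirected registration script. Neither ChangeLog entry visible in this patch mentions removing a message, only updating wording. Please confirm the rejection is still reported somewhere a developer can see it, and record the removal in the ChangeLog if it is intended.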
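Review bot: The new platform/mac-wk1 and platform/win baselines (module-scriptnonce-redirect, shape-image-cors-redirect-error-message-logging-1 and -2, worker-redirect) are byte-identical pairs, as the matching blob ids b45a5b23..., 9b16047a... and 9d876439... show, and they exist only to pin console wording. The WebKit ChangeLog says the messages are updated "to be more consistent with WK1", yet eight platform-specific files are needed because the wording still differs. Suggest aligning the remaining messages so the generic expectations cover both ports, or adding a ChangeLog line that names which message diverges so these baselines can be removed later.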