WebKit Bugzilla
Attachment 338900 Details for Bug 184741: Use NetworkLoadChecker for XHR/fetch loads
Patch: bug-184741-20180426115029.patch (text/plain), 68.49 KB, created by youenn fablet on 2018-04-26 11:50:30 PDT
>Subversion Revision: 230995 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index af96552f1076baa5ceb5e4f647a91ed705b40b03..2066193eec12cfa333572f23b64f4552202005b6 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog 
>@@ -1,3 +1,44 @@ >+2018-04-26 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for XHR/fetch loads >+ https://bugs.webkit.org/show_bug.cgi?id=184741 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Covered by existing tests. >+ >+ * loader/DocumentThreadableLoader.cpp: >+ (WebCore::DocumentThreadableLoader::shouldSetHTTPHeadersToKeep const): >+ We need to set this option for CORS done in NetworkProcess. >+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): >+ Set httpHeadersTokeep when needed (service worker or CORS loads). >+ Remove the synchronous disabling of preflight since this is now also done for asynchronous loads. >+ (WebCore::DocumentThreadableLoader::checkURLSchemeAsCORSEnabled): >+ Helper routine to make the same check for both simple and preflight case. >+ This allows more consistent error logging between WK1 and WK2. >+ (WebCore::DocumentThreadableLoader::makeCrossOriginAccessRequest): >+ Skip preflight in case this is done in NetworkProcess. >+ (WebCore::DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest): >+ (WebCore::isResponseComingFromNetworkProcess): >+ (WebCore::DocumentThreadableLoader::redirectReceived): >+ Bypass security checks when they are already done in NetworkProcess. >+ (WebCore::DocumentThreadableLoader::didFail): >+ In case of AccessControl error, it might be due to a CSP check done in NetworkProcess. >+ Check it again to enable specific CSP console logging and error reporting. >+ (WebCore::DocumentThreadableLoader::loadRequest): >+ Recreating the error in case of synchronous loads to be able to log it adequately. >+ (WebCore::DocumentThreadableLoader::isDoingSecurityChecksInNetworkProcess const): >+ * loader/DocumentThreadableLoader.h: >+ * loader/SubresourceLoader.cpp: >+ (WebCore::SubresourceLoader::checkResponseCrossOriginAccessControl): >+ Specific handling of SameOrigin credential mode for which cross-origin load will not use any credential. 
>+ (WebCore::SubresourceLoader::checkRedirectionCrossOriginAccessControl): >+ We keep the application headers so that DocumentThreadableLoader does not have to restart a brand new load. >+ * loader/cache/CachedResourceLoader.cpp: >+ (WebCore::CachedResourceLoader::requestResource): >+ DocumentThreadableLoader is setting referrer and origin directly. Until we fix that, we remove them from the original requests >+ as applications are not supposed to set these headers. >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > CORS preflight checker should add a console message when preflight load is blocked >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index da9593981708ac2c594833ac8af2f915fd51b198..82fb7401af9335e9824bbb249d773ea4fe27307d 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog 
>@@ -1,3 +1,28 @@ >+2018-04-26 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for XHR/fetch loads >+ https://bugs.webkit.org/show_bug.cgi?id=184741 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * NetworkProcess/NetworkCORSPreflightChecker.cpp: >+ (WebKit::NetworkCORSPreflightChecker::didCompleteWithError): >+ Pass the preflight error as completion error if any. >+ * NetworkProcess/NetworkLoad.cpp: >+ (WebKit::NetworkLoad::willPerformHTTPRedirection): >+ Set response source to Network so that checks relying on that are correct. >+ * NetworkProcess/NetworkLoadChecker.cpp: >+ (WebKit::NetworkLoadChecker::validateResponse): >+ Adding Oppaqueredirect tainting. >+ (WebKit::NetworkLoadChecker::checkCORSRedirectedRequest): >+ Remove Authorization header as done by SubresourceLoader. >+ (WebKit::NetworkLoadChecker::checkCORSRequestWithPreflight): >+ If error is cancellation, we still want to call the completion handler. >+ * NetworkProcess/NetworkResourceLoader.cpp: >+ Activate network load checker for all types of loads. >+ (WebKit::NetworkResourceLoader::willSendRedirectedRequest): >+ Handle manual redirection by directly calling didReceiveResponse. >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > Make cross origin redirection error messages consistent between SubresourceLoader and NetworkLoadChecker >diff --git a/Source/WebCore/loader/DocumentThreadableLoader.cpp b/Source/WebCore/loader/DocumentThreadableLoader.cpp >index a7edc8b80c65fe5c2c407019ed0bd722901af7bb..932114ecae2aa339739c967e417c42c1c782c474 100644 >--- a/Source/WebCore/loader/DocumentThreadableLoader.cpp >+++ b/Source/WebCore/loader/DocumentThreadableLoader.cpp 
>@@ -89,6 +89,24 @@ RefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& docu > return create(document, client, WTFMove(request), options, nullptr, nullptr, WTFMove(referrer), ShouldLogError::Yes); > } > >+static inline bool isDoingSecurityChecksInNetworkProcess() >+{ >+ return platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks(); >+} >+ >+bool DocumentThreadableLoader::shouldSetHTTPHeadersToKeep() const >+{ >+ if (m_options.mode == FetchOptions::Mode::Cors && isDoingSecurityChecksInNetworkProcess()) >+ return true; >+ >+#if ENABLE(SERVICE_WORKER) >+ if (m_options.serviceWorkersMode == ServiceWorkersMode::All && m_async) >+ return m_options.serviceWorkerRegistrationIdentifier || m_document.activeServiceWorker(); >+#endif >+ >+ return false; >+} >+ > DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, ResourceRequest&& request, const ThreadableLoaderOptions& options, RefPtr<SecurityOrigin>&& origin, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy, String&& referrer, ShouldLogError shouldLogError) > : m_client(&client) > , m_document(document) >@@ -107,10 +125,6 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl > // Setting a referrer header is only supported in the async code path. > ASSERT(m_async || m_referrer.isEmpty()); > >- // No need to do preflight if the network stack will do it for us. >- if (!m_async && platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks()) >- m_options.preflightPolicy = PreflightPolicy::Prevent; >- > // Referrer and Origin headers should be set after the preflight if any. > ASSERT(!request.hasHTTPReferrer() && !request.hasHTTPOrigin()); 
> >@@ -121,13 +135,15 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl > ASSERT(!request.httpHeaderFields().contains(HTTPHeaderName::Origin)); > > // Copy headers if we need to replay the request after a redirection. >- if (!m_async || m_options.mode == FetchOptions::Mode::Cors) >+ if (m_options.mode == FetchOptions::Mode::Cors) { > m_originalHeaders = request.httpHeaderFields(); >+ // We need to keep WebProcess from clearing headers until NetworkProcess stops asking WebProcess for every redirection. >+ if (isDoingSecurityChecksInNetworkProcess()) >+ m_options.httpHeadersToKeep = httpHeadersToKeepFromCleaning(request.httpHeaderFields()); >+ } > >-#if ENABLE(SERVICE_WORKER) >- if (m_options.serviceWorkersMode == ServiceWorkersMode::All && m_async && (m_options.serviceWorkerRegistrationIdentifier || document.activeServiceWorker())) >+ if (shouldSetHTTPHeadersToKeep()) > m_options.httpHeadersToKeep = httpHeadersToKeepFromCleaning(request.httpHeaderFields()); >-#endif > > if (document.page() && document.page()->isRunningUserScripts() && SchemeRegistry::isUserExtensionScheme(request.url().protocol().toStringWithoutCopying())) { > m_options.mode = FetchOptions::Mode::NoCors; 
>@@ -154,13 +170,24 @@ DocumentThreadableLoader::DocumentThreadableLoader(Document& document, Threadabl > makeCrossOriginAccessRequest(WTFMove(request)); > } > >+bool DocumentThreadableLoader::checkURLSchemeAsCORSEnabled(const URL& url) >+{ >+ if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(url.protocol().toStringWithoutCopying())) { >+ logErrorAndFail(ResourceError(errorDomainWebKitInternal, 0, url, "Cross origin requests are only supported for HTTP.", ResourceError::Type::AccessControl)); >+ return false; >+ } >+ return true; >+} >+ > void DocumentThreadableLoader::makeCrossOriginAccessRequest(ResourceRequest&& request) > { > ASSERT(m_options.mode == FetchOptions::Mode::Cors); > >- if ((m_options.preflightPolicy == PreflightPolicy::Consider && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreflightPolicy::Prevent) >- makeSimpleCrossOriginAccessRequest(WTFMove(request)); >- else { >+ // Cross-origin requests are only allowed for HTTP and registered schemes. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied. >+ if ((m_options.preflightPolicy == PreflightPolicy::Consider && isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())) || m_options.preflightPolicy == PreflightPolicy::Prevent || isDoingSecurityChecksInNetworkProcess()) { >+ if (checkURLSchemeAsCORSEnabled(request.url())) >+ makeSimpleCrossOriginAccessRequest(WTFMove(request)); >+ } else { > #if ENABLE(SERVICE_WORKER) > if (m_options.serviceWorkersMode == ServiceWorkersMode::All && m_async) { > if (m_options.serviceWorkerRegistrationIdentifier || document().activeServiceWorker()) { 
>@@ -172,6 +199,9 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest(ResourceRequest&& re > } > } > #endif >+ if (!checkURLSchemeAsCORSEnabled(request.url())) >+ return; >+ > m_simpleRequest = false; > if (CrossOriginPreflightResultCache::singleton().canSkipPreflight(securityOrigin().toString(), request.url(), m_options.storedCredentialsPolicy, request.httpMethod(), request.httpHeaderFields())) > preflightSuccess(WTFMove(request)); >@@ -182,14 +212,8 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest(ResourceRequest&& re > > void DocumentThreadableLoader::makeSimpleCrossOriginAccessRequest(ResourceRequest&& request) > { >- ASSERT(m_options.preflightPolicy != PreflightPolicy::Force); >- ASSERT(m_options.preflightPolicy == PreflightPolicy::Prevent || isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields())); >- >- // Cross-origin requests are only allowed for HTTP and registered schemes. We would catch this when checking response headers later, but there is no reason to send a request that's guaranteed to be denied. >- if (!SchemeRegistry::shouldTreatURLSchemeAsCORSEnabled(request.url().protocol().toStringWithoutCopying())) { >- logErrorAndFail(ResourceError(errorDomainWebKitInternal, 0, request.url(), "Cross origin requests are only supported for HTTP.", ResourceError::Type::AccessControl)); >- return; >- } >+ ASSERT(m_options.preflightPolicy != PreflightPolicy::Force || isDoingSecurityChecksInNetworkProcess()); >+ ASSERT(m_options.preflightPolicy == PreflightPolicy::Prevent || isSimpleCrossOriginAccessRequest(request.httpMethod(), request.httpHeaderFields()) || isDoingSecurityChecksInNetworkProcess()); > > updateRequestForAccessControl(request, securityOrigin(), m_options.storedCredentialsPolicy); > loadRequest(WTFMove(request), DoSecurityCheck); 
>@@ -247,6 +271,12 @@ void DocumentThreadableLoader::clearResource() > m_preflightChecker = std::nullopt; > } > >+static inline bool isResponseComingFromNetworkProcess(const ResourceResponse& response) >+{ >+ auto source = response.source(); >+ return source == ResourceResponse::Source::Network || source == ResourceResponse::Source::DiskCache || source == ResourceResponse::Source::DiskCacheAfterValidation; >+} >+ > void DocumentThreadableLoader::redirectReceived(CachedResource& resource, ResourceRequest&& request, const ResourceResponse& redirectResponse, CompletionHandler<void(ResourceRequest&&)>&& completionHandler) > { > ASSERT(m_client); >@@ -264,6 +294,11 @@ void DocumentThreadableLoader::redirectReceived(CachedResource& resource, Resour > return completionHandler(WTFMove(request)); > } > >+ if (isDoingSecurityChecksInNetworkProcess() && isResponseComingFromNetworkProcess(redirectResponse)) { >+ completionHandler(WTFMove(request)); >+ return; >+ } >+ > if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes)) { > reportContentSecurityPolicyError(redirectResponse.url()); > clearResource(); 
>@@ -436,6 +471,15 @@ void DocumentThreadableLoader::didFail(unsigned long, const ResourceError& error > return; > } > #endif >+ >+ // NetworkProcess might return a CSP violation as an AccessControl error. Let's check this to report it if needed. >+ // FIXME: We should introduce an error dedicated to CSP violation. >+ if (isDoingSecurityChecksInNetworkProcess() && error.isAccessControl() && !isAllowedByContentSecurityPolicy(error.failingURL(), m_options.maxRedirectCount < 20 ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No)) { >+ reportContentSecurityPolicyError(m_resource->resourceRequest().url()); >+ return; >+ } >+ >+ > if (m_shouldLogError == ShouldLogError::Yes) > logError(m_document, error, m_options.initiator); > >@@ -536,11 +580,13 @@ void DocumentThreadableLoader::loadRequest(ResourceRequest&& request, SecurityCh > didFinishLoading(identifier); > return; > } >+ if (error.isAccessControl()) >+ error = ResourceError { errorDomainWebKitInternal, error.errorCode(), error.failingURL(), error.localizedDescription(), ResourceError::Type::AccessControl }; > logErrorAndFail(error); > return; > } > >- if (!platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks()) { >+ if (!isDoingSecurityChecksInNetworkProcess()) { > // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the > // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was > // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials. >diff --git a/Source/WebCore/loader/DocumentThreadableLoader.h b/Source/WebCore/loader/DocumentThreadableLoader.h >index c2bbc4d3369734ebd075d23e5af25ee63d1bb30e..38382edf4cdd31ea21f546bd7da6481acb17eb19 100644 >--- a/Source/WebCore/loader/DocumentThreadableLoader.h 
>+++ b/Source/WebCore/loader/DocumentThreadableLoader.h >@@ -118,6 +118,9 @@ namespace WebCore { > void reportIntegrityMetadataError(const URL&); > void logErrorAndFail(const ResourceError&); > >+ bool shouldSetHTTPHeadersToKeep() const; >+ bool checkURLSchemeAsCORSEnabled(const URL&); >+ > CachedResourceHandle<CachedRawResource> m_resource; > ThreadableLoaderClient* m_client; > Document& m_document; >diff --git a/Source/WebCore/loader/SubresourceLoader.cpp b/Source/WebCore/loader/SubresourceLoader.cpp >index 08d766d6d42e7c2b4ebe1f2c7113787a4680ca3f..f547035f3e3f273227408ed3ec4604417f5e3319 100644 >--- a/Source/WebCore/loader/SubresourceLoader.cpp >+++ b/Source/WebCore/loader/SubresourceLoader.cpp >@@ -530,7 +530,8 @@ bool SubresourceLoader::checkResponseCrossOriginAccessControl(const ResourceResp > #endif > > ASSERT(m_origin); >- return passesAccessControlCheck(response, options().storedCredentialsPolicy, *m_origin, errorDescription); >+ >+ return passesAccessControlCheck(response, options().credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse, *m_origin, errorDescription); > } > > bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceRequest& previousRequest, const ResourceResponse& redirectResponse, ResourceRequest& newRequest, String& errorMessage) >@@ -571,7 +572,7 @@ bool SubresourceLoader::checkRedirectionCrossOriginAccessControl(const ResourceR > updateReferrerPolicy(redirectResponse.httpHeaderField(HTTPHeaderName::ReferrerPolicy)); > > if (redirectingToNewOrigin) { >- cleanHTTPRequestHeadersForAccessControl(newRequest); >+ cleanHTTPRequestHeadersForAccessControl(newRequest, options().httpHeadersToKeep); > updateRequestForAccessControl(newRequest, *m_origin, options().storedCredentialsPolicy); > } 
> >diff --git a/Source/WebCore/loader/cache/CachedResourceLoader.cpp b/Source/WebCore/loader/cache/CachedResourceLoader.cpp >index ca68167bb958413df1b2abfd12e0b2ff5c86130b..85daf03ad6470a67e82c4909678dc1c22c077011 100644 >--- a/Source/WebCore/loader/cache/CachedResourceLoader.cpp >+++ b/Source/WebCore/loader/cache/CachedResourceLoader.cpp >@@ -776,8 +776,11 @@ ResourceErrorOr<CachedResourceHandle<CachedResource>> CachedResourceLoader::requ > > // Entry point to https://fetch.spec.whatwg.org/#main-fetch. > std::unique_ptr<ResourceRequest> originalRequest; >- if (CachedResource::shouldUsePingLoad(type)) >+ if (CachedResource::shouldUsePingLoad(type) || request.options().destination == FetchOptions::Destination::EmptyString) { > originalRequest = std::make_unique<ResourceRequest>(request.resourceRequest()); >+ originalRequest->clearHTTPReferrer(); >+ originalRequest->clearHTTPOrigin(); >+ } > > if (Document* document = this->document()) > request.upgradeInsecureRequestIfNeeded(*document); >diff --git a/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp b/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp >index de833d64ef142bfce25c5276af4ea42354d8dede..c68825b81b467f0c1ab6d29bb8dcdda7e90bdca9 100644 >--- a/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp 
>@@ -97,11 +97,15 @@ void NetworkCORSPreflightChecker::didReceiveData(Ref<WebCore::SharedBuffer>&&) > RELEASE_LOG_IF_ALLOWED("didReceiveData"); > } > >-void NetworkCORSPreflightChecker::didCompleteWithError(const WebCore::ResourceError& error, const WebCore::NetworkLoadMetrics&) >+void NetworkCORSPreflightChecker::didCompleteWithError(const WebCore::ResourceError& preflightError, const WebCore::NetworkLoadMetrics&) > { >- if (!error.isNull()) { >+ if (!preflightError.isNull()) { > RELEASE_LOG_IF_ALLOWED("didCompleteWithError"); >- m_completionCallback(ResourceError { errorDomainWebKitInternal, 0, m_parameters.originalRequest.url(), ASCIILiteral("Preflight response is not successful"), ResourceError::Type::AccessControl }); >+ auto error = preflightError; >+ if (error.isNull() || error.isGeneral()) >+ error.setType(ResourceError::Type::AccessControl); >+ >+ m_completionCallback(ResourceError { error }); > return; > } > >diff --git a/Source/WebKit/NetworkProcess/NetworkLoad.cpp b/Source/WebKit/NetworkProcess/NetworkLoad.cpp >index b74d7da4738f780881e029fefa7d4e1ed2c41c49..3e51354955de4b00633e49580aaacfc305ecd103 100644 >--- a/Source/WebKit/NetworkProcess/NetworkLoad.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkLoad.cpp >@@ -239,6 +239,7 @@ void NetworkLoad::willPerformHTTPRedirection(ResourceResponse&& redirectResponse > ASSERT(RunLoop::isMain()); > ASSERT(!m_redirectCompletionHandler); > >+ redirectResponse.setSource(ResourceResponse::Source::Network); > m_redirectCompletionHandler = WTFMove(completionHandler); > > #if ENABLE(NETWORK_CAPTURE) >diff --git a/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp b/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp >index 46f9aab83f8291f6fcfa7ac7a61f39d8e6a952c3..b5f27402fd39ef01ddf693a62b7bb91e944b92da 100644 >--- a/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 
>@@ -122,6 +122,11 @@ ResourceError NetworkLoadChecker::validateResponse(ResourceResponse& response) > if (m_redirectCount) > response.setRedirected(true); > >+ if (response.type() == ResourceResponse::Type::Opaqueredirect) { >+ response.setTainting(ResourceResponse::Tainting::Opaqueredirect); >+ return { }; >+ } >+ > if (m_isSameOriginRequest) { > response.setTainting(ResourceResponse::Tainting::Basic); > return { }; >@@ -237,13 +242,13 @@ void NetworkLoadChecker::checkCORSRedirectedRequest(ResourceRequest&& request, V > // https://fetch.spec.whatwg.org/#concept-http-redirect-fetch (Step 10). > if (!m_origin || !m_origin->isUnique()) > m_origin = SecurityOrigin::createUnique(); >- >- // FIXME: Add support for SameOrigin credentials. > } > > // FIXME: We should set the request referrer according the referrer policy. > > // Let's fetch the request with the original headers (equivalent to request cloning specified by fetch algorithm). >+ if (!request.httpHeaderFields().contains(HTTPHeaderName::Authorization)) >+ m_firstRequestHeaders.remove(HTTPHeaderName::Authorization); > request.setHTTPHeaderFields(m_firstRequestHeaders); > > checkCORSRequest(WTFMove(request), WTFMove(handler)); 
>@@ -272,11 +277,8 @@ void NetworkLoadChecker::checkCORSRequestWithPreflight(ResourceRequest&& request > m_sessionID, > m_storedCredentialsPolicy > }; >- m_corsPreflightChecker = std::make_unique<NetworkCORSPreflightChecker>(WTFMove(parameters), [this, request = WTFMove(request), handler = WTFMove(handler)](auto&& error) mutable { >- if (error.isCancellation()) >- return; >- >- RELEASE_LOG_IF_ALLOWED("checkCORSRequestWithPreflight - makeCrossOriginAccessRequestWithPreflight preflight complete, success: %d forRedirect? %d", error.isNull(), isRedirected()); >+ m_corsPreflightChecker = std::make_unique<NetworkCORSPreflightChecker>(WTFMove(parameters), [this, request = WTFMove(request), handler = WTFMove(handler), isRedirected = isRedirected()](auto&& error) mutable { >+ RELEASE_LOG_IF_ALLOWED("checkCORSRequestWithPreflight - makeCrossOriginAccessRequestWithPreflight preflight complete, success: %d forRedirect? %d", error.isNull(), isRedirected); > > if (!error.isNull()) { > handler(makeUnexpected(WTFMove(error))); >diff --git a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >index 2a5dd40d68fcda75b6c9718e7908c5511a67ec54..5289943004c7e2d988b412c4aa1f4cd60f9ea501 100644 >--- a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp 
>@@ -90,18 +90,6 @@ static void sendReplyToSynchronousRequest(NetworkResourceLoader::SynchronousLoad > data.delayedReply = nullptr; > } > >-static inline bool shouldUseNetworkLoadChecker(bool isSynchronous, const NetworkResourceLoadParameters& parameters) >-{ >- if (isSynchronous) >- return true; >- >- if (!parameters.shouldRestrictHTTPResponseAccess) >- return false; >- >- // FIXME: Add support for Document and EmptyString. >- return parameters.options.destination != FetchOptions::Destination::Document && parameters.options.destination != FetchOptions::Destination::EmptyString; >-} >- > NetworkResourceLoader::NetworkResourceLoader(NetworkResourceLoadParameters&& parameters, NetworkConnectionToWebProcess& connection, RefPtr<Messages::NetworkConnectionToWebProcess::PerformSynchronousLoad::DelayedReply>&& synchronousReply) > : m_parameters { WTFMove(parameters) } > , m_connection { connection } >@@ -122,7 +110,7 @@ NetworkResourceLoader::NetworkResourceLoader(NetworkResourceLoadParameters&& par > } > } > >- if (shouldUseNetworkLoadChecker(!!synchronousReply, m_parameters)) { >+ if (synchronousReply || parameters.shouldRestrictHTTPResponseAccess) { > m_networkLoadChecker = NetworkLoadChecker::create(FetchOptions { m_parameters.options }, m_parameters.sessionID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.preflightPolicy); > if (m_parameters.cspResponseHeaders) > m_networkLoadChecker->setCSPResponseHeaders(ContentSecurityPolicyResponseHeaders { m_parameters.cspResponseHeaders.value() }); 
>@@ -559,6 +547,14 @@ void NetworkResourceLoader::willSendRedirectedRequest(ResourceRequest&& request, > if (!result.has_value()) { > if (result.error().isCancellation()) > return; >+ >+ if (m_parameters.options.redirect == FetchOptions::Redirect::Manual) { >+ redirectResponse.setType(ResourceResponse::Type::Opaqueredirect); >+ this->didReceiveResponse(WTFMove(redirectResponse)); >+ this->didFinishLoading({ }); >+ return; >+ } >+ > this->didFailLoading(result.error()); > return; > } >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 5517df52d02dc29a2679746a8526d0f8e9a925c2..84474f93ba45aca9ecad434fbec146691593b3a8 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog 
>@@ -1,3 +1,31 @@ >+2018-04-26 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for XHR/fetch loads >+ https://bugs.webkit.org/show_bug.cgi?id=184741 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * TestExpectations: >+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: >+ * http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt: >+ * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt: >+ * http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: >+ * http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt: >+ * http/tests/xmlhttprequest/access-control-and-redirects-expected.txt: >+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt: Added. >+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: Added. >+ * platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt: Added. >+ * platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt: Added. >+ * platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt: Added. >+ * platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt: Added. >+ * platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt: Added. >+ * platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt: Added. >+ * platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: Added. >+ * platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt: Added. 
>+ * platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt: Added. >+ * platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt: Added. >+ * platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt: Added. >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > Make cross origin redirection error messages consistent between SubresourceLoader and NetworkLoadChecker >diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog >index 0e96cbaf7374cc7d130c67f03d9b193b52d4de96..5a82ec28507910521d37c60dd85760b65923eb23 100644 >--- a/LayoutTests/imported/w3c/ChangeLog >+++ b/LayoutTests/imported/w3c/ChangeLog >@@ -1,3 +1,19 @@ >+2018-04-26 Youenn Fablet <youenn@apple.com> >+ >+ Use NetworkLoadChecker for XHR/fetch loads >+ https://bugs.webkit.org/show_bug.cgi?id=184741 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt: >+ * web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt: >+ * web-platform-tests/cors/late-upload-events-expected.txt: >+ * web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt: >+ * web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt: >+ * web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt: >+ * web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt: >+ * web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt: >+ > 2018-04-25 Youenn Fablet <youenn@apple.com> > > Mak cross origin redirection error messages consistent between SubresourceLoader and NetworkLoadChecker >diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations >index 4a2289def4b4c39616cd075c5b2aa0def2d2e06b..6db340bbd0bda94479a6dd8471ae53f613de02d7 100644 >--- a/LayoutTests/TestExpectations >+++ b/LayoutTests/TestExpectations 
>@@ -202,6 +202,12 @@ imported/w3c/web-platform-tests/html/browsers/history/the-location-interface/loc > http/tests/security/frame-loading-via-document-write.html [ DumpJSConsoleLogInStdErr ] > http/tests/security/frame-loading-via-document-write-async-delegates.html [ DumpJSConsoleLogInStdErr ] > >+imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any.html [ DumpJSConsoleLogInStdErr ] >+imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.html [ DumpJSConsoleLogInStdErr ] >+imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker.html [ DumpJSConsoleLogInStdErr ] >+imported/w3c/web-platform-tests/fetch/api/redirect/redirect-mode-worker.html [ DumpJSConsoleLogInStdErr ] >+imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl.html [ DumpJSConsoleLogInStdErr ] >+ > webkit.org/b/181901 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-cors-xhr.https.html [ DumpJSConsoleLogInStdErr ] > webkit.org/b/181897 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-canvas-tainting.https.html [ DumpJSConsoleLogInStdErr ] > webkit.org/b/181900 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-canvas-tainting-cache.https.html [ DumpJSConsoleLogInStdErr ] >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt >index bf190b127e9f58109243af38cbd2a6438e37dcae..9aba0fcc8133d390cb1e15366a524ed96d0c6fe4 100644 >--- a/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 
>@@ -1,6 +1,8 @@ > CONSOLE MESSAGE: Unsafe attempt to load URL http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js from origin http://127.0.0.1:8000. Domains, protocols and ports must match. > >-CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks. >+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy. >+CONSOLE MESSAGE: Cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks. > This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect. > > On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt >index 49f26713c4f2ac598f0a03f7cbfa4c1e354cdea4..4e4961e0c0d8224803dd024449edecf23c8dcbb7 100644 >--- a/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 
>@@ -1,3 +1,4 @@ >+CONSOLE MESSAGE: Blocked http://localhost:8000/eventsource/resources/simple-event-stream.asis by Content Security Policy > CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy. > CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy. > CONSOLE MESSAGE: EventSource cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/eventsource/resources/simple-event-stream.asis due to access control checks. >diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt >index 8ecc3cb8e5017d19079675a24257dd76644cacd0..87e8d0342a792ae53795e84e44579cf1185599d7 100644 >--- a/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt >@@ -1,3 +1,4 @@ >+CONSOLE MESSAGE: Blocked http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl by Content Security Policy > CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy. > CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy. > CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl due to access control checks. 
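Review bot: In connect-src-eventsource-redirect-to-blocked-expected.txt and connect-src-xmlhttprequest-redirect-to-blocked-expected.txt, the new first line "CONSOLE MESSAGE: Blocked <url> by Content Security Policy" reports the same violation as the "Refused to connect to <url> because it does not appear in the connect-src directive" line that follows it. One blocked redirect therefore logs two CSP messages, the first without the directive name. The ChangeLog says didFail re-checks CSP to get the specific logging, so consider not sending the generic NetworkProcess error to the console when that re-check reports the violation. That would keep the WK2 output identical to the pre-patch baseline that this patch copies for mac-wk1 and win.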
>diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt >index f8e8d594de70b8aa0d9e45108a40974543e63721..0423a3ea76ecd3f0b81a9d4e12c897d6c99de6ff 100644 >--- a/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt >+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt >@@ -1,3 +1,4 @@ >+CONSOLE MESSAGE: Blocked http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi by Content Security Policy > This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker. > > PASS threw exception NetworkError: A network error occurred.. >diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt >index b7fe7446c7e2e630af5e4fcb80a0443460f2e806..593f6c62c082a17aa229bcd69b9d0b47bae1fec1 100644 >--- a/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt >+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 
>@@ -1,5 +1,5 @@ > CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks. > CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. > CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://127.0.0.1:8000 due to access control checks. > CONSOLE MESSAGE: Preflight response is not successful >diff --git a/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt b/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt >index 97418aa44bf85a45c712e64d1263ef9046b1cf31..ceca46892ca3db6c7af3ffb15af0e6fc621df765 100644 >--- a/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt >+++ b/LayoutTests/http/tests/xmlhttprequest/access-control-and-redirects-expected.txt 
>@@ -1,11 +1,11 @@ > CONSOLE MESSAGE: line 25: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. > CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. > CONSOLE MESSAGE: Cross-origin redirection to http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. > CONSOLE MESSAGE: line 25: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. > CONSOLE MESSAGE: line 25: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. > CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/resources/redirect.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. 
>+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi due to access control checks. > Tests that redirects between origins are never allowed, even when access control is involved. > > Per the spec, these test cases should be allowed, but cross-origin redirects are currently unsupported in WebCore. >diff --git a/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt >index 503780260b5e301f2eb9a8077969e9fc6219b46f..50328c60d08c8c46207f4b4b610515e74f4cd9da 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt >@@ -1,5 +1,5 @@ >-CONSOLE MESSAGE: CORS-preflight request was blocked >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks. >+Blocked access to external URL http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py >+CONSOLE MESSAGE: line 31: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks. > > PASS XMLHttpRequest: send() - "Basic" authenticated CORS requests with user name and password passed to open() (asserts failure) > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt >index b20bc2c0caf7796d748f6222702b0f8f2002edf2..2f459f587478eae2dd51c9dde619374d795b9057 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt >@@ -1,5 +1,5 @@ >-CONSOLE MESSAGE: CORS-preflight request was blocked >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks. >+Blocked access to external URL http://nonexistent-origin.localhost:8800/ >+CONSOLE MESSAGE: line 43: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks. > > PASS XMLHttpRequest: The send() method: Fire a progress event named error when Network error happens (synchronous flag is unset) > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt >index 5d86ccf4c2b74c2dcf17fc7a78bdd00213a08375..53a459396bced652d4f84a359026bd3dc532ac4d 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt >@@ -1,7 +1,7 @@ > Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header > CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks. >-CONSOLE MESSAGE: CORS-preflight request was blocked >-CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks. >+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header >+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks. > Adding upload event listeners after send() 
> > >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt >index b9b8b766b72c2a4dfbb7389977fe225f90dec0ab..dee6efae508a512f737becda361158564d1e4593 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/mode-same-origin.any-expected.txt >@@ -1,9 +1,3 @@ >-CONSOLE MESSAGE: line 12: Fetch API cannot load https://localhost:9443/fetch/api/resources/top.txt. >-CONSOLE MESSAGE: line 12: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/top.txt. >-CONSOLE MESSAGE: Unsafe attempt to load URL https://localhost:9443/fetch/api/resources/top.txt?location=https%3A%2F%2Flocalhost%3A9443%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match. >- >-CONSOLE MESSAGE: Unsafe attempt to load URL http://127.0.0.1:8800/fetch/api/resources/top.txt?location=http%3A%2F%2F127.0.0.1%3A8800%2Ffetch%2Fapi%2Fresources%2Ftop.txt&count=1 from origin http://localhost:8800. Domains, protocols and ports must match. >- > > PASS Fetch ../resources/top.txt with same-origin mode > PASS Fetch http://localhost:8800/fetch/api/resources/top.txt with same-origin mode >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt >index 0b36df4e386622d3f3f810a7973d013f073396f5..9944d1bd5afb4cfab04eb7e9c20bf4af31b1f24c 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any-expected.txt 
>@@ -1,18 +1,6 @@ >-CONSOLE MESSAGE: line 10: Cross origin requests are only supported for HTTP. >-CONSOLE MESSAGE: line 10: Fetch API cannot load about:blank due to access control checks. >-CONSOLE MESSAGE: Preflight response is not successful >-CONSOLE MESSAGE: Fetch API cannot load about:blank due to access control checks. >-CONSOLE MESSAGE: line 10: Cross origin requests are only supported for HTTP. >-CONSOLE MESSAGE: line 10: Fetch API cannot load about:blank due to access control checks. >-CONSOLE MESSAGE: line 27: Cross origin requests are only supported for HTTP. >-CONSOLE MESSAGE: line 27: Fetch API cannot load about:invalid.com due to access control checks. >-CONSOLE MESSAGE: line 27: Cross origin requests are only supported for HTTP. >-CONSOLE MESSAGE: line 27: Fetch API cannot load about:config due to access control checks. >-CONSOLE MESSAGE: line 27: Cross origin requests are only supported for HTTP. >-CONSOLE MESSAGE: line 27: Fetch API cannot load about:unicorn due to access control checks. > > FAIL Fetching about:blank (GET) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP." >-FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Preflight response is not successful" >+FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP." > FAIL Fetching about:blank (POST) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP." > PASS Fetching about:invalid.com is KO > PASS Fetching about:config is KO 
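Review bot: The 12 CONSOLE MESSAGE lines removed at the top of scheme-about.any-expected.txt disappear only because the test is added to the DumpJSConsoleLogInStdErr list in the TestExpectations hunk, so this baseline no longer checks what is logged for about: fetches. The service-worker entries just below the new ones in TestExpectations each carry a webkit.org/b/ link, while the five new entries have no bug reference or comment. Please add one that says why the console output of these tests is not stable enough to keep in the expected files.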
>diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt >index 45cb15051e5f747be0eb0fa961865238acbbef43..9944d1bd5afb4cfab04eb7e9c20bf4af31b1f24c 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/scheme-about.any.worker-expected.txt >@@ -1,7 +1,6 @@ >-CONSOLE MESSAGE: Preflight response is not successful > > FAIL Fetching about:blank (GET) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP." >-FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Preflight response is not successful" >+FAIL Fetching about:blank (PUT) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP." > FAIL Fetching about:blank (POST) is OK promise_test: Unhandled rejection with value: object "TypeError: Cross origin requests are only supported for HTTP." > PASS Fetching about:invalid.com is KO > PASS Fetching about:config is KO >diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt >index 96d0eae77c6354e08beb60ab62be18c110224064..f6edb426f06f76757124ec94aab8ef5124fc847f 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt >+++ b/LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt 
>@@ -1,13 +1,3 @@ >-CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. >-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks. >-CONSOLE MESSAGE: Redirection to URL with a scheme that is not HTTP(S). >-CONSOLE MESSAGE: Fetch API cannot load data:text/plain;base64,cmVzcG9uc2UncyBib2R5 due to access control checks. >-CONSOLE MESSAGE: Unsafe attempt to load URL data:text/plain;base64,cmVzcG9uc2UncyBib2R5 from origin http://localhost:8800. Domains, protocols and ports must match. >- >-CONSOLE MESSAGE: Cross-origin redirection to data:text/plain;base64,cmVzcG9uc2UncyBib2R5 denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. >-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8800/fetch/api/resources/redirect.py?cors&location=data%3Atext%2Fplain%3Bbase64%2CcmVzcG9uc2UncyBib2R5 due to access control checks. >-CONSOLE MESSAGE: Redirection to URL with a scheme that is not HTTP(S). >-CONSOLE MESSAGE: Fetch API cannot load data:text/plain;base64,cmVzcG9uc2UncyBib2R5 due to access control checks. > > PASS Testing data URL loading after same-origin redirection (cors mode) > PASS Testing data URL loading after same-origin redirection (no-cors mode) >diff --git a/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt >index 11bd135a8bba9e3c72079531632dc0ae23eb761c..a44bdd42bd30c64e9e0045eb98cd24b1b4a0898f 100644 >--- a/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt 
>+++ b/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/redirected-response.https-expected.txt >@@ -1,3 +1,4 @@ >+CONSOLE MESSAGE: Redirections are not allowed > CONSOLE MESSAGE: Fetch API cannot load https://localhost:9443/service-workers/service-worker/resources/redirect.py?Redirect=https%3A%2F%2Flocalhost%3A9443%2Fservice-workers%2Fservice-worker%2Fresources%2Fsimple.txt%3F&error due to access control checks. > CONSOLE MESSAGE: Response served by service worker has redirections > CONSOLE MESSAGE: Fetch API cannot load https://localhost:9443/service-workers/service-worker/resources/simple.txt? due to access control checks. >diff --git a/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..49f26713c4f2ac598f0a03f7cbfa4c1e354cdea4 >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy. >+CONSOLE MESSAGE: EventSource cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/eventsource/resources/simple-event-stream.asis due to access control checks. >+PASS EventSource() did not follow the disallowed redirect. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ 
>diff --git a/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f8e8d594de70b8aa0d9e45108a40974543e63721 >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt >@@ -0,0 +1,3 @@ >+This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker. >+ >+PASS threw exception NetworkError: A network error occurred.. >diff --git a/LayoutTests/platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt b/LayoutTests/platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b7fe7446c7e2e630af5e4fcb80a0443460f2e806 >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 
>@@ -0,0 +1,34 @@ >+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks. >+CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://127.0.0.1:8000 due to access control checks. >+CONSOLE MESSAGE: Preflight response is not successful >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=* due to access control checks. >+CONSOLE MESSAGE: Request header field x-webkit is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks. >+Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard. 
>+ >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials >+Expecting success: false >+PASS: 0 >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials >+Expecting success: true >+PASS: PASS: Cross-domain access allowed. >+ >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials >+Expecting success: true >+PASS: PASS: Cross-domain access allowed. >+ >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials >+Expecting success: false >+PASS: 0 >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=* without credentials >+Expecting success: false >+PASS: 0 >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=*& access-control-allow-headers=x-webkit without credentials >+Expecting success: false >+PASS: 0 >+Testing resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt without credentials >+Expecting success: true >+PASS: PASS >+ 
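Review bot: Line 2 of this mac-wk1 baseline keeps "XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=..." while the generic access-control-and-redirects-async-expected.txt is changed to name the redirect target access-control-basic-allow-star.cgi, so WK1 and WK2 now report different URLs for the same denied redirect. The generic file is also inconsistent with itself, since its foo://bar.cgi case still names the redirect-cors.php URL. The ChangeLog aims for more consistent error logging between WK1 and WK2; consider reporting the originally requested URL in both cases, which would also make this 34-line platform copy unnecessary because that one line is the only difference.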
>diff --git a/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt b/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..5d86ccf4c2b74c2dcf17fc7a78bdd00213a08375 >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt >@@ -0,0 +1,10 @@ >+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header >+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks. >+CONSOLE MESSAGE: CORS-preflight request was blocked >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks. >+Adding upload event listeners after send() >+ >+ >+FAIL Late listeners: No preflight assert_equals: expected 200 but got 0 >+FAIL Late listeners: Preflight assert_equals: expected 200 but got 0 >+ >diff --git a/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt b/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..503780260b5e301f2eb9a8077969e9fc6219b46f >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt 
>@@ -0,0 +1,5 @@ >+CONSOLE MESSAGE: CORS-preflight request was blocked >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks. >+ >+PASS XMLHttpRequest: send() - "Basic" authenticated CORS requests with user name and password passed to open() (asserts failure) >+ >diff --git a/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt b/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b20bc2c0caf7796d748f6222702b0f8f2002edf2 >--- /dev/null >+++ b/LayoutTests/platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt >@@ -0,0 +1,5 @@ >+CONSOLE MESSAGE: CORS-preflight request was blocked >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks. >+ >+PASS XMLHttpRequest: The send() method: Fire a progress event named error when Network error happens (synchronous flag is unset) >+ >diff --git a/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..49f26713c4f2ac598f0a03f7cbfa4c1e354cdea4 >--- /dev/null >+++ b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked-expected.txt 
>@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/eventsource/resources/simple-event-stream.asis because it does not appear in the connect-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy. >+CONSOLE MESSAGE: EventSource cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/eventsource/resources/simple-event-stream.asis due to access control checks. >+PASS EventSource() did not follow the disallowed redirect. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ >diff --git a/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..8ecc3cb8e5017d19079675a24257dd76644cacd0 >--- /dev/null >+++ b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked-expected.txt >@@ -0,0 +1,8 @@ >+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy. >+CONSOLE MESSAGE: Cross-origin redirection denied by Content Security Policy. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl due to access control checks. >+PASS XMLHttpRequest.send() did not follow the disallowed redirect. >+PASS successfullyParsed is true >+ >+TEST COMPLETE >+ 
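Review bot: The mac-wk1 baseline for late-upload-events added earlier in this patch is created under platform/mac-wk1/imported/w3c/web-platform-tests/XMLHttpRequest/, but the generic expectation being changed is imported/w3c/web-platform-tests/cors/late-upload-events-expected.txt. The new file has the same blob id as the old cors/ file, and its URLs point at /cors/resources/status.py. A platform baseline is looked up at the same relative path as the test, so this copy would not be used for the cors/ test on WK1; it should go under platform/mac-wk1/imported/w3c/web-platform-tests/cors/ instead.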
>diff --git a/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..f8e8d594de70b8aa0d9e45108a40974543e63721 >--- /dev/null >+++ b/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt >@@ -0,0 +1,3 @@ >+This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker. >+ >+PASS threw exception NetworkError: A network error occurred.. >diff --git a/LayoutTests/platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt b/LayoutTests/platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b7fe7446c7e2e630af5e4fcb80a0443460f2e806 >--- /dev/null >+++ b/LayoutTests/platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt 
>@@ -0,0 +1,34 @@ >+CONSOLE MESSAGE: Cross-origin redirection to http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi denied by Cross-Origin Resource Sharing policy: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks. >+CONSOLE MESSAGE: Cross-origin redirection to foo://bar.cgi denied by Cross-Origin Resource Sharing policy: URL is either a non-HTTP URL or contains credentials. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi&%20%20access-control-allow-origin=http://127.0.0.1:8000 due to access control checks. >+CONSOLE MESSAGE: Preflight response is not successful >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true&%20%20url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&%20%20access-control-allow-origin=* due to access control checks. >+CONSOLE MESSAGE: Request header field x-webkit is not allowed by Access-Control-Allow-Headers. >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks. >+Tests that asynchronous XMLHttpRequests handle redirects according to the CORS standard. 
>+ >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi without credentials >+Expecting success: false >+PASS: 0 >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials >+Expecting success: true >+PASS: PASS: Cross-domain access allowed. >+ >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=http://username:password@localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials >+Expecting success: true >+PASS: PASS: Cross-domain access allowed. >+ >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?url=foo://bar.cgi& access-control-allow-origin=http://127.0.0.1:8000 without credentials >+Expecting success: false >+PASS: 0 >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=true& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=* without credentials >+Expecting success: false >+PASS: 0 >+Testing http://localhost:8000/xmlhttprequest/resources/redirect-cors.php?redirect-preflight=false& url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi& access-control-allow-origin=*& access-control-allow-headers=x-webkit without credentials >+Expecting success: false >+PASS: 0 >+Testing resources/redirect-cors.php?url=http://127.0.0.1:8000/xmlhttprequest/resources/get.txt without credentials >+Expecting success: true >+PASS: PASS >+ 
>diff --git a/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt b/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..5d86ccf4c2b74c2dcf17fc7a78bdd00213a08375 >--- /dev/null >+++ b/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt >@@ -0,0 +1,10 @@ >+Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header >+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks. >+CONSOLE MESSAGE: CORS-preflight request was blocked >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/cors/resources/status.py?headers=custom-header due to access control checks. >+Adding upload event listeners after send() >+ >+ >+FAIL Late listeners: No preflight assert_equals: expected 200 but got 0 >+FAIL Late listeners: Preflight assert_equals: expected 200 but got 0 >+ >diff --git a/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt b/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..503780260b5e301f2eb9a8077969e9fc6219b46f >--- /dev/null >+++ b/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-authentication-basic-cors-expected.txt 
>@@ -0,0 +1,5 @@ >+CONSOLE MESSAGE: CORS-preflight request was blocked >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://www1.localhost:8800/XMLHttpRequest/resources/auth1/corsenabled.py due to access control checks. >+ >+PASS XMLHttpRequest: send() - "Basic" authenticated CORS requests with user name and password passed to open() (asserts failure) >+ >diff --git a/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt b/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt >new file mode 100644 >index 0000000000000000000000000000000000000000..b20bc2c0caf7796d748f6222702b0f8f2002edf2 >--- /dev/null >+++ b/LayoutTests/platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/send-network-error-async-events.sub-expected.txt >@@ -0,0 +1,5 @@ >+CONSOLE MESSAGE: CORS-preflight request was blocked >+CONSOLE MESSAGE: XMLHttpRequest cannot load http://nonexistent-origin.localhost:8800/ due to access control checks. >+ >+PASS XMLHttpRequest: The send() method: Fire a progress event named error when Network error happens (synchronous flag is unset) >+
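Review bot: In platform/win/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt the only recorded evidence is `PASS threw exception NetworkError: A network error occurred..`, with no CONSOLE MESSAGE line naming the CSP `connect-src` violation, so the baseline would also pass if the redirect failed for an unrelated reason. The other baselines in this patch do record the console message that identifies which check rejected the load. If this platform logs a CSP violation for the redirect, it should appear in the expected output; if it does not, please say why in the LayoutTests ChangeLog entry for this file.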
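Review bot: In platform/win/http/tests/xmlhttprequest/access-control-and-redirects-async-expected.txt the case that redirects to `http://username:password@localhost:8000/...` is recorded as `Expecting success: true` with `PASS: PASS: Cross-domain access allowed.`, while the console message for the `foo://bar.cgi` case in the same file says a redirect is denied when the `URL is either a non-HTTP URL or contains credentials`. Please confirm that a cross-origin redirect to a URL carrying userinfo is meant to be allowed here. If it is not, this baseline locks in the permissive result and should be regenerated once the redirect check rejects such URLs. The two bare messages `Preflight response is not successful` and, in the later files, `CORS-preflight request was blocked` also name no URL, unlike every other message in this file, which makes a failure hard to attribute when several requests are in flight.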
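Review bot: platform/win/imported/w3c/web-platform-tests/XMLHttpRequest/late-upload-events-expected.txt checks in two `FAIL ... assert_equals: expected 200 but got 0` results, and its first line, `Blocked access to external URL http://www1.localhost:8800/cors/resources/status.py?headers=custom-header`, indicates the request was stopped by the test harness, so the baseline records a harness restriction rather than the CORS behaviour under test. Marking the test as skipped or failing in TestExpectations for this platform would be preferable to a FAIL baseline, which would hide a later regression in preflight handling. The two `XMLHttpRequest cannot load` messages also differ in whether they carry `line 30:`; if both are logged from the same code path, the source location should be reported consistently.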