WebKit Bugzilla
Attachment 339857 Details for Bug 185442: Do not apply X-Frame-Options and CSP frame-ancestors to Quick Look-applicable responses in NetworkProcess
Patch
bug-185442-20180508124735.patch (text/plain), 4.05 KB, created by Daniel Bates on 2018-05-08 12:48:47 PDT
>Subversion Revision: 231501 >diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog >index 5e74e28f642f548fc5dd5d9f80613ea4e1db5534..918bcb9f0e25158b05419e66bad3e61e8f0d897d 100644 >--- a/Source/WebKit/ChangeLog >+++ b/Source/WebKit/ChangeLog >@@ -1,3 +1,22 @@ >+2018-05-08 Daniel Bates <dabates@apple.com> >+ >+ Do not apply X-Frame-Options and CSP frame-ancestors to QuickLook-applicable responses in NetworkProcess >+ https://bugs.webkit.org/show_bug.cgi?id=185442 >+ <rdar://problem/40067209> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Just as we exempt responses in WebContent process that will be handled by QuickLooks from the Content >+ Security Policy frame-ancestors directive and X-Frame-Options checking we need to do the same when >+ such checks are performed in NetworkProcess following r231479. >+ >+ HTTP responses that will be previewed using QuickLook are not considered web pages and are subject >+ to the security model for QuickLook documents. That is, they are exempt from Content Security Policy >+ and X-Frame-Options processing. >+ >+ * NetworkProcess/NetworkResourceLoader.cpp: >+ (WebKit::NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions): >+ > 2018-05-08 John Wilander <wilander@apple.com> > > Storage Access API: Add a request roundtrip to check whether prompting is needed >diff --git a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >index 1e01920ff9eeca9bc6ff21ed9c9bf5599965a84f..e447f99f67b8352bbb137e812650aa95968e2d53 100644 >--- a/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >+++ b/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp >@@ -50,6 +50,7 @@ > #include <WebCore/HTTPHeaderNames.h> > #include <WebCore/HTTPParsers.h> > #include <WebCore/NetworkLoadMetrics.h> >+#include <WebCore/PreviewLoader.h> > #include <WebCore/ProtectionSpace.h> > #include <WebCore/SameSiteInfo.h> > #include <WebCore/SecurityOrigin.h> 
>@@ -430,6 +431,12 @@ bool NetworkResourceLoader::shouldInterruptLoadForXFrameOptions(const String& xF > bool NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(const ResourceResponse& response) > { > ASSERT(isMainResource()); >+ >+#if USE(QUICK_LOOK) >+ if (PreviewLoader::shouldCreateForMIMEType(response.mimeType())) >+ return; >+#endif >+ > auto url = response.url(); > ContentSecurityPolicy contentSecurityPolicy { URL { url }, this }; > contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders { response }, originalRequest().httpReferrer()); >diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog >index 863d69c3b02b9a23dfa46759edecfe1709868901..84a5787b7686dbbf2c9c95b8e1d16e45d78cc80b 100644 >--- a/LayoutTests/ChangeLog >+++ b/LayoutTests/ChangeLog >@@ -1,3 +1,15 @@ >+2018-05-08 Daniel Bates <dabates@apple.com> >+ >+ Do not apply X-Frame-Options and CSP frame-ancestors to QuickLook-applicable responses in NetworkProcess >+ https://bugs.webkit.org/show_bug.cgi?id=185442 >+ <rdar://problem/40067209> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Remove test http/tests/quicklook/csp-header-ignored.html from TestExpectations now that it passes. >+ >+ * platform/ios/TestExpectations: >+ > 2018-05-08 Daniel Bates <dabates@apple.com> > > Mark test http/tests/quicklook/csp-header-ignored.html as Failure. >diff --git a/LayoutTests/platform/ios/TestExpectations b/LayoutTests/platform/ios/TestExpectations >index 14ae78d8d826df7e1bdf8e05a16cd8c16f6f5b92..735f369d7b0e4131b116454ee0ffc78d34e2a778 100644 >--- a/LayoutTests/platform/ios/TestExpectations >+++ b/LayoutTests/platform/ios/TestExpectations 
>@@ -3296,5 +3296,3 @@ webkit.org/b/180260 http/wpt/resource-timing/rt-resources-per-worker.html [ Pass > webkit.org/b/185028 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-request-redirect.https.html [ Failure ] > > webkit.org/b/185332 animations/duplicate-keys.html [ Pass ImageOnlyFailure ] >- >-webkit.org/b/185442 http/tests/quicklook/csp-header-ignored.html [ Failure ] >\ No newline at end of file
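Review bot: In the `@@ -50,6 +50,7 @@` hunk of NetworkResourceLoader.cpp, `#include <WebCore/PreviewLoader.h>` is added unconditionally, while its only use in this patch sits inside `#if USE(QUICK_LOOK)`. Unless that header guards its own contents, consider wrapping the include in the same `#if USE(QUICK_LOOK)` so that ports without Quick Look do not pull it in.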
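Review bot: In the `@@ -430,6 +431,12 @@` hunk of NetworkResourceLoader.cpp, the new early exit under `#if USE(QUICK_LOOK)` is a bare `return;` inside `bool NetworkResourceLoader::shouldInterruptLoadForCSPFrameAncestorsOrXFrameOptions(...)`, which will not compile on a Quick Look build. Given the ChangeLog's stated intent to exempt these responses from the checks, it should be `return false;`. A one-line comment at the early return would also help: skipping both frame-ancestors and X-Frame-Options based on `response.mimeType()` alone is a security-relevant decision, and a reader of this function should not need the ChangeLog to learn why it is safe.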
Attachments on bug 185442: 339857 | 339860 | 339871