126518 2014-01-06 05:37:02 -0800 REGRESSION(r161176): http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html is failing on GTK 2014-01-15 08:57:05 -0800 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED Gtk, LayoutTestFailure, Regression P2 Normal --- 1 zan webkit-unassigned cdumez cgarcia commit-queue danw gustavo mrobinson rakuco oldest_to_newest 964603 0 zan 2014-01-06 05:37:02 -0800 The http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials.html layout test is failing after r161176. http://trac.webkit.org/changeset/161176 http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=http%2Ftests%2Fmisc%2Fauthentication-redirect-3%2Fauthentication-sent-to-redirect-same-origin-with-location-credentials.html Here's the diff: --- /home/slave/webkitgtk/gtk-linux-64-release/build/layout-test-results/http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials-expected.txt +++ /home/slave/webkitgtk/gtk-linux-64-release/build/layout-test-results/http/tests/misc/authentication-redirect-3/authentication-sent-to-redirect-same-origin-with-location-credentials-actual.txt @@ -9,19 +9,19 @@ -------- Frame: '<!--framePath //<!--frame0-->-->' -------- -Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword' +Resource loaded with HTTP authentication username 'testUser' and password 'testPassword' -------- Frame: '<!--framePath //<!--frame1-->-->' -------- -Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword' +Resource loaded with HTTP authentication username 'testUser' and password 'testPassword' -------- Frame: '<!--framePath //<!--frame2-->-->' -------- -Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword' +Resource loaded with HTTP authentication username 'testUser' and password 'testPassword' -------- Frame: '<!--framePath //<!--frame3-->-->' -------- -Resource loaded with HTTP authentication username 'redirectuser' and password 'redirectpassword' +Resource loaded with HTTP authentication username 'testUser' and password 'testPassword' 964604 1 zan 2014-01-06 05:38:50 -0800 And http/tests/security/redirect-BLOCKED-to-localURL.html as well. Diff: --- /home/slave/webkitgtk/gtk-linux-64-release/build/layout-test-results/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt +++ /home/slave/webkitgtk/gtk-linux-64-release/build/layout-test-results/http/tests/security/redirect-BLOCKED-to-localURL-actual.txt @@ -1,2 +1,3 @@ +CONSOLE MESSAGE: Not allowed to load local resource: file-redirect-target.html This attempts to open a redirect link to a file URL, which should be blocked. 964633 2 mrobinson 2014-01-06 08:44:00 -0800 Carlos, are you able to fix this or should we roll out the change for now? 964909 3 cgarcia 2014-01-07 00:36:34 -0800 (In reply to comment #2) > Carlos, are you able to fix this or should we roll out the change for now? I'll take a look at it today. 965061 4 cgarcia 2014-01-07 10:22:47 -0800 hmm, both tests pass for me with wk1 and wk2. I indeed ran the tests before landing r161176. Is it flaky in the bots? 965065 5 cgarcia 2014-01-07 10:32:18 -0800 I think I know how to fix it in any case, but I'm unable to reproduce it, I'll fix it tomorrow, today I've been busy working on all other layout tests in the end (see bug #126570). 965384 6 220610 cgarcia 2014-01-08 01:28:15 -0800 Created attachment 220610 Temptative fix This patch restores the previous behaviour, clearing the credentials form the request before calling client()->willSendRequest(), but applying them right before creating the new SoupRequest. I don't know if it actually fixes the problem, because I haven't been able to reproduce it. 965481 7 220610 mrobinson 2014-01-08 07:49:58 -0800 Comment on attachment 220610 Temptative fix View in context: https://bugs.webkit.org/attachment.cgi?id=220610&action=review > Source/WebCore/ChangeLog:11 > + > + Clear the credentials before calling willSendRequest on the client > + to avoid sending the credentials to the API layer, but apply them > + again to the request right before creating the new SoupRequest. > + Hrm. Where are the credentials cleared? I only see you removing newRequest.removeCredentials(); in doRedirect. 965488 8 cgarcia 2014-01-08 08:07:31 -0800 (In reply to comment #7) > (From update of attachment 220610 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=220610&action=review > > > Source/WebCore/ChangeLog:11 > > + > > + Clear the credentials before calling willSendRequest on the client > > + to avoid sending the credentials to the API layer, but apply them > > + again to the request right before creating the new SoupRequest. > > + > > Hrm. Where are the credentials cleared? I only see you removing newRequest.removeCredentials(); in doRedirect. http://trac.webkit.org/browser/trunk/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp#L507 965791 9 cgarcia 2014-01-09 00:01:10 -0800 Committed r161549: <http://trac.webkit.org/changeset/161549> 967222 10 zan 2014-01-13 02:34:52 -0800 (In reply to comment #1) > And http/tests/security/redirect-BLOCKED-to-localURL.html as well. > > Diff: > --- /home/slave/webkitgtk/gtk-linux-64-release/build/layout-test-results/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt > +++ /home/slave/webkitgtk/gtk-linux-64-release/build/layout-test-results/http/tests/security/redirect-BLOCKED-to-localURL-actual.txt > @@ -1,2 +1,3 @@ > +CONSOLE MESSAGE: Not allowed to load local resource: file-redirect-target.html > > This attempts to open a redirect link to a file URL, which should be blocked. This failure still remains. The console message is not expected both in the GTK-specific and Mac-specific baselines, but it is in the global baseline. Is it OK to remove the GTK-specific baseline? Is the console message a progression? http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt http://trac.webkit.org/browser/trunk/LayoutTests/platform/gtk/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt http://trac.webkit.org/browser/trunk/LayoutTests/platform/mac/http/tests/security/redirect-BLOCKED-to-localURL-expected.txt 967307 11 mrobinson 2014-01-13 07:49:51 -0800 (In reply to comment #10) > Is it OK to remove the GTK-specific baseline? Is the console message a progression? It seems like the test is passing as long as you don't see: "FAIL: This page shouldn't load via HTTP redirect to file:" 968290 12 cgarcia 2014-01-15 05:40:34 -0800 (In reply to comment #11) > (In reply to comment #10) > > > Is it OK to remove the GTK-specific baseline? Is the console message a progression? > > > It seems like the test is passing as long as you don't see: "FAIL: This page shouldn't load via HTTP redirect to file:" Right. 968334 13 zan 2014-01-15 08:57:05 -0800 (In reply to comment #12) > (In reply to comment #11) > > (In reply to comment #10) > > > > > Is it OK to remove the GTK-specific baseline? Is the console message a progression? > > > > > > It seems like the test is passing as long as you don't see: "FAIL: This page shouldn't load via HTTP redirect to file:" > > Right. Thanks for the clarifications. Removed in r162068. http://trac.webkit.org/changeset/162068 220610 2014-01-08 01:28:15 -0800 2014-01-08 12:43:58 -0800 Temptative fix wkcore-redirect-credentials.diff text/plain 4555 cgarcia ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCAzY2MzMGYyLi4zNzczOWM5IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTYgQEAKKzIwMTQtMDEt MDggIENhcmxvcyBHYXJjaWEgQ2FtcG9zICA8Y2dhcmNpYUBpZ2FsaWEuY29tPgorCisgICAgICAg IFJFR1JFU1NJT04ocjE2MTE3Nik6IGh0dHAvdGVzdHMvbWlzYy9hdXRoZW50aWNhdGlvbi1yZWRp cmVjdC0zL2F1dGhlbnRpY2F0aW9uLXNlbnQtdG8tcmVkaXJlY3Qtc2FtZS1vcmlnaW4td2l0aC1s b2NhdGlvbi1jcmVkZW50aWFscy5odG1sIGlzIGZhaWxpbmcgb24gR1RLCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMjY1MTgKKworICAgICAgICBSZXZp ZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBVbnNraXAKKyAgICAgICAgaHR0cC90 ZXN0cy9taXNjL2F1dGhlbnRpY2F0aW9uLXJlZGlyZWN0LTMvYXV0aGVudGljYXRpb24tc2VudC10 by1yZWRpcmVjdC1zYW1lLW9yaWdpbi13aXRoLWxvY2F0aW9uLWNyZWRlbnRpYWxzLmh0bWwKKyAg ICAgICAgYW5kIGh0dHAvdGVzdHMvc2VjdXJpdHkvcmVkaXJlY3QtQkxPQ0tFRC10by1sb2NhbFVS TC5odG1sLgorCisgICAgICAgICogcGxhdGZvcm0vZ3RrL1Rlc3RFeHBlY3RhdGlvbnM6CisKIDIw MTQtMDEtMDcgIEFudHRpIEtvaXZpc3RvICA8YW50dGlAYXBwbGUuY29tPgogCiAgICAgICAgIFJF R1JFU1NJT04gKHIxNjExOTUpOiBBY2lkMiByZWdyZXNzaW9uIHRlc3RzIGZyZXF1ZW50bHkgZmFp bApkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvcGxhdGZvcm0vZ3RrL1Rlc3RFeHBlY3RhdGlvbnMg Yi9MYXlvdXRUZXN0cy9wbGF0Zm9ybS9ndGsvVGVzdEV4cGVjdGF0aW9ucwppbmRleCBhZTMwYTY3 Li44ZGZkOWNlIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9wbGF0Zm9ybS9ndGsvVGVzdEV4cGVj dGF0aW9ucworKysgYi9MYXlvdXRUZXN0cy9wbGF0Zm9ybS9ndGsvVGVzdEV4cGVjdGF0aW9ucwpA QCAtMTUzMSw5ICsxNTMxLDYgQEAgd2Via2l0Lm9yZy9iLzEyNTQwNiBmYXN0L3JlZ2lvbnMvcmVs YXRpdmUtaW4tYWJzb2x1dGUtYm9yZGVycy1vdmVyZmxvdy5odG1sIFsgSW0KIHdlYmtpdC5vcmcv Yi8xMjY0MjUgZmFzdC9ibG9jay9mbG9hdC9vdmVyaGFuZ2luZy10YWxsLWJsb2NrLmh0bWwgWyBG YWlsdXJlIF0KIHdlYmtpdC5vcmcvYi8xMjY0MjUgc2Nyb2xsYmFycy9zY3JvbGxiYXItbGFyZ2Ut b3ZlcmZsb3ctcmVjdGFuZ2xlLmh0bWwgWyBGYWlsdXJlIF0KIAotd2Via2l0Lm9yZy9iLzEyNjUx OCBodHRwL3Rlc3RzL21pc2MvYXV0aGVudGljYXRpb24tcmVkaXJlY3QtMy9hdXRoZW50aWNhdGlv bi1zZW50LXRvLXJlZGlyZWN0LXNhbWUtb3JpZ2luLXdpdGgtbG9jYXRpb24tY3JlZGVudGlhbHMu aHRtbCBbIEZhaWx1cmUgXQotd2Via2l0Lm9yZy9iLzEyNjUxOCBodHRwL3Rlc3RzL3NlY3VyaXR5 L3JlZGlyZWN0LUJMT0NLRUQtdG8tbG9jYWxVUkwuaHRtbCBbIEZhaWx1cmUgXQotCiB3ZWJraXQu b3JnL2IvMTI2NTE5IGluc3BlY3Rvci1wcm90b2NvbC9tb2RlbC9oaWdobGlnaHQtc2hhcGUtb3V0 c2lkZS1tYXJnaW4uaHRtbCBbIEZhaWx1cmUgXQogCiB3ZWJraXQub3JnL2IvMTI2NTIwIG1lZGlh L2NsaWNrLXZvbHVtZS1iYXItbm90LXBhdXNpbmcuaHRtbCBbIEZhaWx1cmUgXQpkaWZmIC0tZ2l0 IGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCmlu ZGV4IDk5NTRjNTIuLjA1NTE0NDMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxv ZworKysgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxOCBAQAorMjAxNC0w MS0wOCAgQ2FybG9zIEdhcmNpYSBDYW1wb3MgIDxjZ2FyY2lhQGlnYWxpYS5jb20+CisKKyAgICAg ICAgUkVHUkVTU0lPTihyMTYxMTc2KTogaHR0cC90ZXN0cy9taXNjL2F1dGhlbnRpY2F0aW9uLXJl ZGlyZWN0LTMvYXV0aGVudGljYXRpb24tc2VudC10by1yZWRpcmVjdC1zYW1lLW9yaWdpbi13aXRo LWxvY2F0aW9uLWNyZWRlbnRpYWxzLmh0bWwgaXMgZmFpbGluZyBvbiBHVEsKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEyNjUxOAorCisgICAgICAgIFJl dmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIENsZWFyIHRoZSBjcmVkZW50aWFs cyBiZWZvcmUgY2FsbGluZyB3aWxsU2VuZFJlcXVlc3Qgb24gdGhlIGNsaWVudAorICAgICAgICB0 byBhdm9pZCBzZW5kaW5nIHRoZSBjcmVkZW50aWFscyB0byB0aGUgQVBJIGxheWVyLCBidXQgYXBw bHkgdGhlbQorICAgICAgICBhZ2FpbiB0byB0aGUgcmVxdWVzdCByaWdodCBiZWZvcmUgY3JlYXRp bmcgdGhlIG5ldyBTb3VwUmVxdWVzdC4KKworICAgICAgICAqIHBsYXRmb3JtL25ldHdvcmsvc291 cC9SZXNvdXJjZUhhbmRsZVNvdXAuY3BwOgorICAgICAgICAoV2ViQ29yZTo6Y29udGludWVBZnRl cldpbGxTZW5kUmVxdWVzdCk6CisgICAgICAgIChXZWJDb3JlOjpkb1JlZGlyZWN0KToKKwogMjAx NC0wMS0wNyAgQW50dGkgS29pdmlzdG8gIDxhbnR0aUBhcHBsZS5jb20+CiAKICAgICAgICAgUkVH UkVTU0lPTiAocjE2MTE5NSk6IEFjaWQyIHJlZ3Jlc3Npb24gdGVzdHMgZnJlcXVlbnRseSBmYWls CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9uZXR3b3JrL3NvdXAvUmVzb3Vy Y2VIYW5kbGVTb3VwLmNwcCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvc291cC9S ZXNvdXJjZUhhbmRsZVNvdXAuY3BwCmluZGV4IGY3YTU0YmEuLjA3YTUzYTIgMTAwNjQ0Ci0tLSBh L1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvc291cC9SZXNvdXJjZUhhbmRsZVNvdXAu Y3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvc291cC9SZXNvdXJjZUhh bmRsZVNvdXAuY3BwCkBAIC00NTUsMTQgKzQ1NSwxOSBAQCBzdGF0aWMgYm9vbCBzaG91bGRSZWRp cmVjdEFzR0VUKFNvdXBNZXNzYWdlKiBtZXNzYWdlLCBVUkwmIG5ld1VSTCwgYm9vbCBjcm9zc09y aQogICAgIHJldHVybiBmYWxzZTsKIH0KIAotc3RhdGljIHZvaWQgY29udGludWVBZnRlcldpbGxT ZW5kUmVxdWVzdChSZXNvdXJjZUhhbmRsZSogaGFuZGxlLCBjb25zdCBSZXNvdXJjZVJlcXVlc3Qm IG5ld1JlcXVlc3QpCitzdGF0aWMgdm9pZCBjb250aW51ZUFmdGVyV2lsbFNlbmRSZXF1ZXN0KFJl c291cmNlSGFuZGxlKiBoYW5kbGUsIGNvbnN0IFJlc291cmNlUmVxdWVzdCYgcmVxdWVzdCkKIHsK ICAgICAvLyB3aWxsU2VuZFJlcXVlc3QgbWlnaHQgY2FuY2VsIHRoZSBsb2FkLgogICAgIGlmICho YW5kbGUtPmNhbmNlbGxlZE9yQ2xpZW50bGVzcygpKQogICAgICAgICByZXR1cm47CiAKKyAgICBS ZXNvdXJjZVJlcXVlc3QgbmV3UmVxdWVzdChyZXF1ZXN0KTsKKyAgICBSZXNvdXJjZUhhbmRsZUlu dGVybmFsKiBkID0gaGFuZGxlLT5nZXRJbnRlcm5hbCgpOworICAgIGlmIChwcm90b2NvbEhvc3RB bmRQb3J0QXJlRXF1YWwobmV3UmVxdWVzdC51cmwoKSwgZC0+bV9yZXNwb25zZS51cmwoKSkpCisg ICAgICAgIGFwcGx5QXV0aGVudGljYXRpb25Ub1JlcXVlc3QoaGFuZGxlLCBuZXdSZXF1ZXN0LCB0 cnVlKTsKKwogICAgIGlmICghY3JlYXRlU291cFJlcXVlc3RBbmRNZXNzYWdlRm9ySGFuZGxlKGhh bmRsZSwgbmV3UmVxdWVzdCwgdHJ1ZSkpIHsKLSAgICAgICAgaGFuZGxlLT5nZXRJbnRlcm5hbCgp LT5jbGllbnQoKS0+Y2Fubm90U2hvd1VSTChoYW5kbGUpOworICAgICAgICBkLT5jbGllbnQoKS0+ Y2Fubm90U2hvd1VSTChoYW5kbGUpOwogICAgICAgICByZXR1cm47CiAgICAgfQogCkBAIC01MTMs MTIgKzUxOCw3IEBAIHN0YXRpYyB2b2lkIGRvUmVkaXJlY3QoUmVzb3VyY2VIYW5kbGUqIGhhbmRs ZSkKIAogICAgICAgICAvLyBUT0RPOiBXZSBhcmUgbG9zaW5nIGFueSB1c2VybmFtZSBhbmQgcGFz c3dvcmQgc3BlY2lmaWVkIGluIHRoZSByZWRpcmVjdCBVUkwsIGFzIHRoaXMgaXMgdGhlIAogICAg ICAgICAvLyBzYW1lIGJlaGF2aW9yIGFzIHRoZSBDRk5ldCBwb3J0LiBXZSBzaG91bGQgaW52ZXN0 aWdhdGUgaWYgdGhpcyBpcyByZWFsbHkgd2hhdCB3ZSB3YW50LgotICAgIH0gZWxzZQotICAgICAg ICBhcHBseUF1dGhlbnRpY2F0aW9uVG9SZXF1ZXN0KGhhbmRsZSwgbmV3UmVxdWVzdCwgdHJ1ZSk7 Ci0KLSAgICAvLyBJZiB3ZSBzZW50IGNyZWRlbnRpYWxzIHdpdGggdGhpcyByZXF1ZXN0J3MgVVJM LCB3ZSBkb24ndCB3YW50IHRoZSByZXNwb25zZSB0byBjYXJyeSB0aGVtIHRvCi0gICAgLy8gdGhl IFdlYktpdCBsYXllci4gVGhleSB3ZXJlIG9ubHkgcGxhY2VkIGluIHRoZSBVUkwgZm9yIHRoZSBi ZW5lZml0IG9mIGxpYnNvdXAuCi0gICAgbmV3UmVxdWVzdC5yZW1vdmVDcmVkZW50aWFscygpOwor ICAgIH0KIAogICAgIGNsZWFudXBTb3VwUmVxdWVzdE9wZXJhdGlvbihoYW5kbGUpOwogCg==