185443 2018-05-08 13:21:43 -0700 REGRESSION (r231479): http/tests/appcache/x-frame-options-prevents-framing.php is timing out 2018-05-09 15:03:57 -0700 1 1 1 Unclassified WebKit Tools / Tests WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=185412 InRadar P1 Normal --- 185410 1 dbates dbates aestes cdumez ews-watchlist japhet lforschler webkit-bug-importer youennf oldest_to_newest 1421900 0 dbates 2018-05-08 13:21:43 -0700 Following <https://trac.webkit.org/changeset/231479> (bug #185410) the test http/tests/appcache/x-frame-options-prevents-framing.php is timing out. Here is the diff output: [[ --- /Volumes/.../OpenSource/WebKitBuild/Debug/layout-test-results/http/tests/appcache/x-frame-options-prevents-framing-expected.txt +++ /Volumes/.../OpenSource/WebKitBuild/Debug/layout-test-results/http/tests/appcache/x-frame-options-prevents-framing-actual.txt @@ -1,10 +1,5 @@ CONSOLE MESSAGE: line 1: ApplicationCache is deprecated. Please use ServiceWorkers instead. -CONSOLE MESSAGE: Refused to display 'http://127.0.0.1:8000/appcache/x-frame-options-prevents-framing.php' in a frame because it set 'X-Frame-Options' to 'deny'. -The following iframe is a document that was cached in the application cache. -It also had "x-frame-options: deny" set, so it should not actually show up in the iframe +CONSOLE MESSAGE: line 1: ApplicationCache is deprecated. Please use ServiceWorkers instead. +#PID UNRESPONSIVE - com.apple.WebKit.WebContent.Development (pid 75567) +FAIL: Timed out waiting for notifyDone to be called - --------- -Frame: '<!--frame1-->' --------- - ]] 1421915 1 youennf 2018-05-08 13:50:14 -0700 FWIW, DTL is only skipping its security checks if the response source is network process. See isResponseComingFromNetworkProcess in DocumentThreadableLoader.cpp 1422384 2 webkit-bug-importer 2018-05-09 11:54:32 -0700 <rdar://problem/40100660> 1422473 3 dbates 2018-05-09 14:18:13 -0700 The issue is that loads for ApplicationCache go through DocumentLoader::responseReceived(). So, we need to process CSP frame-ancestors and X-Frame-Options regardless of whether we are using WebKit2 and experimental feature Restricted HTTP Response Access is enabled. Although the fix for this issue would likely fallout naturally from fixing bug #185412. I do not see the need to gate fixing this bug on fixing bug #185412. 1422497 4 340032 dbates 2018-05-09 14:43:02 -0700 Created attachment 340032 Patch 1422502 5 dbates 2018-05-09 14:48:52 -0700 Committed r231597: <https://trac.webkit.org/changeset/231597> 1422514 6 340032 youennf 2018-05-09 15:03:57 -0700 Comment on attachment 340032 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=340032&action=review > Source/WebCore/loader/DocumentLoader.cpp:771 > + if (m_substituteData.isValid() || !m_frame->settings().networkProcessCSPFrameAncestorsCheckingEnabled() || !RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess()) { I believe that we are currently skipping CSP checks if the response is coming from Memory Cache or from Service Worker. We should probably fix that. As I said previously, DocumentThreadableLoader is disabling CSP checks only if the response is coming from NetworkProcess and if platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks() returns true. Please look at DocumentThreadableLoader::redirectReceived and isResponseComingFromNetworkProcess. We should also probably unskip http/tests/appcache/x-frame-options-prevents-framing.php after this patch. 340032 2018-05-09 14:43:02 -0700 2018-05-09 14:44:30 -0700 Patch bug-185443-20180509144301.patch text/plain 2359 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjMxNTkzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNjFkYmE4N2IxNzNjMjVi OTgyNTkyMjRlMTNjMWU2M2UzOWU0MGIwNS4uNmU2NmFmOWIzMjQyODc2N2ViODVhYTkzOTIyMzQ3 MzBjOTI5MjgzMiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIwIEBACisyMDE4LTA1LTA5ICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAgICAgICBSRUdSRVNTSU9OIChyMjMx NDc5KTogaHR0cC90ZXN0cy9hcHBjYWNoZS94LWZyYW1lLW9wdGlvbnMtcHJldmVudHMtZnJhbWlu Zy5waHAgaXMgdGltaW5nIG91dAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9MTg1NDQzCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS80MDEwMDY2MD4KKwor ICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBGb2xsb3dpbmcg cjIzMTQ3OSB3aGVuIHVzaW5nIFdlYktpdDIgYW5kIFJlc3RyaWN0ZWQgSFRUUCBSZXNwb25zZSBB Y2Nlc3MgaXMgZW5hYmxlZCAoZW5hYmxlZCBpbgorICAgICAgICBXZWJLaXRUZXN0UnVubmVyKSB3 ZSBvbmx5IGNoZWNrIHRoZSBDU1AgZnJhbWUtYW5jZXN0b3JzIGRpcmVjdGl2ZSBhbmQgWC1GcmFt ZS1PcHRpb25zIGluCisgICAgICAgIE5ldHdvcmtQcm9jZXNzLiBXZSBuZWVkIHRvIGNoZWNrIHRo ZXNlIHNlY3VyaXR5IHJlcXVpcmVtZW50cyBpbiBXZWJDb250ZW50IHByb2Nlc3Mgd2hlbmV2ZXIK KyAgICAgICAgd2UgYXJlIHBlcmZvcm1pbmcgYSBzdWJzdGl0dXRlIGRhdGEgbG9hZCwgc3VjaCBh cyBmb3IgYXBwIGNhY2hlLCBhcyB0aGVzZSBsb2FkcyBkbyBub3QgZ28KKyAgICAgICAgdGhyb3Vn aCBOZXR3b3JrUHJvY2Vzcy4KKworICAgICAgICAqIGxvYWRlci9Eb2N1bWVudExvYWRlci5jcHA6 CisgICAgICAgIChXZWJDb3JlOjpEb2N1bWVudExvYWRlcjo6cmVzcG9uc2VSZWNlaXZlZCk6CisK IDIwMTgtMDUtMDkgIEp1c3RpbiBGYW4gIDxqdXN0aW5fZmFuQGFwcGxlLmNvbT4KIAogICAgICAg ICBIb29rZWQgdXAgQVNUQyBzdXBwb3J0IGluIFdlYkdMOyByZXF1aXJlcyBPcGVuR0wgRVMgMyBj b250ZXh0IHRvIHdvcmsuIApkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvbG9hZGVyL0RvY3Vt ZW50TG9hZGVyLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9Eb2N1bWVudExvYWRlci5jcHAK aW5kZXggYmQ4ZTRiNGQxYzI3OTgyM2RhYjQwNjNiMDdlYjk1YzAzOGI5YjMxMi4uMmUyYjc2Mzgx MzY3MjI4Njg0MjE4MTViOTJjNzRlMzBjMThhZjg3MCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNv cmUvbG9hZGVyL0RvY3VtZW50TG9hZGVyLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIv RG9jdW1lbnRMb2FkZXIuY3BwCkBAIC03NjgsNyArNzY4LDcgQEAgdm9pZCBEb2N1bWVudExvYWRl cjo6cmVzcG9uc2VSZWNlaXZlZChjb25zdCBSZXNvdXJjZVJlc3BvbnNlJiByZXNwb25zZSwgQ29t cGxldGkKICAgICB1bnNpZ25lZCBsb25nIGlkZW50aWZpZXIgPSBtX2lkZW50aWZpZXJGb3JMb2Fk V2l0aG91dFJlc291cmNlTG9hZGVyID8gbV9pZGVudGlmaWVyRm9yTG9hZFdpdGhvdXRSZXNvdXJj ZUxvYWRlciA6IG1fbWFpblJlc291cmNlLT5pZGVudGlmaWVyKCk7CiAgICAgQVNTRVJUKGlkZW50 aWZpZXIpOwogCi0gICAgaWYgKCFtX2ZyYW1lLT5zZXR0aW5ncygpLm5ldHdvcmtQcm9jZXNzQ1NQ RnJhbWVBbmNlc3RvcnNDaGVja2luZ0VuYWJsZWQoKSB8fCAhUnVudGltZUVuYWJsZWRGZWF0dXJl czo6c2hhcmVkRmVhdHVyZXMoKS5yZXN0cmljdGVkSFRUUFJlc3BvbnNlQWNjZXNzKCkpIHsKKyAg ICBpZiAobV9zdWJzdGl0dXRlRGF0YS5pc1ZhbGlkKCkgfHwgIW1fZnJhbWUtPnNldHRpbmdzKCku bmV0d29ya1Byb2Nlc3NDU1BGcmFtZUFuY2VzdG9yc0NoZWNraW5nRW5hYmxlZCgpIHx8ICFSdW50 aW1lRW5hYmxlZEZlYXR1cmVzOjpzaGFyZWRGZWF0dXJlcygpLnJlc3RyaWN0ZWRIVFRQUmVzcG9u c2VBY2Nlc3MoKSkgewogICAgICAgICBhdXRvIHVybCA9IHJlc3BvbnNlLnVybCgpOwogICAgICAg ICBDb250ZW50U2VjdXJpdHlQb2xpY3kgY29udGVudFNlY3VyaXR5UG9saWN5KFVSTCB7IHVybCB9 LCB0aGlzKTsKICAgICAgICAgY29udGVudFNlY3VyaXR5UG9saWN5LmRpZFJlY2VpdmVIZWFkZXJz KENvbnRlbnRTZWN1cml0eVBvbGljeVJlc3BvbnNlSGVhZGVycyB7IHJlc3BvbnNlIH0sIG1fcmVx dWVzdC5odHRwUmVmZXJyZXIoKSk7Cg==