185522 2018-05-10 11:49:37 -0700 NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge 2018-05-23 10:45:50 -0700 1 1 1 Unclassified WebKit WebKit Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 185840 1 youennf youennf bfulgham commit-queue webkit-bug-importer oldest_to_newest 1422801 0 youennf 2018-05-10 11:49:37 -0700 NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge 1422802 1 youennf 2018-05-10 11:50:02 -0700 <rdar://problem/39987152> 1422807 2 340114 youennf 2018-05-10 11:55:56 -0700 Created attachment 340114 Patch 1422882 3 youennf 2018-05-10 14:38:41 -0700 Testing of this feature would require writing an API test using an HTTP server. It would also require that the certificate would be valid. This patch is also missing the ability to let the certificates be validated by UIProcess when the connection is created by the preflight request. 1422920 4 340114 bfulgham 2018-05-10 16:02:39 -0700 Comment on attachment 340114 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=340114&action=review This looks correct to me. r=me. > Source/WebKit/ChangeLog:10 > + Previously, we were failing right away which is not right in case preflight is the request triggering the connection. If the issue is that preflight doesn't use credentials, couldn't this be an issue with any of the authentication scheme's needing credentials (e.g., ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it something special about the behavior of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested? Looking through the rest of the code, it seems like ServerTrust is handled specially and rejects as you propose here in similar cases. 1423066 5 youennf 2018-05-10 23:54:54 -0700 Thanks for the review. > If the issue is that preflight doesn't use credentials, couldn't this be an > issue with any of the authentication scheme's needing credentials (e.g., > ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it > something special about the behavior of > ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested? My understanding is that with other authentication schemes, the browser receives a 401. This is then transmitted to the preflight checker which always fail. In the case of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested, we must react appropriately to the fact that the connection is credential-less. 1423067 6 youennf 2018-05-10 23:56:38 -0700 I still wonder whether we should validate server certificates like we do for regular loads. There is an option to do that within network process, which would be easier to implement although we could consider doing the full path to UIProcess for consistency. 1423072 7 340114 commit-queue 2018-05-11 00:22:17 -0700 Comment on attachment 340114 Patch Clearing flags on attachment: 340114 Committed r231694: <https://trac.webkit.org/changeset/231694> 1423073 8 commit-queue 2018-05-11 00:22:19 -0700 All reviewed patches have been landed. Closing bug. 340114 2018-05-10 11:55:56 -0700 2018-05-11 00:22:17 -0700 Patch bug-185522-20180510205554.patch text/plain 2673 youennf U3VidmVyc2lvbiBSZXZpc2lvbjogMjMxNTUyCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0L0No YW5nZUxvZyBiL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCmluZGV4IDUwZDcwMzRmYWI1MGM3YTU1 ZjgyMjMwNWVmZTUzMzQ5ODA5ZmM5ODAuLjU5ZmE0ZmUyMTUwZTU4MjQ1ZmQ0MTFkNzM3NWJjYjZj OGVhN2FlNzIgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQvQ2hhbmdlTG9nCisrKyBiL1NvdXJj ZS9XZWJLaXQvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTkgQEAKKzIwMTgtMDUtMTAgIFlvdWVubiBG YWJsZXQgIDx5b3Vlbm5AYXBwbGUuY29tPgorCisgICAgICAgIE5ldHdvcmtDT1JTUHJlZmxpZ2h0 Q2hlY2tlciBzaG91bGQgcHJvY2VlZCB3aGVuIGhhdmluZyBhIFByb3RlY3Rpb25TcGFjZUF1dGhl bnRpY2F0aW9uU2NoZW1lU2VydmVyVHJ1c3RFdmFsdWF0aW9uUmVxdWVzdGVkIGNoYWxsZW5nZQor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTg1NTIyCisg ICAgICAgIDxyZGFyOi8vcHJvYmxlbS8zOTk4NzE1Mj4KKworICAgICAgICBSZXZpZXdlZCBieSBO T0JPRFkgKE9PUFMhKS4KKworICAgICAgICBJbiBjYXNlIG9mIHN1Y2ggY2hhbGxlbmdlLCByZWZ1 c2UgdG8gcHJvY2VlZCB3aXRoIGF1dGhlbnRpY2F0aW9uIHNpbmNlIHByZWZsaWdodCBpcyBub3Qg dXNpbmcgY3JlZGVudGlhbHMuCisgICAgICAgIFByZXZpb3VzbHksIHdlIHdlcmUgZmFpbGluZyBy aWdodCBhd2F5IHdoaWNoIGlzIG5vdCByaWdodCBpbiBjYXNlIHByZWZsaWdodCBpcyB0aGUgcmVx dWVzdCB0cmlnZ2VyaW5nIHRoZSBjb25uZWN0aW9uLgorCisgICAgICAgIE1hbnVhbGx5IHRlc3Rl ZC4KKworICAgICAgICAqIE5ldHdvcmtQcm9jZXNzL05ldHdvcmtDT1JTUHJlZmxpZ2h0Q2hlY2tl ci5jcHA6CisgICAgICAgIChXZWJLaXQ6Ok5ldHdvcmtDT1JTUHJlZmxpZ2h0Q2hlY2tlcjo6ZGlk UmVjZWl2ZUNoYWxsZW5nZSk6CisKIDIwMTgtMDUtMDkgIFlvdWVubiBGYWJsZXQgIDx5b3Vlbm5A YXBwbGUuY29tPgogCiAgICAgICAgIEFsbG93IFdlYlJlc291cmNlTG9hZGVyIHRvIGNhbmNlbCBh IGxvYWQgc2VydmVkIGZyb20gYSBzZXJ2aWNlIHdvcmtlcgpkaWZmIC0tZ2l0IGEvU291cmNlL1dl YktpdC9OZXR3b3JrUHJvY2Vzcy9OZXR3b3JrQ09SU1ByZWZsaWdodENoZWNrZXIuY3BwIGIvU291 cmNlL1dlYktpdC9OZXR3b3JrUHJvY2Vzcy9OZXR3b3JrQ09SU1ByZWZsaWdodENoZWNrZXIuY3Bw CmluZGV4IDdiNzcwYTdjODA4YzBhNTY5YmI5NDMzZGEzNWE3YTM2ZjEyY2UwOTQuLjMyNzQzMjZi NWRmYzYwMDYxZDk4OWVjODhjYWMzNTYzNWQ1NzFiMTIgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJL aXQvTmV0d29ya1Byb2Nlc3MvTmV0d29ya0NPUlNQcmVmbGlnaHRDaGVja2VyLmNwcAorKysgYi9T b3VyY2UvV2ViS2l0L05ldHdvcmtQcm9jZXNzL05ldHdvcmtDT1JTUHJlZmxpZ2h0Q2hlY2tlci5j cHAKQEAgLTc4LDkgKzc4LDE1IEBAIHZvaWQgTmV0d29ya0NPUlNQcmVmbGlnaHRDaGVja2VyOjp3 aWxsUGVyZm9ybUhUVFBSZWRpcmVjdGlvbihXZWJDb3JlOjpSZXNvdXJjZVJlCiAgICAgbV9jb21w bGV0aW9uQ2FsbGJhY2soUmVzb3VyY2VFcnJvciB7IGVycm9yRG9tYWluV2ViS2l0SW50ZXJuYWws IDAsIG1fcGFyYW1ldGVycy5vcmlnaW5hbFJlcXVlc3QudXJsKCksIEFTQ0lJTGl0ZXJhbCgiUHJl ZmxpZ2h0IHJlc3BvbnNlIGlzIG5vdCBzdWNjZXNzZnVsIiksIFJlc291cmNlRXJyb3I6OlR5cGU6 OkFjY2Vzc0NvbnRyb2wgfSk7CiB9CiAKLXZvaWQgTmV0d29ya0NPUlNQcmVmbGlnaHRDaGVja2Vy OjpkaWRSZWNlaXZlQ2hhbGxlbmdlKGNvbnN0IFdlYkNvcmU6OkF1dGhlbnRpY2F0aW9uQ2hhbGxl bmdlJiwgQ2hhbGxlbmdlQ29tcGxldGlvbkhhbmRsZXImJiBjb21wbGV0aW9uSGFuZGxlcikKK3Zv aWQgTmV0d29ya0NPUlNQcmVmbGlnaHRDaGVja2VyOjpkaWRSZWNlaXZlQ2hhbGxlbmdlKGNvbnN0 IFdlYkNvcmU6OkF1dGhlbnRpY2F0aW9uQ2hhbGxlbmdlJiBjaGFsbGVuZ2UsIENoYWxsZW5nZUNv bXBsZXRpb25IYW5kbGVyJiYgY29tcGxldGlvbkhhbmRsZXIpCiB7CiAgICAgUkVMRUFTRV9MT0df SUZfQUxMT1dFRCgiZGlkUmVjZWl2ZUNoYWxsZW5nZSIpOworCisgICAgaWYgKGNoYWxsZW5nZS5w cm90ZWN0aW9uU3BhY2UoKS5hdXRoZW50aWNhdGlvblNjaGVtZSgpID09IFByb3RlY3Rpb25TcGFj ZUF1dGhlbnRpY2F0aW9uU2NoZW1lU2VydmVyVHJ1c3RFdmFsdWF0aW9uUmVxdWVzdGVkKSB7Cisg ICAgICAgIGNvbXBsZXRpb25IYW5kbGVyKEF1dGhlbnRpY2F0aW9uQ2hhbGxlbmdlRGlzcG9zaXRp b246OlJlamVjdFByb3RlY3Rpb25TcGFjZSwgeyB9KTsKKyAgICAgICAgcmV0dXJuOworICAgIH0K KwogICAgIGNvbXBsZXRpb25IYW5kbGVyKEF1dGhlbnRpY2F0aW9uQ2hhbGxlbmdlRGlzcG9zaXRp b246OkNhbmNlbCwgeyB9KTsKICAgICBtX2NvbXBsZXRpb25DYWxsYmFjayhSZXNvdXJjZUVycm9y IHsgZXJyb3JEb21haW5XZWJLaXRJbnRlcm5hbCwgMCwgbV9wYXJhbWV0ZXJzLm9yaWdpbmFsUmVx dWVzdC51cmwoKSwgQVNDSUlMaXRlcmFsKCJQcmVmbGlnaHQgcmVzcG9uc2UgaXMgbm90IHN1Y2Nl c3NmdWwiKSwgUmVzb3VyY2VFcnJvcjo6VHlwZTo6QWNjZXNzQ29udHJvbCB9KTsKIH0K