208035 2020-02-20 15:32:12 -0800 WKWebViewConfiguration._corsDisablingPatterns should also disable CORS for script tags with crossorigin attributes 2020-02-26 17:42:47 -0800 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 achristensen achristensen cdumez dbates ews-watchlist japhet rniwa timothy webkit-bug-importer youennf oldest_to_newest 1621447 0 achristensen 2020-02-20 15:32:12 -0800 WKWebViewConfiguration._corsDisablingPatterns should also disable CORS for script tags with crossorigin attributes 1621450 1 391344 achristensen 2020-02-20 15:33:48 -0800 Created attachment 391344 Patch 1621451 2 achristensen 2020-02-20 15:33:51 -0800 <rdar://problem/58011337> 1621600 3 391344 youennf 2020-02-21 02:40:18 -0800 Comment on attachment 391344 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=391344&action=review > Source/WebCore/loader/CrossOriginAccessControl.cpp:131 > + if (options.mode != FetchOptions::Mode::NoCors) { If the goal is to change the behaviour for scripts only (as seems to indicate the bug title), I believe we should do the change in CachedScriptFetcher. If we want to do this for all loads, maybe we should update the option in CachedResourceLoader instead. Note also that this change is visible from service workers. 1621638 4 achristensen 2020-02-21 07:29:22 -0800 We do want it for everything, the title just reflects that we found this through scripts. We should change the title, and maybe move this logic to CachedResourceLoader 1622217 5 achristensen 2020-02-24 10:12:41 -0800 I changed the title. http://trac.webkit.org/r257215 Attempts to move this to CachedResourceLoader failed. The only relevant code in that class that is hit in this test is CachedResourceLoader::requestResource and changing the CORS mode then seems too late because it just times out. 1623314 6 achristensen 2020-02-26 17:42:47 -0800 https://trac.webkit.org/changeset/257215/webkit 391344 2020-02-20 15:33:48 -0800 2020-02-20 21:56:54 -0800 Patch bug-208035-20200220153347.patch text/plain 5357 achristensen SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDI1Njc3MSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBACisyMDIwLTAyLTIwICBBbGV4IENo cmlzdGVuc2VuICA8YWNocmlzdGVuc2VuQHdlYmtpdC5vcmc+CisKKyAgICAgICAgV0tXZWJWaWV3 Q29uZmlndXJhdGlvbi5fY29yc0Rpc2FibGluZ1BhdHRlcm5zIHNob3VsZCBhbHNvIGRpc2FibGUg Q09SUyBmb3Igc2NyaXB0IHRhZ3Mgd2l0aCBjcm9zc29yaWdpbiBhdHRyaWJ1dGVzCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMDgwMzUKKyAgICAgICAg PHJkYXI6Ly9wcm9ibGVtLzU4MDExMzM3PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAo T09QUyEpLgorCisgICAgICAgIENvdmVyZWQgYnkgYW4gQVBJIHRlc3QuCisKKyAgICAgICAgKiBs b2FkZXIvQ3Jvc3NPcmlnaW5BY2Nlc3NDb250cm9sLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OmNy ZWF0ZVBvdGVudGlhbEFjY2Vzc0NvbnRyb2xSZXF1ZXN0KToKKwogMjAyMC0wMi0xNyAgUGVuZyBM aXUgIDxwZW5nLmxpdTZAYXBwbGUuY29tPgogCiAgICAgICAgIEZpeCBjaGVjay13ZWJraXQtc3R5 bGUgZXJyb3JzIHJlbGF0ZWQgdG8gQVZGb3VuZGF0aW9uU1BJLmgKSW5kZXg6IFNvdXJjZS9XZWJD b3JlL2xvYWRlci9Dcm9zc09yaWdpbkFjY2Vzc0NvbnRyb2wuY3BwCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNv dXJjZS9XZWJDb3JlL2xvYWRlci9Dcm9zc09yaWdpbkFjY2Vzc0NvbnRyb2wuY3BwCShyZXZpc2lv biAyNTY3NzEpCisrKyBTb3VyY2UvV2ViQ29yZS9sb2FkZXIvQ3Jvc3NPcmlnaW5BY2Nlc3NDb250 cm9sLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMzIsNiArMzIsNyBAQAogI2luY2x1ZGUgIkhUVFBI ZWFkZXJOYW1lcy5oIgogI2luY2x1ZGUgIkhUVFBQYXJzZXJzLmgiCiAjaW5jbHVkZSAiTGVnYWN5 U2NoZW1lUmVnaXN0cnkuaCIKKyNpbmNsdWRlICJQYWdlLmgiCiAjaW5jbHVkZSAiUmVzb3VyY2VS ZXF1ZXN0LmgiCiAjaW5jbHVkZSAiUmVzb3VyY2VSZXNwb25zZS5oIgogI2luY2x1ZGUgIlNlY3Vy aXR5T3JpZ2luLmgiCkBAIC0xMjcsNiArMTI4LDEzIEBAIENhY2hlZFJlc291cmNlUmVxdWVzdCBj cmVhdGVQb3RlbnRpYWxBY2MKICAgICBlbHNlIGlmIChzYW1lT3JpZ2luRmxhZyA9PSBTYW1lT3Jp Z2luRmxhZzo6WWVzKQogICAgICAgICBvcHRpb25zLm1vZGUgPSBGZXRjaE9wdGlvbnM6Ok1vZGU6 OlNhbWVPcmlnaW47CiAKKyAgICBpZiAob3B0aW9ucy5tb2RlICE9IEZldGNoT3B0aW9uczo6TW9k ZTo6Tm9Db3JzKSB7CisgICAgICAgIGlmIChhdXRvKiBwYWdlID0gZG9jdW1lbnQucGFnZSgpKSB7 CisgICAgICAgICAgICBpZiAocGFnZS0+c2hvdWxkRGlzYWJsZUNvcnNGb3JSZXF1ZXN0VG8ocmVx dWVzdC51cmwoKSkpCisgICAgICAgICAgICAgICAgb3B0aW9ucy5tb2RlID0gRmV0Y2hPcHRpb25z OjpNb2RlOjpOb0NvcnM7CisgICAgICAgIH0KKyAgICB9CisKICAgICBpZiAoY3Jvc3NPcmlnaW5B dHRyaWJ1dGUuaXNOdWxsKCkpIHsKICAgICAgICAgQ2FjaGVkUmVzb3VyY2VSZXF1ZXN0IGNhY2hl ZFJlcXVlc3QgeyBXVEZNb3ZlKHJlcXVlc3QpLCBXVEZNb3ZlKG9wdGlvbnMpIH07CiAgICAgICAg IGNhY2hlZFJlcXVlc3Quc2V0T3JpZ2luKGRvY3VtZW50LnNlY3VyaXR5T3JpZ2luKCkpOwpJbmRl eDogVG9vbHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFRvb2xzL0NoYW5nZUxvZwkocmV2aXNp b24gMjU3MDk4KQorKysgVG9vbHMvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEs MTMgQEAKKzIwMjAtMDItMjAgIEFsZXggQ2hyaXN0ZW5zZW4gIDxhY2hyaXN0ZW5zZW5Ad2Via2l0 Lm9yZz4KKworICAgICAgICBXS1dlYlZpZXdDb25maWd1cmF0aW9uLl9jb3JzRGlzYWJsaW5nUGF0 dGVybnMgc2hvdWxkIGFsc28gZGlzYWJsZSBDT1JTIGZvciBzY3JpcHQgdGFncyB3aXRoIGNyb3Nz b3JpZ2luIGF0dHJpYnV0ZXMKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTIwODAzNQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vNTgwMTEzMzc+CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBUZXN0V2ViS2l0 QVBJL1Rlc3RzL1dlYktpdENvY29hL1dLVVJMU2NoZW1lSGFuZGxlci0xLm1tOgorCiAyMDIwLTAy LTIwICBGdWppaSBIaXJvbm9yaSAgPEhpcm9ub3JpLkZ1amlpQHNvbnkuY29tPgogCiAgICAgICAg IFtXaW5dW01pbmlCcm93c2VyXSBBZGQgcHJldHRpZXIgdG9vbGJhciBidXR0b24gaWNvbnMKSW5k ZXg6IFRvb2xzL1Rlc3RXZWJLaXRBUEkvVGVzdHMvV2ViS2l0Q29jb2EvV0tVUkxTY2hlbWVIYW5k bGVyLTEubW0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PQotLS0gVG9vbHMvVGVzdFdlYktpdEFQSS9UZXN0cy9XZWJLaXRD b2NvYS9XS1VSTFNjaGVtZUhhbmRsZXItMS5tbQkocmV2aXNpb24gMjU2NzcxKQorKysgVG9vbHMv VGVzdFdlYktpdEFQSS9UZXN0cy9XZWJLaXRDb2NvYS9XS1VSTFNjaGVtZUhhbmRsZXItMS5tbQko d29ya2luZyBjb3B5KQpAQCAtODgyLDYgKzg4Miw2MCBAQCBURVNUKFVSTFNjaGVtZUhhbmRsZXIs IERpc2FibGVDT1JTKQogICAgIEVYUEVDVF9GQUxTRShjb3JzZmFpbHVyZSk7CiB9CiAKK1RFU1Qo VVJMU2NoZW1lSGFuZGxlciwgRGlzYWJsZUNPUlNTY3JpcHQpCit7CisgICAgVGVzdFdlYktpdEFQ STo6SFRUUFNlcnZlciBzZXJ2ZXIoeworICAgICAgICB7ICIvIiwgeyAiZmV0Y2goJ2xvYWRTdWNj ZXNzJykiIH0gfQorICAgIH0pOworCisgICAgYm9vbCBsb2FkU3VjY2VzcyA9IGZhbHNlOworICAg IGJvb2wgbG9hZEZhaWwgPSBmYWxzZTsKKyAgICBib29sIGRvbmUgPSBmYWxzZTsKKworICAgIGF1 dG8gaGFuZGxlciA9IGFkb3B0TlMoW1Rlc3RVUkxTY2hlbWVIYW5kbGVyIG5ld10pOworCisgICAg V0tXZWJWaWV3Q29uZmlndXJhdGlvbiAqY29uZmlndXJhdGlvbiA9IFtbW1dLV2ViVmlld0NvbmZp Z3VyYXRpb24gYWxsb2NdIGluaXRdIGF1dG9yZWxlYXNlXTsKKyAgICBbY29uZmlndXJhdGlvbiBz ZXRVUkxTY2hlbWVIYW5kbGVyOmhhbmRsZXIuZ2V0KCkgZm9yVVJMU2NoZW1lOkAiY29ycyJdOwor CisgICAgW2hhbmRsZXIgc2V0U3RhcnRVUkxTY2hlbWVUYXNrSGFuZGxlcjpbJl0oV0tXZWJWaWV3 ICosIGlkPFdLVVJMU2NoZW1lVGFzaz4gdGFzaykgeworICAgICAgICBpZiAoW3Rhc2sucmVxdWVz dC5VUkwucGF0aCBpc0VxdWFsVG9TdHJpbmc6QCIvbWFpbi5odG1sIl0pIHsKKyAgICAgICAgICAg IE5TRGF0YSAqZGF0YSA9IFtbTlNTdHJpbmcgc3RyaW5nV2l0aEZvcm1hdDpAIjxzY3JpcHQgdHlw ZT0ndGV4dC9qYXZhc2NyaXB0JyBjcm9zc29yaWdpbj0nYW5vbnltb3VzJyBvbmVycm9yPSdmZXRj aChcImxvYWRGYWlsXCIpJyBzcmM9J2h0dHA6Ly8xMjcuMC4wLjE6JWQvJz48L3NjcmlwdD4iLCBz ZXJ2ZXIucG9ydCgpXSBkYXRhVXNpbmdFbmNvZGluZzpOU1VURjhTdHJpbmdFbmNvZGluZ107Cisg ICAgICAgICAgICAKKyAgICAgICAgICAgIFt0YXNrIGRpZFJlY2VpdmVSZXNwb25zZTpbW1tOU1VS TFJlc3BvbnNlIGFsbG9jXSBpbml0V2l0aFVSTDp0YXNrLnJlcXVlc3QuVVJMIE1JTUVUeXBlOkAi dGV4dC9odG1sIiBleHBlY3RlZENvbnRlbnRMZW5ndGg6ZGF0YS5sZW5ndGggdGV4dEVuY29kaW5n TmFtZTpuaWxdIGF1dG9yZWxlYXNlXV07CisgICAgICAgICAgICBbdGFzayBkaWRSZWNlaXZlRGF0 YTpkYXRhXTsKKyAgICAgICAgICAgIFt0YXNrIGRpZEZpbmlzaF07CisgICAgICAgIH0gZWxzZSBp ZiAoW3Rhc2sucmVxdWVzdC5VUkwucGF0aCBpc0VxdWFsVG9TdHJpbmc6QCIvbG9hZFN1Y2Nlc3Mi XSkgeworICAgICAgICAgICAgbG9hZFN1Y2Nlc3MgPSB0cnVlOworICAgICAgICAgICAgZG9uZSA9 IHRydWU7CisgICAgICAgIH0gZWxzZSBpZiAoW3Rhc2sucmVxdWVzdC5VUkwucGF0aCBpc0VxdWFs VG9TdHJpbmc6QCIvbG9hZEZhaWwiXSkgeworICAgICAgICAgICAgbG9hZEZhaWwgPSB0cnVlOwor ICAgICAgICAgICAgZG9uZSA9IHRydWU7CisgICAgICAgIH0gZWxzZQorICAgICAgICAgICAgQVNT RVJUX05PVF9SRUFDSEVEKCk7CisgICAgfV07CisKKyAgICB7CisgICAgICAgIGF1dG8gd2ViVmll dyA9IGFkb3B0TlMoW1tXS1dlYlZpZXcgYWxsb2NdIGluaXRXaXRoRnJhbWU6Q0dSZWN0TWFrZSgw LCAwLCA4MDAsIDYwMCkgY29uZmlndXJhdGlvbjpjb25maWd1cmF0aW9uXSk7CisgICAgICAgIFt3 ZWJWaWV3IGxvYWRSZXF1ZXN0OltOU1VSTFJlcXVlc3QgcmVxdWVzdFdpdGhVUkw6W05TVVJMIFVS TFdpdGhTdHJpbmc6QCJjb3JzOi8vaG9zdDEvbWFpbi5odG1sIl1dXTsKKyAgICAgICAgVGVzdFdl YktpdEFQSTo6VXRpbDo6cnVuKCZkb25lKTsKKyAgICB9CisgICAgRVhQRUNUX0ZBTFNFKGxvYWRT dWNjZXNzKTsKKyAgICBFWFBFQ1RfVFJVRShsb2FkRmFpbCk7CisgICAgCisgICAgbG9hZFN1Y2Nl c3MgPSBmYWxzZTsKKyAgICBsb2FkRmFpbCA9IGZhbHNlOworICAgIGRvbmUgPSBmYWxzZTsKKwor ICAgIGNvbmZpZ3VyYXRpb24uX2NvcnNEaXNhYmxpbmdQYXR0ZXJucyA9IEBbQCIqOi8vKi8qIl07 CisgICAgeworICAgICAgICBhdXRvIHdlYlZpZXcgPSBhZG9wdE5TKFtbV0tXZWJWaWV3IGFsbG9j XSBpbml0V2l0aEZyYW1lOkNHUmVjdE1ha2UoMCwgMCwgODAwLCA2MDApIGNvbmZpZ3VyYXRpb246 Y29uZmlndXJhdGlvbl0pOworICAgICAgICBbd2ViVmlldyBsb2FkUmVxdWVzdDpbTlNVUkxSZXF1 ZXN0IHJlcXVlc3RXaXRoVVJMOltOU1VSTCBVUkxXaXRoU3RyaW5nOkAiY29yczovL2hvc3QxL21h aW4uaHRtbCJdXV07CisgICAgICAgIFRlc3RXZWJLaXRBUEk6OlV0aWw6OnJ1bigmZG9uZSk7Cisg ICAgfQorICAgIEVYUEVDVF9UUlVFKGxvYWRTdWNjZXNzKTsKKyAgICBFWFBFQ1RfRkFMU0UobG9h ZEZhaWwpOworfQorCiAjZW5kaWYgLy8gSEFWRShORVRXT1JLX0ZSQU1FV09SSykKIAogQGludGVy ZmFjZSBGcmFtZVNjaGVtZUhhbmRsZXIgOiBOU09iamVjdCA8V0tVUkxTY2hlbWVIYW5kbGVyPgo=