Bug 128816

Summary: CORS: Fix the handling of redirected request containing Origin null.
Product: WebKit
Reporter: youenn fablet <youennf>
Component: WebCore Misc.
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bfulgham, buildbot, cdumez, commit-queue, gquan, japhet, rniwa
Priority: P2
Keywords: BlinkMergeCandidate
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 116075    
Bug Blocks:    
Attachments (description, flags):
Patch (flags: none)
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 (flags: none)
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion (flags: none)
Archive of layout-test-results from webkit-ews-06 for mac-mountainlion (flags: none)
Rebasing (flags: none)

Description youenn fablet 2014-02-14 07:38:30 PST
Consider merging: https://chromiumcodereview.appspot.com/20735002

CORS: Fix the handling of redirected request containing Origin null.

Removed the check for securityOrigin->isUnique() in passesAccessControlCheck().
This check was preventing redirected request with "Origin: null" from being
successful even when the response contained "Access-Control-Allow-Origin: null".

The case where the server responds with "Access-Control-Allow-Origin: null"
for a request with "Origin: null" is not a failure case as per the
W3C CORS Resource Sharing algorithm (http://www.w3.org/TR/cors/#resource-sharing-check-0).
The specification also mentions the following line below the Resource Sharing algorithm:
"The above algorithm also functions when the ASCII serialization of an origin is the string 'null'."

This additional check was added in passesAccessControlCheck() during the
implementation of HTML5 sandbox attribute for iframes. As per the WHATWG
(http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag)
specification when "sandboxed origin browsing context flag" is set it forces
content into a unique origin. For XHR requests made from the sandboxed iframe, the CORS
specification is applicable.
Updated the error description in expected.txt of these related layout test
to match the change. Added another allow test for "Access-Control-Allow-Origin: null"
in addition to the wildcard test ("Access-Control-Allow-Origin: *").

This makes the behavior the same as Mozilla Firefox Browser. Also clears the failed tests in
http://w3c-test.org/webappsec/tests/cors/submitted/opera/staging/redirect-origin.htm
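
The check discussed in the description above, modelled as an added example that is not part of the original report and is not WebKit's code. The option `rejectUniqueOrigins` stands in for the removed `isUnique()` test; the function names, object shapes and sample values are assumptions made for illustration.

```javascript
// Added illustration, not WebKit source. All names here are hypothetical.

// The Origin header serializes any unique (opaque) origin as the string "null".
function serializeOrigin(origin) {
  if (origin.unique) return "null";
  const port = origin.port ? `:${origin.port}` : "";
  return `${origin.scheme}://${origin.host}${port}`;
}

// Model of the W3C CORS resource sharing check. `headers` maps lowercase
// header names to a string, or to an array when the header is repeated.
// rejectUniqueOrigins = true models the extra isUnique() test that was removed.
function resourceSharingCheck(origin, headers, opts = {}) {
  const { withCredentials = false, rejectUniqueOrigins = false } = opts;
  const allowOrigin = headers["access-control-allow-origin"];

  // Zero or more than one Access-Control-Allow-Origin value: fail.
  if (typeof allowOrigin !== "string") {
    return { pass: false, reason: "missing or repeated Access-Control-Allow-Origin" };
  }
  // Wildcard passes only for requests made without credentials.
  if (allowOrigin === "*" && !withCredentials) return { pass: true, reason: "wildcard" };

  // Pre-fix behaviour: bail out before the header is ever compared.
  if (rejectUniqueOrigins && origin.unique) {
    return { pass: false, reason: "unique origin rejected" };
  }
  // Case-sensitive match against the serialized origin, "null" included.
  if (allowOrigin !== serializeOrigin(origin)) {
    return { pass: false, reason: "origin mismatch" };
  }
  if (withCredentials && headers["access-control-allow-credentials"] !== "true") {
    return { pass: false, reason: "credentials not allowed" };
  }
  return { pass: true, reason: "origin match" };
}

// Constructed sample: a sandboxed iframe's request answered with ACAO: null.
const sandboxed = { unique: true };
const response = { "access-control-allow-origin": "null" };
console.log(resourceSharingCheck(sandboxed, response, { rejectUniqueOrigins: true }));
console.log(resourceSharingCheck(sandboxed, response));
```

Every unique origin serializes to "null", so a server that answers with "Access-Control-Allow-Origin: null" grants access to all of them rather than to one particular sandboxed frame.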
Comment 1 youenn fablet 2014-02-14 07:54:08 PST
Created attachment 224215 [details]
Patch
Comment 2 Build Bot 2014-02-14 09:16:58 PST
Comment on attachment 224215 [details]
Patch

Attachment 224215 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5238515575029760

New failing tests:
http/tests/xmlhttprequest/redirect-cors-origin-null.html
Comment 3 Build Bot 2014-02-14 09:17:00 PST
Created attachment 224222 [details]
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-14  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.5
Comment 4 Build Bot 2014-02-14 09:21:15 PST
Comment on attachment 224215 [details]
Patch

Attachment 224215 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5712387772514304

New failing tests:
http/tests/xmlhttprequest/redirect-cors-origin-null.html
Comment 5 Build Bot 2014-02-14 09:21:16 PST
Created attachment 224224 [details]
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-07  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 6 Build Bot 2014-02-14 09:49:38 PST
Comment on attachment 224215 [details]
Patch

Attachment 224215 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5573610399858688

New failing tests:
http/tests/xmlhttprequest/redirect-cors-origin-null.html
Comment 7 Build Bot 2014-02-14 09:49:40 PST
Created attachment 224228 [details]
Archive of layout-test-results from webkit-ews-06 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-06  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 8 youenn fablet 2014-02-17 03:30:15 PST
Patch is failing
Comment 9 youenn fablet 2014-02-17 03:33:16 PST
(In reply to comment #6)
> (From update of attachment 224215 [details])
> Attachment 224215 [details] did not pass mac-ews (mac):
> Output: http://webkit-queues.appspot.com/results/5573610399858688
> 
> New failing tests:
> http/tests/xmlhttprequest/redirect-cors-origin-null.html

Test is failing due to mac port network layer inserting "Accept-Encoding" header which then makes cross origin not simple.
The preflight check fails as "Accept-Encoding" is not authorized.

Patch in https://bugs.webkit.org/show_bug.cgi?id=116075 clears the "Accept-Encoding" header in case of a cross-origin request triggered from a redirect response.

This should take care of the failing test.
Comment 10 youenn fablet 2016-01-14 07:26:58 PST
Created attachment 268962 [details]
Rebasing
Comment 11 Brent Fulgham 2016-01-14 09:05:31 PST
Comment on attachment 268962 [details]
Rebasing

r=me. Please confirm the win and gtk-wk2 EWS bots are green, then you can land.
Comment 12 WebKit Commit Bot 2016-01-15 01:12:06 PST
Comment on attachment 268962 [details]
Rebasing

Clearing flags on attachment: 268962

Committed r195100: <http://trac.webkit.org/changeset/195100>
Comment 13 WebKit Commit Bot 2016-01-15 01:12:09 PST
All reviewed patches have been landed.  Closing bug.