Summary: | Apply custom header fields from WebsitePolicies to same-domain requests |
---|---|
Product: | WebKit |
Component: | New Bugs |
Status: | RESOLVED FIXED |
Severity: | Normal |
Priority: | P2 |
Version: | WebKit Nightly Build |
Hardware: | Unspecified |
OS: | Unspecified |
Reporter: | Alex Christensen <achristensen> |
Assignee: | Alex Christensen <achristensen> |
CC: | beidson, buildbot, cdumez, dbates, japhet, webkit-bug-importer |
Keywords: | InRadar |
Bug Depends on: | 177629 |
Bug Blocks: | |
Attachments: | |
Description
Alex Christensen
2017-10-16 11:59:23 PDT
Created attachment 323925 [details]
Patch
Comment on attachment 323925 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=323925&action=review
> Source/WebCore/loader/cache/CachedResourceLoader.cpp:770 > + if (frame() && m_documentLoader && !m_documentLoader->customHeaderFields().isEmpty()) { > + bool sameOriginRequest = false; > + auto requestedOrigin = SecurityOrigin::create(url); > + if (type == CachedResource::Type::MainResource) { > + if (frame()->isMainFrame()) > + sameOriginRequest = true; > + else if (auto* topDocument = frame()->mainFrame().document()) > + sameOriginRequest = topDocument->securityOrigin().isSameSchemeHostPort(requestedOrigin.get()); > + } else if (document()) { > + sameOriginRequest = document()->topDocument().securityOrigin().isSameSchemeHostPort(requestedOrigin.get()) > + && document()->securityOrigin().isSameSchemeHostPort(requestedOrigin.get()); > + } > + if (sameOriginRequest) { > + for (auto& field : m_documentLoader->customHeaderFields()) > + request.resourceRequest().addHTTPHeaderField(field.name(), field.value()); > + } > + }
This does not seem like it will apply the custom headers to a subframe or child window navigated to about:blank or a blob URL (*) page or sub-resources loaded from them. Notice that about:blank inherits the security origin of its parent/opener frame.
(*) with the same origin as the document that has custom headers
Created attachment 324566 [details]
Patch
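Review bot: In the quoted CachedResourceLoader.cpp hunk, the MainResource branch sets sameOriginRequest = true for frame()->isMainFrame() without comparing requestedOrigin against anything, so the variable name no longer describes what is checked and every main-frame main-resource request made while customHeaderFields() is non-empty receives the fields. If that is intended because the fields are chosen for that navigation, a one-line comment saying so would help; otherwise compare against the origin the fields were issued for. The subframe main-resource case also compares only against the top document, while the sub-resource case requires both document()->topDocument() and document() to match; a comment explaining the difference, or a small helper that names the rule, would make the policy easier to audit.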
(In reply to Daniel Bates from comment #2)
> This does not seem like it will apply the custom headers to a subframe or
> child window navigated to about:blank or a blob URL (*) page or
> sub-resources loaded from them. Notice that about:blank inherits the
> security origin of its parent/opener frame.
I added a test verifying that this case behaves correctly. A few problems being fixed in https://bugs.webkit.org/show_bug.cgi?id=179064