Bug 178356

Summary: Apply custom header fields from WebsitePolicies to same-domain requests
Product: WebKit
Reporter: Alex Christensen <achristensen>
Component: New Bugs
Assignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED
Severity: Normal
CC: beidson, buildbot, cdumez, dbates, japhet, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 177629
Bug Blocks:
Attachments (Description, Flags):
Patch, none
Patch, beidson: review+

Description Alex Christensen 2017-10-16 11:59:23 PDT
Apply custom header fields from WebsitePolicies to same-domain requests
Comment 1 Alex Christensen 2017-10-16 12:05:16 PDT
Created attachment 323925
Patch
Comment 2 Daniel Bates 2017-10-16 14:08:10 PDT
Comment on attachment 323925
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=323925&action=review

> Source/WebCore/loader/cache/CachedResourceLoader.cpp:770
> +    if (frame() && m_documentLoader && !m_documentLoader->customHeaderFields().isEmpty()) {
> +        bool sameOriginRequest = false;
> +        auto requestedOrigin = SecurityOrigin::create(url);
> +        if (type == CachedResource::Type::MainResource) {
> +            if (frame()->isMainFrame())
> +                sameOriginRequest = true;
> +            else if (auto* topDocument = frame()->mainFrame().document())
> +                sameOriginRequest = topDocument->securityOrigin().isSameSchemeHostPort(requestedOrigin.get());
> +        } else if (document()) {
> +            sameOriginRequest = document()->topDocument().securityOrigin().isSameSchemeHostPort(requestedOrigin.get())
> +                && document()->securityOrigin().isSameSchemeHostPort(requestedOrigin.get());
> +        }
> +        if (sameOriginRequest) {
> +            for (auto& field : m_documentLoader->customHeaderFields())
> +                request.resourceRequest().addHTTPHeaderField(field.name(), field.value());
> +        }
> +    }
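
Review bot: In the MainResource branch, `if (frame()->isMainFrame()) sameOriginRequest = true;` applies the custom headers without comparing `requestedOrigin` to anything, while every other path requires `isSameSchemeHostPort`. If that is intentional because the fields on `m_documentLoader` were chosen for this navigation's destination, a comment saying so would help, along with a note on whether the fields survive a redirect of that main-frame load to a different origin, since nothing in this hunk re-checks the origin after the request is built. Separately, the loop uses `addHTTPHeaderField`; if a custom field name can collide with a header already present on the request, it is worth stating whether combining with the existing value is the intended result rather than replacing it.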

This does not seem like it will apply the custom headers to a subframe or child window navigated to about:blank or a blob URL (*) page or sub-resources loaded from them. Notice that about:blank inherits the security origin of its parent/opener frame.

(*) with the same origin as the document that has custom headers
Comment 3 Alex Christensen 2017-10-23 10:53:49 PDT
Created attachment 324566
Patch
Comment 4 Alex Christensen 2017-10-23 10:54:20 PDT
(In reply to Daniel Bates from comment #2)
> This does not seem like it will apply the custom headers to a subframe or
> child window navigated to about:blank or a blob URL (*) page or
> sub-resources loaded from them. Notice that about:blank inherits the
> security origin of its parent/opener frame.
I added a test verifying that this case behaves correctly.
Comment 5 Alex Christensen 2017-10-24 12:33:31 PDT
http://trac.webkit.org/r223909
Comment 6 Alex Christensen 2017-10-31 11:41:19 PDT
A few problems being fixed in https://bugs.webkit.org/show_bug.cgi?id=179064
Comment 7 Radar WebKit Bug Importer 2017-11-15 13:04:05 PST
<rdar://problem/35568718>