Bug 178356

Summary: Apply custom header fields from WebsitePolicies to same-domain requests
Product: WebKit Reporter: Alex Christensen <achristensen>
Component: New BugsAssignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED    
Severity: Normal CC: beidson, buildbot, cdumez, dbates, japhet, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 177629    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch beidson: review+

Alex Christensen
Reported 2017-10-16 11:59:23 PDT
Apply custom header fields from WebsitePolicies to same-domain requests
Attachments
Patch (11.70 KB, patch)
2017-10-16 12:05 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Patch (13.00 KB, patch)
2017-10-23 10:53 PDT, Alex Christensen 		beidson: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 2017-10-16 12:05:16 PDT
Created attachment 323925 [details] Patch
Daniel Bates
Comment 2 2017-10-16 14:08:10 PDT
Comment on attachment 323925 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=323925&action=review > Source/WebCore/loader/cache/CachedResourceLoader.cpp:770 > + if (frame() && m_documentLoader && !m_documentLoader->customHeaderFields().isEmpty()) { > + bool sameOriginRequest = false; > + auto requestedOrigin = SecurityOrigin::create(url); > + if (type == CachedResource::Type::MainResource) { > + if (frame()->isMainFrame()) > + sameOriginRequest = true; > + else if (auto* topDocument = frame()->mainFrame().document()) > + sameOriginRequest = topDocument->securityOrigin().isSameSchemeHostPort(requestedOrigin.get()); > + } else if (document()) { > + sameOriginRequest = document()->topDocument().securityOrigin().isSameSchemeHostPort(requestedOrigin.get()) > + && document()->securityOrigin().isSameSchemeHostPort(requestedOrigin.get()); > + } > + if (sameOriginRequest) { > + for (auto& field : m_documentLoader->customHeaderFields()) > + request.resourceRequest().addHTTPHeaderField(field.name(), field.value()); > + } > + } This does not seem like it will apply the custom headers to a subframe or child window navigated to about:blank or a blob URL (*) page or sub-resources loaded from them. Notice that about:blank inherits the security origin of its parent/opener frame. (*) with the same origin as the document that has custom headers
Alex Christensen
Comment 3 2017-10-23 10:53:49 PDT
Created attachment 324566 [details] Patch
Alex Christensen
Comment 4 2017-10-23 10:54:20 PDT
(In reply to Daniel Bates from comment #2) > This does not seem like it will apply the custom headers to a subframe or > child window navigated to about:blank or a blob URL (*) page or > sub-resources loaded from them. Notice that about:blank inherits the > security origin of its parent/opener frame. I added a test verifying that this case behaves correctly.
Alex Christensen
Comment 5 2017-10-24 12:33:31 PDT
http://trac.webkit.org/r223909
Alex Christensen
Comment 6 2017-10-31 11:41:19 PDT
A few problems being fixed in https://bugs.webkit.org/show_bug.cgi?id=179064
Radar WebKit Bug Importer
Comment 7 2017-11-15 13:04:05 PST
<rdar://problem/35568718>
Note You need to log in before you can comment on or make changes to this bug.