Summary: | REGRESSION (r231479): http/tests/appcache/x-frame-options-prevents-framing.php is timing out | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Daniel Bates <dbates> | ||||
Component: | Tools / Tests | Assignee: | Daniel Bates <dbates> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | aestes, cdumez, ews-watchlist, japhet, lforschler, webkit-bug-importer, youennf | ||||
Priority: | P1 | Keywords: | InRadar | ||||
Version: | WebKit Nightly Build | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
See Also: | https://bugs.webkit.org/show_bug.cgi?id=185412 | ||||||
Bug Depends on: | 185410 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Daniel Bates
2018-05-08 13:21:43 PDT
FWIW, DTL is only skipping its security checks if the response source is network process. See isResponseComingFromNetworkProcess in DocumentThreadableLoader.cpp The issue is that loads for ApplicationCache go through DocumentLoader::responseReceived(). So, we need to process CSP frame-ancestors and X-Frame-Options regardless of whether we are using WebKit2 and experimental feature Restricted HTTP Response Access is enabled. Although the fix for this issue would likely fallout naturally from fixing bug #185412. I do not see the need to gate fixing this bug on fixing bug #185412. Created attachment 340032 [details]
Patch
Committed r231597: <https://trac.webkit.org/changeset/231597> Comment on attachment 340032 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=340032&action=review > Source/WebCore/loader/DocumentLoader.cpp:771 > + if (m_substituteData.isValid() || !m_frame->settings().networkProcessCSPFrameAncestorsCheckingEnabled() || !RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess()) { I believe that we are currently skipping CSP checks if the response is coming from Memory Cache or from Service Worker. We should probably fix that. As I said previously, DocumentThreadableLoader is disabling CSP checks only if the response is coming from NetworkProcess and if platformStrategies()->loaderStrategy()->isDoingLoadingSecurityChecks() returns true. Please look at DocumentThreadableLoader::redirectReceived and isResponseComingFromNetworkProcess. We should also probably unskip http/tests/appcache/x-frame-options-prevents-framing.php after this patch. |