Bug 205326

Summary: Implement "create a potential-CORS request"
Product: WebKit Reporter: Rob Buis <rbuis>
Component: Page LoadingAssignee: Rob Buis <rbuis>
Status: RESOLVED FIXED    
Severity: Normal CC: beidson, cdumez, commit-queue, dbates, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, japhet, jer.noble, mkwst, philipj, sergio, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Description Rob Buis 2019-12-16 23:41:41 PST 
Implement "create a potential-CORS request" and remove deprecatedSetAsPotentiallyCrossOrigin.
Comment 1 Rob Buis 2019-12-16 23:58:11 PST 
Created attachment 385860 [details]
Patch
Comment 2 Rob Buis 2019-12-17 00:54:15 PST 
Created attachment 385863 [details]
Patch
Comment 3 Rob Buis 2019-12-17 02:39:36 PST 
Created attachment 385871 [details]
Patch
Comment 4 Rob Buis 2019-12-17 03:32:38 PST 
Created attachment 385874 [details]
Patch
Comment 5 Rob Buis 2019-12-17 05:32:53 PST 
Created attachment 385879 [details]
Patch
Comment 6 Rob Buis 2019-12-17 07:22:53 PST 
Created attachment 385886 [details]
Patch
Comment 7 Alexey Proskuryakov 2019-12-17 18:59:56 PST 
Comment on attachment 385886 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=385886&action=review

> LayoutTests/ChangeLog:8
> +        Adjusts test to same-origin fallback behavior by using CORS.

These changes seem to suggest high likelihood of breaking behaviors websites could rely on. What evidence exists to demonstrate them being fine?

> LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:1
> +CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.

Can you elaborate on why this is right, in particular?
Comment 8 Rob Buis 2019-12-17 22:37:35 PST 
(In reply to Alexey Proskuryakov from comment #7)
> Comment on attachment 385886 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=385886&action=review
> 
> > LayoutTests/ChangeLog:8
> > +        Adjusts test to same-origin fallback behavior by using CORS.
> 
> These changes seem to suggest high likelihood of breaking behaviors websites
> could rely on. What evidence exists to demonstrate them being fine?

It is specified that way for track loading:
https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request

Chrome and Firefox implement it (I should have added that to the Changelog, will fix). 

> > LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:1
> > +CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match.
> 
> Can you elaborate on why this is right, in particular?

That does look a bit odd, I will debug what is triggering those console messages.
Comment 9 Rob Buis 2019-12-18 00:59:45 PST 
Created attachment 385947 [details]
Patch
Comment 10 youenn fablet 2019-12-20 03:16:29 PST 
Comment on attachment 385947 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=385947&action=review

> Source/WebCore/ChangeLog:11
> +        The new behavior matches that of Chrome and Firefox.

Can you detail what behavioural changes are one there?
Comment 11 Rob Buis 2019-12-20 04:29:44 PST 
Created attachment 386201 [details]
Patch
Comment 12 Rob Buis 2019-12-20 05:31:01 PST 
Comment on attachment 385947 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=385947&action=review

>> Source/WebCore/ChangeLog:11
>> +        The new behavior matches that of Chrome and Firefox.
> 
> Can you detail what behavioural changes are one there?

I tried to add more details in all ChangeLog files. Note that if the same-origin fallback is controversial I can remove it from the patch.
Comment 13 youenn fablet 2020-01-03 01:30:15 PST 
Comment on attachment 386201 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=386201&action=review

> Source/WebCore/ChangeLog:13
> +        not specified.

Could we split the patch in two parts: one which is just a refactoring and then the one about text track loading?

> Source/WebCore/loader/CrossOriginAccessControl.cpp:122
> +CachedResourceRequest createPotentialAccessControlRequest(ResourceRequest&& request, Document& document, const String& crossOriginAttribute, ResourceLoaderOptions&& options, bool sameOriginFlag)

Can we move the options as the second parameter, that will allow to group the moved parameters together.

> Source/WebCore/loader/CrossOriginAccessControl.cpp:131
> +        auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) };

CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) };

> Source/WebCore/loader/CrossOriginAccessControl.cpp:142
>      auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) };

CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) };

> Source/WebCore/loader/TextTrackLoader.cpp:163
> +    auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), document, element.mediaElementCrossOriginAttribute(), WTFMove(options), true);

An enum would be slightly clearer.
Comment 14 youenn fablet 2020-01-03 01:31:00 PST 
@EricCarlson, any concern about changing text track loading to same-origin by default, as done by Chrome and Firefox nowadays apparently?
Comment 15 Rob Buis 2020-01-03 05:11:25 PST 
Created attachment 386673 [details]
Patch
Comment 16 Rob Buis 2020-01-03 06:08:19 PST 
Comment on attachment 386201 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=386201&action=review

I think I addressed your comments.

>> Source/WebCore/ChangeLog:13
>> +        not specified.
> 
> Could we split the patch in two parts: one which is just a refactoring and then the one about text track loading?

Doing that now, the new patch does not contain the text track loading changes.

>> Source/WebCore/loader/CrossOriginAccessControl.cpp:122
>> +CachedResourceRequest createPotentialAccessControlRequest(ResourceRequest&& request, Document& document, const String& crossOriginAttribute, ResourceLoaderOptions&& options, bool sameOriginFlag)
> 
> Can we move the options as the second parameter, that will allow to group the moved parameters together.

Done and adjusted the call sites.

>> Source/WebCore/loader/CrossOriginAccessControl.cpp:131
>> +        auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) };
> 
> CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) };

Done.

>> Source/WebCore/loader/CrossOriginAccessControl.cpp:142
>>      auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) };
> 
> CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) };

Done.
Comment 17 WebKit Commit Bot 2020-01-03 07:27:39 PST 
The commit-queue encountered the following flaky tests while processing attachment 386673 [details]:

imported/w3c/web-platform-tests/IndexedDB/large-requests-abort.html bug 205724 (author: youennf@gmail.com)
imported/w3c/web-platform-tests/IndexedDB/fire-error-event-exception.html bug 201481 (authors: shvaikalesh@gmail.com and youennf@gmail.com)
The commit-queue is continuing to process your patch.
Comment 18 WebKit Commit Bot 2020-01-03 07:27:46 PST 
The commit-queue encountered the following flaky tests while processing attachment 386673 [details]:

imported/w3c/web-platform-tests/IndexedDB/interleaved-cursors-large.html bug 201849
The commit-queue is continuing to process your patch.
Comment 19 WebKit Commit Bot 2020-01-03 08:19:55 PST 
Comment on attachment 386673 [details]
Patch

Clearing flags on attachment: 386673

Committed r254000: <https://trac.webkit.org/changeset/254000>
Comment 20 WebKit Commit Bot 2020-01-03 08:19:57 PST 
All reviewed patches have been landed.  Closing bug.
Comment 21 Radar WebKit Bug Importer 2020-01-03 08:20:24 PST 
<rdar://problem/58298224>
Comment 22 Rob Buis 2020-01-03 09:20:10 PST 
Reopening as a reminder that Eric still needs to react (comment 14) :)
Comment 23 Eric Carlson 2020-01-03 10:05:55 PST 
(In reply to youenn fablet from comment #14)
> @EricCarlson, any concern about changing text track loading to same-origin
> by default, as done by Chrome and Firefox nowadays apparently?

No, I think it is the right thing.
Comment 24 Eric Carlson 2020-01-03 10:06:25 PST 
(In reply to Rob Buis from comment #22)
> Reopening as a reminder that Eric still needs to react (comment 14) :)

Closing bug.

Thanks for checking in Rob!
Comment 25 Rob Buis 2020-01-18 01:04:26 PST 
Reopening to attach new patch.
Comment 26 Rob Buis 2020-01-18 01:04:29 PST 
Created attachment 388140 [details]
Patch
Comment 27 Rob Buis 2020-01-18 01:54:39 PST 
Created attachment 388141 [details]
Patch
Comment 28 Rob Buis 2020-01-20 00:48:49 PST 
Created attachment 388214 [details]
Patch
Comment 29 Rob Buis 2020-01-20 00:49:41 PST 
Created attachment 388215 [details]
Patch
Comment 30 youenn fablet 2020-01-20 01:57:44 PST 
Comment on attachment 388215 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=388215&action=review

> Source/WebCore/loader/CrossOriginAccessControl.cpp:140
> +    options.storedCredentialsPolicy = credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : document.securityOrigin().canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse;

Can we write it with something like:
switch (credentials) {
case FetchOptions::Credentials::Omit:
   ...
case FetchOptions::Credentials::Omit:
   ...
case FetchOptions::Credentials::Include:
   ...
case FetchOptions::Credentials::SameOrigin:
   ...
}
This should be easier to use and we would also ensure consistency between the two values (for instance omit => DoNotUse).
Comment 31 Rob Buis 2020-01-20 03:52:26 PST 
Created attachment 388225 [details]
Patch
Comment 32 WebKit Commit Bot 2020-01-20 06:43:16 PST 
The commit-queue encountered the following flaky tests while processing attachment 388225 [details]:

editing/spelling/spellcheck-async-remove-frame.html bug 158401 (authors: morrita@google.com, rniwa@webkit.org, and tony@chromium.org)
The commit-queue is continuing to process your patch.
Comment 33 WebKit Commit Bot 2020-01-20 06:43:50 PST 
Comment on attachment 388225 [details]
Patch

Clearing flags on attachment: 388225

Committed r254821: <https://trac.webkit.org/changeset/254821>
Comment 34 WebKit Commit Bot 2020-01-20 06:43:52 PST 
All reviewed patches have been landed.  Closing bug.
Comment 35 Rob Buis 2020-01-21 00:14:14 PST 
(In reply to youenn fablet from comment #30)
> Comment on attachment 388215 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=388215&action=review
> 
> > Source/WebCore/loader/CrossOriginAccessControl.cpp:140
> > +    options.storedCredentialsPolicy = credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : document.securityOrigin().canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse;
> 
> Can we write it with something like:
> switch (credentials) {
> case FetchOptions::Credentials::Omit:
>    ...
> case FetchOptions::Credentials::Omit:
>    ...
> case FetchOptions::Credentials::Include:
>    ...
> case FetchOptions::Credentials::SameOrigin:
>    ...
> }
> This should be easier to use and we would also ensure consistency between
> the two values (for instance omit => DoNotUse).

Yes, this did make the code easier to read and reason about.