Bug 208924

Summary: Make sure a preflight fails if response headers are invalid
Product: WebKit Reporter: youenn fablet <youennf>
Component: Page LoadingAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, beidson, cdumez, commit-queue, ews-watchlist, japhet, rwlbuis, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch for landing none

Description youenn fablet 2020-03-11 10:04:00 PDT
Make sure a preflight fails if response headers are invalid
Comment 1 youenn fablet 2020-03-11 10:35:03 PDT
Created attachment 393260 [details]
Patch
Comment 2 youenn fablet 2020-03-12 02:56:15 PDT
Created attachment 393351 [details]
Patch
Comment 3 youenn fablet 2020-03-12 05:51:00 PDT
Created attachment 393362 [details]
Patch
Comment 4 youenn fablet 2020-03-13 10:44:26 PDT
Ping review
Comment 5 Alex Christensen 2020-03-16 11:44:57 PDT
Comment on attachment 393362 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393362&action=review

> Source/WebCore/ChangeLog:11
> +        Minor refactoring to return Expected/Optional for erro rhandlng instead of passing an out parameter.

error

> Source/WebCore/loader/CrossOriginAccessControl.cpp:273
> +    CrossOriginPreflightResultCache::singleton().appendEntry(securityOrigin.toString(), request.url(), entry.moveToUniquePtr());

Do we want to do this if there was an error?  We didn't before.

> Source/WebCore/loader/CrossOriginPreflightResultCache.h:54
> +    bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const;
> +    bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;

These should return Expected<void, String> instead of having an out parameter.
Comment 6 youenn fablet 2020-03-16 12:02:26 PDT
CrossOriginPreflightResultCache::singleton().appendEntry(securityOrigin.toString(), request.url(), entry.moveToUniquePtr());
> 
> Do we want to do this if there was an error?  We didn't before.

Yes, I think so, this is explained in the change log

> > Source/WebCore/loader/CrossOriginPreflightResultCache.h:54
> > +    bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const;
> > +    bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;
> 
> These should return Expected<void, String> instead of having an out
> parameter.

Sure, this is preexisting and could be dealt with as a follow-up.
This patch moves these method from public to private so that at least we do not make this pattern more widespread.
Comment 7 youenn fablet 2020-03-18 05:51:52 PDT
Created attachment 393838 [details]
Patch for landing
Comment 8 youenn fablet 2020-03-18 07:43:52 PDT
> Sure, this is preexisting and could be dealt with as a follow-up.
> This patch moves these method from public to private so that at least we do
> not make this pattern more widespread.

https://bugs.webkit.org/show_bug.cgi?id=209224
Comment 9 WebKit Commit Bot 2020-03-18 07:49:42 PDT
Comment on attachment 393838 [details]
Patch for landing

Clearing flags on attachment: 393838

Committed r258631: <https://trac.webkit.org/changeset/258631>
Comment 10 WebKit Commit Bot 2020-03-18 07:49:44 PDT
All reviewed patches have been landed.  Closing bug.
Comment 11 Radar WebKit Bug Importer 2020-03-18 07:50:14 PDT
<rdar://problem/60584210>