Bug 226760

Summary: Origin is null in http requests when baseURL has custom scheme on iOS 15.0
Product: WebKit Reporter: zhuoran1997
Component: PlatformAssignee: Alex Christensen <achristensen>
Status: RESOLVED FIXED    
Severity: Critical CC: achristensen, beidson, cdumez, john.hartmann, niklasmerz, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: iPhone / iPad   
OS: Other   
Bug Depends on: 227560    
Bug Blocks:    
Attachments:
Description Flags
A demo project and results of iOS 14.5 and iOS 15.0
none
Patch
none
Patch
none
Patch ews-feeder: commit-queue-

Description zhuoran1997 2021-06-08 01:20:05 PDT 
Created attachment 430817 [details]
A demo project and results of iOS 14.5 and iOS 15.0

There is a regression in WKWebView on iOS 15.0. When setting the baseURL of the WKWebView to `custom-scheme://` via webView.loadHTMLString(, baseURL:), the Origin in http request header becomes `null` instead of `custom-sheme://` on iOS 15.0. iOS 14.6 doesn't have this issue.

I have attached a demo project. You can run it with Xcode 12.5 and Xcode 13.0 to see the difference. After attaching inspector, press the "Request data" button. Then you can see the different Origin value in network request.
Comment 1 Radar WebKit Bug Importer 2021-06-08 12:22:40 PDT 
<rdar://problem/79027280>
Comment 2 Alex Christensen 2021-06-09 21:43:13 PDT 
Created attachment 431049 [details]
Patch
Comment 3 Chris Dumez 2021-06-09 21:50:23 PDT 
Comment on attachment 431049 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=431049&action=review

> Source/WebCore/page/SecurityOrigin.h:280
> +    origin->m_data = WTFMove(*data);

I have read your change log twice and I still don’t understand this change. It looks suspicious to set the securityorigindata (which is protocol / host / port) right after constructing a security origin with those same protocol / host / port.
Comment 4 Chris Dumez 2021-06-09 22:11:45 PDT 
Comment on attachment 431049 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=431049&action=review

R=me with the change

>> Source/WebCore/page/SecurityOrigin.h:280
>> +    origin->m_data = WTFMove(*data);
> 
> I have read your change log twice and I still don’t understand this change. It looks suspicious to set the securityorigindata (which is protocol / host / port) right after constructing a security origin with those same protocol / host / port.

I looked at the create() function and it looks like it constructs a url from the components, only to then later on extract the components from the URL :( this is a bit unfortunate. I think your change would probably look better if you did:
auto origin = adoptRef(*new SecurityOrigin);
origin->m_data = WTFMove(*data);

It would also be more efficient.
Comment 5 Alex Christensen 2021-06-09 23:16:56 PDT 
Created attachment 431051 [details]
Patch
Comment 6 Alex Christensen 2021-06-10 08:56:26 PDT 
Created attachment 431084 [details]
Patch
Comment 7 Alex Christensen 2021-06-10 16:26:12 PDT 
r278737
Comment 8 Alex Christensen 2021-06-10 16:26:33 PDT 
Thanks for reporting this bug!
Comment 9 Alex Christensen 2021-06-11 17:23:32 PDT 
*** Bug 226769 has been marked as a duplicate of this bug. ***
Comment 10 Niklas Merz 2021-07-01 23:35:07 PDT 
Looks like the latest Developer Beta 2 (19A5281j) brought this issue back. I got CORS issues (failed preflight request) again.

> Failed to load resource: Preflight response is not successful