Bug 233640

Summary: passthrough service workers should respect redirects when propagating navigation origin header
Product: WebKit
Component: Service Workers
Status: NEW
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Ben Kelly <ben>
Assignee: Nobody <webkit-unassigned>
CC: achristensen, cdumez, webkit-bug-importer, wilander, youennf
Keywords: InRadar

Description Ben Kelly 2021-11-30 08:46:49 PST
Please see:

https://github.com/whatwg/fetch/pull/1345

WebKit already implements part of this spec change. Specifically, it seems to propagate the request's origin for passthrough service workers that do `evt.respondWith(fetch(evt.request))`.

It does not, however, correctly set the origin header to `origin:null` if the FetchEvent.request is a navigation that redirected through a cross-origin URL.

The WPT tests for this change are at:

https://wpt.fyi/results/service-workers/service-worker/navigation-headers.https.html?label=experimental&label=master&aligned

Many of the failures there are for things not implemented by WebKit yet and can be ignored. The failures that matter for this bug are the test cases:

* "POST Navigation, same-origin with same-site redirect and passthrough service worker sets correct origin and referer headers."
* "POST Navigation, same-origin with cross-site redirect and passthrough service worker sets correct origin and referer headers."
* "POST Navigation, same-origin with cross-site redirect, same-origin redirect, and passthrough service worker sets correct origin and referer headers."
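
An added illustration, not from the bug report or WebKit's code: a simplified JavaScript model of the Fetch Standard's redirect-tainted-origin check, showing why a passthrough request has to carry the navigation's redirect chain to end up with `Origin: null`. The hosts, the `passthrough` helper and its `keepUrlList` flag are assumptions made for the example.

```javascript
// Simplified model of the Fetch Standard's "redirect-tainted origin" check
// and request-origin serialization. All hosts are constructed sample values.
const originOf = (url) => new URL(url).origin;

// Tainted when a redirect crosses origins while leaving a hop that is
// itself not same-origin with the request's origin.
function hasRedirectTaintedOrigin(requestOrigin, urlList) {
  let last = null;
  for (const url of urlList) {
    if (last !== null &&
        originOf(url) !== originOf(last) &&
        requestOrigin !== originOf(last)) {
      return true;
    }
    last = url;
  }
  return false;
}

// Value used for the Origin header when one is sent.
function originHeaderFor(request) {
  return hasRedirectTaintedOrigin(request.origin, request.urlList)
    ? "null"
    : request.origin;
}

// Hypothetical model of `fetch(evt.request)` in a passthrough worker:
// the origin is propagated; keepUrlList decides whether the redirect
// chain travels with the new request or only the current URL does.
function passthrough(request, keepUrlList) {
  const urlList = keepUrlList ? [...request.urlList] : request.urlList.slice(-1);
  return { origin: request.origin, urlList };
}

// Constructed POST navigation: same-origin start, cross-site redirect,
// then a redirect back to the starting origin.
const A = "https://app.example";
const navigation = {
  origin: A,
  urlList: [`${A}/form`, "https://other.test/redirect", `${A}/submit`],
};

console.log(originHeaderFor(passthrough(navigation, true)));  // chain kept
console.log(originHeaderFor(passthrough(navigation, false))); // chain dropped
```
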

Comment 1 Ben Kelly 2021-11-30 12:54:08 PST
Hmm, I didn't realize WebKit implements some SameSite cookie features as well. It seems those are not taking the origin of the passthrough request into account currently. See the failures in:

https://wpt.fyi/results/service-workers/service-worker/same-site-cookies.https.html?label=experimental&label=master&aligned

For example, the test case "cross-site, window.open with passthrough".

Comment 2 Radar WebKit Bug Importer 2021-12-01 00:48:18 PST
<rdar://problem/85911487>