Bug 236049

Summary: Many CSP tests timing out with "Blocked access to external URL" error
Product: WebKit Reporter: Kate Cheney <katherine_cheney>
Component: New BugsAssignee: Kate Cheney <katherine_cheney>
Status: NEW ---    
Severity: Normal CC: bfulgham, clopez, eric.carlson, ews-watchlist, glenn, jer.noble, mkwst, pgriffis, philipj, sergio, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=232223
https://bugs.webkit.org/show_bug.cgi?id=127676
https://bugs.webkit.org/show_bug.cgi?id=160504
Attachments:
Description Flags
Patch
none
WIP 2
none
WIP 3
none
Patch ews-feeder: commit-queue-

Description Kate Cheney 2022-02-02 17:27:53 PST 
Many CSP tests timing out with "Blocked access to external URL" error
Comment 1 Kate Cheney 2022-02-02 17:29:40 PST 
Created attachment 450721 [details]
Patch
Comment 2 EWS Watchlist 2022-02-02 17:31:10 PST 
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Comment 3 Kate Cheney 2022-02-08 15:42:39 PST 
Created attachment 451315 [details]
WIP 2
Comment 4 youenn fablet 2022-02-09 00:48:38 PST 
Comment on attachment 451315 [details]
WIP 2

View in context: https://bugs.webkit.org/attachment.cgi?id=451315&action=review

> LayoutTests/imported/w3c/web-platform-tests/common/security-features/resources/common.sub.js:977
> +  const crossOriginHost = "127.0.0.1";

const crossOriginHost = {{hosts[alt][]}}

> LayoutTests/imported/w3c/web-platform-tests/common/security-features/subresource/subresource.py:31
> +        return "127.0.0.1"

Can we check whether subdomain is important here or whether we could use alternate here as well?
Comment 5 Kate Cheney 2022-02-09 12:18:01 PST 
Comment on attachment 451315 [details]
WIP 2

View in context: https://bugs.webkit.org/attachment.cgi?id=451315&action=review

>> LayoutTests/imported/w3c/web-platform-tests/common/security-features/resources/common.sub.js:977
>> +  const crossOriginHost = "127.0.0.1";
> 
> const crossOriginHost = {{hosts[alt][]}}

Will change.

>> LayoutTests/imported/w3c/web-platform-tests/common/security-features/subresource/subresource.py:31
>> +        return "127.0.0.1"
> 
> Can we check whether subdomain is important here or whether we could use alternate here as well?

CSP tests use this to perform a swap-origin redirect, which is referenced in the wpt repo (https://github.com/web-platform-tests/wpt/pull/1856) as being when the final origin of the load after redirection is cross origin. That leads me to believe this function is only trying to get a cross origin domain and the existence of a subdomain doesn't actually matter.

This aligns with the if-else which checks the netloc and returns a cross-origin host regardless of whether it exists (e.g. a netloc of ww1.localhost returns localhost, and a netloc of localhost returns ww1.localhost).

A solution that aligns more with our http tests would be to return "127.0.0.1" if netloc is "localhost" and vice versa.
Comment 6 Kate Cheney 2022-02-09 13:15:10 PST 
Created attachment 451433 [details]
WIP 3
Comment 7 Kate Cheney 2022-02-09 13:15:52 PST 
Comment on attachment 451433 [details]
WIP 3

View in context: https://bugs.webkit.org/attachment.cgi?id=451433&action=review

> LayoutTests/imported/w3c/web-platform-tests/common/security-features/subresource/subresource.py:28
> +    if netloc == "localhost":

@Youenn is there a way to get localhost without hardcoding?
Comment 8 Radar WebKit Bug Importer 2022-02-09 17:28:19 PST 
<rdar://problem/88724733>
Comment 9 Kate Cheney 2022-02-10 10:07:52 PST 
Created attachment 451560 [details]
Patch