WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
116075
Fix problems with cross-origin redirects
https://bugs.webkit.org/show_bug.cgi?id=116075
Summary
Fix problems with cross-origin redirects
Ryosuke Niwa
Reported
2013-05-13 16:34:36 PDT
We might want to merge
https://chromium.googlesource.com/chromium/blink/+/7ea774e478f84f355748108d2aaabca15355d512
Three problems exist in the current code: 1) If a same-origin request causes a redirect to a different origin, do not enforce access control checks for the redirect response itself, because the request which resulted in the redirect was same-origin. 2) If a same-origin request causes a redirect to a different origin, use the original request's URL as the origin for the new request; do not use a unique security origin. 3) Track whether the client (i.e., XMLHttpRequest) actually requested that credentials be sent in the first place. When a same-origin request redirects to a different origin, the original request will send cookies whether requested or not, because it is same-origin. The new cross-origin request should not send cookies unless they were requested, so that the access control checks on the response will succeed if the server granted "Access-Control-Allow-Origin=*".
Attachments
Patch
(46.08 KB, patch)
2014-02-17 03:29 PST
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Rebasing
(51.98 KB, patch)
2016-01-12 02:18 PST
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Archive of layout-test-results from ews103 for mac-yosemite
(859.09 KB, application/zip)
2016-01-12 03:32 PST
,
Build Bot
no flags
Details
Archive of layout-test-results from ews112 for mac-yosemite
(812.82 KB, application/zip)
2016-01-12 03:32 PST
,
Build Bot
no flags
Details
Archive of layout-test-results from ews105 for mac-yosemite-wk2
(776.49 KB, application/zip)
2016-01-12 03:35 PST
,
Build Bot
no flags
Details
Rebasing wpt tests
(56.75 KB, patch)
2016-01-12 05:06 PST
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Archive of layout-test-results from ews101 for mac-yosemite
(694.08 KB, application/zip)
2016-01-12 06:10 PST
,
Build Bot
no flags
Details
Archive of layout-test-results from ews106 for mac-yosemite-wk2
(700.86 KB, application/zip)
2016-01-12 06:13 PST
,
Build Bot
no flags
Details
Archive of layout-test-results from ews114 for mac-yosemite
(760.35 KB, application/zip)
2016-01-12 06:16 PST
,
Build Bot
no flags
Details
Rebasing wpt tests
(58.80 KB, patch)
2016-01-12 06:22 PST
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Removing WPT test changes
(57.78 KB, patch)
2016-01-12 07:24 PST
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Patch for landing
(55.64 KB, patch)
2016-01-13 23:42 PST
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Show Obsolete
(11)
View All
Add attachment
proposed patch, testcase, etc.
youenn fablet
Comment 1
2014-02-17 03:29:11 PST
Created
attachment 224351
[details]
Patch
youenn fablet
Comment 2
2014-03-21 02:27:27 PDT
ping review
Brent Fulgham
Comment 3
2016-01-11 11:41:21 PST
This patch doesn't apply cleanly anymore. I'd like to try to integrate this if we could get something current. (Sorry it's sat here for so long). Is there any hope we could get a revised patch?
youenn fablet
Comment 4
2016-01-11 11:49:47 PST
I can take a look tomorrow if that helps
Brent Fulgham
Comment 5
2016-01-11 11:50:22 PST
(In reply to
comment #4
)
> I can take a look tomorrow if that helps
Sure! I'm just so sorry no one looked at it until now. :-(
youenn fablet
Comment 6
2016-01-12 02:18:03 PST
Created
attachment 268751
[details]
Rebasing
Build Bot
Comment 7
2016-01-12 03:32:22 PST
Comment on
attachment 268751
[details]
Rebasing
Attachment 268751
[details]
did not pass mac-ews (mac): Output:
http://webkit-queues.webkit.org/results/682017
New failing tests: imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm
Build Bot
Comment 8
2016-01-12 03:32:28 PST
Created
attachment 268753
[details]
Archive of layout-test-results from ews103 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 9
2016-01-12 03:32:31 PST
Comment on
attachment 268751
[details]
Rebasing
Attachment 268751
[details]
did not pass mac-debug-ews (mac): Output:
http://webkit-queues.webkit.org/results/682007
New failing tests: imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm
Build Bot
Comment 10
2016-01-12 03:32:37 PST
Created
attachment 268754
[details]
Archive of layout-test-results from ews112 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 11
2016-01-12 03:35:14 PST
Comment on
attachment 268751
[details]
Rebasing
Attachment 268751
[details]
did not pass mac-wk2-ews (mac-wk2): Output:
http://webkit-queues.webkit.org/results/682020
New failing tests: imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm
Build Bot
Comment 12
2016-01-12 03:35:20 PST
Created
attachment 268755
[details]
Archive of layout-test-results from ews105 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
youenn fablet
Comment 13
2016-01-12 05:06:03 PST
Created
attachment 268757
[details]
Rebasing wpt tests
Build Bot
Comment 14
2016-01-12 06:10:29 PST
Comment on
attachment 268757
[details]
Rebasing wpt tests
Attachment 268757
[details]
did not pass mac-ews (mac): Output:
http://webkit-queues.webkit.org/results/682411
New failing tests: imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm
Build Bot
Comment 15
2016-01-12 06:10:34 PST
Created
attachment 268758
[details]
Archive of layout-test-results from ews101 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 16
2016-01-12 06:13:42 PST
Comment on
attachment 268757
[details]
Rebasing wpt tests
Attachment 268757
[details]
did not pass mac-wk2-ews (mac-wk2): Output:
http://webkit-queues.webkit.org/results/682413
New failing tests: imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm
Build Bot
Comment 17
2016-01-12 06:13:46 PST
Created
attachment 268759
[details]
Archive of layout-test-results from ews106 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Build Bot
Comment 18
2016-01-12 06:16:51 PST
Comment on
attachment 268757
[details]
Rebasing wpt tests
Attachment 268757
[details]
did not pass mac-debug-ews (mac): Output:
http://webkit-queues.webkit.org/results/682417
New failing tests: imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus.htm imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm
Build Bot
Comment 19
2016-01-12 06:16:55 PST
Created
attachment 268760
[details]
Archive of layout-test-results from ews114 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews114 Port: mac-yosemite Platform: Mac OS X 10.10.5
youenn fablet
Comment 20
2016-01-12 06:22:03 PST
Created
attachment 268761
[details]
Rebasing wpt tests
youenn fablet
Comment 21
2016-01-12 06:28:16 PST
(In reply to
comment #5
)
> (In reply to
comment #4
) > > I can take a look tomorrow if that helps
I did a quick rebase. I did not check whether removing Accept-Encoding is still needed in Mac or not. Is it still needed? I skipped some WPT tests that require access to URLS like: - example.not: no server can be reached - www2.localhost: localhost server should be reached These tests require DRT and WTR to stop blocking these URLS. They also require to update the bots to map localhost-like urls (www2.localhost) to 127.0.0.1. I filed
bug 127676
some time ago for that. Another approach might be to define a list of allowed hostnames somewhere.
> Sure! I'm just so sorry no one looked at it until now. :-(
Yeah, we, WebKit community should definitely improve on this...
Michael Catanzaro
Comment 22
2016-01-12 07:14:46 PST
Comment on
attachment 268761
[details]
Rebasing wpt tests View in context:
https://bugs.webkit.org/attachment.cgi?id=268761&action=review
> LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm:17 > +console.log(client.readyState);
Looks like a debugging leftover that needs removed.
> LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors.htm:33 > +// redirect("303")
Ditto.
youenn fablet
Comment 23
2016-01-12 07:24:18 PST
Created
attachment 268765
[details]
Removing WPT test changes
youenn fablet
Comment 24
2016-01-12 07:26:08 PST
(In reply to
comment #23
)
> Created
attachment 268765
[details]
> Removing WPT test changes
Thanks, this is fixed in the latest patch.
Brent Fulgham
Comment 25
2016-01-12 09:00:35 PST
Comment on
attachment 268765
[details]
Removing WPT test changes I think this looks good. Let's wait for 'win' to finish, and for Dan Bates to double-check it, then land it. Dan, please r+ this if you agree with the change.
Daniel Bates
Comment 26
2016-01-12 10:34:28 PST
Comment on
attachment 268765
[details]
Removing WPT test changes View in context:
https://bugs.webkit.org/attachment.cgi?id=268765&action=review
> LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-bogus-expected.txt:3 > +FAIL: Timed out waiting for notifyDone to be called
This is OK-as-is. I know that this test is expected to time out because WTR/DTR block access to www2.localhost and example.not. Even though this is a timeout failure it seems weird to both include an expected result that has "FAIL" and mark the test as skipped in the TestExpectation file. (I mean, assuming this was not a timeout failure - just a test that failed such sub-test, then the test would be considered to succeed if someone ever removed the test from the list of skipped tests in the TestExpectation file and the failure of the sub-test would likely not be noticed). Unless it is not straightforward to do, I suggest landing the expected success result for this test and mark this test as skipped. Then unskipping this test will lead to a noticeable test failure (currently a timeout) so long as WTR/DRT continue to block www2.localhost and example.not. This also has the benefit of making it straightforward to reason about the state of this test should there be other issues besides the blocking of www2.localhost and example.not since the expected result file represents the actual expected result.
> LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-cors-expected.txt:2 > +FAIL: Timed out waiting for notifyDone to be called
Ditto.
> LayoutTests/imported/w3c/web-platform-tests/XMLHttpRequest/send-redirect-to-non-cors-expected.txt:5 > +FAIL: Timed out waiting for notifyDone to be called
Ditto.
youenn fablet
Comment 27
2016-01-13 23:42:24 PST
Created
attachment 268943
[details]
Patch for landing
WebKit Commit Bot
Comment 28
2016-01-14 00:39:29 PST
Comment on
attachment 268943
[details]
Patch for landing Clearing flags on attachment: 268943 Committed
r195010
: <
http://trac.webkit.org/changeset/195010
>
WebKit Commit Bot
Comment 29
2016-01-14 00:39:34 PST
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug