RESOLVED FIXED 128816
CORS: Fix the handling of redirected request containing Origin null.
https://bugs.webkit.org/show_bug.cgi?id=128816
youenn fablet
Reported 2014-02-14 07:38:30 PST
Consider merging: https://chromiumcodereview.appspot.com/20735002
CORS: Fix the handling of redirected request containing Origin null.
Removed the check for securityOrigin->isUnique() in passesAccessControlCheck(). This check was preventing redirected request with "Origin: null" from being successful even when the response contained "Access-Control-Allow-Origin: null".
The case where the server responds with "Access-Control-Allow-Origin: null" for a request with "Origin: null" is not a failure case as per the W3C CORS Resource Sharing algorithm (http://www.w3.org/TR/cors/#resource-sharing-check-0). The specification also mentions the following line below Resource Sharing algorithm: "The above algorithm also functions when the ASCII serialization of an origin is the string 'null'."
This additional check was added in passesAccessControlCheck() during the implementation of HTML5 sandbox attribute for iframes. As per the WHATWG (http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag) specification when "sandboxed origin browsing context flag" is set it forces content into a unique origin. For XHR requests made from the sandboxed iframe, CORS specification is applicable.
Updated the error description in expected.txt of these related layout test to match the change. Added another allow test for "Access-Control-Allow-Origin: null" in addition to the wildcard test ("Access-Control-Allow-Origin: *"). This makes the behavior same as Mozilla Firefox Browser.
Also clears the failed tests in http://w3c-test.org/webappsec/tests/cors/submitted/opera/staging/redirect-origin.htm
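A model of the resource sharing check described above, added here as an example; it is not part of the bug report and is not WebKit or Chromium source. All names are hypothetical, and the `rejectUnique` option stands in for the isUnique() test that the patch removes.

```javascript
// Model of the CORS resource sharing check for a request whose Origin
// header is "null". Hypothetical names; not WebKit or Chromium source.

// Unique origins (e.g. a sandboxed iframe) serialize to the string "null".
function serializeOrigin(origin) {
  return origin.unique ? "null" : `${origin.scheme}://${origin.host}`;
}

// rejectUnique = true models the extra isUnique() test the patch removes.
function resourceSharingCheck(responseHeaders, origin,
                              { credentials = false, rejectUnique = false } = {}) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  // The wildcard is only honoured for requests made without credentials.
  if (allowOrigin === "*" && !credentials) return true;
  if (rejectUnique && origin.unique) return false;
  // Exact, case-sensitive comparison with the serialized origin.
  if (allowOrigin !== serializeOrigin(origin)) return false;
  if (credentials &&
      responseHeaders["access-control-allow-credentials"] !== "true") return false;
  return true;
}

// Constructed sample inputs.
const sandboxed = { unique: true };
const regular = { unique: false, scheme: "https", host: "app.example" };
const allowNull = { "access-control-allow-origin": "null" };
const allowStar = { "access-control-allow-origin": "*" };
const allowApp = { "access-control-allow-origin": "https://app.example" };

function runCases() {
  return {
    // "Origin: null" answered with "Access-Control-Allow-Origin: null"
    nullBefore: resourceSharingCheck(allowNull, sandboxed, { rejectUnique: true }),
    nullAfter: resourceSharingCheck(allowNull, sandboxed),
    // The wildcard case passed both before and after the change.
    starBefore: resourceSharingCheck(allowStar, sandboxed, { rejectUnique: true }),
    starAfter: resourceSharingCheck(allowStar, sandboxed),
    // Mismatches still fail after the change.
    otherOriginAllowed: resourceSharingCheck(allowApp, sandboxed),
    regularOriginGetsNull: resourceSharingCheck(allowNull, regular),
    starWithCredentials: resourceSharingCheck(allowStar, sandboxed, { credentials: true }),
  };
}

console.log(runCases());
```

Because every unique origin serializes to the same string, a server that answers "Access-Control-Allow-Origin: null" admits all of them, sandboxed iframes included, so that value belongs only on responses meant to be readable by any such document.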
Attachments
Patch (12.96 KB, patch)
2014-02-14 07:54 PST, youenn fablet
no flags
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 (497.31 KB, application/zip)
2014-02-14 09:17 PST, Build Bot
no flags
Archive of layout-test-results from webkit-ews-07 for mac-mountainlion (489.25 KB, application/zip)
2014-02-14 09:21 PST, Build Bot
no flags
Archive of layout-test-results from webkit-ews-06 for mac-mountainlion (542.14 KB, application/zip)
2014-02-14 09:49 PST, Build Bot
no flags
Rebasing (13.09 KB, patch)
2016-01-14 07:26 PST, youenn fablet
no flags
youenn fablet
Comment 1 2014-02-14 07:54:08 PST
Build Bot
Comment 2 2014-02-14 09:16:58 PST
Comment on attachment 224215 [details] Patch Attachment 224215 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/5238515575029760 New failing tests: http/tests/xmlhttprequest/redirect-cors-origin-null.html
Build Bot
Comment 3 2014-02-14 09:17:00 PST
Created attachment 224222 [details] Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-14 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.5
Build Bot
Comment 4 2014-02-14 09:21:15 PST
Comment on attachment 224215 [details] Patch Attachment 224215 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/5712387772514304 New failing tests: http/tests/xmlhttprequest/redirect-cors-origin-null.html
Build Bot
Comment 5 2014-02-14 09:21:16 PST
Created attachment 224224 [details] Archive of layout-test-results from webkit-ews-07 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-07 Port: mac-mountainlion Platform: Mac OS X 10.8.5
Build Bot
Comment 6 2014-02-14 09:49:38 PST
Comment on attachment 224215 [details] Patch Attachment 224215 [details] did not pass mac-ews (mac): Output: http://webkit-queues.appspot.com/results/5573610399858688 New failing tests: http/tests/xmlhttprequest/redirect-cors-origin-null.html
Build Bot
Comment 7 2014-02-14 09:49:40 PST
Created attachment 224228 [details] Archive of layout-test-results from webkit-ews-06 for mac-mountainlion The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: webkit-ews-06 Port: mac-mountainlion Platform: Mac OS X 10.8.5
youenn fablet
Comment 8 2014-02-17 03:30:15 PST
Patch is failing
youenn fablet
Comment 9 2014-02-17 03:33:16 PST
(In reply to comment #6)
> (From update of attachment 224215 [details])
> Attachment 224215 [details] did not pass mac-ews (mac):
> Output: http://webkit-queues.appspot.com/results/5573610399858688
>
> New failing tests:
> http/tests/xmlhttprequest/redirect-cors-origin-null.html
Test is failing due to mac port network layer inserting "Accept-Encoding" header which then makes cross origin not simple. The preflight check fails as "Accept-Encoding" is not authorized.
Patch in https://bugs.webkit.org/show_bug.cgi?id=116075 clears the "Accept-Encoding" header in case of a cross-origin request triggered from a redirect response. This should take care of the failing test.
youenn fablet
Comment 10 2016-01-14 07:26:58 PST
Created attachment 268962 [details] Rebasing
Brent Fulgham
Comment 11 2016-01-14 09:05:31 PST
Comment on attachment 268962 [details] Rebasing r=me. Please confirm the win and gtk-wk2 EWS bots are green, then you can land.
WebKit Commit Bot
Comment 12 2016-01-15 01:12:06 PST
Comment on attachment 268962 [details] Rebasing Clearing flags on attachment: 268962 Committed r195100: <http://trac.webkit.org/changeset/195100>
WebKit Commit Bot
Comment 13 2016-01-15 01:12:09 PST
All reviewed patches have been landed. Closing bug.