RESOLVED FIXED 146271
[Content Extensions] Block synchronous XMLHTTPRequests 
https://bugs.webkit.org/show_bug.cgi?id=146271
Summary [Content Extensions] Block synchronous XMLHTTPRequests
Alex Christensen
Reported 2015-06-23 18:27:52 PDT
Synchronous loads are currently not blocked. Let's block them.
Attachments
Patch (6.62 KB, patch)
2015-06-23 18:44 PDT, Alex Christensen 		beidson: review-
DetailsFormatted DiffDiff
Patch v2 - Taking over from Alex (5.32 KB, patch)
2015-07-01 22:53 PDT, Brady Eidson 		no flags
DetailsFormatted DiffDiff
Patch v3 (5.31 KB, patch)
2015-07-02 08:37 PDT, Brady Eidson 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 2015-06-23 18:44:54 PDT
Created attachment 255466 [details] Patch
Alex Christensen
Comment 2 2015-06-23 18:46:41 PDT
It does seem strange to have blocked synchronous requests throw an exception but a asynchronous request just does nothing. Feedback would be appreciated.
Alexey Proskuryakov
Comment 3 2015-06-23 20:43:36 PDT
Comment on attachment 255466 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=255466&action=review > Source/WebCore/ChangeLog:9 > + http://www.w3.org/TR/2007/WD-XMLHttpRequest-20070618/#exceptions I don't know if anything changed in this regard, but this is an extremely old draft that is entirely obsolete. > Source/WebCore/ChangeLog:10 > + This also adds a test for blocking asynchronous XMLHTTPRequests, which just does not call This doesn't seem like good behavior. > Source/WebCore/ChangeLog:11 > + onreadystatechange because it never actually sends the request. Why not handle that as an error case, with onreadystatechange and onerror?
Darin Adler
Comment 4 2015-06-24 15:01:32 PDT
Comment on attachment 255466 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=255466&action=review Besides Alexey’s comments, I have some comments about the specifics of the code. > Source/WebCore/loader/FrameLoader.cpp:3018 > + String urlForError = newRequest.url().string(); Please don’t compute this unused string. > Source/WebCore/loader/FrameLoader.cpp:3020 > + if (m_frame.mainFrame().page() && m_frame.mainFrame().page()->userContentController() && m_documentLoader) > + m_frame.mainFrame().page()->userContentController()->processContentExtensionRulesForLoad(*m_frame.mainFrame().page(), newRequest, ResourceType::Raw, *m_documentLoader); I suggest writing this nested thing: if (m_documentLoader) { if (auto* page = m_frame.page()) { if (auto* controller = page->userContentController()) controller->processContentExtensionRulesForLoad(*page, newRequest, ResourceType::Raw, *m_documentLoader); } }
Daniel Bates
Comment 5 2015-06-29 12:20:21 PDT
<rdar://problem/21573006>
Brady Eidson
Comment 6 2015-07-01 22:53:03 PDT
Created attachment 255992 [details] Patch v2 - Taking over from Alex
WebKit Commit Bot
Comment 7 2015-07-01 22:54:37 PDT
Attachment 255992 [details] did not pass style-queue: ERROR: Source/WebCore/loader/FrameLoader.cpp:95: Alphabetical sorting problem. [build/include_order] [4] Total errors found: 1 in 6 files If any of these errors are false positives, please file a bug against check-webkit-style.
Brady Eidson
Comment 8 2015-07-02 08:37:43 PDT
Created attachment 256011 [details] Patch v3
WebKit Commit Bot
Comment 9 2015-07-02 11:34:22 PDT
Comment on attachment 256011 [details] Patch v3 Clearing flags on attachment: 256011 Committed r186228: <http://trac.webkit.org/changeset/186228>
WebKit Commit Bot
Comment 10 2015-07-02 11:34:26 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.