Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data from non-HTTP services. Therefore cancel if the request was made to a non-default port. Also, cancel HTTP/0.9 resource responses if the document was loaded with a different HTTP version.
rdar://problem/25757454
Created attachment 280961 [details] Patch
Comment on attachment 280961 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=280961&action=review Looks good! r=me (assuming all tests continue to pass). > Source/WebCore/ChangeLog:12 > + HTTP/0.9 header tests for positive and negative cases. Could you please attach the Python script and instructions to the Bugzilla bug so others (e.g., GTK people) could do testing later if they need to? > Source/WebCore/loader/ResourceLoader.cpp:435 > + auto url = r.url(); This should really be "m_response.url()" for consistency.
Committed r201895: <http://trac.webkit.org/changeset/201895>
Created attachment 280969 [details] Manual test cases for main document and resource loads I made the Python test as a stand-alone file. Instructions as comments in the top of the file.
Adding Dan Veditz from Mozilla and Joel Weinberger from Google to the CC list so as to facilitate coordination.