Bug 161434 - [Fetch API] Fetch API should be able to load data URL in Same Origin mode
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
URL:
Keywords:
Depends on:
Blocks: 151937
Reported: 2016-08-31 05:38 PDT by youenn fablet
Modified: 2016-08-31 13:20 PDT
Attachments
Patch (23.87 KB, patch)
2016-08-31 06:45 PDT, youenn fablet

Description youenn fablet 2016-08-31 05:38:05 PDT
CachedResourceLoader is forbidding data URL loads in SameOrigin mode currently.
Comment 1 youenn fablet 2016-08-31 06:45:06 PDT
Created attachment 287510 [details]
Patch
Comment 2 Alex Christensen 2016-08-31 09:31:25 PDT
Comment on attachment 287510 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=287510&action=review

> Source/WebCore/loader/cache/CachedResourceLoader.cpp:388
> +static inline bool isSameOriginDataURL(const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse)
> +{
> +    return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set;
> +}
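
Review bot: the `!didReceiveRedirectResponse` term in the return expression of isSameOriginDataURL has no comment explaining it, and it is the security-relevant part of the check. Add a one-line comment above the function saying that the same-origin data-URL exemption stops applying once a redirect response has been received, with a pointer to the Fetch spec step that motivates it. The function name also hides that condition: a data URL reached through a redirect returns false here even when sameOriginDataURLFlag is Set, so consider reflecting the redirect state in the name or in the comment.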

I don't understand why !didReceiveRedirectResponse is here.
Comment 3 youenn fablet 2016-08-31 09:43:12 PDT
(In reply to comment #2)
> Comment on attachment 287510 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=287510&action=review
> 
> > Source/WebCore/loader/cache/CachedResourceLoader.cpp:388
> > +static inline bool isSameOriginDataURL(const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse)
> > +{
> > +    return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set;
> > +}
> 
> I don't understand why !didReceiveRedirectResponse is here.

Step 7 of https://fetch.spec.whatwg.org/#http-redirect-fetch stipulates that the same-origin URL flag is unset after a redirection.
Basically, a data URL after redirection is only allowed in no-cors mode, and will lead to opaque responses.

I haven't searched for the rationale of this decision, this seems like an edge case.

Also, there is no real interop here: as shown by the new tests, Chrome, Firefox and WebKit all have different behaviours for data URLs after redirections.
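
The redirect rule described in comment 3, as an added JavaScript model that is not part of the bug thread or of WebKit's code. `classifyFetch`, the `REDIRECTS` table and the `app.example` host are constructed for illustration; `isSameOriginDataURL` mirrors the patch's predicate using a plain request object.

```javascript
// Added model of the rule discussed in this thread; not WebKit code.
// The host names and the redirect table are constructed sample data.
const REDIRECTS = new Map([
  ["https://app.example/r", "data:text/plain,hello"],
  ["https://app.example/hop", "https://app.example/r"],
]);

// Mirrors the patch's predicate: no redirect seen, data: scheme, flag set.
function isSameOriginDataURL(url, request, didReceiveRedirectResponse) {
  return !didReceiveRedirectResponse
    && url.startsWith("data:")
    && request.sameOriginDataURLFlag;
}

// Returns the response tainting ("basic", "opaque", "cors")
// or "network-error" when the load is refused.
function classifyFetch(startUrl, mode, origin = "https://app.example") {
  const request = { mode, sameOriginDataURLFlag: true };
  let url = startUrl;
  let redirected = false;
  for (let hops = 0; REDIRECTS.has(url); hops++) {
    if (hops >= 20) return "network-error"; // redirect limit
    url = REDIRECTS.get(url);
    redirected = true;
    request.sameOriginDataURLFlag = false; // unset on redirect, per comment 3
  }
  const isData = url.startsWith("data:");
  // Direct data: URL with the flag still set is treated as same-origin.
  if (isSameOriginDataURL(url, request, redirected)) return "basic";
  if (!isData && new URL(url).origin === origin) return "basic";
  // From here on the URL counts as cross-origin.
  if (mode === "same-origin") return "network-error";
  if (mode === "no-cors") return "opaque";
  // cors mode: a redirected data: URL is refused; cross-origin http(s)
  // would go through CORS checks, which this model does not perform.
  return isData ? "network-error" : "cors";
}
```

The direct load and the redirected load of the same data URL get different results in every mode, which is the case the `!didReceiveRedirectResponse` term exists to separate.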
Comment 4 WebKit Commit Bot 2016-08-31 13:20:37 PDT
Comment on attachment 287510 [details]
Patch

Clearing flags on attachment: 287510

Committed r205265: <http://trac.webkit.org/changeset/205265>
Comment 5 WebKit Commit Bot 2016-08-31 13:20:41 PDT
All reviewed patches have been landed.  Closing bug.