WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
Bug 162785
[Fetch API] Forbid redirection to non-HTTP(s) URL in non-navigation mode
https://bugs.webkit.org/show_bug.cgi?id=162785
Summary
[Fetch API] Forbid redirection to non-HTTP(s) URL in non-navigation mode
youenn fablet
Reported
2016-09-30 06:16:52 PDT
As per the spec, we should not follow redirections to other URLs than HTTP(s).
Attachments
Patch
(20.61 KB, patch)
2016-09-30 06:46 PDT
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Patch for landing
(20.45 KB, patch)
2016-10-06 02:19 PDT
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Patch for landing
(21.54 KB, patch)
2016-10-06 02:22 PDT
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Patch for landing
(20.45 KB, patch)
2016-10-06 02:29 PDT
,
youenn fablet
no flags
Details
Formatted Diff
Diff
Show Obsolete
(3)
View All
Add attachment
proposed patch, testcase, etc.
youenn fablet
Comment 1
2016-09-30 06:18:25 PDT
There is some discussions at
https://github.com/whatwg/fetch/issues/393
to relax this rule for data URLs since at least in WebKit, we can load data URLs in no-cors mode. For the moment, it is better though to restrict to not allowing data URLs redirections for fetch API.
youenn fablet
Comment 2
2016-09-30 06:46:59 PDT
Created
attachment 290329
[details]
Patch
Alex Christensen
Comment 3
2016-09-30 08:15:30 PDT
Comment on
attachment 290329
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=290329&action=review
> Source/WebCore/loader/DocumentThreadableLoader.cpp:221 > + client.didFail(ResourceError(errorDomainWebKitInternal, 0, url, "Redirection to URL with a scheme that is not HTTP(S).", ResourceError::Type::AccessControl));
Is this tested?
> Source/WebCore/loader/cache/CachedResourceLoader.cpp:656 > + // We are passing url as well as request, as request url may contain a fragment identifier.
I think we should add a test with a fragment instead of this comment.
youenn fablet
Comment 4
2016-09-30 08:42:42 PDT
(In reply to
comment #3
)
> Comment on
attachment 290329
[details]
> Patch > > View in context: >
https://bugs.webkit.org/attachment.cgi?id=290329&action=review
> > > Source/WebCore/loader/DocumentThreadableLoader.cpp:221 > > + client.didFail(ResourceError(errorDomainWebKitInternal, 0, url, "Redirection to URL with a scheme that is not HTTP(S).", ResourceError::Type::AccessControl)); > > Is this tested?
Without this check, the no-cors redirect URL would fail. Ideally, we would like to log erros in the console, as done for xhr. The issue is that this makes some tests flaky, see
bug 160546
for the logging See
bug 161310
for improving the test framework.
> > Source/WebCore/loader/cache/CachedResourceLoader.cpp:656 > > + // We are passing url as well as request, as request url may contain a fragment identifier. > > I think we should add a test with a fragment instead of this comment.
There are some tests that would break otherwise. I can remove the comment. Ideally there should be no frag ids at loader level.
WebKit Commit Bot
Comment 5
2016-10-02 07:01:43 PDT
Comment on
attachment 290329
[details]
Patch Clearing flags on attachment: 290329 Committed
r206716
: <
http://trac.webkit.org/changeset/206716
>
WebKit Commit Bot
Comment 6
2016-10-02 07:01:49 PDT
All reviewed patches have been landed. Closing bug.
WebKit Commit Bot
Comment 7
2016-10-02 07:25:41 PDT
Re-opened since this is blocked by
bug 162858
youenn fablet
Comment 8
2016-10-03 11:00:01 PDT
Mac CMakbe Debug bot is failing due to the following error: In file included from /Volumes/Data/slave/elcapitan-cmake-debug/build/Source/WebKit/mac/WebView/WebHTMLView.mm:79: In file included from /Volumes/Data/slave/elcapitan-cmake-debug/build/WebKitBuild/Debug/DerivedSources/ForwardingHeaders/WebCore/CachedResourceLoader.h:1: /Volumes/Data/slave/elcapitan-cmake-debug/build/Source/WebCore/loader/cache/CachedResourceLoader.h:33:10: fatal error: 'ContentSecurityPolicy.h' file not found #include "ContentSecurityPolicy.h" ^ 1 error generated. make[2]: *** [Source/WebKit/CMakeFiles/WebKit.dir/mac/WebView/WebHTMLView.mm.o] Error 1 Any idea why it is not able to find this header file?
youenn fablet
Comment 9
2016-10-06 02:19:29 PDT
Created
attachment 290799
[details]
Patch for landing
youenn fablet
Comment 10
2016-10-06 02:20:29 PDT
(In reply to
comment #9
)
> Created
attachment 290799
[details]
> Patch for landing
Relanding it as CMake build bot is still broken. I'll be happy to help on fixing the bot.
WebKit Commit Bot
Comment 11
2016-10-06 02:20:49 PDT
Comment on
attachment 290799
[details]
Patch for landing Rejecting
attachment 290799
[details]
from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'validate-changelog', '--check-oops', '--non-interactive', 290799, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/imported/w3c/ChangeLog contains OOPS!. Full output:
http://webkit-queues.webkit.org/results/2230263
youenn fablet
Comment 12
2016-10-06 02:22:34 PDT
Created
attachment 290800
[details]
Patch for landing
WebKit Commit Bot
Comment 13
2016-10-06 02:23:15 PDT
Comment on
attachment 290800
[details]
Patch for landing Rejecting
attachment 290800
[details]
from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'apply-attachment', '--no-update', '--non-interactive', 290800, '--port=mac']" exit_code: 2 cwd: /Volumes/Data/EWS/WebKit Last 500 characters of output: tching file Source/WebCore/loader/cache/CachedResourceLoader.h patching file LayoutTests/imported/w3c/ChangeLog Hunk #1 succeeded at 1 with fuzz 3. patching file LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-expected.txt patching file LayoutTests/imported/w3c/web-platform-tests/fetch/api/redirect/redirect-to-dataurl-worker-expected.txt Failed to run "[u'/Volumes/Data/EWS/WebKit/Tools/Scripts/svn-apply', '--force']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit Full output:
http://webkit-queues.webkit.org/results/2230271
youenn fablet
Comment 14
2016-10-06 02:29:01 PDT
Created
attachment 290801
[details]
Patch for landing
WebKit Commit Bot
Comment 15
2016-10-06 03:02:58 PDT
Comment on
attachment 290801
[details]
Patch for landing Clearing flags on attachment: 290801 Committed
r206858
: <
http://trac.webkit.org/changeset/206858
>
WebKit Commit Bot
Comment 16
2016-10-06 03:03:03 PDT
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug