Bug 178356 - Apply custom header fields from WebsitePolicies to same-domain requests
Summary: Apply custom header fields from WebsitePolicies to same-domain requests
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alex Christensen
URL:
Keywords: InRadar
Depends on: 177629
Blocks:
  Show dependency treegraph
 
Reported: 2017-10-16 11:59 PDT by Alex Christensen
Modified: 2017-11-15 13:04 PST (History)
6 users (show)

See Also:


Attachments
Patch (11.70 KB, patch)
2017-10-16 12:05 PDT, Alex Christensen
no flags Details | Formatted Diff | Diff
Patch (13.00 KB, patch)
2017-10-23 10:53 PDT, Alex Christensen
beidson: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Christensen 2017-10-16 11:59:23 PDT
Apply custom header fields from WebsitePolicies to same-domain requests
Comment 1 Alex Christensen 2017-10-16 12:05:16 PDT
Created attachment 323925 [details]
Patch
Comment 2 Daniel Bates 2017-10-16 14:08:10 PDT
Comment on attachment 323925 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=323925&action=review

> Source/WebCore/loader/cache/CachedResourceLoader.cpp:770
> +    if (frame() && m_documentLoader && !m_documentLoader->customHeaderFields().isEmpty()) {
> +        bool sameOriginRequest = false;
> +        auto requestedOrigin = SecurityOrigin::create(url);
> +        if (type == CachedResource::Type::MainResource) {
> +            if (frame()->isMainFrame())
> +                sameOriginRequest = true;
> +            else if (auto* topDocument = frame()->mainFrame().document())
> +                sameOriginRequest = topDocument->securityOrigin().isSameSchemeHostPort(requestedOrigin.get());
> +        } else if (document()) {
> +            sameOriginRequest = document()->topDocument().securityOrigin().isSameSchemeHostPort(requestedOrigin.get())
> +                && document()->securityOrigin().isSameSchemeHostPort(requestedOrigin.get());
> +        }
> +        if (sameOriginRequest) {
> +            for (auto& field : m_documentLoader->customHeaderFields())
> +                request.resourceRequest().addHTTPHeaderField(field.name(), field.value());
> +        }
> +    }

This does not seem like it will apply the custom headers to a subframe or child window navigated to about:blank or a blob URL (*) page or sub-resources loaded from them. Notice that about:blank inherits the security origin of its parent/opener frame.

(*) with the same origin as the document that has custom headers
Comment 3 Alex Christensen 2017-10-23 10:53:49 PDT
Created attachment 324566 [details]
Patch
Comment 4 Alex Christensen 2017-10-23 10:54:20 PDT
(In reply to Daniel Bates from comment #2)
> This does not seem like it will apply the custom headers to a subframe or
> child window navigated to about:blank or a blob URL (*) page or
> sub-resources loaded from them. Notice that about:blank inherits the
> security origin of its parent/opener frame.
I added a test verifying that this case behaves correctly.
Comment 5 Alex Christensen 2017-10-24 12:33:31 PDT
http://trac.webkit.org/r223909
Comment 6 Alex Christensen 2017-10-31 11:41:19 PDT
A few problems being fixed in https://bugs.webkit.org/show_bug.cgi?id=179064
Comment 7 Radar WebKit Bug Importer 2017-11-15 13:04:05 PST
<rdar://problem/35568718>