NEW181330
Fetch algorithm does not strip out URL credentials in case of redirections 
https://bugs.webkit.org/show_bug.cgi?id=181330
Summary Fetch algorithm does not strip out URL credentials in case of redirections
youenn fablet
Reported 2018-01-05 10:16:46 PST
Instead, when doing CORS, it fails loading if the redirect URL contains credentials
Attachments
Patch (5.96 KB, patch)
2018-01-05 10:18 PST, youenn fablet 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews103 for mac-elcapitan (2.17 MB, application/zip)
2018-01-05 11:15 PST, EWS Watchlist 		no flags
Details
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (2.68 MB, application/zip)
2018-01-05 11:26 PST, EWS Watchlist 		no flags
Details
Archive of layout-test-results from ews122 for ios-simulator-wk2 (2.37 MB, application/zip)
2018-01-05 11:29 PST, EWS Watchlist 		no flags
Details
Archive of layout-test-results from ews117 for mac-elcapitan (3.04 MB, application/zip)
2018-01-05 11:35 PST, EWS Watchlist 		no flags
Details
Patch (107.95 KB, patch)
2018-01-05 14:41 PST, youenn fablet 		no flags
DetailsFormatted DiffDiff
Patch (109.35 KB, patch)
2018-01-06 19:25 PST, Michael Catanzaro 		no flags
DetailsFormatted DiffDiff
Patch (110.08 KB, patch)
2018-01-08 13:06 PST, Basuke Suzuki 		no flags
DetailsFormatted DiffDiff
Added a new test (114.26 KB, patch)
2018-01-10 06:37 PST, youenn fablet 		no flags
DetailsFormatted DiffDiff
Added a new test (115.82 KB, patch)
2018-01-10 06:43 PST, youenn fablet 		ews-watchlist: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews107 for mac-sierra-wk2 (3.12 MB, application/zip)
2018-01-10 14:29 PST, EWS Watchlist 		no flags
Details
Archive of layout-test-results from ews100 for mac-sierra (2.36 MB, application/zip)
2018-01-10 16:23 PST, EWS Watchlist 		no flags
Details
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2018-01-05 10:18:00 PST
Created attachment 330555 [details] Patch
youenn fablet
Comment 2 2018-01-05 10:18:43 PST
This is probably sensitive here so will need additional discussions and tests to go forward.
EWS Watchlist
Comment 3 2018-01-05 11:15:11 PST
Comment on attachment 330555 [details] Patch Attachment 330555 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/5943594 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html http/tests/xmlhttprequest/access-control-and-redirects-async.html
EWS Watchlist
Comment 4 2018-01-05 11:15:13 PST
Created attachment 330560 [details] Archive of layout-test-results from ews103 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-elcapitan Platform: Mac OS X 10.11.6
EWS Watchlist
Comment 5 2018-01-05 11:26:43 PST
Comment on attachment 330555 [details] Patch Attachment 330555 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/5943605 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html http/tests/xmlhttprequest/access-control-and-redirects-async.html
EWS Watchlist
Comment 6 2018-01-05 11:26:44 PST
Created attachment 330561 [details] Archive of layout-test-results from ews106 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
EWS Watchlist
Comment 7 2018-01-05 11:29:06 PST
Comment on attachment 330555 [details] Patch Attachment 330555 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/5943485 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html http/tests/xmlhttprequest/access-control-and-redirects-async.html
EWS Watchlist
Comment 8 2018-01-05 11:29:08 PST
Created attachment 330563 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 9 2018-01-05 11:35:49 PST
Comment on attachment 330555 [details] Patch Attachment 330555 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/5943595 New failing tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html http/tests/xmlhttprequest/access-control-and-redirects-async.html
EWS Watchlist
Comment 10 2018-01-05 11:35:50 PST
Created attachment 330564 [details] Archive of layout-test-results from ews117 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-elcapitan Platform: Mac OS X 10.11.6
youenn fablet
Comment 11 2018-01-05 14:41:54 PST
Created attachment 330587 [details] Patch
Alexey Proskuryakov
Comment 12 2018-01-05 19:15:10 PST
Comment on attachment 330587 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=330587&action=review > LayoutTests/ChangeLog:9 > + * http/tests/xmlhttprequest/access-control-and-redirects-async.html: Do other browsers behave in accordance with the updated test?
youenn fablet
Comment 13 2018-01-06 00:53:42 PST
(In reply to Alexey Proskuryakov from comment #12) > Comment on attachment 330587 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=330587&action=review > > > LayoutTests/ChangeLog:9 > > + * http/tests/xmlhttprequest/access-control-and-redirects-async.html: > > Do other browsers behave in accordance with the updated test? Chrome and Firefox are behaving consistently with the proposed patch. The updated test is somehow redundant with rebased fetch API tests which are also passing consistently in Chrome and Firefox (see https://wpt.fyi/fetch/api/cors/cors-redirect-credentials.any.html).
youenn fablet
Comment 14 2018-01-06 00:54:27 PST
I guess we should also update the soup backend, not sure about curl backend...
Michael Catanzaro
Comment 15 2018-01-06 18:13:17 PST
(In reply to youenn fablet from comment #14) > I guess we should also update the soup backend, not sure about curl > backend... CCing Don for curl
Michael Catanzaro
Comment 16 2018-01-06 19:24:53 PST
(In reply to youenn fablet from comment #14) > I guess we should also update the soup backend, not sure about curl > backend... I updated the soup backend. Not sure how to handle curl either... it's different.
Michael Catanzaro
Comment 17 2018-01-06 19:25:27 PST
Created attachment 330652 [details] Patch
Basuke Suzuki
Comment 18 2018-01-08 11:26:04 PST
Okay, we'll send our patch pretty soon. About redirect on CORS, as youenn said in the beginning, do we have the agreement for the behavior when the credential will be attached on the redirected request and it may fail?
youenn fablet
Comment 19 2018-01-08 11:32:20 PST
(In reply to Basuke Suzuki from comment #18) > Okay, we'll send our patch pretty soon. About redirect on CORS, as youenn > said in the beginning, do we have the agreement for the behavior when the > credential will be attached on the redirected request and it may fail? Other browsers seem to do so consistently for fetch/XHR. That seems a safe change I want to add some more tests though: - cors image loading - no-cors image loading - main resource loading If there is consistency amongst other browsers for those cases as well, I think we should align.
youenn fablet
Comment 20 2018-01-08 11:32:51 PST
> Other browsers seem to do so consistently for fetch/XHR. That seems a safe > change ... safe change for fetch/XHR.
Basuke Suzuki
Comment 21 2018-01-08 11:39:31 PST
(In reply to youenn fablet from comment #20) > > Other browsers seem to do so consistently for fetch/XHR. That seems a safe > > change > ... safe change for fetch/XHR. Got it.
Basuke Suzuki
Comment 22 2018-01-08 13:06:02 PST
Created attachment 330726 [details] Patch Added Curl patch
Basuke Suzuki
Comment 23 2018-01-08 14:34:04 PST
youenn, I failed to create a patch. Can you just please delete a line from Curl port? Source/WebCore/platform/network/curl/ResourceHandleCurlDelegate.cpp:355
youenn fablet
Comment 24 2018-01-08 14:37:23 PST
(In reply to Basuke Suzuki from comment #23) > youenn, I failed to create a patch. Can you just please delete a line from > Curl port? > > Source/WebCore/platform/network/curl/ResourceHandleCurlDelegate.cpp:355 Sure, thanks for the filename, I'll update accordingly.
youenn fablet
Comment 25 2018-01-10 06:37:16 PST
Created attachment 330894 [details] Added a new test
youenn fablet
Comment 26 2018-01-10 06:43:45 PST
Created attachment 330897 [details] Added a new test
youenn fablet
Comment 27 2018-01-10 06:45:32 PST
Based on the testing (see patch), Firefox is as per spec and WebKit with this patch would be aligned. Chrome is forbidding any subresource load containing credentials in redirects (https://www.chromestatus.com/feature/5669008342777856).
youenn fablet
Comment 28 2018-01-10 07:03:10 PST
Filed https://github.com/whatwg/fetch/issues/660
EWS Watchlist
Comment 29 2018-01-10 14:29:22 PST
Comment on attachment 330897 [details] Added a new test Attachment 330897 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/6025079 New failing tests: http/tests/workers/service/postmessage-after-sw-process-crash.https.html
EWS Watchlist
Comment 30 2018-01-10 14:29:24 PST
Created attachment 330963 [details] Archive of layout-test-results from ews107 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 31 2018-01-10 16:23:11 PST
Comment on attachment 330897 [details] Added a new test Attachment 330897 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/6026589 New failing tests: http/tests/misc/slow-loading-animated-image.html
EWS Watchlist
Comment 32 2018-01-10 16:23:13 PST
Created attachment 330985 [details] Archive of layout-test-results from ews100 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-sierra Platform: Mac OS X 10.12.6
Radar WebKit Bug Importer
Comment 33 2018-01-25 13:42:10 PST
<rdar://problem/36881479>
Note You need to log in before you can comment on or make changes to this bug.