181330 – Fetch algorithm does not strip out URL credentials in case of redirections

Bug 181330 - Fetch algorithm does not strip out URL credentials in case of redirections

Summary: Fetch algorithm does not strip out URL credentials in case of redirections

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Service Workers (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	youenn fablet

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-01-05 10:16 PST by youenn fablet
Modified:	2018-01-25 13:42 PST (History)
CC List:	12 users (show)

See Also:

Attachments
Patch (5.96 KB, patch) 2018-01-05 10:18 PST, youenn fablet	no flags	Details \| Formatted Diff \| Diff
Archive of layout-test-results from ews103 for mac-elcapitan (2.17 MB, application/zip) 2018-01-05 11:15 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (2.68 MB, application/zip) 2018-01-05 11:26 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews122 for ios-simulator-wk2 (2.37 MB, application/zip) 2018-01-05 11:29 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews117 for mac-elcapitan (3.04 MB, application/zip) 2018-01-05 11:35 PST, EWS Watchlist	no flags	Details
Patch (107.95 KB, patch) 2018-01-05 14:41 PST, youenn fablet	no flags	Details \| Formatted Diff \| Diff
Patch (109.35 KB, patch) 2018-01-06 19:25 PST, Michael Catanzaro	no flags	Details \| Formatted Diff \| Diff
Patch (110.08 KB, patch) 2018-01-08 13:06 PST, Basuke Suzuki	no flags	Details \| Formatted Diff \| Diff
Added a new test (114.26 KB, patch) 2018-01-10 06:37 PST, youenn fablet	no flags	Details \| Formatted Diff \| Diff
Added a new test (115.82 KB, patch) 2018-01-10 06:43 PST, youenn fablet	ews-watchlist: commit-queue-	Details \| Formatted Diff \| Diff
Archive of layout-test-results from ews107 for mac-sierra-wk2 (3.12 MB, application/zip) 2018-01-10 14:29 PST, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews100 for mac-sierra (2.36 MB, application/zip) 2018-01-10 16:23 PST, EWS Watchlist	no flags	Details
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description youenn fablet 2018-01-05 10:16:46 PST

Instead, when doing CORS, it fails loading if the redirect URL contains credentials

Comment 1 youenn fablet 2018-01-05 10:18:00 PST

Created attachment 330555 [details]
Patch

Comment 2 youenn fablet 2018-01-05 10:18:43 PST

This is probably sensitive here so will need additional discussions and tests to go forward.

Comment 3 EWS Watchlist 2018-01-05 11:15:11 PST

Comment on attachment 330555 [details]
Patch

Attachment 330555 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/5943594

New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html
http/tests/xmlhttprequest/access-control-and-redirects-async.html

Comment 4 EWS Watchlist 2018-01-05 11:15:13 PST

Created attachment 330560 [details]
Archive of layout-test-results from ews103 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment 5 EWS Watchlist 2018-01-05 11:26:43 PST

Comment on attachment 330555 [details]
Patch

Attachment 330555 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/5943605

New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html
http/tests/xmlhttprequest/access-control-and-redirects-async.html

Comment 6 EWS Watchlist 2018-01-05 11:26:44 PST

Created attachment 330561 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6

Comment 7 EWS Watchlist 2018-01-05 11:29:06 PST

Comment on attachment 330555 [details]
Patch

Attachment 330555 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/5943485

New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html
http/tests/xmlhttprequest/access-control-and-redirects-async.html

Comment 8 EWS Watchlist 2018-01-05 11:29:08 PST

Created attachment 330563 [details]
Archive of layout-test-results from ews122 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews122  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6

Comment 9 EWS Watchlist 2018-01-05 11:35:49 PST

Comment on attachment 330555 [details]
Patch

Attachment 330555 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/5943595

New failing tests:
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.html
imported/w3c/web-platform-tests/fetch/api/cors/cors-redirect-credentials.any.worker.html
http/tests/xmlhttprequest/access-control-and-redirects-async.html

Comment 10 EWS Watchlist 2018-01-05 11:35:50 PST

Created attachment 330564 [details]
Archive of layout-test-results from ews117 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews117  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment 11 youenn fablet 2018-01-05 14:41:54 PST

Created attachment 330587 [details]
Patch

Comment 12 Alexey Proskuryakov 2018-01-05 19:15:10 PST

Comment on attachment 330587 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=330587&action=review

> LayoutTests/ChangeLog:9
> +        * http/tests/xmlhttprequest/access-control-and-redirects-async.html:

Do other browsers behave in accordance with the updated test?

Comment 13 youenn fablet 2018-01-06 00:53:42 PST

(In reply to Alexey Proskuryakov from comment #12)
> Comment on attachment 330587 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=330587&action=review
> 
> > LayoutTests/ChangeLog:9
> > +        * http/tests/xmlhttprequest/access-control-and-redirects-async.html:
> 
> Do other browsers behave in accordance with the updated test?

Chrome and Firefox are behaving consistently with the proposed patch.
The updated test is somehow redundant with rebased fetch API tests which are also passing consistently in Chrome and Firefox (see https://wpt.fyi/fetch/api/cors/cors-redirect-credentials.any.html).

Comment 14 youenn fablet 2018-01-06 00:54:27 PST

I guess we should also update the soup backend, not sure about curl backend...

Comment 15 Michael Catanzaro 2018-01-06 18:13:17 PST

(In reply to youenn fablet from comment #14)
> I guess we should also update the soup backend, not sure about curl
> backend...

CCing Don for curl

Comment 16 Michael Catanzaro 2018-01-06 19:24:53 PST

(In reply to youenn fablet from comment #14)
> I guess we should also update the soup backend, not sure about curl
> backend...

I updated the soup backend.

Not sure how to handle curl either... it's different.

Comment 17 Michael Catanzaro 2018-01-06 19:25:27 PST

Created attachment 330652 [details]
Patch

Comment 18 Basuke Suzuki 2018-01-08 11:26:04 PST

Okay, we'll send our patch pretty soon. About redirect on CORS, as youenn said in the beginning, do we have the agreement for the behavior when the credential will be attached on the redirected request and it may fail?

Comment 19 youenn fablet 2018-01-08 11:32:20 PST

(In reply to Basuke Suzuki from comment #18)
> Okay, we'll send our patch pretty soon. About redirect on CORS, as youenn
> said in the beginning, do we have the agreement for the behavior when the
> credential will be attached on the redirected request and it may fail?

Other browsers seem to do so consistently for fetch/XHR. That seems a safe change
I want to add some more tests though:
- cors image loading
- no-cors image loading
- main resource loading

If there is consistency amongst other browsers for those cases as well, I think we should align.

Comment 20 youenn fablet 2018-01-08 11:32:51 PST

> Other browsers seem to do so consistently for fetch/XHR. That seems a safe
> change
... safe change for fetch/XHR.

Comment 21 Basuke Suzuki 2018-01-08 11:39:31 PST

(In reply to youenn fablet from comment #20)
> > Other browsers seem to do so consistently for fetch/XHR. That seems a safe
> > change
> ... safe change for fetch/XHR.

Got it.

Comment 22 Basuke Suzuki 2018-01-08 13:06:02 PST

Created attachment 330726 [details]
Patch

Added Curl patch

Comment 23 Basuke Suzuki 2018-01-08 14:34:04 PST

youenn, I failed to create a patch. Can you just please delete a line from Curl port?

Source/WebCore/platform/network/curl/ResourceHandleCurlDelegate.cpp:355

Comment 24 youenn fablet 2018-01-08 14:37:23 PST

(In reply to Basuke Suzuki from comment #23)
> youenn, I failed to create a patch. Can you just please delete a line from
> Curl port?
> 
> Source/WebCore/platform/network/curl/ResourceHandleCurlDelegate.cpp:355

Sure, thanks for the filename, I'll update accordingly.

Comment 25 youenn fablet 2018-01-10 06:37:16 PST

Created attachment 330894 [details]
Added a new test

Comment 26 youenn fablet 2018-01-10 06:43:45 PST

Created attachment 330897 [details]
Added a new test

Comment 27 youenn fablet 2018-01-10 06:45:32 PST

Based on the testing (see patch), Firefox is as per spec and WebKit with this patch would be aligned.
Chrome is forbidding any subresource load containing credentials in redirects (https://www.chromestatus.com/feature/5669008342777856).

Comment 28 youenn fablet 2018-01-10 07:03:10 PST

Filed https://github.com/whatwg/fetch/issues/660

Comment 29 EWS Watchlist 2018-01-10 14:29:22 PST

Comment on attachment 330897 [details]
Added a new test

Attachment 330897 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/6025079

New failing tests:
http/tests/workers/service/postmessage-after-sw-process-crash.https.html

Comment 30 EWS Watchlist 2018-01-10 14:29:24 PST

Created attachment 330963 [details]
Archive of layout-test-results from ews107 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6

Comment 31 EWS Watchlist 2018-01-10 16:23:11 PST

Comment on attachment 330897 [details]
Added a new test

Attachment 330897 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/6026589

New failing tests:
http/tests/misc/slow-loading-animated-image.html

Comment 32 EWS Watchlist 2018-01-10 16:23:13 PST

Created attachment 330985 [details]
Archive of layout-test-results from ews100 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-sierra  Platform: Mac OS X 10.12.6

Comment 33 Radar WebKit Bug Importer 2018-01-25 13:42:10 PST

<rdar://problem/36881479>