WebKit Bugzilla
Bug 182579: Disallow cross-origin subresources from asking for credentials
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=182579
Reported by Daniel Bates on 2018-02-07 13:40:08 PST
Description: Disallow cross-origin subresources from asking for credentials
Attachments
Patch and layout tests (91.46 KB, patch), 2018-02-07 14:53 PST, Daniel Bates, no flags
Patch and layout tests (91.69 KB, patch), 2018-02-07 15:06 PST, Daniel Bates, no flags
Patch and layout tests (92.59 KB, patch), 2018-02-07 15:17 PST, Daniel Bates, no flags
Archive of layout-test-results from ews101 for mac-sierra (2.19 MB, application/zip), 2018-02-07 16:37 PST, EWS Watchlist, no flags
Patch and layout tests (92.57 KB, patch), 2018-02-07 16:41 PST, Daniel Bates, no flags
Archive of layout-test-results from ews204 for win-future (11.49 MB, application/zip), 2018-02-07 18:57 PST, EWS Watchlist, no flags
Patch and layout tests (94.33 KB, patch), 2018-02-08 11:43 PST, Daniel Bates, no flags
Patch and layout tests (94.33 KB, patch), 2018-02-08 11:45 PST, Daniel Bates, aestes: review+
(7 obsolete attachments not shown)
Comment 1, Daniel Bates, 2018-02-07 13:41:03 PST
<rdar://problem/36162271>
Comment 2, Daniel Bates, 2018-02-07 14:53:01 PST
Created attachment 333316: Patch and layout tests
Comment 3, Daniel Bates, 2018-02-07 15:06:50 PST
Created attachment 333318: Patch and layout tests
Comment 4, Daniel Bates, 2018-02-07 15:12:04 PST
Comment on attachment 333318: Patch and layout tests
View in context: https://bugs.webkit.org/attachment.cgi?id=333318&action=review

> LayoutTests/http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https-expected.txt:7
> -PASS did load image.
> +FAIL did not load image.
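Review bot: the new expectation line "+FAIL did not load image." records the intended outcome (the cross-origin image is blocked from prompting and so does not load) as a FAIL, which inverts the test's signal: once that is the checked-in expectation, a regression that lets the image load and prompt again would show up as a PASS line diffing against a FAIL line, and a reader of the expected file cannot tell the block is deliberate. The test should print PASS when the image does not load and FAIL when it does, so the expected file reads "PASS did not load image."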
This is expected since the image is cross origin with the origin of the page and hence it will be blocked from loading. Will change test to print PASS instead of FAIL.
Comment 5, Daniel Bates, 2018-02-07 15:17:53 PST
Created attachment 333321: Patch and layout tests
Comment 6, EWS Watchlist, 2018-02-07 16:37:11 PST (obsolete)
Comment on attachment 333321: Patch and layout tests
Attachment 333321 did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/6405534
New failing tests: http/tests/security/mixedContent/secure-redirect-to-secure-redirect-to-basic-auth-secure-image.https.html
Comment 7, EWS Watchlist, 2018-02-07 16:37:12 PST (obsolete)
Created attachment 333336: Archive of layout-test-results from ews101 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-sierra Platform: Mac OS X 10.12.6
Comment 8, Daniel Bates, 2018-02-07 16:41:14 PST
Created attachment 333337: Patch and layout tests
Comment 9, EWS Watchlist, 2018-02-07 18:57:38 PST (obsolete)
Comment on attachment 333337: Patch and layout tests
Attachment 333337 did not pass win-ews (win): Output: http://webkit-queues.webkit.org/results/6407424
New failing tests:
http/tests/security/basic-auth-subresource.html
http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html
Comment 10, EWS Watchlist, 2018-02-07 18:57:48 PST (obsolete)
Created attachment 333350: Archive of layout-test-results from ews204 for win-future
The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews204 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 11, Daniel Bates, 2018-02-08 11:43:14 PST
Created attachment 333396: Patch and layout tests
Add Windows-specific results for http/tests/security/basic-auth-subresource.html due to <https://bugs.webkit.org/show_bug.cgi?id=182609>. Skip allowCrossOriginSubresourcesToAskForCredentials-suffixed tests on Windows since DumpRenderTree does not support parsing test options. See <https://bugs.webkit.org/show_bug.cgi?id=17328> for more details.
Comment 12, Daniel Bates, 2018-02-08 11:45:31 PST
(In reply to Daniel Bates from comment #11)
> [...] See <https://bugs.webkit.org/show_bug.cgi?id=17328> for more details.

* bug #173281
Comment 13, Daniel Bates, 2018-02-08 11:45:58 PST
Created attachment 333398: Patch and layout tests
Comment 14, Daniel Bates, 2018-02-09 14:51:26 PST
Comment on attachment 333398: Patch and layout tests
View in context: https://bugs.webkit.org/attachment.cgi?id=333398&action=review

> Source/WebCore/ChangeLog:18
> +

Before landing I will add a remark of the form: Since r224134 WebKit has disallowed mixed content subresources from asking for credentials. Let's go further and forbid all cross-origin subresources from asking for credentials.
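The policy summarised in the comment above (mixed-content subresources were already barred from prompting since r224134; this bug extends that to every cross-origin subresource) modelled as an added JavaScript example. This is not WebKit code and does not reproduce the patch: the function name shouldAllowResourceToAskForCredentials is borrowed from the naming discussion later in the thread, while its parameters, the origin helpers, the treatment of redirect chains (every hop must pass) and the reading of the allowCrossOriginSubresourcesToAskForCredentials test option as a test-only opt-out are assumptions made for illustration. The hostnames in the demo are constructed.

```javascript
// Added example, not WebKit code: a model of the credential-prompt policy this
// bug lands. A subresource that receives an HTTP authentication challenge may
// only raise the credential dialog when it is same-origin with the document.
// All names below (shouldAllowResourceToAskForCredentials, the options, the
// origin helpers) are assumptions for illustration.

// Default ports, so that https://a.test and https://a.test:443 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple that defines its origin.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The earlier r224134 rule: a secure document loading an insecure subresource.
// It is a special case of "cross-origin" (the scheme differs) and is kept as a
// separate check only so that the two rules read separately.
function isMixedContent(documentOrigin, requestOrigin) {
  return documentOrigin.scheme === "https:" && requestOrigin.scheme === "http:";
}

// documentURL: the URL of the document that owns the subresource.
// requestURL:  the URL that answered with the authentication challenge.
// options.isMainResource: navigations are not subresources and keep prompting.
// options.allowCrossOriginSubresourcesToAskForCredentials: models the layout
//   test option of that name seen on this page; assumed (not verified against
//   WebKit) to be a test-only opt-out of the cross-origin rule that does not
//   re-enable mixed-content prompts.
function shouldAllowResourceToAskForCredentials(documentURL, requestURL, options = {}) {
  const {
    isMainResource = false,
    allowCrossOriginSubresourcesToAskForCredentials = false,
  } = options;
  if (isMainResource) return true;
  const documentOrigin = originOf(documentURL);
  const requestOrigin = originOf(requestURL);
  if (isMixedContent(documentOrigin, requestOrigin)) return false;
  if (allowCrossOriginSubresourcesToAskForCredentials) return true;
  return sameOrigin(documentOrigin, requestOrigin);
}

// Redirect chains: the conservative reading (an assumption) is that every hop
// must pass, so a same-origin request redirected to another origin loses the
// ability to prompt even though the challenge arrives from the final URL.
function shouldAllowAfterRedirects(documentURL, chain, options = {}) {
  return chain.every((url) => shouldAllowResourceToAskForCredentials(documentURL, url, options));
}

// Constructed cases (the hostnames are made up) that mirror the situations the
// layout tests on this page are named after.
function runDemo() {
  const page = "https://page.test/index.html";
  return {
    sameOrigin: shouldAllowResourceToAskForCredentials(page, "https://page.test/protected/img.png"),
    crossOrigin: shouldAllowResourceToAskForCredentials(page, "https://cdn.test/protected/img.png"),
    mixedContent: shouldAllowResourceToAskForCredentials(page, "http://page.test/protected/img.png"),
    defaultPort: shouldAllowResourceToAskForCredentials(page, "https://page.test:443/protected/img.png"),
    otherPort: shouldAllowResourceToAskForCredentials("http://page.test:8000/", "http://page.test:8080/img.png"),
    navigation: shouldAllowResourceToAskForCredentials(page, "https://other.test/", { isMainResource: true }),
    testOptOut: shouldAllowResourceToAskForCredentials(page, "https://cdn.test/img.png", {
      allowCrossOriginSubresourcesToAskForCredentials: true,
    }),
    secureRedirectToCrossOriginAuth: shouldAllowAfterRedirects(page, [
      "https://page.test/redirect1",
      "https://page.test/redirect2",
      "https://auth.test/protected/img.png",
    ]),
  };
}

console.log(runDemo());
```

The point of the port normalisation is that a naive string comparison of origins would treat https://page.test and https://page.test:443 as different, which would spuriously block a same-origin prompt; the point of checking the whole redirect chain is that the origin a request started from is not the origin that ends up asking for a password.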
Comment 15, Andy Estes, 2018-02-14 10:47:27 PST
Comment on attachment 333398: Patch and layout tests
View in context: https://bugs.webkit.org/attachment.cgi?id=333398&action=review

> Source/WebCore/loader/ResourceLoader.h:190
> + bool canRequestAskUserForCredentials() const;
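Review bot: the new declaration "bool canRequestAskUserForCredentials() const;" carries no comment saying what it decides, and the name reads as if "request" were a verb, so a reader of the header cannot tell that the answer depends on whether the challenged request's URL is same-origin with the document. A name that states the policy (for example shouldAllowResourceToAskForCredentials()) or a one-line comment above the declaration would make the header self-explanatory.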
Can this just be called canAskUserForCredentials()? The first time I read this, I interpreted request as a verb and got confused. I get that we're basing the decision on the request URL, but maybe that fact doesn't need to be in the function signature. r=me either way.
Comment 16, Daniel Bates, 2018-02-14 11:10:15 PST
(In reply to Andy Estes from comment #15)
> Comment on attachment 333398 [details]
> Patch and layout tests
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=333398&action=review
>
> > Source/WebCore/loader/ResourceLoader.h:190
> > + bool canRequestAskUserForCredentials() const;
>
> Can this just be called canAskUserForCredentials()? The first time I read this, I interpreted request as a verb and got confused. I get that we're basing the decision on the request URL, but maybe that fact doesn't need to be in the function signature. r=me either way.

I was planning to rename ResourceLoader::isAllowedToAskUserForCredentials() to canAskUserForCredentials() in a subsequent patch. I hope you do not mind that I rename canRequestAskUserForCredentials() to shouldBlockCrossOriginAuthenticationChallenge() before landing.
Comment 17, Daniel Bates, 2018-02-14 11:15:20 PST
(In reply to Daniel Bates from comment #16)
> (In reply to Andy Estes from comment #15)
> > Comment on attachment 333398 [details]
> > Patch and layout tests
> >
> > View in context: https://bugs.webkit.org/attachment.cgi?id=333398&action=review
> >
> > > Source/WebCore/loader/ResourceLoader.h:190
> > > + bool canRequestAskUserForCredentials() const;
> >
> > Can this just be called canAskUserForCredentials()? The first time I read this, I interpreted request as a verb and got confused. I get that we're basing the decision on the request URL, but maybe that fact doesn't need to be in the function signature. r=me either way.
>
> I was planning to rename ResourceLoader::isAllowedToAskUserForCredentials() to canAskUserForCredentials() in a subsequent patch. I hope you do not mind that I rename canRequestAskUserForCredentials() to shouldBlockCrossOriginAuthenticationChallenge() before landing.

Or maybe shouldAllowResourceToAskForCredentials?
Comment 18, Daniel Bates, 2018-02-14 14:28:03 PST
Committed r228486: <https://trac.webkit.org/changeset/228486>