NetworkProcess should use CSP/content blockers for sync XHR
Created attachment 338271 [details] Patch
Comment on attachment 338271 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=338271&action=review > LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html:1 > +<head> Pleae add a <!DOCTYPE html>. > LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html:1 > +<html> Please add a <!DOCTYPE html>. Also, is this markup well formed? > LayoutTests/platform/mac-wk1/TestExpectations:100 > +# WK1 sync XHR unsupported features. I am unclear what this comment means. WebKit1 supports sync XHR last I recall. Or did we remove such support? WebKit1 does not support context extensions. > LayoutTests/platform/win/TestExpectations:2214 > +# WK1 sync XHR unsupported features. Ditto.
> I am unclear what this comment means. WebKit1 supports sync XHR last I > recall. Or did we remove such support? WebKit1 does not support context > extensions. Sync XHR in WK2 now supports handling of CORS/CSP/ContentBlockers for redirections. This is not the case in WK1.
Comment on attachment 338271 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=338271&action=review r=me with comments. >> LayoutTests/http/tests/contentextensions/sync-xhr-redirection-blocked.html:1 >> +<head> > > Pleae add a <!DOCTYPE html>. +1 >> LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html:1 >> +<html> > > Please add a <!DOCTYPE html>. Also, is this markup well formed? +1 > LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html:2 > +<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> I think it'd be nicer to put the meta tag inside a <head> > LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-sync-xhr-in-main-frame-window.html:7 > + xhr = new XMLHttpRequest(); const xhr = I do not think it needs to be global. > LayoutTests/platform/mac-wk1/TestExpectations:101 > +http/tests/contentextensions/sync-xhr-redirection-blocked.html [ Skip ] This folder is skipped globally and only enabled on mac-wk2 so this entry should not be needed. > LayoutTests/platform/mac-wk1/TestExpectations:102 > +http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html [ Skip ] I am assuming this fails on WK1 because you fixed Sync XHR + CSP for WK2 only. I think this is fine but the comment should be clearer if this is the case. > LayoutTests/platform/win/TestExpectations:2215 > +http/tests/contentextensions/sync-xhr-redirection-blocked.html [ Skip ] Ditto. > LayoutTests/platform/win/TestExpectations:2216 > +http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-sync-xhr-in-main-frame.html [ Skip ] ditto.
Created attachment 338330 [details] Patch for landing
Comment on attachment 338330 [details] Patch for landing Clearing flags on attachment: 338330 Committed r230810: <https://trac.webkit.org/changeset/230810>
All reviewed patches have been landed. Closing bug.
<rdar://problem/39569304>