Bug 185522 - NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Blocks: 185840
 
Reported: 2018-05-10 11:49 PDT by youenn fablet
Modified: 2018-05-23 10:45 PDT

Attachments
Patch (2.61 KB, patch)
2018-05-10 11:55 PDT, youenn fablet
no flags

Description youenn fablet 2018-05-10 11:49:37 PDT
NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge
Comment 1 youenn fablet 2018-05-10 11:50:02 PDT
<rdar://problem/39987152>
Comment 2 youenn fablet 2018-05-10 11:55:56 PDT
Created attachment 340114 [details]
Patch
Comment 3 youenn fablet 2018-05-10 14:38:41 PDT
Testing of this feature would require writing an API test using an HTTP server.
It would also require that the certificate would be valid.

This patch is also missing the ability to let the certificates be validated by UIProcess when the connection is created by the preflight request.
Comment 4 Brent Fulgham 2018-05-10 16:02:39 PDT
Comment on attachment 340114 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=340114&action=review

This looks correct to me. r=me.

> Source/WebKit/ChangeLog:10
> +        Previously, we were failing right away which is not right in case preflight is the request triggering the connection.

If the issue is that preflight doesn't use credentials, couldn't this be an issue with any of the authentication schemes needing credentials (e.g., ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it something special about the behavior of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested?

Looking through the rest of the code, it seems like ServerTrust is handled specially and rejects as you propose here in similar cases.
Comment 5 youenn fablet 2018-05-10 23:54:54 PDT
Thanks for the review.

> If the issue is that preflight doesn't use credentials, couldn't this be an
> issue with any of the authentication schemes needing credentials (e.g.,
> ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it
> something special about the behavior of
> ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested?

My understanding is that with other authentication schemes, the browser receives a 401.
This is then transmitted to the preflight checker, which always fails.

In the case of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested, we must react appropriately to the fact that the connection is credential-less.
Comment 6 youenn fablet 2018-05-10 23:56:38 PDT
I still wonder whether we should validate server certificates like we do for regular loads.
There is an option to do that within the network process, which would be easier to implement, although we could consider doing the full path to UIProcess for consistency.
Comment 7 WebKit Commit Bot 2018-05-11 00:22:17 PDT
Comment on attachment 340114 [details]
Patch

Clearing flags on attachment: 340114

Committed r231694: <https://trac.webkit.org/changeset/231694>
Comment 8 WebKit Commit Bot 2018-05-11 00:22:19 PDT
All reviewed patches have been landed.  Closing bug.