RESOLVED FIXED 185522
NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge 
https://bugs.webkit.org/show_bug.cgi?id=185522
Summary NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthe...
youenn fablet
Reported 2018-05-10 11:49:37 PDT
NetworkCORSPreflightChecker should proceed when having a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge
Attachments
Patch (2.61 KB, patch)
2018-05-10 11:55 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2018-05-10 11:50:02 PDT
<rdar://problem/39987152>
youenn fablet
Comment 2 2018-05-10 11:55:56 PDT
Created attachment 340114 [details] Patch
youenn fablet
Comment 3 2018-05-10 14:38:41 PDT
Testing of this feature would require writing an API test using an HTTP server. It would also require that the certificate would be valid. This patch is also missing the ability to let the certificates be validated by UIProcess when the connection is created by the preflight request.
Brent Fulgham
Comment 4 2018-05-10 16:02:39 PDT
Comment on attachment 340114 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=340114&action=review This looks correct to me. r=me. > Source/WebKit/ChangeLog:10 > + Previously, we were failing right away which is not right in case preflight is the request triggering the connection. If the issue is that preflight doesn't use credentials, couldn't this be an issue with any of the authentication scheme's needing credentials (e.g., ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it something special about the behavior of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested? Looking through the rest of the code, it seems like ServerTrust is handled specially and rejects as you propose here in similar cases.
youenn fablet
Comment 5 2018-05-10 23:54:54 PDT
Thanks for the review. > If the issue is that preflight doesn't use credentials, couldn't this be an > issue with any of the authentication scheme's needing credentials (e.g., > ProtectionSpaceAuthenticationSchemeClientCertificateRequested)? Or is it > something special about the behavior of > ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested? My understanding is that with other authentication schemes, the browser receives a 401. This is then transmitted to the preflight checker which always fail. In the case of ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested, we must react appropriately to the fact that the connection is credential-less.
youenn fablet
Comment 6 2018-05-10 23:56:38 PDT
I still wonder whether we should validate server certificates like we do for regular loads. There is an option to do that within network process, which would be easier to implement although we could consider doing the full path to UIProcess for consistency.
WebKit Commit Bot
Comment 7 2018-05-11 00:22:17 PDT
Comment on attachment 340114 [details] Patch Clearing flags on attachment: 340114 Committed r231694: <https://trac.webkit.org/changeset/231694>
WebKit Commit Bot
Comment 8 2018-05-11 00:22:19 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.