Bug 186090 - REGRESSION (r231479): Unable to buy Odeon cinema tickets in STP (bogus 'X-Frame-Options' to 'SAMEORIGIN')
Summary: REGRESSION (r231479): Unable to buy Odeon cinema tickets in STP (bogus 'X-Fra...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
: P1 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar, Regression
Depends on: 185410
Blocks:
Reported: 2018-05-30 07:14 PDT by Sam Sneddon [:gsnedders]
Modified: 2018-06-26 18:23 PDT

See Also:


Attachments
Work-in-progress patch (8.85 KB, patch)
2018-06-25 17:12 PDT, Daniel Bates
Archive of layout-test-results from ews206 for win-future (12.79 MB, application/zip)
2018-06-26 01:32 PDT, EWS Watchlist
Patch and layout test (12.58 KB, patch)
2018-06-26 13:30 PDT, Daniel Bates

Description Sam Sneddon [:gsnedders] 2018-05-30 07:14:40 PDT
On https://www.odeon.co.uk I am unable to buy tickets in STP 56, but can in Safari 11.1 (13605.1.33.1.4).

Ultimately, this fails with a frame navigation being refused because 'X-Frame-Options' is set to 'SAMEORIGIN'.

Repro steps:

1. Load https://www.odeon.co.uk/
2. Scroll to "Quick Links", choose any cinema/film/date, hit "Go".
3. Click on one of the times displayed below.
4. Click on the "Book now" link that appears.
5. Click on "Book as guest" after navigation.
6. Select "1" adult ticket (this probably doesn't matter) and click "Confirm tickets".
7. Choose seat (if required), click "Continue".
8. Click "Confirm Order".
9. Enter name and email address, click "Enter card details".
10. Enter card details (Visa test card number 4111111111111111 suffices, card security code "123", expiry any future date).
11. Click "Pay and complete order".

At this point, I expect a navigation or two to happen and then the tickets to be booked (or, using the test card number, a payment failure).

Instead, however, we get logged to the console:

Refused to display 'https://www.odeon.co.uk/bookingserver_ng_live6//booking/paymentHCCReturn.dhtml?bookingProcessId=763dfc57f501c9d639f0b35cc43d3172571753f2&accessible=1&useGETjsessionid=1&dts_reference=3100108257386587' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

As far as I can tell, this is trying to navigate the externalUrlIframe iframe, and note that externalUrlIframe.parent.origin == "https://www.odeon.co.uk" hence my belief that this X-Frame-Options failure is bogus.
Comment 1 Radar WebKit Bug Importer 2018-05-31 11:21:44 PDT
<rdar://problem/40692595>
Comment 2 Daniel Bates 2018-06-25 16:57:05 PDT
When you click the button Pay and complete order the site POSTs a form to <https://hps.datacash.com/hps/?> from a child iframe whose URL is of the form: <https://hps.datacash.com/hps/?HPS_SessionID=7f72d137-0dae-4ec4-b6a6-81509c1915d>. And the URL <https://hps.datacash.com/hps/?> ultimately redirects to a URL of the form: <https://www.odeon.co.uk/bookingserver_ng_live6//booking/paymentHCCReturn.dhtml?bookingProcessId=0eac9e9e5a02305931ab47b2bb78a5685cea0373&accessible=1&useGETjsessionid=1&dts_reference=3000108365129513>. The destination page on www.odeon.co.uk includes "X-Frame-Options: SAMEORIGIN" in its HTTP response.
Comment 3 Daniel Bates 2018-06-25 17:10:22 PDT
Currently as a performance optimization we compare the request URL (associated with response that includes the X-Frame-Options header) against the source origin of the document that initiated the request when applying the X-Frame-Options policy at <https://trac.webkit.org/browser/trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp?rev=233157#L377>. This is incorrect. We need to compare against the origin of the document in the top-most frame.

Additionally, NetworkResourceLoadParameters::frameAncestorOrigins is computed incorrectly. In particular, it should not include the security origin of the frame associated with the navigation request we are applying the X-Frame-Options policy to because this origin represents the origin of the document that initiated the navigation as we have not navigated the frame, yet.
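The two mistakes described in comment 3 can be shown side by side in a small model of X-Frame-Options enforcement. The following is an added example written for this page; it is not WebKit code and does not use WebKit's types. Origins are modelled as plain `scheme://host` strings, `Frame`, `frameAncestorOrigins`, `shouldBlockBuggy` and `shouldBlock` are names chosen for the example, and the scenario it builds (an odeon.co.uk top frame whose payment iframe currently shows hps.datacash.com and is redirected back to odeon.co.uk) is constructed from the report.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Simplified model of X-Frame-Options enforcement (added example, not WebKit code).
// Origins are plain "scheme://host[:port]" strings standing in for the
// scheme/host/port tuple a real browser compares.

enum class XFrameOptions { None, Deny, SameOrigin, AllowAll, Invalid };

// Parse the header value case-insensitively; anything unrecognised is Invalid.
XFrameOptions parseXFrameOptions(std::string value)
{
    std::transform(value.begin(), value.end(), value.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    if (value.empty()) return XFrameOptions::None;
    if (value == "DENY") return XFrameOptions::Deny;
    if (value == "SAMEORIGIN") return XFrameOptions::SameOrigin;
    if (value == "ALLOWALL") return XFrameOptions::AllowAll;
    return XFrameOptions::Invalid;
}

// A frame carries the origin of the document it currently displays.
struct Frame {
    std::string documentOrigin;
    const Frame* parent; // nullptr for the top-most frame
};

// Origins of the frames that will contain the response once the navigation
// commits: the parent chain of the navigated frame. The navigated frame's own
// current document is deliberately excluded; it is the document about to be
// replaced, not a future ancestor of the response.
std::vector<std::string> frameAncestorOrigins(const Frame& navigatedFrame)
{
    std::vector<std::string> origins;
    for (const Frame* f = navigatedFrame.parent; f; f = f->parent)
        origins.push_back(f->documentOrigin);
    return origins;
}

// The regression: SAMEORIGIN was evaluated against the origin of the document
// that initiated the request. When a cross-origin payment iframe redirects back
// to the site, that document is the payment provider's page, so the site's own
// response is refused even though every ancestor frame is same-origin.
bool shouldBlockBuggy(XFrameOptions policy, const std::string& responseOrigin,
                      const std::string& initiatingDocumentOrigin)
{
    if (policy != XFrameOptions::SameOrigin) return false;
    return responseOrigin != initiatingDocumentOrigin;
}

// Corrected check: with no ancestors this is a top-level navigation and the
// header does not apply. DENY refuses any framing; SAMEORIGIN refuses if any
// ancestor, the top-most frame included, differs from the response's origin.
bool shouldBlock(XFrameOptions policy, const std::string& responseOrigin,
                 const std::vector<std::string>& ancestorOrigins)
{
    if (ancestorOrigins.empty()) return false;
    switch (policy) {
    case XFrameOptions::Deny:
        return true;
    case XFrameOptions::SameOrigin:
        return std::any_of(ancestorOrigins.begin(), ancestorOrigins.end(),
                           [&](const std::string& o) { return o != responseOrigin; });
    default:
        return false; // None, AllowAll, Invalid: no framing restriction is applied
    }
}

// Constructed scenario mirroring the report: returns whether the redirected
// response from www.odeon.co.uk would be refused in the payment iframe.
bool odeonScenarioBlocked(bool useBuggyCheck)
{
    const Frame top { "https://www.odeon.co.uk", nullptr };
    const Frame paymentFrame { "https://hps.datacash.com", &top };
    const std::string responseOrigin = "https://www.odeon.co.uk";
    const XFrameOptions policy = parseXFrameOptions("SAMEORIGIN");
    if (useBuggyCheck)
        return shouldBlockBuggy(policy, responseOrigin, paymentFrame.documentOrigin);
    return shouldBlock(policy, responseOrigin, frameAncestorOrigins(paymentFrame));
}

int main()
{
    std::cout << "buggy check refuses the load: " << odeonScenarioBlocked(true) << "\n";
    std::cout << "fixed check refuses the load: " << odeonScenarioBlocked(false) << "\n";
    return 0;
}
```

Running it shows the buggy comparison refusing the odeon.co.uk response (the initiating document is on hps.datacash.com) while the ancestor-based check permits it, because the only ancestor is the odeon.co.uk top frame. Had `frameAncestorOrigins` included the navigated frame's own current origin, as comment 3 says the parameters did, the corrected check would have refused the load too, which is why both fixes are needed together.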
Comment 4 Daniel Bates 2018-06-25 17:12:28 PDT
Created attachment 343562 [details]
Work-in-progress patch
Comment 5 EWS Watchlist 2018-06-26 01:31:59 PDT
Comment on attachment 343562 [details]
Work-in-progress patch

Attachment 343562 [details] did not pass win-ews (win):
Output: https://webkit-queues.webkit.org/results/8343967

New failing tests:
http/tests/security/video-poster-cross-origin-crash2.html
Comment 6 EWS Watchlist 2018-06-26 01:32:10 PDT
Created attachment 343595 [details]
Archive of layout-test-results from ews206 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews206  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 7 Daniel Bates 2018-06-26 13:30:54 PDT
Created attachment 343634 [details]
Patch and layout test
Comment 8 Daniel Bates 2018-06-26 17:01:05 PDT
(In reply to Build Bot from comment #5)
> Comment on attachment 343562 [details]
> Work-in-progress patch
> 
> Attachment 343562 [details] did not pass win-ews (win):
> Output: https://webkit-queues.webkit.org/results/8343967
> 
> New failing tests:
> http/tests/security/video-poster-cross-origin-crash2.html

There is no crash log in the archive :( Looking at the markup of this test I am unclear how it relates to the changes made in the attached patch.
Comment 9 Daniel Bates 2018-06-26 18:23:17 PDT
Comment on attachment 343634 [details]
Patch and layout test

Clearing flags on attachment: 343634

Committed r233237: <https://trac.webkit.org/changeset/233237>
Comment 10 Daniel Bates 2018-06-26 18:23:19 PDT
All reviewed patches have been landed.  Closing bug.