Bug 186441 - http/tests/security/cors-post-redirect-307.html fails with PSON enabled
Summary: http/tests/security/cors-post-redirect-307.html fails with PSON enabled
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks: 186542
  Show dependency treegraph
 
Reported: 2018-06-08 13:12 PDT by Chris Dumez
Modified: 2018-06-13 16:30 PDT (History)
8 users (show)

See Also:

Attachments
For EWS (744 bytes, patch)
2018-06-08 14:12 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
WIP Patch (1.97 KB, patch)
2018-06-08 14:24 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Patch (3.90 KB, patch)
2018-06-08 14:30 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Patch (57.78 KB, patch)
2018-06-11 12:32 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Patch (57.36 KB, patch)
2018-06-11 13:50 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2018-06-08 13:12:56 PDT 
http/tests/security/cors-post-redirect-307.html and http/tests/security/cors-post-redirect-308.html fail with PSON enabled:
--- /Volumes/Data/WebKit/OpenSource/WebKitBuild/Release/layout-test-results/http/tests/security/cors-post-redirect-307-expected.txt
+++ /Volumes/Data/WebKit/OpenSource/WebKitBuild/Release/layout-test-results/http/tests/security/cors-post-redirect-307-actual.txt
@@ -1 +1 @@
-There was no origin header
+Origin header value: null
Comment 1 Chris Dumez 2018-06-08 13:15:45 PDT 
Looks like a legit bug in our PSON implementation. The Origin header should not be present on cross-origin redirect requests.
Comment 2 Chris Dumez 2018-06-08 13:19:00 PDT 
The origin gets cleared in NetworkDataTaskCocoa::willPerformHTTPRedirection() but I suspect we add the header back later on in the case where we decide to do the redirect load in a new process.
Comment 3 Chris Dumez 2018-06-08 13:45:58 PDT 
It is added later on by this code:
    if (origin.isEmpty()) {
        // If we don't know what origin header to attach, we attach the value
        // for an empty origin.
        request.setHTTPOrigin(SecurityOrigin::createUnique()->toString());
        return;
    }

in FrameLoader::addHTTPOriginIfNeeded().
Comment 4 Chris Dumez 2018-06-08 14:12:54 PDT 
Created attachment 342325 [details]
For EWS
Comment 5 Chris Dumez 2018-06-08 14:24:35 PDT 
Created attachment 342330 [details]
WIP Patch
Comment 6 Chris Dumez 2018-06-08 14:30:06 PDT 
Created attachment 342332 [details]
Patch
Comment 7 Daniel Bates 2018-06-08 15:20:55 PDT 
Comment on attachment 342332 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=342332&action=review

> Source/WebCore/loader/FrameLoader.cpp:-2835
> -    if (origin.isEmpty()) {

This code was intentionally added and a reason was given in the comment above. Please read through the comments on  <https://bugs.webkit.org/show_bug.cgi?id=20792> and ensure we are not breaking anything.
Comment 8 Daniel Bates 2018-06-08 15:23:02 PDT 
Obviously think about WebKit legacy.
Comment 9 Chris Dumez 2018-06-08 16:56:11 PDT 
(In reply to Daniel Bates from comment #7)
> Comment on attachment 342332 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=342332&action=review
> 
> > Source/WebCore/loader/FrameLoader.cpp:-2835
> > -    if (origin.isEmpty()) {
> 
> This code was intentionally added and a reason was given in the comment
> above. Please read through the comments on 
> <https://bugs.webkit.org/show_bug.cgi?id=20792> and ensure we are not
> breaking anything.

Yes, I suspected this was not OK. Still uploaded it without review flag before my lab to see which tests would fail. If this is important behavior, it is sad there is no test coverage for it.
Comment 10 Chris Dumez 2018-06-11 09:55:23 PDT 
I have a proper fix, will upload shortly.
Comment 11 Chris Dumez 2018-06-11 12:32:52 PDT 
Created attachment 342454 [details]
Patch
Comment 12 youenn fablet 2018-06-11 13:44:18 PDT 
Comment on attachment 342454 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=342454&action=review

> Source/WebCore/loader/FrameLoader.cpp:2839
> +        WTFReportBacktrace();

Probably to be removed.
Comment 13 Chris Dumez 2018-06-11 13:49:21 PDT 
(In reply to youenn fablet from comment #12)
> Comment on attachment 342454 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=342454&action=review
> 
> > Source/WebCore/loader/FrameLoader.cpp:2839
> > +        WTFReportBacktrace();
> 
> Probably to be removed.

LoL XD
Comment 14 Chris Dumez 2018-06-11 13:50:38 PDT 
Created attachment 342461 [details]
Patch
Comment 15 Chris Dumez 2018-06-11 13:52:36 PDT 
Comment on attachment 342461 [details]
Patch

Clearing flags on attachment: 342461

Committed r232730: <https://trac.webkit.org/changeset/232730>
Comment 16 Chris Dumez 2018-06-11 13:52:38 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 17 Radar WebKit Bug Importer 2018-06-11 13:53:24 PDT 
<rdar://problem/41018447>