RESOLVED FIXED 188639
Stop using canAuthenticateAgainstProtectionSpace in modern WebKit 
https://bugs.webkit.org/show_bug.cgi?id=188639
Summary Stop using canAuthenticateAgainstProtectionSpace in modern WebKit
Alex Christensen
Reported 2018-08-15 22:50:34 PDT
Stop using canAuthenticateAgainstProtectionSpace in modern WebKit
Attachments
Patch (40.13 KB, patch)
2018-08-15 22:56 PDT, Alex Christensen 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews104 for mac-sierra-wk2 (3.30 MB, application/zip)
2018-08-15 23:52 PDT, EWS Watchlist 		no flags
Details
Patch (40.64 KB, patch)
2018-08-16 10:03 PDT, Alex Christensen 		youennf: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Alex Christensen
Comment 1 2018-08-15 22:56:27 PDT
Created attachment 347248 [details] Patch
EWS Watchlist
Comment 2 2018-08-15 23:52:52 PDT
Comment on attachment 347248 [details] Patch Attachment 347248 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/8877013 New failing tests: accessibility/smart-invert-reference.html
EWS Watchlist
Comment 3 2018-08-15 23:52:54 PDT
Created attachment 347251 [details] Archive of layout-test-results from ews104 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
youenn fablet
Comment 4 2018-08-16 09:56:10 PDT
Comment on attachment 347248 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=347248&action=review > Source/WebKit/ChangeLog:12 > + with the 1 client that still uses it (not for long, see rdar://problem/43358403) and simplify and optimize No public API is impacted? > Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp:-106 > - NetworkProcess::singleton().canAuthenticateAgainstProtectionSpace(challenge.protectionSpace(), m_parameters.pageID, m_parameters.frameID, [this, weakThis = makeWeakPtr(this), completionHandler = WTFMove(completionHandler), challenge = WTFMove(challenge)] (bool canAuthenticate) mutable { NetworkCORSPreflightChecker no longer needs to be weakptr. > Source/WebKit/NetworkProcess/NetworkLoad.cpp:254 > void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler) We probably no longer need to pass an AuthenticationChallenge&&. > Source/WebKit/NetworkProcess/NetworkLoad.cpp:269 > +#endif We do not have this handling in NetworkCORSPreflightChecker, is that fine? Should we move that code in NetworkDataTaskCocoa::didReceiveChallenge?
Alex Christensen
Comment 5 2018-08-16 09:58:24 PDT
Comment on attachment 347248 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=347248&action=review >> Source/WebKit/NetworkProcess/NetworkCORSPreflightChecker.cpp:-106 >> - NetworkProcess::singleton().canAuthenticateAgainstProtectionSpace(challenge.protectionSpace(), m_parameters.pageID, m_parameters.frameID, [this, weakThis = makeWeakPtr(this), completionHandler = WTFMove(completionHandler), challenge = WTFMove(challenge)] (bool canAuthenticate) mutable { > > NetworkCORSPreflightChecker no longer needs to be weakptr. Right! >> Source/WebKit/NetworkProcess/NetworkLoad.cpp:254 >> void NetworkLoad::didReceiveChallenge(AuthenticationChallenge&& challenge, ChallengeCompletionHandler&& completionHandler) > > We probably no longer need to pass an AuthenticationChallenge&&. I think we still should for conceptual correctness. >> Source/WebKit/NetworkProcess/NetworkLoad.cpp:269 >> +#endif > > We do not have this handling in NetworkCORSPreflightChecker, is that fine? > Should we move that code in NetworkDataTaskCocoa::didReceiveChallenge? That's fine. This is actually from SPI just for testing that I plan to remove soon.
Alex Christensen
Comment 6 2018-08-16 10:03:28 PDT
Created attachment 347271 [details] Patch
Alex Christensen
Comment 7 2018-08-16 10:08:23 PDT
(In reply to youenn fablet from comment #4) > Comment on attachment 347248 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=347248&action=review > > > Source/WebKit/ChangeLog:12 > > + with the 1 client that still uses it (not for long, see rdar://problem/43358403) and simplify and optimize > > No public API is impacted? No public API is impacted. The only public API we have is WKNavigationDelegate's didReceiveAuthenticationChallenge which works "the right way". This is removing old stuff.
youenn fablet
Comment 8 2018-08-16 10:16:49 PDT
Comment on attachment 347271 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=347271&action=review > Source/WebKit/NetworkProcess/PreconnectTask.h:-53 > - void canAuthenticateAgainstProtectionSpaceAsync(const WebCore::ProtectionSpace&) final; Maybe PreconnectTask no longer needs either to be CanMakeWeakPtr either.
youenn fablet
Comment 9 2018-08-16 10:18:20 PDT
For extra safety, I would tend to verify we do not regress CORS preflight+ ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenges with this patch.
youenn fablet
Comment 10 2018-08-16 10:20:13 PDT
Given how much we regress this, we should write a test for such case. Do we receive a ProtectionSpaceAuthenticationSchemeServerTrustEvaluationRequested challenge when loading https://localhost:8443? If so, we could crash the network process and then do a CORS preflight.
Alex Christensen
Comment 11 2018-08-16 10:59:43 PDT
http://trac.webkit.org/r234941
Radar WebKit Bug Importer
Comment 12 2018-08-16 11:00:21 PDT
<rdar://problem/43388361>
Note You need to log in before you can comment on or make changes to this bug.