RESOLVED FIXED 205326
Implement "create a potential-CORS request" 
https://bugs.webkit.org/show_bug.cgi?id=205326
Summary Implement "create a potential-CORS request"
Rob Buis
Reported 2019-12-16 23:41:41 PST
Implement "create a potential-CORS request" and remove deprecatedSetAsPotentiallyCrossOrigin.
Attachments
Patch (4.97 KB, patch)
2019-12-16 23:58 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (7.63 KB, patch)
2019-12-17 00:54 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (16.26 KB, patch)
2019-12-17 02:39 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (16.98 KB, patch)
2019-12-17 03:32 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (23.04 KB, patch)
2019-12-17 05:32 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (23.92 KB, patch)
2019-12-17 07:22 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (23.99 KB, patch)
2019-12-18 00:59 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (24.36 KB, patch)
2019-12-20 04:29 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (13.75 KB, patch)
2020-01-03 05:11 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (2.30 KB, patch)
2020-01-18 01:04 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (3.71 KB, patch)
2020-01-18 01:54 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (3.92 KB, patch)
2020-01-20 00:48 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (3.96 KB, patch)
2020-01-20 00:49 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (4.18 KB, patch)
2020-01-20 03:52 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (13) View All Add attachment proposed patch, testcase, etc.
Rob Buis
Comment 1 2019-12-16 23:58:11 PST
Created attachment 385860 [details] Patch
Rob Buis
Comment 2 2019-12-17 00:54:15 PST
Created attachment 385863 [details] Patch
Rob Buis
Comment 3 2019-12-17 02:39:36 PST
Created attachment 385871 [details] Patch
Rob Buis
Comment 4 2019-12-17 03:32:38 PST
Created attachment 385874 [details] Patch
Rob Buis
Comment 5 2019-12-17 05:32:53 PST
Created attachment 385879 [details] Patch
Rob Buis
Comment 6 2019-12-17 07:22:53 PST
Created attachment 385886 [details] Patch
Alexey Proskuryakov
Comment 7 2019-12-17 18:59:56 PST
Comment on attachment 385886 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385886&action=review > LayoutTests/ChangeLog:8 > + Adjusts test to same-origin fallback behavior by using CORS. These changes seem to suggest high likelihood of breaking behaviors websites could rely on. What evidence exists to demonstrate them being fine? > LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:1 > +CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match. Can you elaborate on why this is right, in particular?
Rob Buis
Comment 8 2019-12-17 22:37:35 PST
(In reply to Alexey Proskuryakov from comment #7) > Comment on attachment 385886 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=385886&action=review > > > LayoutTests/ChangeLog:8 > > + Adjusts test to same-origin fallback behavior by using CORS. > > These changes seem to suggest high likelihood of breaking behaviors websites > could rely on. What evidence exists to demonstrate them being fine? It is specified that way for track loading: https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request Chrome and Firefox implement it (I should have added that to the Changelog, will fix). > > LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:1 > > +CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match. > > Can you elaborate on why this is right, in particular? That does look a bit odd, I will debug what is triggering those console messages.
Rob Buis
Comment 9 2019-12-18 00:59:45 PST
Created attachment 385947 [details] Patch
youenn fablet
Comment 10 2019-12-20 03:16:29 PST
Comment on attachment 385947 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385947&action=review > Source/WebCore/ChangeLog:11 > + The new behavior matches that of Chrome and Firefox. Can you detail what behavioural changes are one there?
Rob Buis
Comment 11 2019-12-20 04:29:44 PST
Created attachment 386201 [details] Patch
Rob Buis
Comment 12 2019-12-20 05:31:01 PST
Comment on attachment 385947 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385947&action=review >> Source/WebCore/ChangeLog:11 >> + The new behavior matches that of Chrome and Firefox. > > Can you detail what behavioural changes are one there? I tried to add more details in all ChangeLog files. Note that if the same-origin fallback is controversial I can remove it from the patch.
youenn fablet
Comment 13 2020-01-03 01:30:15 PST
Comment on attachment 386201 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386201&action=review > Source/WebCore/ChangeLog:13 > + not specified. Could we split the patch in two parts: one which is just a refactoring and then the one about text track loading? > Source/WebCore/loader/CrossOriginAccessControl.cpp:122 > +CachedResourceRequest createPotentialAccessControlRequest(ResourceRequest&& request, Document& document, const String& crossOriginAttribute, ResourceLoaderOptions&& options, bool sameOriginFlag) Can we move the options as the second parameter, that will allow to group the moved parameters together. > Source/WebCore/loader/CrossOriginAccessControl.cpp:131 > + auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; > Source/WebCore/loader/CrossOriginAccessControl.cpp:142 > auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; > Source/WebCore/loader/TextTrackLoader.cpp:163 > + auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), document, element.mediaElementCrossOriginAttribute(), WTFMove(options), true); An enum would be slightly clearer.
youenn fablet
Comment 14 2020-01-03 01:31:00 PST
@EricCarlson, any concern about changing text track loading to same-origin by default, as done by Chrome and Firefox nowadays apparently?
Rob Buis
Comment 15 2020-01-03 05:11:25 PST
Created attachment 386673 [details] Patch
Rob Buis
Comment 16 2020-01-03 06:08:19 PST
Comment on attachment 386201 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386201&action=review I think I addressed your comments. >> Source/WebCore/ChangeLog:13 >> + not specified. > > Could we split the patch in two parts: one which is just a refactoring and then the one about text track loading? Doing that now, the new patch does not contain the text track loading changes. >> Source/WebCore/loader/CrossOriginAccessControl.cpp:122 >> +CachedResourceRequest createPotentialAccessControlRequest(ResourceRequest&& request, Document& document, const String& crossOriginAttribute, ResourceLoaderOptions&& options, bool sameOriginFlag) > > Can we move the options as the second parameter, that will allow to group the moved parameters together. Done and adjusted the call sites. >> Source/WebCore/loader/CrossOriginAccessControl.cpp:131 >> + auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; > > CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; Done. >> Source/WebCore/loader/CrossOriginAccessControl.cpp:142 >> auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; > > CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; Done.
WebKit Commit Bot
Comment 17 2020-01-03 07:27:39 PST
The commit-queue encountered the following flaky tests while processing attachment 386673 [details]: imported/w3c/web-platform-tests/IndexedDB/large-requests-abort.html bug 205724 (author: youennf@gmail.com) imported/w3c/web-platform-tests/IndexedDB/fire-error-event-exception.html bug 201481 (authors: shvaikalesh@gmail.com and youennf@gmail.com) The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 18 2020-01-03 07:27:46 PST
The commit-queue encountered the following flaky tests while processing attachment 386673 [details]: imported/w3c/web-platform-tests/IndexedDB/interleaved-cursors-large.html bug 201849 The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 19 2020-01-03 08:19:55 PST
Comment on attachment 386673 [details] Patch Clearing flags on attachment: 386673 Committed r254000: <https://trac.webkit.org/changeset/254000>
WebKit Commit Bot
Comment 20 2020-01-03 08:19:57 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 21 2020-01-03 08:20:24 PST
<rdar://problem/58298224>
Rob Buis
Comment 22 2020-01-03 09:20:10 PST
Reopening as a reminder that Eric still needs to react (comment 14) :)
Eric Carlson
Comment 23 2020-01-03 10:05:55 PST
(In reply to youenn fablet from comment #14) > @EricCarlson, any concern about changing text track loading to same-origin > by default, as done by Chrome and Firefox nowadays apparently? No, I think it is the right thing.
Eric Carlson
Comment 24 2020-01-03 10:06:25 PST
(In reply to Rob Buis from comment #22) > Reopening as a reminder that Eric still needs to react (comment 14) :) Closing bug. Thanks for checking in Rob!
Rob Buis
Comment 25 2020-01-18 01:04:26 PST
Reopening to attach new patch.
Rob Buis
Comment 26 2020-01-18 01:04:29 PST
Created attachment 388140 [details] Patch
Rob Buis
Comment 27 2020-01-18 01:54:39 PST
Created attachment 388141 [details] Patch
Rob Buis
Comment 28 2020-01-20 00:48:49 PST
Created attachment 388214 [details] Patch
Rob Buis
Comment 29 2020-01-20 00:49:41 PST
Created attachment 388215 [details] Patch
youenn fablet
Comment 30 2020-01-20 01:57:44 PST
Comment on attachment 388215 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=388215&action=review > Source/WebCore/loader/CrossOriginAccessControl.cpp:140 > + options.storedCredentialsPolicy = credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : document.securityOrigin().canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse; Can we write it with something like: switch (credentials) { case FetchOptions::Credentials::Omit: ... case FetchOptions::Credentials::Omit: ... case FetchOptions::Credentials::Include: ... case FetchOptions::Credentials::SameOrigin: ... } This should be easier to use and we would also ensure consistency between the two values (for instance omit => DoNotUse).
Rob Buis
Comment 31 2020-01-20 03:52:26 PST
Created attachment 388225 [details] Patch
WebKit Commit Bot
Comment 32 2020-01-20 06:43:16 PST
The commit-queue encountered the following flaky tests while processing attachment 388225 [details]: editing/spelling/spellcheck-async-remove-frame.html bug 158401 (authors: morrita@google.com, rniwa@webkit.org, and tony@chromium.org) The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 33 2020-01-20 06:43:50 PST
Comment on attachment 388225 [details] Patch Clearing flags on attachment: 388225 Committed r254821: <https://trac.webkit.org/changeset/254821>
WebKit Commit Bot
Comment 34 2020-01-20 06:43:52 PST
All reviewed patches have been landed. Closing bug.
Rob Buis
Comment 35 2020-01-21 00:14:14 PST
(In reply to youenn fablet from comment #30) > Comment on attachment 388215 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=388215&action=review > > > Source/WebCore/loader/CrossOriginAccessControl.cpp:140 > > + options.storedCredentialsPolicy = credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : document.securityOrigin().canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse; > > Can we write it with something like: > switch (credentials) { > case FetchOptions::Credentials::Omit: > ... > case FetchOptions::Credentials::Omit: > ... > case FetchOptions::Credentials::Include: > ... > case FetchOptions::Credentials::SameOrigin: > ... > } > This should be easier to use and we would also ensure consistency between > the two values (for instance omit => DoNotUse). Yes, this did make the code easier to read and reason about.
Note You need to log in before you can comment on or make changes to this bug.