RESOLVED FIXED207102
Fix behavior of pings regarding Origin header 
https://bugs.webkit.org/show_bug.cgi?id=207102
Summary Fix behavior of pings regarding Origin header
Rob Buis
Reported 2020-02-02 08:52:00 PST
Import WPT tests to verify pings do not send a origin header.
Attachments
Patch (16.76 KB, patch)
2020-02-02 08:54 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (23.43 KB, patch)
2020-02-02 09:58 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (26.29 KB, patch)
2020-02-06 01:56 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (28.36 KB, patch)
2020-02-25 02:02 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (28.47 KB, patch)
2020-03-02 08:23 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Rob Buis
Comment 1 2020-02-02 08:54:08 PST
Created attachment 389475 [details] Patch
Rob Buis
Comment 2 2020-02-02 09:58:12 PST
Created attachment 389478 [details] Patch
Rob Buis
Comment 3 2020-02-06 01:56:05 PST
Created attachment 389940 [details] Patch
youenn fablet
Comment 4 2020-02-07 00:19:21 PST
Comment on attachment 389940 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=389940&action=review > Source/WebCore/ChangeLog:3 > + Import WPT tests to verify pings do not send a origin header Can we change the title of the bug since we are changing behavior and not only adding tests? > LayoutTests/imported/w3c/ChangeLog:10 > + https://fetch.spec.whatwg.org/#append-a-request-origin-header How about implementing this in this patch? It seems we would regress the case where people really want to have a 'null' origin.
Rob Buis
Comment 5 2020-02-25 02:02:13 PST
Created attachment 391639 [details] Patch
Rob Buis
Comment 6 2020-02-25 02:51:02 PST
Comment on attachment 389940 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=389940&action=review >> Source/WebCore/ChangeLog:3 >> + Import WPT tests to verify pings do not send a origin header > > Can we change the title of the bug since we are changing behavior and not only adding tests? Good point, done. >> LayoutTests/imported/w3c/ChangeLog:10 >> + https://fetch.spec.whatwg.org/#append-a-request-origin-header > > How about implementing this in this patch? > It seems we would regress the case where people really want to have a 'null' origin. Yes, I added it in the latest patch.
youenn fablet
Comment 7 2020-03-02 06:31:43 PST
Comment on attachment 391639 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=391639&action=review > Source/WebCore/loader/PingLoader.cpp:138 > + FrameLoader::addHTTPOriginIfNeeded(request, SecurityPolicy::generateOriginHeader(document.referrerPolicy(), request.url(), sourceOrigin.toString())); It might be nice to only create the origin value when we need to set the header. How about adding something like FrameLoader::addHTTPOriginIfNeeded(ResourceRequest&, ReferrerPolicy, const SecurityOrigin&) or FrameLoader::addHTTPOriginIfNeeded(ResourceRequest&, const Document&) > Source/WebCore/page/SecurityPolicy.cpp:134 > +String SecurityPolicy::generateOriginHeader(ReferrerPolicy referrerPolicy, const URL& url, const String& origin) It seems passing a SecurityOrigin would be better in the StrictOrigin/StrictOriginWhenCrossOrigin/SameOrigin cases. > Source/WebCore/page/SecurityPolicy.cpp:138 > + return "null"; "null"-> "null"_s here and below. > Source/WebCore/page/SecurityPolicy.cpp:149 > + default: Can we enumerate all enum values instead of having default?
Rob Buis
Comment 8 2020-03-02 08:23:09 PST
Created attachment 392142 [details] Patch
Rob Buis
Comment 9 2020-03-02 12:17:38 PST
Comment on attachment 391639 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=391639&action=review >> Source/WebCore/loader/PingLoader.cpp:138 >> + FrameLoader::addHTTPOriginIfNeeded(request, SecurityPolicy::generateOriginHeader(document.referrerPolicy(), request.url(), sourceOrigin.toString())); > > It might be nice to only create the origin value when we need to set the header. > How about adding something like > FrameLoader::addHTTPOriginIfNeeded(ResourceRequest&, ReferrerPolicy, const SecurityOrigin&) > or > FrameLoader::addHTTPOriginIfNeeded(ResourceRequest&, const Document&) You have a good point. I will do this later since generateOriginHeader should indeed be called within addHTTPOriginIfNeeded and may fix some other tests. >> Source/WebCore/page/SecurityPolicy.cpp:134 >> +String SecurityPolicy::generateOriginHeader(ReferrerPolicy referrerPolicy, const URL& url, const String& origin) > > It seems passing a SecurityOrigin would be better in the StrictOrigin/StrictOriginWhenCrossOrigin/SameOrigin cases. Done. >> Source/WebCore/page/SecurityPolicy.cpp:138 >> + return "null"; > > "null"-> "null"_s here and below. Done. >> Source/WebCore/page/SecurityPolicy.cpp:149 >> + default: > > Can we enumerate all enum values instead of having default? Done.
WebKit Commit Bot
Comment 10 2020-03-02 13:08:01 PST
Comment on attachment 392142 [details] Patch Clearing flags on attachment: 392142 Committed r257729: <https://trac.webkit.org/changeset/257729>
WebKit Commit Bot
Comment 11 2020-03-02 13:08:03 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 12 2020-03-02 13:09:16 PST
<rdar://problem/59964311>
Note You need to log in before you can comment on or make changes to this bug.