RESOLVED FIXED 241003
HSTS synthesized redirect responses should not be blocked by CORS
https://bugs.webkit.org/show_bug.cgi?id=241003
Alex Christensen
Reported 2022-05-26 23:13:06 PDT
Attachments
Patch (3.28 KB, patch)
2022-05-26 23:17 PDT, Alex Christensen
no flags
Patch (3.36 KB, patch)
2022-06-02 16:09 PDT, Alex Christensen
no flags
Alex Christensen
Comment 1 2022-05-26 23:17:58 PDT
Alex Christensen
Comment 2 2022-06-02 16:09:14 PDT
Radar WebKit Bug Importer
Comment 3 2022-06-02 23:14:15 PDT
youenn fablet
Comment 4 2022-06-02 23:52:09 PDT
Comment on attachment 459975 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=459975&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:640
> + NSString *origin = [request valueForHTTPHeaderField:@"Origin"] ?: @"*";

If there is no origin header, we probably do not need to add AccessControlAllowOrigin header.
Adding it with '*' does not harm though.

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:642
> + networkDataTask->willPerformHTTPRedirection(WTFMove(synthesizedResponse), request, [completionHandler = makeBlockPtr(completionHandler), taskIdentifier, shouldIgnoreHSTS](auto&& request) {

Seems fine for now.
There are corner cases that will not work (CORS preflight for instance).
In the future, we could add a dedicated HSTS upgrade signal and let NetworkResourceLoader/NetworkLoadChecker deal with the full case.
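Review bot: At NetworkSessionCocoa.mm:640, the `?: @"*"` fallback gives `origin` a wildcard whenever the request carries no Origin header. If `origin` is the value placed in the synthesized response's Access-Control-Allow-Origin header (the line that sets it is not in the quoted lines), a wildcard there does not satisfy the CORS check for a credentialed request, and a request without an Origin header may not need the header at all. Consider omitting the header in the no-Origin case, or add a comment beside the fallback saying why the wildcard is kept.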
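Review bot: At NetworkSessionCocoa.mm:642, the lambda parameter `auto&& request` has the same name as the `request` passed as the second argument to `willPerformHTTPRedirection`, so inside the block `request` refers to the handler's argument and the outer one is shadowed without any visible cue. Renaming the parameter (for example `redirectRequest`, a hypothetical name) would make clear which request the completion path uses.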
EWS
Comment 5 2022-06-03 14:04:03 PDT
Committed r295230 (251284@main): <https://commits.webkit.org/251284@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 459975 [details].
Alexey Proskuryakov
Comment 6 2022-06-23 13:24:23 PDT
This landed as 251285@main, NOT 251284@main.