WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
66340
REGRESSION (
r89086
): All worker xhr requests trigger preflight requests.
https://bugs.webkit.org/show_bug.cgi?id=66340
Summary
REGRESSION (r89086): All worker xhr requests trigger preflight requests.
David Levin
Reported
2011-08-16 15:30:25 PDT
This happens in WebKit nightlies and chromium for both shared and dedicated workers. After
http://trac.webkit.org/changeset/89086
(which I helped review), the referer header is set before DocumentThreadableLoader::create is called. DocumentThreadableLoader::create checks to see if a preflight request is needed but the referer header isn't listed as a simple header (because it can't be set by the xhr request at all), so this header being present triggers the preflight request. Just adding Nate as an fyi. In progress fix: * I'll add "referer" to the whitelist in isOnAccessControlSimpleRequestHeaderWhitelist in Source/WebCore/loader/CrossOriginAccessControl.cpp and all will be happiness. * Add a simple test for cross origin stuff for workers/shared workers.
Attachments
Patch
(1.90 KB, patch)
2011-08-16 18:14 PDT
,
David Levin
no flags
Details
Formatted Diff
Diff
Patch
(39.49 KB, patch)
2011-08-19 13:25 PDT
,
David Levin
no flags
Details
Formatted Diff
Diff
Test for preflight for simple request from web workers.
(7.09 KB, patch)
2011-08-22 11:57 PDT
,
David Levin
darin
: review+
levin
: commit-queue-
Details
Formatted Diff
Diff
Show Obsolete
(2)
View All
Add attachment
proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1
2011-08-16 16:11:08 PDT
I guess we can add all headers in XMLHttpRequest::m_forbiddenRequestHeaders to CORS simple request whitelist now, since they can only be set by the engine, not by JS code.
David Levin
Comment 2
2011-08-16 18:14:01 PDT
Created
attachment 104136
[details]
Patch
Adam Barth
Comment 3
2011-08-16 18:15:43 PDT
Comment on
attachment 104136
[details]
Patch Yeah, I agree with Alexey.
David Levin
Comment 4
2011-08-16 18:17:05 PDT
I'll add another patch with tests and add the other headers after I land this one.
David Levin
Comment 5
2011-08-16 18:55:12 PDT
Comment on
attachment 104136
[details]
Patch Committed as
http://trac.webkit.org/changeset/93188
Keeping bug open to work on the bigger fix.
Per-Erik Brodin
Comment 6
2011-08-16 19:05:07 PDT
(In reply to
comment #1
)
> I guess we can add all headers in XMLHttpRequest::m_forbiddenRequestHeaders to CORS simple request whitelist now, since they can only be set by the engine, not by JS code.
Another option would be to fix
https://bugs.webkit.org/show_bug.cgi?id=63460
Now Referer and Origin will be incorrectly included in Access-Control-Request-Headers whenever there is a preflight.
David Levin
Comment 7
2011-08-19 13:25:04 PDT
Created
attachment 104552
[details]
Patch
David Levin
Comment 8
2011-08-22 11:45:21 PDT
Comment on
attachment 104552
[details]
Patch
> Despite what I said in
comment 1
, I'm not sure if it's the best approach to move > headers that are special cased in XMLHttpRequest to some shared location. It's > ThreadableLoader client (in this case, XHR) who really knows if JavaScript code > called one of those methods that added non-engine headers. Many other clients > simply don't provide any way to specify custom headers, so doing checks on these > is pointless.
> What do you think?
It seemed reasonable to move these checks over here as you suggested previously. I suspect the added cost is negligible and this doesn't seem like a performance sensitive path. However, I don't really care to have all of this moved over and mostly did it due to the suggestion :). So I'll withdraw this patch and do one with only the test code which should help us catch any future regressions.
David Levin
Comment 9
2011-08-22 11:57:06 PDT
Created
attachment 104709
[details]
Test for preflight for simple request from web workers.
Darin Adler
Comment 10
2011-08-22 13:10:24 PDT
Comment on
attachment 104709
[details]
Test for preflight for simple request from web workers. View in context:
https://bugs.webkit.org/attachment.cgi?id=104709&action=review
> LayoutTests/http/tests/xmlhttprequest/workers/resources/access-control-basic-get-fail-non-simple-test.js:19 > +worker.onmessage = function(evt)
Why eve instead of event?
David Levin
Comment 11
2011-08-22 13:12:19 PDT
Comment on
attachment 104709
[details]
Test for preflight for simple request from web workers. I'll change the test to event and submit it.
David Levin
Comment 12
2011-08-22 13:46:32 PDT
Committed (tests) as
http://trac.webkit.org/changeset/93536
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug