[webkit-changes] [WebKit/WebKit] 63145f: Safari reuses Authorization header on second call ...

youennf noreply at github.com
Wed Nov 16 00:55:25 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 63145fa91bb8fb40c7103b9971d7292b6a3e0517
      https://github.com/WebKit/WebKit/commit/63145fa91bb8fb40c7103b9971d7292b6a3e0517
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2022-11-16 (Wed, 16 Nov 2022)

  Changed paths:
    A LayoutTests/http/wpt/fetch/fetch-permanent-redirect-same-origin-authorization-expected.txt
    A LayoutTests/http/wpt/fetch/fetch-permanent-redirect-same-origin-authorization.html
    A LayoutTests/http/wpt/fetch/resources/dump-authorization-header.py
    A LayoutTests/http/wpt/fetch/resources/redirect301.py
    M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
    M Source/WebKit/NetworkProcess/cache/NetworkCache.cpp
    M Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm

  Log Message:
  -----------
  Safari reuses Authorization header on second call to 301 redirects even if the header value changed when replaying the request
https://bugs.webkit.org/show_bug.cgi?id=247418
rdar://problem/101935060

Reviewed by Chris Dumez.

In case of serving a redirection from HTTP cache, we cannot reuse the Authorization header of the past redirect request.
Instead, we should reuse the latest request Authorization header.

To do this, we remove Authorization header from stored redirected requests in network cache.
This handles the case of a cached redirection stored with authorization and reused without authorization.

We also move the NetworkDataTaskCocoa code used to reuse the original request Authorization header to NetworkResourceLoader,
so that it handles both the cache code path as well as the regular network code path.

* LayoutTests/http/wpt/fetch/fetch-permanent-redirect-same-origin-authorization-expected.txt: Added.
* LayoutTests/http/wpt/fetch/fetch-permanent-redirect-same-origin-authorization.html: Added.
* LayoutTests/http/wpt/fetch/resources/dump-authorization-header.py: Added.
(main):
* LayoutTests/http/wpt/fetch/resources/redirect301.py: Added.
(main):
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::willSendRedirectedRequestInternal):
* Source/WebKit/NetworkProcess/cache/NetworkCache.cpp:
(WebKit::NetworkCache::Cache::makeRedirectEntry):
* Source/WebKit/NetworkProcess/cocoa/NetworkDataTaskCocoa.mm:
(WebKit::NetworkDataTaskCocoa::willPerformHTTPRedirection):

Canonical link: https://commits.webkit.org/256726@main
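
Added example, not part of the commit and not WebKit code: a simplified C++ model of the redirect cache behaviour the log message describes, showing the Authorization value a redirect target receives on the second call before and after the change. `RedirectCache`, `Request`, `secondCallAuthorization` and the `example.test` URLs are hypothetical, and the same-origin condition is an assumption taken from the name of the added layout test.

```cpp
// Simplified model of the log message above; not WebKit code, all names hypothetical.
#include <map>
#include <string>

using Headers = std::map<std::string, std::string>;
struct Request { std::string origin, path; Headers headers; };

class RedirectCache {
public:
    explicit RedirectCache(bool fixed) : m_fixed(fixed) { }
    // Store the redirected request produced by a 301, keyed by the original URL.
    void storeRedirect(const Request& original, Request redirected)
    {
        if (m_fixed)
            redirected.headers.erase("Authorization"); // never persist the credential
        m_entries[original.origin + original.path] = redirected;
    }

    // Replay a cached redirect; on a cache miss the request is returned unchanged.
    Request replay(const Request& current) const
    {
        auto it = m_entries.find(current.origin + current.path);
        if (it == m_entries.end())
            return current;
        Request redirected = it->second;
        auto auth = current.headers.find("Authorization");
        // Assumption: only a same-origin redirect inherits the caller's header.
        if (m_fixed && redirected.origin == current.origin && auth != current.headers.end())
            redirected.headers["Authorization"] = auth->second;
        return redirected;
    }
private:
    bool m_fixed;
    std::map<std::string, Request> m_entries;
};

// Authorization value the redirect target sees on the second call ("" = none).
std::string secondCallAuthorization(bool fixed, const std::string& firstAuth, const std::string& secondAuth)
{
    RedirectCache cache(fixed);
    Request first { "https://example.test", "/old", { } }; // constructed sample request
    if (!firstAuth.empty()) first.headers["Authorization"] = firstAuth;
    cache.storeRedirect(first, Request { first.origin, "/new", first.headers });
    Request second { first.origin, "/old", { } };
    if (!secondAuth.empty()) second.headers["Authorization"] = secondAuth;
    Request replayed = cache.replay(second);
    auto it = replayed.headers.find("Authorization");
    return it == replayed.headers.end() ? std::string() : it->second;
}
```

With `fixed` set to false the model reproduces both cases in the log message: a changed header is ignored in favour of the stored one, and a request made without credentials is replayed with the stored credential.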



