[webkit-changes] [WebKit/WebKit] d933b2: HTTPS-Only should fail on an initial HTTP load and...

Matthew Finkel noreply at github.com
Tue Aug 22 16:14:06 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d933b28b5045856895963997211e3292aa94549b
      https://github.com/WebKit/WebKit/commit/d933b28b5045856895963997211e3292aa94549b
  Author: Matthew Finkel <sysrqb at apple.com>
  Date:   2023-08-22 (Tue, 22 Aug 2023)

  Changed paths:
    M Source/WebCore/en.lproj/Localizable.strings
    M Source/WebCore/loader/DocumentLoader.cpp
    M Source/WebCore/loader/EmptyClients.cpp
    M Source/WebCore/loader/EmptyFrameLoaderClient.h
    M Source/WebCore/loader/FrameLoader.cpp
    M Source/WebCore/loader/FrameLoader.h
    M Source/WebCore/loader/LocalFrameLoaderClient.h
    M Source/WebCore/loader/cache/CachedResourceLoader.cpp
    M Source/WebKit/Shared/API/APIError.h
    M Source/WebKit/Shared/WebErrors.cpp
    M Source/WebKit/Shared/WebErrors.h
    M Source/WebKit/UIProcess/API/Cocoa/WKErrorPrivate.h
    M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp
    M Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h
    M Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h
    M Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm

  Log Message:
  -----------
  HTTPS-Only should fail on an initial HTTP load and support redirects from https to http
https://bugs.webkit.org/show_bug.cgi?id=260221
rdar://problem/113989408

Reviewed by Alex Christensen.

HTTPS-Only expects that a request for an initial load should not require
upgrading from HTTP to HTTPS. If the load should use HTTPS, then the
application should request that scheme. Therefore, if an initial request is
HTTP then WebKit should fail the load after considering all other upgrade
options, including HSTS and content extensions. The existing implementation
incorrectly upgraded the request as a last resort. This patch changes that
behavior and introduces a new error type for this case. This patch also
modifies the relevant API test appropriately.

* Source/WebCore/en.lproj/Localizable.strings:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::loadMainResource):
* Source/WebCore/loader/EmptyClients.cpp:
(WebCore::EmptyFrameLoaderClient::httpsOnlyHTTPURLError const):
* Source/WebCore/loader/EmptyFrameLoaderClient.h:
* Source/WebCore/loader/FrameLoader.cpp:
(WebCore::FrameLoader::shouldUpgradeRequestforHTTPSOnly const):
(WebCore::FrameLoader::upgradeRequestforHTTPSOnlyIfNeeded const):
* Source/WebCore/loader/FrameLoader.h:
* Source/WebCore/loader/LocalFrameLoaderClient.h:
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource):
* Source/WebKit/Shared/API/APIError.h:
* Source/WebKit/Shared/WebErrors.cpp:
(WebKit::httpsOnlyHTTPURLError):
* Source/WebKit/Shared/WebErrors.h:
* Source/WebKit/UIProcess/API/Cocoa/WKErrorPrivate.h:
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.cpp:
(WebKit::WebLocalFrameLoaderClient::httpsOnlyHTTPURLError const):
* Source/WebKit/WebProcess/WebCoreSupport/WebLocalFrameLoaderClient.h:
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.h:
* Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::httpsUpgradeRedirectLoopError const):
(WebFrameLoaderClient::httpsOnlyHTTPURLError const):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/Navigation.mm:
(TEST):

Canonical link: https://commits.webkit.org/267156@main



