[webkit-changes] [WebKit/WebKit] ecefed: HSTS not partitioned for Fetch (according to priva...
youennf
noreply at github.com
Thu Jan 25 08:41:24 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: ecefed4aedd09fb161101c151d7b1faab025174e
https://github.com/WebKit/WebKit/commit/ecefed4aedd09fb161101c151d7b1faab025174e
Author: Youenn Fablet <youennf at gmail.com>
Date: 2024-01-25 (Thu, 25 Jan 2024)
Changed paths:
M Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
M Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm
Log Message:
-----------
HSTS not partitioned for Fetch (according to privacytests.org)
rdar://119047103
Reviewed by Alex Christensen.
When downgrading in WKNetworkSessionDelegate to not use HSTS, we were downgrading by creating the downgraded request and triggering a synthetic redirection.
Fetch is exposing whether a redirection is done via Response.redirected, and this includes synthetic redirections.
This allows a web page to query the HSTS global cache.
To prevent this, we directly downgrade the request and continue the load with the downgraded request.
We do not need the synthetic redirection since the downgraded request should be exactly the same as the initial request.
* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(downgradeRequest):
(-[WKNetworkSessionDelegate URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:]):
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm:
(TestWebKitAPI::TEST):
Originally-landed-as: 267815.612 at safari-7617-branch (61598c9bb40b). rdar://121480873
Canonical link: https://commits.webkit.org/273503@main