[webkit-changes] [WebKit/WebKit] ecefed: HSTS not partitioned for Fetch (according to priva...

youennf noreply at github.com
Thu Jan 25 08:41:24 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ecefed4aedd09fb161101c151d7b1faab025174e
      https://github.com/WebKit/WebKit/commit/ecefed4aedd09fb161101c151d7b1faab025174e
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2024-01-25 (Thu, 25 Jan 2024)

  Changed paths:
    M Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm
    M Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm

  Log Message:
  -----------
  HSTS not partitioned for Fetch (according to privacytests.org)
rdar://119047103

Reviewed by Alex Christensen.

When downgrading in WKNetworkSessionDelegate to not use HSTS, we were downgrading by creating the downgraded request and triggering a synthetic redirection.
Fetch is exposing whether a redirection is done via Response.redirected, and this includes synthetic redirections.
This allows a web page to query the HSTS global cache.

To prevent this, we directly downgrade the request and continue the load with the downgraded request.
We do not need the synthetic redirection since the downgraded request should be exactly the same as the initial request.

* Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:
(downgradeRequest):
(-[WKNetworkSessionDelegate URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:]):
(-[WKNetworkSessionDelegate URLSession:task:_schemeUpgraded:completionHandler:]):
* Tools/TestWebKitAPI/Tests/WebKitCocoa/HSTS.mm:
(TestWebKitAPI::TEST):

Originally-landed-as: 267815.612@safari-7617-branch (61598c9bb40b). rdar://121480873
Canonical link: https://commits.webkit.org/273503@main



