<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[173516] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/173516">173516</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2014-09-11 10:20:18 -0700 (Thu, 11 Sep 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>[WK2] Authentication dialog is displayed for cross-origin XHR
https://bugs.webkit.org/show_bug.cgi?id=131349
Patch by Youenn Fablet <youenn.fablet@crf.canon.fr> on 2014-09-11
Reviewed by Alexey Proskuryakov.
Source/WebCore:
* WebCore.exp.in: Export of isAllowedToAskUserForCredentials.
* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::isAllowedToAskUserForCredentials): Replacing clientCredentialPolicy method. Returns true if credentials can be requested to the user.
(WebCore::ResourceLoader::didReceiveAuthenticationChallenge): Updated to use isAllowedToAskUserForCredentials.
* loader/ResourceLoader.h: Removing clientCredentialPolicy method and adding isAllowedToAskUserForCredentials method.
Source/WebKit2:
Precomputing client credential policy in the Web Process before sending the resource load task to the Network Process.
* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::didReceiveAuthenticationChallenge): Added an ASSERT to ensure that credential policy is never set to DoNotAskClientForCrossOriginCredentials.
* WebProcess/Network/WebResourceLoadScheduler.cpp:
(WebKit::WebResourceLoadScheduler::scheduleLoad): Precomputing client credential policy to handle the case of cross-origin requests.
* WebProcess/Network/WebResourceLoader.cpp:
(WebKit::WebResourceLoader::willSendRequest): Added a TODO to check whether redirections need a specific handling.
LayoutTests:
* platform/mac-wk2/TestExpectations: Unskipped tests.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsplatformmacwk2TestExpectations">trunk/LayoutTests/platform/mac-wk2/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreWebCoreexpin">trunk/Source/WebCore/WebCore.exp.in</a></li>
<li><a href="#trunkSourceWebCoreloaderResourceLoadercpp">trunk/Source/WebCore/loader/ResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderResourceLoaderh">trunk/Source/WebCore/loader/ResourceLoader.h</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2NetworkProcessNetworkResourceLoadercpp">trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebKit2WebProcessNetworkWebResourceLoadSchedulercpp">trunk/Source/WebKit2/WebProcess/Network/WebResourceLoadScheduler.cpp</a></li>
<li><a href="#trunkSourceWebKit2WebProcessNetworkWebResourceLoadercpp">trunk/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/LayoutTests/ChangeLog 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -1,3 +1,12 @@
</span><ins>+2014-09-11 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
+ [WK2] Authentication dialog is displayed for cross-origin XHR
+ https://bugs.webkit.org/show_bug.cgi?id=131349
+
+ Reviewed by Alexey Proskuryakov.
+
+ * platform/mac-wk2/TestExpectations: Unskipped tests.
+
</ins><span class="cx"> 2014-09-11 Chris Fleizach <cfleizach@apple.com>
</span><span class="cx">
</span><span class="cx"> AX: Children inside a <legend> are not accessible
</span></span></pre></div>
<a id="trunkLayoutTestsplatformmacwk2TestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac-wk2/TestExpectations (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac-wk2/TestExpectations 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/LayoutTests/platform/mac-wk2/TestExpectations 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -341,10 +341,6 @@
</span><span class="cx">
</span><span class="cx"> webkit.org/b/127960 [ MountainLion ] http/tests/security/cross-origin-plugin-private-browsing-toggled.html [ Pass Failure ]
</span><span class="cx">
</span><del>-webkit.org/b/131349 http/tests/xmlhttprequest/access-control-preflight-credential-async.html [ Failure ]
-webkit.org/b/131349 http/tests/xmlhttprequest/cross-origin-no-authorization.html [ Failure ]
-webkit.org/b/131349 http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html [ Failure ]
-
</del><span class="cx"> webkit.org/b/134550 [ Mavericks ] http/tests/cache/iframe-304-crash.html [ Pass Failure ]
</span><span class="cx">
</span><span class="cx"> # Subpixel wrong cliprect on WK2
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebCore/ChangeLog 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2014-09-11 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
+ [WK2] Authentication dialog is displayed for cross-origin XHR
+ https://bugs.webkit.org/show_bug.cgi?id=131349
+
+ Reviewed by Alexey Proskuryakov.
+
+ * WebCore.exp.in: Export of isAllowedToAskUserForCredentials.
+ * loader/ResourceLoader.cpp:
+ (WebCore::ResourceLoader::isAllowedToAskUserForCredentials): Replacing clientCredentialPolicy method. Returns true if credentials can be requested to the user.
+ (WebCore::ResourceLoader::didReceiveAuthenticationChallenge): Updated to use isAllowedToAskUserForCredentials.
+ * loader/ResourceLoader.h: Removing clientCredentialPolicy method and adding isAllowedToAskUserForCredentials method.
+
</ins><span class="cx"> 2014-09-11 Chris Fleizach <cfleizach@apple.com>
</span><span class="cx">
</span><span class="cx"> AX: Children inside a <legend> are not accessible
</span></span></pre></div>
<a id="trunkSourceWebCoreWebCoreexpin"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.exp.in (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.exp.in 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebCore/WebCore.exp.in 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -1693,6 +1693,7 @@
</span><span class="cx"> __ZNK7WebCore14ResourceBuffer7isEmptyEv
</span><span class="cx"> __ZNK7WebCore14ResourceHandle10connectionEv
</span><span class="cx"> __ZNK7WebCore14ResourceLoader11frameLoaderEv
</span><ins>+__ZNK7WebCore14ResourceLoader32isAllowedToAskUserForCredentialsEv
</ins><span class="cx"> __ZNK7WebCore14ScrollableArea13scrolledToTopEv
</span><span class="cx"> __ZNK7WebCore14ScrollableArea14scrollAnimatorEv
</span><span class="cx"> __ZNK7WebCore14ScrollableArea14scrolledToLeftEv
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ResourceLoader.cpp (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ResourceLoader.cpp 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebCore/loader/ResourceLoader.cpp 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -538,6 +538,11 @@
</span><span class="cx"> return frameLoader()->client().shouldUseCredentialStorage(documentLoader(), identifier());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ResourceLoader::isAllowedToAskUserForCredentials() const
+{
+ return m_options.clientCredentialPolicy() == AskClientForAllCredentials || (m_options.clientCredentialPolicy() == DoNotAskClientForCrossOriginCredentials && m_frame->document()->securityOrigin()->canRequest(originalRequest().url()));
+}
+
</ins><span class="cx"> void ResourceLoader::didReceiveAuthenticationChallenge(const AuthenticationChallenge& challenge)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_handle->hasAuthenticationChallenge());
</span><span class="lines">@@ -547,7 +552,7 @@
</span><span class="cx"> Ref<ResourceLoader> protect(*this);
</span><span class="cx">
</span><span class="cx"> if (m_options.allowCredentials() == AllowStoredCredentials) {
</span><del>- if (m_options.clientCredentialPolicy() == AskClientForAllCredentials || (m_options.clientCredentialPolicy() == DoNotAskClientForCrossOriginCredentials && m_frame->document()->securityOrigin()->canRequest(originalRequest().url()))) {
</del><ins>+ if (isAllowedToAskUserForCredentials()) {
</ins><span class="cx"> frameLoader()->notifier().didReceiveAuthenticationChallenge(this, challenge);
</span><span class="cx"> return;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderResourceLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ResourceLoader.h (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ResourceLoader.h 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebCore/loader/ResourceLoader.h 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -122,10 +122,11 @@
</span><span class="cx"> bool shouldSendResourceLoadCallbacks() const { return m_options.sendLoadCallbacks() == SendCallbacks; }
</span><span class="cx"> void setSendCallbackPolicy(SendCallbackPolicy sendLoadCallbacks) { m_options.setSendLoadCallbacks(sendLoadCallbacks); }
</span><span class="cx"> bool shouldSniffContent() const { return m_options.sniffContent() == SniffContent; }
</span><del>- ClientCredentialPolicy clientCredentialPolicy() const { return m_options.clientCredentialPolicy(); }
</del><ins>+ WEBCORE_EXPORT bool isAllowedToAskUserForCredentials() const;
</ins><span class="cx">
</span><span class="cx"> bool reachedTerminalState() const { return m_reachedTerminalState; }
</span><span class="cx">
</span><ins>+
</ins><span class="cx"> const ResourceRequest& request() const { return m_request; }
</span><span class="cx">
</span><span class="cx"> void setDataBufferingPolicy(DataBufferingPolicy);
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebKit2/ChangeLog 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -1,3 +1,19 @@
</span><ins>+2014-09-11 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
+ [WK2] Authentication dialog is displayed for cross-origin XHR
+ https://bugs.webkit.org/show_bug.cgi?id=131349
+
+ Reviewed by Alexey Proskuryakov.
+
+ Precomputing client credential policy in the Web Process before sending the resource load task to the Network Process.
+
+ * NetworkProcess/NetworkResourceLoader.cpp:
+ (WebKit::NetworkResourceLoader::didReceiveAuthenticationChallenge): Added an ASSERT to ensure that credential policy is never set to DoNotAskClientForCrossOriginCredentials.
+ * WebProcess/Network/WebResourceLoadScheduler.cpp:
+ (WebKit::WebResourceLoadScheduler::scheduleLoad): Precomputing client credential policy to handle the case of cross-origin requests.
+ * WebProcess/Network/WebResourceLoader.cpp:
+ (WebKit::WebResourceLoader::willSendRequest): Added a TODO to check whether redirections need a specific handling.
+
</ins><span class="cx"> 2014-09-11 Carlos Garcia Campos <cgarcia@igalia.com>
</span><span class="cx">
</span><span class="cx"> [GTK] Merge WebKitAuthenticationWidget into WebKitAuthenticationDialog
</span></span></pre></div>
<a id="trunkSourceWebKit2NetworkProcessNetworkResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -357,10 +357,9 @@
</span><span class="cx"> void NetworkResourceLoader::didReceiveAuthenticationChallenge(ResourceHandle* handle, const AuthenticationChallenge& challenge)
</span><span class="cx"> {
</span><span class="cx"> ASSERT_UNUSED(handle, handle == m_handle);
</span><ins>+ // NetworkResourceLoader does not know whether the request is cross origin, so Web process computes an applicable credential policy for it.
+ ASSERT(m_parameters.clientCredentialPolicy != DoNotAskClientForCrossOriginCredentials);
</ins><span class="cx">
</span><del>- // FIXME (http://webkit.org/b/115291): Since we go straight to the UI process for authentication we don't get WebCore's
- // cross-origin check before asking the client for credentials.
- // Therefore we are too permissive in the case where the ClientCredentialPolicy is DoNotAskClientForCrossOriginCredentials.
</del><span class="cx"> if (m_parameters.clientCredentialPolicy == DoNotAskClientForAnyCredentials) {
</span><span class="cx"> challenge.authenticationClient()->receivedRequestToContinueWithoutCredential(challenge);
</span><span class="cx"> return;
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessNetworkWebResourceLoadSchedulercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/Network/WebResourceLoadScheduler.cpp (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/Network/WebResourceLoadScheduler.cpp 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebKit2/WebProcess/Network/WebResourceLoadScheduler.cpp 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -169,7 +169,7 @@
</span><span class="cx"> loadParameters.contentSniffingPolicy = contentSniffingPolicy;
</span><span class="cx"> loadParameters.allowStoredCredentials = allowStoredCredentials;
</span><span class="cx"> // If there is no WebFrame then this resource cannot be authenticated with the client.
</span><del>- loadParameters.clientCredentialPolicy = (webFrame && webPage) ? resourceLoader->clientCredentialPolicy() : DoNotAskClientForAnyCredentials;
</del><ins>+ loadParameters.clientCredentialPolicy = (webFrame && webPage && resourceLoader->isAllowedToAskUserForCredentials()) ? AskClientForAllCredentials : DoNotAskClientForAnyCredentials;
</ins><span class="cx"> loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect;
</span><span class="cx"> loadParameters.isMainResource = resource && resource->type() == CachedResource::MainResource;
</span><span class="cx"> loadParameters.defersLoading = resourceLoader->defersLoading();
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessNetworkWebResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp (173515 => 173516)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp 2014-09-11 16:13:23 UTC (rev 173515)
+++ trunk/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp 2014-09-11 17:20:18 UTC (rev 173516)
</span><span class="lines">@@ -89,6 +89,7 @@
</span><span class="cx"> ResourceRequest newRequest = proposedRequest;
</span><span class="cx"> if (m_coreLoader->documentLoader()->applicationCacheHost()->maybeLoadFallbackForRedirect(m_coreLoader.get(), newRequest, redirectResponse))
</span><span class="cx"> return;
</span><ins>+ // FIXME: Do we need to update NetworkResourceLoader clientCredentialPolicy in case loader policy is DoNotAskClientForCrossOriginCredentials?
</ins><span class="cx"> m_coreLoader->willSendRequest(newRequest, redirectResponse);
</span><span class="cx">
</span><span class="cx"> if (!m_coreLoader)
</span></span></pre>
</div>
</div>
</body>
</html>