<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[206009] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/206009">206009</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2016-09-16 00:33:44 -0700 (Fri, 16 Sep 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>[Fetch API] Referrer and Origin header should not be considered as safe request headers
https://bugs.webkit.org/show_bug.cgi?id=161902
Patch by Youenn Fablet <youenn@apple.com> on 2016-09-16
Reviewed by Sam Weinig.
LayoutTests/imported/w3c:
* web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt:
* web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt:
* web-platform-tests/fetch/api/cors/cors-preflight-referrer.js:
(corsPreflightReferrer): Adding check of the preflight Access-Control-Request-Headers header value.
Added new tests to check for non-default referrer values.
Source/WebCore:
Test: http/tests/fetch/fetch-cors-with-referrer.html and updated WPT tests.
Removing Origin and Referrer from safe request headers.
Making referrer header setting after preflight for fetch API code path.
Ensuring that no ThreadableLoader client sets Origin or Referrer headers of the ResourceRequest, as they should use the proper mechanisms for that.
Handling no-referrer referrer special value by setting the referrer-policy to NoReferrer in FetchLoader.
* Modules/fetch/FetchLoader.cpp:
(WebCore::FetchLoader::start): Computing referrer value and handling special "client"and "no-referrer" cases.
Passing the value directly to ThreadableLoader.
* Modules/fetch/FetchRequest.cpp:
(WebCore::FetchRequest::internalRequest): Removing setting of ResourceRequest referrer header.
(WebCore::FetchRequest::clone): Removing obsolete FIXME.
* Modules/fetch/FetchRequest.h:
* loader/CrossOriginAccessControl.cpp:
(WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): Removing Origin and Referrer headers.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::create): Updated to take a referrer as parameter.
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.
* loader/DocumentThreadableLoader.h: Ditto.
* loader/ThreadableLoader.cpp: Ditto.
(WebCore::ThreadableLoader::create): Ditto.
* loader/ThreadableLoader.h: Ditto.
* loader/WorkerThreadableLoader.cpp: Ditto.
(WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Ditto.
(WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto.
* loader/WorkerThreadableLoader.h: Ditto.
(WebCore::WorkerThreadableLoader::create): Ditto.
* platform/network/ResourceRequestBase.cpp:
(WebCore::ResourceRequestBase::hasHTTPReferrer): Added to enable asserting that no threadable loader client sets the referrer in the request.
* platform/network/ResourceRequestBase.h:
LayoutTests:
* http/tests/fetch/fetch-cors-with-referrer-expected.txt: Added.
* http/tests/fetch/fetch-cors-with-referrer.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsimportedw3cChangeLog">trunk/LayoutTests/imported/w3c/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorspreflightreferrerexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorspreflightreferrerworkerexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorspreflightreferrerjs">trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreModulesfetchFetchLoadercpp">trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreModulesfetchFetchRequestcpp">trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp</a></li>
<li><a href="#trunkSourceWebCoreModulesfetchFetchRequesth">trunk/Source/WebCore/Modules/fetch/FetchRequest.h</a></li>
<li><a href="#trunkSourceWebCoreloaderCrossOriginAccessControlcpp">trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoadercpp">trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoaderh">trunk/Source/WebCore/loader/DocumentThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderThreadableLoadercpp">trunk/Source/WebCore/loader/ThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderThreadableLoaderh">trunk/Source/WebCore/loader/ThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderWorkerThreadableLoadercpp">trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderWorkerThreadableLoaderh">trunk/Source/WebCore/loader/WorkerThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkResourceRequestBasecpp">trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkResourceRequestBaseh">trunk/Source/WebCore/platform/network/ResourceRequestBase.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestsfetchfetchcorswithreferrerexpectedtxt">trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsfetchfetchcorswithreferrerhtml">trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/ChangeLog 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -1,3 +1,13 @@
</span><ins>+2016-09-16 Youenn Fablet <youenn@apple.com>
+
+ [Fetch API] Referrer and Origin header should not be considered as safe request headers
+ https://bugs.webkit.org/show_bug.cgi?id=161902
+
+ Reviewed by Sam Weinig.
+
+ * http/tests/fetch/fetch-cors-with-referrer-expected.txt: Added.
+ * http/tests/fetch/fetch-cors-with-referrer.html: Added.
+
</ins><span class="cx"> 2016-09-13 Jer Noble <jer.noble@apple.com>
</span><span class="cx">
</span><span class="cx"> [media-source] web-platform-test/media-source/mediasource-remove.html test failing
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsfetchfetchcorswithreferrerexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt (0 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer-expected.txt 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS Ensure setting a referrer does not cause preflighting
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsfetchfetchcorswithreferrerhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html (0 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html (rev 0)
+++ trunk/LayoutTests/http/tests/fetch/fetch-cors-with-referrer.html 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+<!doctype html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Fetching a cross origin resource with a given referrer</title>
+ <script src="/resources/testharness.js"></script>
+ <script src="/resources/testharnessreport.js"></script>
+ </head>
+ <body>
+ <script>
+promise_test(function(t) {
+ var url = "http://localhost:8000/resources/download-json-with-delay.php?iteration=1&delay=1&cors=true";
+ return fetch(url, {"mode": "cors", "referrer": "http://127.0.0.1:8000/referrer"}).then((response) => {
+ assert_equals(response.type, "cors");
+ return response.arrayBuffer().then((arrayBuffer) => {
+ assert_true(arrayBuffer.byteLength > 0);
+ });
+ });
+}, 'Ensure setting a referrer does not cause preflighting');
+ </script>
+ </body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsimportedw3cChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/ChangeLog (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/ChangeLog 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-09-16 Youenn Fablet <youenn@apple.com>
+
+ [Fetch API] Referrer and Origin header should not be considered as safe request headers
+ https://bugs.webkit.org/show_bug.cgi?id=161902
+
+ Reviewed by Sam Weinig.
+
+ * web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt:
+ * web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt:
+ * web-platform-tests/fetch/api/cors/cors-preflight-referrer.js:
+ (corsPreflightReferrer): Adding check of the preflight Access-Control-Request-Headers header value.
+ Added new tests to check for non-default referrer values.
+
</ins><span class="cx"> 2016-09-14 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> Add support hr.color IDL attribute
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorspreflightreferrerexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-expected.txt 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -1,7 +1,12 @@
</span><span class="cx">
</span><del>-PASS Referrer policy: no-referrer
-PASS Referrer policy: ""
-PASS Referrer policy: origin
-PASS Referrer policy: origin-when-cross-origin
-PASS Referrer policy: unsafe-url
</del><ins>+PASS Referrer policy: no-referrer ('myreferrer' referrer)
+PASS Referrer policy: no-referrer (default referrer)
+PASS Referrer policy: "" ('myreferrer' referrer)
+PASS Referrer policy: "" (default referrer)
+PASS Referrer policy: origin ('myreferrer' referrer)
+PASS Referrer policy: origin (default referrer)
+PASS Referrer policy: origin-when-cross-origin ('myreferrer' referrer)
+PASS Referrer policy: origin-when-cross-origin (default referrer)
+PASS Referrer policy: unsafe-url ('myreferrer' referrer)
+PASS Referrer policy: unsafe-url (default referrer)
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorspreflightreferrerworkerexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer-worker-expected.txt 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -1,7 +1,12 @@
</span><span class="cx">
</span><del>-PASS Referrer policy: no-referrer
-PASS Referrer policy: ""
-PASS Referrer policy: origin
-PASS Referrer policy: origin-when-cross-origin
-PASS Referrer policy: unsafe-url
</del><ins>+PASS Referrer policy: no-referrer ('myreferrer' referrer)
+PASS Referrer policy: no-referrer (default referrer)
+PASS Referrer policy: "" ('myreferrer' referrer)
+PASS Referrer policy: "" (default referrer)
+PASS Referrer policy: origin ('myreferrer' referrer)
+PASS Referrer policy: origin (default referrer)
+PASS Referrer policy: origin-when-cross-origin ('myreferrer' referrer)
+PASS Referrer policy: origin-when-cross-origin (default referrer)
+PASS Referrer policy: unsafe-url ('myreferrer' referrer)
+PASS Referrer policy: unsafe-url (default referrer)
</ins><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestsfetchapicorscorspreflightreferrerjs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-referrer.js 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -5,12 +5,15 @@
</span><span class="cx"> importScripts("../resources/utils.js");
</span><span class="cx"> }
</span><span class="cx">
</span><del>-function corsPreflightReferrer(desc, corsUrl, referrerPolicy, expectedReferrer) {
</del><ins>+function corsPreflightReferrer(desc, corsUrl, referrerPolicy, referrer, expectedReferrer) {
</ins><span class="cx"> var uuid_token = token();
</span><span class="cx"> var url = corsUrl;
</span><span class="cx"> var urlParameters = "?token=" + uuid_token + "&max_age=0";
</span><span class="cx"> var requestInit = {"mode": "cors", "referrerPolicy": referrerPolicy};
</span><span class="cx">
</span><ins>+ if (referrer)
+ requestInit.referrer = referrer;
+
</ins><span class="cx"> /* Force preflight */
</span><span class="cx"> requestInit["headers"] = {"x-force-preflight": ""};
</span><span class="cx"> urlParameters += "&allow_headers=x-force-preflight";
</span><span class="lines">@@ -23,19 +26,27 @@
</span><span class="cx"> assert_equals(resp.headers.get("x-did-preflight"), "1", "Preflight request has been made");
</span><span class="cx"> assert_equals(resp.headers.get("x-preflight-referrer"), expectedReferrer, "Preflight's referrer is correct");
</span><span class="cx"> assert_equals(resp.headers.get("x-referrer"), expectedReferrer, "Request's referrer is correct");
</span><ins>+ assert_equals(resp.headers.get("x-control-request-headers"), "", "Access-Control-Allow-Headers value");
</ins><span class="cx"> });
</span><span class="cx"> });
</span><del>- }, desc);
</del><ins>+ }, desc + (referrer ? " (default referrer)" : " ('myreferrer' referrer)"));
</ins><span class="cx"> }
</span><del>-
</del><span class="cx"> var corsUrl = get_host_info().HTTP_REMOTE_ORIGIN + dirname(location.pathname) + RESOURCES_DIR + "preflight.py";
</span><span class="cx"> var origin = get_host_info().HTTP_ORIGIN + "/";
</span><span class="cx">
</span><del>-corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", "");
-corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", location.toString())
</del><ins>+corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", undefined, "");
+corsPreflightReferrer("Referrer policy: no-referrer", corsUrl, "no-referrer", "myreferrer", "");
</ins><span class="cx">
</span><del>-corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", origin);
-corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", origin);
-corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", location.toString());
</del><ins>+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", undefined, location.toString())
+corsPreflightReferrer("Referrer policy: \"\"", corsUrl, "", "myreferrer", new URL("myreferrer", location).toString());
</ins><span class="cx">
</span><ins>+corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", undefined, origin);
+corsPreflightReferrer("Referrer policy: origin", corsUrl, "origin", "myreferrer", origin);
+
+corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", undefined, origin);
+corsPreflightReferrer("Referrer policy: origin-when-cross-origin", corsUrl, "origin-when-cross-origin", "myreferrer", origin);
+
+corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", undefined, location.toString());
+corsPreflightReferrer("Referrer policy: unsafe-url", corsUrl, "unsafe-url", "myreferrer", new URL("myreferrer", location).toString());
+
</ins><span class="cx"> done();
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/ChangeLog 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2016-09-16 Youenn Fablet <youenn@apple.com>
+
+ [Fetch API] Referrer and Origin header should not be considered as safe request headers
+ https://bugs.webkit.org/show_bug.cgi?id=161902
+
+ Reviewed by Sam Weinig.
+
+ Test: http/tests/fetch/fetch-cors-with-referrer.html and updated WPT tests.
+
+ Removing Origin and Referrer from safe request headers.
+ Making referrer header setting after preflight for fetch API code path.
+
+ Ensuring that no ThreadableLoader client sets Origin or Referrer headers of the ResourceRequest, as they should use the proper mechanisms for that.
+
+ Handling no-referrer referrer special value by setting the referrer-policy to NoReferrer in FetchLoader.
+
+ * Modules/fetch/FetchLoader.cpp:
+ (WebCore::FetchLoader::start): Computing referrer value and handling special "client"and "no-referrer" cases.
+ Passing the value directly to ThreadableLoader.
+ * Modules/fetch/FetchRequest.cpp:
+ (WebCore::FetchRequest::internalRequest): Removing setting of ResourceRequest referrer header.
+ (WebCore::FetchRequest::clone): Removing obsolete FIXME.
+ * Modules/fetch/FetchRequest.h:
+ * loader/CrossOriginAccessControl.cpp:
+ (WebCore::isOnAccessControlSimpleRequestHeaderWhitelist): Removing Origin and Referrer headers.
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::create): Updated to take a referrer as parameter.
+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Ditto.
+ * loader/DocumentThreadableLoader.h: Ditto.
+ * loader/ThreadableLoader.cpp: Ditto.
+ (WebCore::ThreadableLoader::create): Ditto.
+ * loader/ThreadableLoader.h: Ditto.
+ * loader/WorkerThreadableLoader.cpp: Ditto.
+ (WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Ditto.
+ (WebCore::WorkerThreadableLoader::loadResourceSynchronously): Ditto.
+ * loader/WorkerThreadableLoader.h: Ditto.
+ (WebCore::WorkerThreadableLoader::create): Ditto.
+ * platform/network/ResourceRequestBase.cpp:
+ (WebCore::ResourceRequestBase::hasHTTPReferrer): Added to enable asserting that no threadable loader client sets the referrer in the request.
+ * platform/network/ResourceRequestBase.h:
+
</ins><span class="cx"> 2016-09-15 Dave Hyatt <hyatt@apple.com>
</span><span class="cx">
</span><span class="cx"> [CSS Parser] Get CSSParserFastPaths.cpp compiling
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesfetchFetchLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -92,7 +92,14 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options);
</del><ins>+ String referrer = request.internalRequestReferrer();
+ if (referrer == "no-referrer") {
+ options.referrerPolicy = FetchOptions::ReferrerPolicy::NoReferrer;
+ referrer = String();
+ } else
+ referrer = (referrer == "client") ? context.url().strippedForUseAsReferrer() : URL(context.url(), referrer).strippedForUseAsReferrer();
+
+ m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options, WTFMove(referrer));
</ins><span class="cx"> m_isStarted = m_loader;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesfetchFetchRequestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/Modules/fetch/FetchRequest.cpp 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -304,10 +304,6 @@
</span><span class="cx"> request.setHTTPHeaderFields(m_headers->internalHeaders());
</span><span class="cx"> request.setHTTPBody(body().bodyForInternalRequest(*scriptExecutionContext()));
</span><span class="cx">
</span><del>- // FIXME: Support no-referrer and client. Ensure this case-sensitive comparison is ok.
- if (m_internalRequest.referrer != "no-referrer" && m_internalRequest.referrer != "client")
- request.setHTTPReferrer(URL(URL(), m_internalRequest.referrer).strippedForUseAsReferrer());
-
</del><span class="cx"> return request;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -318,7 +314,6 @@
</span><span class="cx"> return nullptr;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // FIXME: Validate body teeing.
</del><span class="cx"> return adoptRef(*new FetchRequest(context, FetchBody(m_body), FetchHeaders::create(m_headers.get()), FetchRequest::InternalRequest(m_internalRequest)));
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesfetchFetchRequesth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/fetch/FetchRequest.h (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/fetch/FetchRequest.h 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/Modules/fetch/FetchRequest.h 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -92,6 +92,8 @@
</span><span class="cx"> const FetchOptions& fetchOptions() const { return m_internalRequest.options; }
</span><span class="cx"> ResourceRequest internalRequest() const;
</span><span class="cx">
</span><ins>+ const String& internalRequestReferrer() const { return m_internalRequest.referrer; }
+
</ins><span class="cx"> private:
</span><span class="cx"> FetchRequest(ScriptExecutionContext&, FetchBody&&, Ref<FetchHeaders>&&, InternalRequest&&);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderCrossOriginAccessControlcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -51,8 +51,6 @@
</span><span class="cx"> case HTTPHeaderName::Accept:
</span><span class="cx"> case HTTPHeaderName::AcceptLanguage:
</span><span class="cx"> case HTTPHeaderName::ContentLanguage:
</span><del>- case HTTPHeaderName::Origin:
- case HTTPHeaderName::Referer:
</del><span class="cx"> return true;
</span><span class="cx"> case HTTPHeaderName::ContentType: {
</span><span class="cx"> // Preflight is required for MIME types that can not be sent via form submission.
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -76,9 +76,9 @@
</span><span class="cx"> return loader;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-RefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options)
</del><ins>+RefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options, String&& referrer)
</ins><span class="cx"> {
</span><del>- return create(document, client, WTFMove(request), options, nullptr, nullptr, String());
</del><ins>+ return create(document, client, WTFMove(request), options, nullptr, nullptr, WTFMove(referrer));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, ResourceRequest&& request, const ThreadableLoaderOptions& options, RefPtr<SecurityOrigin>&& origin, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy, String&& referrer)
</span><span class="lines">@@ -92,9 +92,12 @@
</span><span class="cx"> , m_async(blockingBehavior == LoadAsynchronously)
</span><span class="cx"> , m_contentSecurityPolicy(WTFMove(contentSecurityPolicy))
</span><span class="cx"> {
</span><del>- // Setting an outgoing referer is only supported in the async code path.
- ASSERT(m_async || request.httpReferrer().isEmpty());
</del><ins>+ // Setting a referrer header is only supported in the async code path.
+ ASSERT(m_async || m_referrer.isEmpty());
</ins><span class="cx">
</span><ins>+ // Referrer and Origin headers should be set after the preflight if any.
+ ASSERT(!request.hasHTTPReferrer() && !request.hasHTTPOrigin());
+
</ins><span class="cx"> ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url()));
</span><span class="cx">
</span><span class="cx"> m_options.allowCredentials = (m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_sameOriginRequest)) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -49,7 +49,7 @@
</span><span class="cx"> static void loadResourceSynchronously(Document&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
</span><span class="cx">
</span><span class="cx"> static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, RefPtr<SecurityOrigin>&&, std::unique_ptr<ContentSecurityPolicy>&&, String&& referrer);
</span><del>- static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&);
</del><ins>+ static RefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, String&& referrer = String());
</ins><span class="cx">
</span><span class="cx"> virtual ~DocumentThreadableLoader();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ThreadableLoader.cpp (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ThreadableLoader.cpp 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/ThreadableLoader.cpp 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -59,12 +59,12 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-RefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext& context, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options)
</del><ins>+RefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext& context, ThreadableLoaderClient& client, ResourceRequest&& request, const ThreadableLoaderOptions& options, String&& referrer)
</ins><span class="cx"> {
</span><span class="cx"> if (is<WorkerGlobalScope>(context))
</span><del>- return WorkerThreadableLoader::create(downcast<WorkerGlobalScope>(context), client, WorkerRunLoop::defaultMode(), WTFMove(request), options);
</del><ins>+ return WorkerThreadableLoader::create(downcast<WorkerGlobalScope>(context), client, WorkerRunLoop::defaultMode(), WTFMove(request), options, referrer);
</ins><span class="cx">
</span><del>- return DocumentThreadableLoader::create(downcast<Document>(context), client, WTFMove(request), options);
</del><ins>+ return DocumentThreadableLoader::create(downcast<Document>(context), client, WTFMove(request), options, WTFMove(referrer));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ThreadableLoader::loadResourceSynchronously(ScriptExecutionContext& context, ResourceRequest&& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options)
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ThreadableLoader.h (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ThreadableLoader.h 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/ThreadableLoader.h 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -80,7 +80,7 @@
</span><span class="cx"> WTF_MAKE_NONCOPYABLE(ThreadableLoader);
</span><span class="cx"> public:
</span><span class="cx"> static void loadResourceSynchronously(ScriptExecutionContext&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
</span><del>- static RefPtr<ThreadableLoader> create(ScriptExecutionContext&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&);
</del><ins>+ static RefPtr<ThreadableLoader> create(ScriptExecutionContext&, ThreadableLoaderClient&, ResourceRequest&&, const ThreadableLoaderOptions&, String&& referrer = String());
</ins><span class="cx">
</span><span class="cx"> virtual void cancel() = 0;
</span><span class="cx"> void ref() { refThreadableLoader(); }
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderWorkerThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -50,10 +50,10 @@
</span><span class="cx">
</span><span class="cx"> static const char loadResourceSynchronouslyMode[] = "loadResourceSynchronouslyMode";
</span><span class="cx">
</span><del>-WorkerThreadableLoader::WorkerThreadableLoader(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options)
</del><ins>+WorkerThreadableLoader::WorkerThreadableLoader(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options, const String& referrer)
</ins><span class="cx"> : m_workerGlobalScope(workerGlobalScope)
</span><span class="cx"> , m_workerClientWrapper(ThreadableLoaderClientWrapper::create(client))
</span><del>- , m_bridge(*new MainThreadBridge(m_workerClientWrapper.get(), workerGlobalScope.thread().workerLoaderProxy(), taskMode, WTFMove(request), options, workerGlobalScope.url().strippedForUseAsReferrer(), workerGlobalScope.securityOrigin(), workerGlobalScope.contentSecurityPolicy()))
</del><ins>+ , m_bridge(*new MainThreadBridge(m_workerClientWrapper.get(), workerGlobalScope.thread().workerLoaderProxy(), taskMode, WTFMove(request), options, referrer.isEmpty() ? workerGlobalScope.url().strippedForUseAsReferrer() : referrer, workerGlobalScope.securityOrigin(), workerGlobalScope.contentSecurityPolicy()))
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -70,7 +70,7 @@
</span><span class="cx"> String mode = loadResourceSynchronouslyMode;
</span><span class="cx"> mode.append(String::number(runLoop.createUniqueId()));
</span><span class="cx">
</span><del>- RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerGlobalScope, client, mode, WTFMove(request), options);
</del><ins>+ RefPtr<WorkerThreadableLoader> loader = WorkerThreadableLoader::create(workerGlobalScope, client, mode, WTFMove(request), options, String());
</ins><span class="cx"> MessageQueueWaitResult result = MessageQueueMessageReceived;
</span><span class="cx"> while (!loader->done() && result != MessageQueueTerminated)
</span><span class="cx"> result = runLoop.runInMode(&workerGlobalScope, mode);
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderWorkerThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.h (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/WorkerThreadableLoader.h 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.h 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -50,9 +50,9 @@
</span><span class="cx"> WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><span class="cx"> static void loadResourceSynchronously(WorkerGlobalScope&, ResourceRequest&&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
</span><del>- static Ref<WorkerThreadableLoader> create(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options)
</del><ins>+ static Ref<WorkerThreadableLoader> create(WorkerGlobalScope& workerGlobalScope, ThreadableLoaderClient& client, const String& taskMode, ResourceRequest&& request, const ThreadableLoaderOptions& options, const String& referrer)
</ins><span class="cx"> {
</span><del>- return adoptRef(*new WorkerThreadableLoader(workerGlobalScope, client, taskMode, WTFMove(request), options));
</del><ins>+ return adoptRef(*new WorkerThreadableLoader(workerGlobalScope, client, taskMode, WTFMove(request), options, referrer));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ~WorkerThreadableLoader();
</span><span class="lines">@@ -120,7 +120,7 @@
</span><span class="cx"> String m_taskMode;
</span><span class="cx"> };
</span><span class="cx">
</span><del>- WorkerThreadableLoader(WorkerGlobalScope&, ThreadableLoaderClient&, const String& taskMode, ResourceRequest&&, const ThreadableLoaderOptions&);
</del><ins>+ WorkerThreadableLoader(WorkerGlobalScope&, ThreadableLoaderClient&, const String& taskMode, ResourceRequest&&, const ThreadableLoaderOptions&, const String& referrer);
</ins><span class="cx">
</span><span class="cx"> Ref<WorkerGlobalScope> m_workerGlobalScope;
</span><span class="cx"> Ref<ThreadableLoaderClientWrapper> m_workerClientWrapper;
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkResourceRequestBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/platform/network/ResourceRequestBase.cpp 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -288,6 +288,11 @@
</span><span class="cx"> return httpHeaderField(HTTPHeaderName::Referer);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ResourceRequestBase::hasHTTPReferrer() const
+{
+ return m_httpHeaderFields.contains(HTTPHeaderName::Referer);
+}
+
</ins><span class="cx"> void ResourceRequestBase::setHTTPReferrer(const String& httpReferrer)
</span><span class="cx"> {
</span><span class="cx"> setHTTPHeaderField(HTTPHeaderName::Referer, httpReferrer);
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkResourceRequestBaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/ResourceRequestBase.h (206008 => 206009)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/ResourceRequestBase.h 2016-09-16 00:56:14 UTC (rev 206008)
+++ trunk/Source/WebCore/platform/network/ResourceRequestBase.h 2016-09-16 07:33:44 UTC (rev 206009)
</span><span class="lines">@@ -98,6 +98,7 @@
</span><span class="cx"> void clearHTTPContentType();
</span><span class="cx">
</span><span class="cx"> WEBCORE_EXPORT String httpReferrer() const;
</span><ins>+ bool hasHTTPReferrer() const;
</ins><span class="cx"> WEBCORE_EXPORT void setHTTPReferrer(const String&);
</span><span class="cx"> WEBCORE_EXPORT void clearHTTPReferrer();
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>