<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[213126] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/213126">213126</a></dd>
<dt>Author</dt> <dd>achristensen@apple.com</dd>
<dt>Date</dt> <dd>2017-02-28 00:30:44 -0800 (Tue, 28 Feb 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Main resource requests need cachePartition
https://bugs.webkit.org/show_bug.cgi?id=168806
Source/WebCore:

&lt;rdar://30639764&gt;

Reviewed by Brady Eidson.

Test: http/tests/security/credentials-main-resource.html

<a href="http://trac.webkit.org/projects/webkit/changeset/211751">r211751</a> caused an unintended regression on pages whose main resource is protected
by basic authentication.  We were not setting the cache partition for main resource
requests, and we use the cache partition now for credentials, so the credentials for
the main resource were not being put into a partition in the CredentialStorage that
would not be used for subresources of the page, whose requests had the correct partition
for the domain of the page.  This caused users to have to enter their credentials twice,
once for the main resource and once for any subresources.  This is fixed by using the
domain from the main resource request as the cache partition.  Elsewhere the Document is
used to get the cache partition, but there is no Document yet when requesting the main resource.

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource):
Set the cache partition for the main resource loads based on the SecurityOrigin of the
initial request if we are loading the main resource for a new top document.  If the main resource
request is redirected, then we will still use the partition of the initial request because that is
what the user requested and that is where the user entered the credentials.
* loader/cache/CachedResourceLoader.h:
* loader/cache/CachedResourceRequest.cpp:
(WebCore::CachedResourceRequest::setDomainForCachePartition):
* loader/cache/CachedResourceRequest.h:

Source/WebKit2:


Reviewed by Brady Eidson.

* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::continueWillSendRequest):

LayoutTests:


Reviewed by Brady Eidson.

* http/tests/security/credentials-main-resource-expected.txt: Added.
* http/tests/security/credentials-main-resource.html: Added.
* http/tests/security/resources/credentials-main-resource.php: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentLoadercpp">trunk/Source/WebCore/loader/DocumentLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoaderh">trunk/Source/WebCore/loader/cache/CachedResourceLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceRequestcpp">trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceRequesth">trunk/Source/WebCore/loader/cache/CachedResourceRequest.h</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2NetworkProcessNetworkResourceLoadercpp">trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycredentialsmainresourceexpectedtxt">trunk/LayoutTests/http/tests/security/credentials-main-resource-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycredentialsmainresourcehtml">trunk/LayoutTests/http/tests/security/credentials-main-resource.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityresourcescredentialsmainresourcephp">trunk/LayoutTests/http/tests/security/resources/credentials-main-resource.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/LayoutTests/ChangeLog        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -1,5 +1,16 @@
</span><span class="cx"> 2017-02-28  Alex Christensen  &lt;achristensen@webkit.org&gt;
</span><span class="cx"> 
</span><ins>+        Main resource requests need cachePartition
+        https://bugs.webkit.org/show_bug.cgi?id=168806
+
+        Reviewed by Brady Eidson.
+
+        * http/tests/security/credentials-main-resource-expected.txt: Added.
+        * http/tests/security/credentials-main-resource.html: Added.
+        * http/tests/security/resources/credentials-main-resource.php: Added.
+
+2017-02-28  Alex Christensen  &lt;achristensen@webkit.org&gt;
+
</ins><span class="cx">         REGRESSION: LayoutTest http/tests/security/credentials-iframes.html is failing on ios-simulator
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=167967
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycredentialsmainresourceexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/credentials-main-resource-expected.txt (0 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/credentials-main-resource-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/credentials-main-resource-expected.txt        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+ALERT: Authenticated as user: testuser password: testpass
+Main Resource Credentials: testuser, testpass
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycredentialsmainresourcehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/credentials-main-resource.html (0 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/credentials-main-resource.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/credentials-main-resource.html        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+    internals.settings.setStorageBlockingPolicy('BlockThirdParty');
+}
+window.location = &quot;http://testuser:testpass@127.0.0.1:8000/security/resources/credentials-main-resource.php&quot;;
+&lt;/script&gt;
</ins></span></pre></div>
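Review bot: The test navigates the top-level window straight to credentials-main-resource.php, so it covers only the main-frame (else) branch added in DocumentLoader::startLoadingMainResource. Nothing in the added tests reaches the protected page through a redirect, which is the case the new setCachePartition call in NetworkResourceLoader::continueWillSendRequest is for, and nothing loads it as the main resource of a subframe. Suggest adding one case that arrives via a redirect and one that loads the page in an iframe.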
<a id="trunkLayoutTestshttptestssecurityresourcescredentialsmainresourcephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/resources/credentials-main-resource.php (0 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/resources/credentials-main-resource.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/credentials-main-resource.php        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+&lt;?php 
+    if (!isset($_SERVER['PHP_AUTH_USER'])) {
+        header('WWW-Authenticate: Basic realm=&quot;WebKit test - credentials-in-main-resource&quot;');
+        header('HTTP/1.0 401 Unauthorized');
+        exit;
+    }
+    echo &quot;Main Resource Credentials: &quot; . $_SERVER['PHP_AUTH_USER'] . &quot;, &quot; . $_SERVER['PHP_AUTH_PW'] . &quot;&lt;br/&gt;&quot;;
+?&gt;
+&lt;script&gt;
+
+if (window.internals)
+    internals.settings.setStorageBlockingPolicy('BlockThirdParty');
+
+var request = new XMLHttpRequest();
+request.onreadystatechange = function () {
+    if (this.readyState == 4) {
+        alert(this.responseText);
+                if (window.testRunner)
+                        testRunner.notifyDone();
+        }
+};
+request.open('GET', 'http://127.0.0.1:8000/security/resources/basic-auth.php?username=testuser&amp;password=testpass', true);
+request.send(null);
+&lt;/script&gt;
</ins></span></pre></div>
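Review bot: Indentation inside the onreadystatechange handler is inconsistent: the if (window.testRunner) line and its testRunner.notifyDone() call sit at 16 and 24 columns and the closing brace of the readyState check sits at 8, while the rest of the script uses 4-space steps. Reindent so the brace lines up with the if it closes. Separately, the echo writes PHP_AUTH_USER and PHP_AUTH_PW into the page unescaped; with the fixed testuser/testpass values this is harmless, but wrapping them in htmlspecialchars() would keep the resource safe to reuse with other inputs.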
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/Source/WebCore/ChangeLog        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -1,5 +1,36 @@
</span><span class="cx"> 2017-02-28  Alex Christensen  &lt;achristensen@webkit.org&gt;
</span><span class="cx"> 
</span><ins>+        Main resource requests need cachePartition
+        https://bugs.webkit.org/show_bug.cgi?id=168806
+        &lt;rdar://30639764&gt;
+
+        Reviewed by Brady Eidson.
+
+        Test: http/tests/security/credentials-main-resource.html
+
+        r211751 caused an unintended regression on pages whose main resource is protected
+        by basic authentication.  We were not setting the cache partition for main resource
+        requests, and we use the cache partition now for credentials, so the credentials for
+        the main resource were not being put into a partition in the CredentialStorage that
+        would not be used for subresources of the page, whose requests had the correct partition
+        for the domain of the page.  This caused users to have to enter their credentials twice,
+        once for the main resource and once for any subresources.  This is fixed by using the
+        domain from the main resource request as the cache partition.  Elsewhere the Document is
+        used to get the cache partition, but there is no Document yet when requesting the main resource.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::startLoadingMainResource):
+        Set the cache partition for the main resource loads based on the SecurityOrigin of the
+        initial request if we are loading the main resource for a new top document.  If the main resource
+        request is redirected, then we will still use the partition of the initial request because that is
+        what the user requested and that is where the user entered the credentials.
+        * loader/cache/CachedResourceLoader.h:
+        * loader/cache/CachedResourceRequest.cpp:
+        (WebCore::CachedResourceRequest::setDomainForCachePartition):
+        * loader/cache/CachedResourceRequest.h:
+
+2017-02-28  Alex Christensen  &lt;achristensen@webkit.org&gt;
+
</ins><span class="cx">         REGRESSION: LayoutTest http/tests/security/credentials-iframes.html is failing on ios-simulator
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=167967
</span><span class="cx"> 
</span></span></pre></div>
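Review bot: The sentence in the added entry that reads "the credentials for the main resource were not being put into a partition in the CredentialStorage that would not be used for subresources" carries a double negation and appears to say the opposite of what the rest of the paragraph describes, namely that the credentials ended up in a partition that subresource requests did not look in. Suggest rewording it to say the credentials were being stored in a partition that is not used for subresources of the page.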
<a id="trunkSourceWebCoreloaderDocumentLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentLoader.cpp        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -1479,7 +1479,16 @@
</span><span class="cx">     RELEASE_LOG_IF_ALLOWED(&quot;startLoadingMainResource: Starting load (frame = %p, main = %d)&quot;, m_frame, m_frame-&gt;isMainFrame());
</span><span class="cx"> 
</span><span class="cx">     static NeverDestroyed&lt;ResourceLoaderOptions&gt; mainResourceLoadOptions(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, ClientCredentialPolicy::MayAskClientForCredentials, FetchOptions::Credentials::Include, SkipSecurityCheck, FetchOptions::Mode::NoCors, IncludeCertificateInfo, ContentSecurityPolicyImposition::SkipPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching);
</span><del>-    m_mainResource = m_cachedResourceLoader-&gt;requestMainResource(CachedResourceRequest(ResourceRequest(request), mainResourceLoadOptions));
</del><ins>+    CachedResourceRequest mainResourceRequest(ResourceRequest(request), mainResourceLoadOptions);
+    if (!m_frame-&gt;isMainFrame() &amp;&amp; m_frame-&gt;document()) {
+        // If we are loading the main resource of a subframe, use the cache partition of the main document.
+        mainResourceRequest.setDomainForCachePartition(*m_frame-&gt;document());
+    } else {
+        auto origin = SecurityOrigin::create(request.url());
+        origin-&gt;setStorageBlockingPolicy(frameLoader()-&gt;frame().settings().storageBlockingPolicy());
+        mainResourceRequest.setDomainForCachePartition(origin-&gt;domainForCachePartition());
+    }
+    m_mainResource = m_cachedResourceLoader-&gt;requestMainResource(WTFMove(mainResourceRequest));
</ins><span class="cx"> 
</span><span class="cx"> #if ENABLE(CONTENT_EXTENSIONS)
</span><span class="cx">     if (m_mainResource &amp;&amp; m_mainResource-&gt;errorOccurred() &amp;&amp; m_frame-&gt;page() &amp;&amp; m_mainResource-&gt;resourceError().domain() == ContentExtensions::WebKitContentBlockerDomain) {
</span></span></pre></div>
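Review bot: In the new if/else, the else branch is taken not only for the main frame but also for a subframe whose m_frame-&gt;document() is null, and in that case the partition is derived from the subframe request's own URL instead of the top document's origin, which is what the if branch uses through document.topOrigin() in setDomainForCachePartition(Document&amp;). The ChangeLog describes this path only as "a new top document". Either add a comment on the else branch explaining why a subframe without a document may be partitioned by request.url(), or handle that case separately. Minor: the else branch reads settings through frameLoader()-&gt;frame() while the condition uses m_frame directly; using one of them consistently would read more clearly.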
<a id="trunkSourceWebCoreloadercacheCachedResourceLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.h (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.h        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.h        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -53,6 +53,7 @@
</span><span class="cx"> class DocumentLoader;
</span><span class="cx"> class Frame;
</span><span class="cx"> class ImageLoader;
</span><ins>+class Settings;
</ins><span class="cx"> class URL;
</span><span class="cx"> 
</span><span class="cx"> // The CachedResourceLoader provides a per-context interface to the MemoryCache
</span></span></pre></div>
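Review bot: The added forward declaration class Settings; is the only change to CachedResourceLoader.h in this patch, and nothing else in the header diff refers to Settings. If no declaration in the header needs it, drop the line; if one does, say so in the ChangeLog, which lists this file with no description.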
<a id="trunkSourceWebCoreloadercacheCachedResourceRequestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.cpp        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -134,6 +134,11 @@
</span><span class="cx">     m_resourceRequest.setDomainForCachePartition(document.topOrigin().domainForCachePartition());
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void CachedResourceRequest::setDomainForCachePartition(const String&amp; domain)
+{
+    m_resourceRequest.setDomainForCachePartition(domain);
+}
+
</ins><span class="cx"> static inline String acceptHeaderValueFromType(CachedResource::Type type)
</span><span class="cx"> {
</span><span class="cx">     switch (type) {
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceRequesth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceRequest.h (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceRequest.h        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/Source/WebCore/loader/cache/CachedResourceRequest.h        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -76,6 +76,7 @@
</span><span class="cx">     void applyBlockedStatus(const ContentExtensions::BlockedStatus&amp;);
</span><span class="cx"> #endif
</span><span class="cx">     void setDomainForCachePartition(Document&amp;);
</span><ins>+    void setDomainForCachePartition(const String&amp;);
</ins><span class="cx">     bool isLinkPreload() const { return m_isLinkPreload; }
</span><span class="cx">     void setIsLinkPreload() { m_isLinkPreload = true; }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/Source/WebKit2/ChangeLog        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -1,3 +1,13 @@
</span><ins>+2017-02-28  Alex Christensen  &lt;achristensen@webkit.org&gt;
+
+        Main resource requests need cachePartition
+        https://bugs.webkit.org/show_bug.cgi?id=168806
+
+        Reviewed by Brady Eidson.
+
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::continueWillSendRequest):
+
</ins><span class="cx"> 2017-02-27  Alex Christensen  &lt;achristensen@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         Begin enabling WebRTC on 64-bit
</span></span></pre></div>
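Review bot: The new entry lists NetworkResourceLoader::continueWillSendRequest with no description of what changed there. A one-line note that the redirected request now keeps the original request's cache partition would match the level of detail in the WebCore entry.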
<a id="trunkSourceWebKit2NetworkProcessNetworkResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp (213125 => 213126)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp        2017-02-28 08:28:33 UTC (rev 213125)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp        2017-02-28 08:30:44 UTC (rev 213126)
</span><span class="lines">@@ -472,8 +472,9 @@
</span><span class="cx"> {
</span><span class="cx">     RELEASE_LOG_IF_ALLOWED(&quot;continueWillSendRequest: (pageID = %&quot; PRIu64 &quot;, frameID = %&quot; PRIu64 &quot;, resourceID = %&quot; PRIu64 &quot;)&quot;, m_parameters.webPageID, m_parameters.webFrameID, m_parameters.identifier);
</span><span class="cx"> 
</span><del>-    // If there is a match in the network cache, we need to reuse the original cache policy.
</del><ins>+    // If there is a match in the network cache, we need to reuse the original cache policy and partition.
</ins><span class="cx">     newRequest.setCachePolicy(originalRequest().cachePolicy());
</span><ins>+    newRequest.setCachePartition(originalRequest().cachePartition());
</ins><span class="cx"> 
</span><span class="cx"> #if ENABLE(NETWORK_CACHE)
</span><span class="cx">     if (m_isWaitingContinueWillSendRequestForCachedRedirect) {
</span></span></pre>
</div>
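Review bot: The updated comment says the original policy and partition are reused "if there is a match in the network cache", but both setCachePolicy and the new setCachePartition run unconditionally, ahead of the #if ENABLE(NETWORK_CACHE) block. The reason the WebCore ChangeLog gives for keeping the partition is that a redirected main resource should stay in the partition of the initial request, where the user entered the credentials. Suggest the comment state that reason, since it applies whether or not there is a cache match and it is the part a later reader needs in order not to remove the line.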
</div>

</body>
</html>