<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[230365] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/230365">230365</a></dd>
<dt>Author</dt> <dd>youenn@apple.com</dd>
<dt>Date</dt> <dd>2018-04-06 20:48:55 -0700 (Fri, 06 Apr 2018)</dd>
</dl>

<h3>Log Message</h3>
<pre>Response headers should be filtered when sent from NetworkProcess to WebProcess
https://bugs.webkit.org/show_bug.cgi?id=184310

Reviewed by Ryosuke Niwa.

Source/WebCore:

Did some refactoring to allow ResourceResponse to use header value parsing routines.
We add sanitization levels for regular responses in case responses might be exposed to scripts or not.
If not exposed to scripts, additional filtering is done.

Add internal API to get unfiltered response headers from a fetch response.
Test: http/wpt/service-workers/header-filtering.https.html

* Modules/fetch/FetchResponse.h:
* loader/CrossOriginPreflightResultCache.cpp:
(WebCore::CrossOriginPreflightResultCacheItem::parse):
* platform/network/HTTPParsers.h:
(WebCore::addToAccessControlAllowList):
(WebCore::parseAccessControlAllowList):
* platform/network/ResourceResponseBase.cpp:
(WebCore::isSafeToKeepRedirectionResponseHeader):
(WebCore::isCrossOriginSafeToKeepResponseHeader):
(WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):
* platform/network/ResourceResponseBase.h:
* testing/ServiceWorkerInternals.cpp:
(WebCore::ServiceWorkerInternals::fetchResponseHeaderList):
* testing/ServiceWorkerInternals.h:
* testing/ServiceWorkerInternals.idl:

Source/WebKit:

Pass destination parameter to NetworkResourceLoader.
Use new sanitization routine to filter response headers as needed:
- Cross-origin routines are filtered by removing any non CORS allowed headers.
- Same-origin responses are filtered by removing non used headers, except when filtering would be visible by JS (XHR, fetch).
In all cases, Set-Cookie/Set-Cookie2 headers are filtered out.

* NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):
* NetworkProcess/NetworkResourceLoadParameters.h:
* NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::didReceiveResponse):
(WebKit::NetworkResourceLoader::willSendRedirectedRequest):
(WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):
(WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
(WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):
* NetworkProcess/NetworkResourceLoader.h:
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
* WebProcess/Storage/WebSWContextManagerConnection.cpp:
(WebKit::WebSWContextManagerConnection::updatePreferencesStore):

LayoutTests:

Rebased tests for WK2 as Server response header is now filtered out for cross-origin and not fetch/XHR loads.

* http/wpt/service-workers/header-filtering-worker.js: Added.
* http/wpt/service-workers/header-filtering.https-expected.txt: Added.
Some tests are failing as navigation loads are not yet filtered and we
have no good way yet to detect cross origin loads.
* http/wpt/service-workers/header-filtering.https.html: Added.
* http/wpt/service-workers/resources/header-filtering-iframe.html: Added.
* http/wpt/service-workers/resources/response-full-of-headers.py: Added.
* http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
* http/tests/webarchive/test-preload-resources-expected.txt: Added.
* platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
* platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt: Added.
* platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
* platform/win/http/tests/webarchive/test-preload-resources-expected.txt: Added.</pre>
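<p>The filtering policy the log message describes, as an added example (not WebKit code and not part of this commit): Set-Cookie/Set-Cookie2 are always dropped, a same-origin response that script will read (fetch/XHR) is otherwise left intact, and any other response is reduced to a loader-used allow list plus the names in Access-Control-Expose-Headers. The allow list, the sameOrigin/exposedToScripts option names and the Date/Server entries in the input are assumptions; the rest of the input is the header list served by response-full-of-headers.py.</p>

```javascript
// Added example, not WebKit code: a response-header sanitizer modelled on the
// policy in the log message. The allow list below is an assumption taken from
// the expectation arrays in header-filtering.https.html.

// Headers never forwarded from the network layer to web content, at any level.
const ALWAYS_DROPPED = new Set(["set-cookie", "set-cookie2"]);

// Assumed allow list: headers the loader itself consumes and therefore keeps
// when the response is cross-origin or is not visible to script.
const LOADER_USED_HEADERS = new Set([
  "access-control-allow-credentials", "access-control-allow-methods",
  "access-control-allow-origin", "access-control-expose-headers",
  "cache-control", "content-length", "content-type", "date",
  "referrer-policy", "sourcemap", "timing-allow-origin", "x-sourcemap",
]);

// Parse a comma-separated Access-Control-* allow list; names are compared
// case-insensitively, so "x-Header1, content-length" exposes x-header1.
function parseAccessControlAllowList(value) {
  const names = new Set();
  for (const item of value.split(",")) {
    const name = item.trim().toLowerCase();
    if (name !== "") names.add(name);
  }
  return names;
}

// headers: array of [name, value] pairs in wire order.
// options.sameOrigin: the response origin matches the requesting document.
// options.exposedToScripts: the response object reaches JS (fetch/XHR) rather
// than being consumed by the engine (script, stylesheet, navigation).
function sanitizeHeaders(headers, { sameOrigin, exposedToScripts }) {
  // Names the server explicitly exposes survive in addition to the allow list.
  const exposed = new Set();
  for (const [name, value] of headers) {
    if (name.toLowerCase() === "access-control-expose-headers")
      parseAccessControlAllowList(value).forEach(n => exposed.add(n));
  }
  // Dropping anything but cookies from a same-origin fetch/XHR response would be
  // observable by script, so that case only loses the cookie-setting headers.
  const filterUnused = !(sameOrigin && exposedToScripts);
  const kept = [];
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    if (ALWAYS_DROPPED.has(lower)) continue;
    if (filterUnused && !LOADER_USED_HEADERS.has(lower) && !exposed.has(lower)) continue;
    kept.push([name, value]);
  }
  return kept;
}

// Sorted, lower-cased names, for comparison against the test's expectation arrays.
function headerNames(headers) {
  return headers.map(([name]) => name.toLowerCase()).sort();
}

// Constructed input: the list from response-full-of-headers.py plus a Date header
// (added by any real server) and a Server header like the one the webarchive
// expectations lose in this commit. Values are illustrative.
const RAW_HEADERS = [
  ["Content-type", "text/javascript"], ["Set-Cookie", "1"], ["Set-Cookie2", "2"],
  ["Access-Control-Allow-Origin", "*"], ["Access-Control-Allow-Credentials", "true"],
  ["Access-Control-Allow-Methods", "GET, POST, HEAD"], ["Timing-Allow-Origin", "*"],
  ["Referrer-Policy", "whatever"], ["SourceMap", "1"], ["x-sourcemap", "2"],
  ["Access-Control-Expose-Headers", "x-Header1, content-length"],
  ["x-header1", "x-value1"], ["x-header2", "x-value2"],
  ["Content-Length", "13"], ["Cache-Control", "no-store"],
  ["Date", "Sat, 07 Apr 2018 03:48:55 GMT"], ["Server", "Apache/2.2.9 (Unix)"],
];

// The three cases exercised by header-filtering.https.html.
const sameOriginFetch = sanitizeHeaders(RAW_HEADERS, { sameOrigin: true, exposedToScripts: true });
const crossOriginFetch = sanitizeHeaders(RAW_HEADERS, { sameOrigin: false, exposedToScripts: true });
const sameOriginScript = sanitizeHeaders(RAW_HEADERS, { sameOrigin: true, exposedToScripts: false });

console.log("same-origin fetch keeps", headerNames(sameOriginFetch).length, "headers");
console.log("cross-origin fetch keeps", headerNames(crossOriginFetch).length, "headers");
console.log("same-origin script keeps", headerNames(sameOriginScript).length, "headers");
```

With this input the same-origin fetch case keeps 15 headers (Server and x-header2 included) and the two filtered cases keep the same 13, matching the counts in the test's expectation arrays.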

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsplatformmachttptestswebarchivecrossoriginstylesheetcrashexpectedtxt">trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformmachttptestswebarchivetestpreloadresourcesexpectedtxt">trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreModulesfetchFetchResponseh">trunk/Source/WebCore/Modules/fetch/FetchResponse.h</a></li>
<li><a href="#trunkSourceWebCoreloaderCrossOriginPreflightResultCachecpp">trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkHTTPParsersh">trunk/Source/WebCore/platform/network/HTTPParsers.h</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkResourceResponseBasecpp">trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkResourceResponseBaseh">trunk/Source/WebCore/platform/network/ResourceResponseBase.h</a></li>
<li><a href="#trunkSourceWebCoretestingServiceWorkerInternalscpp">trunk/Source/WebCore/testing/ServiceWorkerInternals.cpp</a></li>
<li><a href="#trunkSourceWebCoretestingServiceWorkerInternalsh">trunk/Source/WebCore/testing/ServiceWorkerInternals.h</a></li>
<li><a href="#trunkSourceWebCoretestingServiceWorkerInternalsidl">trunk/Source/WebCore/testing/ServiceWorkerInternals.idl</a></li>
<li><a href="#trunkSourceWebKitChangeLog">trunk/Source/WebKit/ChangeLog</a></li>
<li><a href="#trunkSourceWebKitNetworkProcessNetworkResourceLoadParameterscpp">trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp</a></li>
<li><a href="#trunkSourceWebKitNetworkProcessNetworkResourceLoadParametersh">trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h</a></li>
<li><a href="#trunkSourceWebKitNetworkProcessNetworkResourceLoadercpp">trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebKitNetworkProcessNetworkResourceLoaderh">trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h</a></li>
<li><a href="#trunkSourceWebKitWebProcessNetworkWebLoaderStrategycpp">trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp</a></li>
<li><a href="#trunkSourceWebKitWebProcessStorageWebSWContextManagerConnectioncpp">trunk/Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttpwptserviceworkersheaderfilteringworkerjs">trunk/LayoutTests/http/wpt/service-workers/header-filtering-worker.js</a></li>
<li><a href="#trunkLayoutTestshttpwptserviceworkersheaderfilteringhttpsexpectedtxt">trunk/LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttpwptserviceworkersheaderfilteringhttpshtml">trunk/LayoutTests/http/wpt/service-workers/header-filtering.https.html</a></li>
<li><a href="#trunkLayoutTestshttpwptserviceworkersresourcesheaderfilteringiframehtml">trunk/LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttpwptserviceworkersresourcesresponsefullofheaderspy">trunk/LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py</a></li>
<li>trunk/LayoutTests/platform/mac-wk1/http/tests/</li>
<li>trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/</li>
<li><a href="#trunkLayoutTestsplatformmacwk1httptestswebarchivecrossoriginstylesheetcrashexpectedtxt">trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformmacwk1httptestswebarchivetestpreloadresourcesexpectedtxt">trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt</a></li>
<li>trunk/LayoutTests/platform/win/http/tests/webarchive/</li>
<li><a href="#trunkLayoutTestsplatformwinhttptestswebarchivecrossoriginstylesheetcrashexpectedtxt">trunk/LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformwinhttptestswebarchivetestpreloadresourcesexpectedtxt">trunk/LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog      2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/LayoutTests/ChangeLog 2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Rebased tests for WK2 as Server response header is now filtered out for cross-origin and not fetch/XHR loads.
+
+        * http/wpt/service-workers/header-filtering-worker.js: Added.
+        * http/wpt/service-workers/header-filtering.https-expected.txt: Added.
+        Some tests are failing as navigation loads are not yet filtered and we
+        have no good way yet to detect cross origin loads.
+        * http/wpt/service-workers/header-filtering.https.html: Added.
+        * http/wpt/service-workers/resources/header-filtering-iframe.html: Added.
+        * http/wpt/service-workers/resources/response-full-of-headers.py: Added.
+        * http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * http/tests/webarchive/test-preload-resources-expected.txt: Added.
+        * platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt: Added.
+        * platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt: Added.
+        * platform/win/http/tests/webarchive/test-preload-resources-expected.txt: Added.
+
</ins><span class="cx"> 2018-04-06  Ryan Haddad  <ryanhaddad@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Mark fast/loader/submit-form-while-parsing-2.html as flaky.
</span></span></pre></div>
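<p>Review bot: the two http/tests/webarchive/*-expected.txt bullets in the LayoutTests entry are marked "Added", but the Modified Paths list shows those results as modifications under platform/mac/http/tests/webarchive/, and what was added are the mac-wk1 and win copies; the bullets should name the platform/mac files and say "Rebased" so the ChangeLog matches the actual paths in this revision.</p>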
<a id="trunkLayoutTestshttpwptserviceworkersheaderfilteringworkerjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/wpt/service-workers/header-filtering-worker.js (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/service-workers/header-filtering-worker.js                            (rev 0)
+++ trunk/LayoutTests/http/wpt/service-workers/header-filtering-worker.js       2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+var source;
+addEventListener("message", (e) => {
+    source = e.source;
+    source.postMessage(e.data === "ready?" ? "ready" : "not ready");
+});
+
+addEventListener("fetch", async (e) => {
+    var promise = fetch(e.request);
+    e.respondWith(promise.then((response) => {
+        if (self.internals)
+            source.postMessage(internals.fetchResponseHeaderList(response).sort());
+        else
+            source.postMessage("Test requires internals API to get all response headers");
+        return response;
+    }));
+});
</ins></span></pre></div>
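<p>Review bot: source is only assigned once the page has posted "ready?", so a fetch event handled before that message (or from a client that never sent it) throws on source.postMessage inside the respondWith promise, and the test hangs instead of failing cleanly; guard with "if (source)" or look the client up with clients.get(e.clientId). The fetch listener is also declared async although it awaits nothing, and the code checks self.internals but then calls the bare internals global; use one spelling consistently.</p>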
<a id="trunkLayoutTestshttpwptserviceworkersheaderfilteringhttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt                           (rev 0)
+++ trunk/LayoutTests/http/wpt/service-workers/header-filtering.https-expected.txt      2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+
+
+PASS Setup worker 
+PASS Frame controlled by service worker 
+PASS Test same-origin fetch 
+FAIL Test cors cross-origin fetch assert_array_equals: lengths differ, expected 13 got 15
+FAIL Test no-cors cross-origin fetch assert_array_equals: lengths differ, expected 13 got 15
+PASS Test same-origin script load 
+PASS Test no-cors script load 
+PASS Test cors script load 
+FAIL Test HTML load assert_array_equals: lengths differ, expected 13 got 17
+PASS Clean-up 
+
</ins></span></pre></div>
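<p>Review bot: the test names in this expectation file do not match the descriptions in header-filtering.https.html: "Setup worker" versus "Setup worker and register the client", "Frame controlled by service worker" versus "Add a frame controlled by service worker", and "Clean-up" versus "Do some clean-up". testharness prints the description verbatim, so the actual output will differ from this file and the test will be reported as failing regardless of header filtering; regenerate the expectations from the final test names.</p>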
<a id="trunkLayoutTestshttpwptserviceworkersheaderfilteringhttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/wpt/service-workers/header-filtering.https.html (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/service-workers/header-filtering.https.html                           (rev 0)
+++ trunk/LayoutTests/http/wpt/service-workers/header-filtering.https.html      2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,155 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<title>Service Worker Header Filtering</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+ <script src="/common/get-host-info.sub.js"></script>
+</head>
+<body>
+<script>
+var scope = "resources";
+var registration;
+var frame;
+
+var url1 = "/WebKit/service-workers/resources/response-full-of-headers.py";
+var url2 = get_host_info().HTTPS_REMOTE_ORIGIN + url1;
+
+function withFrame(url)
+{
+    return new Promise((resolve) => {
+        const frame = document.createElement('iframe');
+        frame.src = url;
+        frame.onload = function() { resolve(frame); };
+        document.body.appendChild(frame);
+    });
+}
+
+async function registerServiceWorker(scope)
+{
+    const registration = await navigator.serviceWorker.register("header-filtering-worker.js", { scope : scope });
+    const activeWorker = registration.active;
+    if (activeWorker)
+        return registration;
+    activeWorker = registration.installing;
+    return new Promise(resolve => {
+        activeWorker.addEventListener('statechange', () => {
+            if (activeWorker.state === "activated")
+                resolve(registration);
+        });
+    });
+}
+
+promise_test(async (test) => {
+    registration = await registerServiceWorker(scope);
+    registration.active.postMessage("ready?");
+    return new Promise((resolve) => {
+        navigator.serviceWorker.onmessage = (event) => {
+            assert_equals(event.data, "ready");
+            navigator.serviceWorker.onmessage = undefined;
+            resolve();
+        };
+    });
+}, "Setup worker and register the client");
+
+var processMessage;
+promise_test(async (test) => {
+    frame = await withFrame(scope + "/header-filtering-iframe.html");
+    navigator.serviceWorker.onmessage = (event) => {
+        processMessage(event.data);
+    };
+}, "Add a frame controlled by service worker");
+
+promise_test(async (test) => {
+    const promise = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.fetch(url1 + "?fetch");
+    assert_array_equals(await promise, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy","Server",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-header1","x-header2"]);
+}, "Test same-origin fetch");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.fetch(url2 + "?fetch-cors", { mode : "cors" });
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test cors cross-origin fetch");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.fetch(url2 + "?fetch-no-cors", { mode : "no-cors" });
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test no-cors cross-origin fetch");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.loadScript(url1 + "?script");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test same-origin script load");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.loadScript(url2 + "?script-nocors");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test no-cors script load");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    frame.contentWindow.loadScript(url2 + "?script-cors", "anonymous");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+}, "Test cors script load");
+
+promise_test(async (test) => {
+    const data = new Promise((resolve) => {
+        processMessage = (data) => {
+            resolve(data);
+        };
+    });
+    let frame = await withFrame(url1 + "?html");
+    assert_array_equals(await data, ["Access-Control-Allow-Credentials","Access-Control-Allow-Methods","Access-Control-Allow-Origin",
+        "Access-Control-Expose-Headers","Cache-Control","Content-Length","Content-Type","Date","Referrer-Policy",
+        "SourceMap","Timing-Allow-Origin","X-SourceMap","x-Header1"]);
+    frame.remove();
+}, "Test HTML load");
+
+promise_test(async (test) => {
+    await registration.unregister();
+    frame.remove();
+}, "Do some clean-up");
+
+</script>
+</body>
+</html>
</ins></span></pre></div>
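<p>Review bot: registerServiceWorker declares activeWorker with const and then assigns registration.installing to it, which throws a TypeError on the first run when there is no active worker yet, the exact path that branch exists to handle; change it to let. The assert_equals inside the onmessage handler of the first promise_test also runs outside the promise_test's exception scope, so a "not ready" reply surfaces as an unhandled exception rather than a failed assertion; resolve with event.data and assert on the awaited value instead. Minor: the 13-element allow list is repeated verbatim in seven tests; a single constant would make the intended policy easier to read and to update.</p>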
<a id="trunkLayoutTestshttpwptserviceworkersresourcesheaderfilteringiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/wpt/service-workers/resources/header-filtering-iframe.html   2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+function loadScript(url, mode)
+{
+    let script = document.createElement("script");
+    script.src = url;
+    if (mode)
+        script.crossOrigin = mode;
+    document.body.appendChild(script);
+}
+</script>
+</head>
+<body>
+Ready
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttpwptserviceworkersresourcesresponsefullofheaderspy"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py                         (rev 0)
+++ trunk/LayoutTests/http/wpt/service-workers/resources/response-full-of-headers.py    2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+def main(request, response):
+    headers = [("Content-type", "text/javascript"),
+        ("Set-Cookie", "1"),
+        ("Set-Cookie2", "2"),
+        ("Access-Control-Allow-Origin", "*"),
+        ("Access-Control-Allow-Credentials", "true"),
+        ("Access-Control-Allow-Methods", "GET, POST, HEAD"),
+        ("Timing-Allow-Origin", "*"),
+        ("Referrer-Policy", "whatever"),
+        ("SourceMap", "1"),
+        ("x-sourcemap", "2"),
+        ("Access-Control-Expose-Headers", "x-Header1, content-length"),
+        ("x-header1", "x-value1"),
+        ("x-header2", "x-value2"),
+        ("Content-Length", "13"),
+        ("Cache-Control", "no-store")
+    ]
+    return headers, "document.body"
</ins></span></pre></div>
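<p>Review bot: Content-Length is hard-coded to "13" and must stay in sync with the body "document.body"; computing it as str(len(body)) avoids a silent mismatch if the body changes, which would show up as a truncated or hanging script load rather than a header-filtering failure. A short comment that Access-Control-Expose-Headers deliberately exposes x-header1 but not x-header2 would also help, since that asymmetry is what the filtered expectations in header-filtering.https.html rely on.</p>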
<a id="trunkLayoutTestsplatformmachttptestswebarchivecrossoriginstylesheetcrashexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt  2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt     2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -55,8 +55,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>1</integer>
</span></span></pre></div>
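<p>Review bot: this file loses the Server header while the mac-wk1 and win copies added in the same revision are taken from rev 230364 and so still carry it; the split is consistent with the ChangeLog's "Rebased tests for WK2", but the ChangeLog should say explicitly that the platform/mac results are now the filtered (WK2) expectations and the copies hold the unfiltered ones, since the "Added" bullets alone do not convey that.</p>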
<a id="trunkLayoutTestsplatformmachttptestswebarchivetestpreloadresourcesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt 2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt    2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -65,8 +65,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>33</integer>
</span><span class="lines">@@ -102,8 +100,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>33</integer>
</span><span class="lines">@@ -139,8 +135,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>33</integer>
</span><span class="lines">@@ -176,8 +170,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>33</integer>
</span><span class="lines">@@ -213,8 +205,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>33</integer>
</span><span class="lines">@@ -250,8 +240,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>33</integer>
</span><span class="lines">@@ -287,8 +275,6 @@
</span><span class="cx">                                  <string>"301925-21-45c7d72d3e780"</string>
</span><span class="cx">                                  <key>Last-Modified</key>
</span><span class="cx">                                  <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
</span><del>-                                       <key>Server</key>
-                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
</del><span class="cx">                           </dict>
</span><span class="cx">                          <key>expectedContentLength</key>
</span><span class="cx">                          <integer>33</integer>
</span></span></pre></div>
<a id="trunkLayoutTestsplatformmacwk1httptestswebarchivecrossoriginstylesheetcrashexpectedtxtfromrev230364trunkLayoutTestsplatformmachttptestswebarchivecrossoriginstylesheetcrashexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt (from rev 230364, trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt) (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt                              (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt 2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,71 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+&lt;link rel="stylesheet" href="http://localhost:8000/webarchive/resources/localhost-stylesheet.css" type="text/css"&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This HTML links to an external stylesheet from a different security origin.&lt;br&gt;
+Making a webarchive of this page should not crash.
+
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/cross-origin-stylesheet-crash.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>1</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>1</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+               </dict>
+       </array>
+</dict>
+</plist>
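Review bot: this mac-wk1 copy retains the `Server` line (`Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6`) that the platform/mac baseline drops in this same revision, so the expectation is pinned to the exact version banner of the LayoutTests HTTP server and will break, together with its three siblings, the moment that Apache is upgraded. If WK1 really does still surface `Server` in `allHeaderFields`, the cleaner fix is to have the harness normalize that header the way `Date` (`Sun, 16 Nov 2008 17:00:00 GMT`) and `Etag` (`"301925-21-45c7d72d3e780"`) are already fixed constants here, rather than baking the banner into per-platform baselines. The data side is consistent: `Content-Length` and `expectedContentLength` are both 1 and `WebResourceData` is a single newline. Worth keeping in mind while reviewing: the archive stores the cross-origin stylesheet's complete response header set, server banner included, so a saved webarchive records what third-party servers advertised at capture time.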
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformmacwk1httptestswebarchivetestpreloadresourcesexpectedtxtfromrev230364trunkLayoutTestsplatformmachttptestswebarchivetestpreloadresourcesexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt (from rev 230364, trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt) (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt                             (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/webarchive/test-preload-resources-expected.txt        2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,303 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+
+&lt;link rel="stylesheet" type="text/css" href="resources/test-preload-resources.css"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?1" title="green"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?2" title="blue"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?3" title="yellow"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?4" title="pink"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?5" title="purple"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?6" title="gray"&gt;
+
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+
+&lt;/head&gt;&lt;body&gt;
+&lt;div&gt;
+Test for &lt;a href="https://bugs.webkit.org/show_bug.cgi?id=22466"&gt;Bug 22466:
+REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&lt;/a&gt;
+&lt;/div&gt;
+&lt;p&gt;Some resources are missing when saving this page as a webarchive.&lt;/p&gt;
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/test-preload-resources.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+               </dict>
+       </array>
+</dict>
+</plist>
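Review bot: all seven subresource dictionaries in this 303-line mac-wk1 baseline repeat the same `Server`, `Etag` and `Date` values verbatim, so the file differs from the platform/mac expectation only by the presence of the `Server` key in each `allHeaderFields`; if the sole intent is that WK1 exposes `Server` where the generic mac result does not, a single normalization step in the results dumper would avoid carrying near-duplicate 300-line expectations per platform. If the copy is kept as is, the numbers do check out: `Content-Length` and `expectedContentLength` are 33 for each entry and `/* test-preload-resources.css */` plus its trailing newline is 33 bytes.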
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformwinhttptestswebarchivecrossoriginstylesheetcrashexpectedtxtfromrev230364trunkLayoutTestsplatformmachttptestswebarchivecrossoriginstylesheetcrashexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt (from rev 230364, trunk/LayoutTests/platform/mac/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt) (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt                          (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/webarchive/cross-origin-stylesheet-crash-expected.txt     2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,71 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+&lt;link rel="stylesheet" href="http://localhost:8000/webarchive/resources/localhost-stylesheet.css" type="text/css"&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This HTML links to an external stylesheet from a different security origin.&lt;br&gt;
+Making a webarchive of this page should not crash.
+
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/cross-origin-stylesheet-crash.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>1</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>1</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://localhost:8000/webarchive/resources/localhost-stylesheet.css</string>
+               </dict>
+       </array>
+</dict>
+</plist>
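Review bot: this win copy is byte-for-byte the same as the mac-wk1 copy of `cross-origin-stylesheet-crash-expected.txt` added above; check whether platform/win's baseline search path already falls through to mac-wk1, in which case this file is redundant, and if it does not, note that the two copies must be updated in lockstep whenever the test server's `Server` banner or the stylesheet response changes, since both embed the same `Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6` string.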
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformwinhttptestswebarchivetestpreloadresourcesexpectedtxtfromrev230364trunkLayoutTestsplatformmachttptestswebarchivetestpreloadresourcesexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt (from rev 230364, trunk/LayoutTests/platform/mac/http/tests/webarchive/test-preload-resources-expected.txt) (0 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt                         (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/webarchive/test-preload-resources-expected.txt    2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -0,0 +1,303 @@
</span><ins>+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+       <key>WebMainResource</key>
+       <dict>
+               <key>WebResourceData</key>
+               <string>&lt;html&gt;&lt;head&gt;
+
+&lt;link rel="stylesheet" type="text/css" href="resources/test-preload-resources.css"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?1" title="green"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?2" title="blue"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?3" title="yellow"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?4" title="pink"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?5" title="purple"&gt;
+&lt;link rel="alternate stylesheet" type="text/css" href="resources/test-preload-resources.css?6" title="gray"&gt;
+
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpDOMAsWebArchive();
+&lt;/script&gt;
+
+&lt;/head&gt;&lt;body&gt;
+&lt;div&gt;
+Test for &lt;a href="https://bugs.webkit.org/show_bug.cgi?id=22466"&gt;Bug 22466:
+REGRESSION (35867): Many resources missing when saving webarchive of webkit.org&lt;/a&gt;
+&lt;/div&gt;
+&lt;p&gt;Some resources are missing when saving this page as a webarchive.&lt;/p&gt;
+
+&lt;/body&gt;&lt;/html&gt;</string>
+               <key>WebResourceFrameName</key>
+               <string></string>
+               <key>WebResourceMIMEType</key>
+               <string>text/html</string>
+               <key>WebResourceTextEncodingName</key>
+               <string>UTF-8</string>
+               <key>WebResourceURL</key>
+               <string>http://127.0.0.1:8000/webarchive/test-preload-resources.html</string>
+       </dict>
+       <key>WebSubresources</key>
+       <array>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?1</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?2</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?3</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?4</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?5</string>
+               </dict>
+               <dict>
+                       <key>WebResourceData</key>
+                       <string>/* test-preload-resources.css */
+</string>
+                       <key>WebResourceMIMEType</key>
+                       <string>text/css</string>
+                       <key>WebResourceResponse</key>
+                       <dict>
+                               <key>MIMEType</key>
+                               <string>text/css</string>
+                               <key>URL</key>
+                               <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+                               <key>allHeaderFields</key>
+                               <dict>
+                                       <key>Accept-Ranges</key>
+                                       <string>bytes</string>
+                                       <key>Content-Length</key>
+                                       <string>33</string>
+                                       <key>Content-Type</key>
+                                       <string>text/css</string>
+                                       <key>Date</key>
+                                       <string>Sun, 16 Nov 2008 17:00:00 GMT</string>
+                                       <key>Etag</key>
+                                       <string>"301925-21-45c7d72d3e780"</string>
+                                       <key>Last-Modified</key>
+                                       <string>Sun, 16 Nov 2008 16:55:00 GMT</string>
+                                       <key>Server</key>
+                                       <string>Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6</string>
+                               </dict>
+                               <key>expectedContentLength</key>
+                               <integer>33</integer>
+                               <key>statusCode</key>
+                               <integer>200</integer>
+                       </dict>
+                       <key>WebResourceURL</key>
+                       <string>http://127.0.0.1:8000/webarchive/resources/test-preload-resources.css?6</string>
+               </dict>
+       </array>
+</dict>
+</plist>
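Review bot: the six resource entries in this expectation differ only by the query string on test-preload-resources.css, and every one of them pins the same Server banner (Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7l PHP/5.2.6) and the same fixed Date, Etag and Last-Modified values. That ties the test to the exact header set and values the test HTTP server emits, so any change to which headers the loader keeps (which is what this patch changes) or to the server's fixed headers churns all six blocks at once. Consider trimming the expectation to the headers the webarchive test actually checks, or add a comment in the test explaining why the full header set is expected.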
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/ChangeLog      2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Did some refactoring to allow ResourceResponse to use header value parsing routines.
+        We add sanitization levels for regular responses in case responses might be exposed to scripts or not.
+        If not exposed to scripts, additional filtering is done.
+
+        Add internal API to get unfiltered response headers from a fetch response.
+        Test: http/wpt/service-workers/header-filtering.https.html
+
+        * Modules/fetch/FetchResponse.h:
+        * loader/CrossOriginPreflightResultCache.cpp:
+        (WebCore::CrossOriginPreflightResultCacheItem::parse):
+        * platform/network/HTTPParsers.h:
+        (WebCore::addToAccessControlAllowList):
+        (WebCore::parseAccessControlAllowList):
+        * platform/network/ResourceResponseBase.cpp:
+        (WebCore::isSafeToKeepRedirectionResponseHeader):
+        (WebCore::isCrossOriginSafeToKeepResponseHeader):
+        (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFields):
+        * platform/network/ResourceResponseBase.h:
+        * testing/ServiceWorkerInternals.cpp:
+        (WebCore::ServiceWorkerInternals::fetchResponseHeaderList):
+        * testing/ServiceWorkerInternals.h:
+        * testing/ServiceWorkerInternals.idl:
+
</ins><span class="cx"> 2018-04-06  Michael Catanzaro  <mcatanzaro@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, fix unused parameter warning when credential storage is disabled
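Review bot: the function names listed under platform/network/ResourceResponseBase.cpp do not match the patch: the code defines isSafeRedirectionResponseHeader and isSafeCrossOriginResponseHeader, not isSafeToKeepRedirectionResponseHeader and isCrossOriginSafeToKeepResponseHeader. It is also worth stating here that Referrer-Policy is newly kept on redirection responses and that Set-Cookie/Set-Cookie2 are stripped at every sanitization level, since both are behaviour changes in this patch and the WebCore entry only describes the refactoring.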
</span></span></pre></div>
<a id="trunkSourceWebCoreModulesfetchFetchResponseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/fetch/FetchResponse.h (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/fetch/FetchResponse.h       2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/Modules/fetch/FetchResponse.h  2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -109,6 +109,8 @@
</span><span class="cx"> 
</span><span class="cx">     const std::optional<ResourceError>& loadingError() const { return m_loadingError; }
</span><span class="cx"> 
</span><ins>+    const HTTPHeaderMap& internalResponseHeaders() const { return m_internalResponse.httpHeaderFields(); }
+
</ins><span class="cx"> private:
</span><span class="cx">     FetchResponse(ScriptExecutionContext&, std::optional<FetchBody>&&, Ref<FetchHeaders>&&, ResourceResponse&&);
</span><span class="cx"> 
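Review bot: internalResponseHeaders() is a public accessor on a production class that exists only for ServiceWorkerInternals, and nothing in the header says so. Add a comment stating that it returns the headers of the underlying ResourceResponse as delivered by the network layer (without the Fetch Headers guard applied) and that it is intended for testing, so non-test callers do not start relying on it.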
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderCrossOriginPreflightResultCachecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp  2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp     2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -52,57 +52,23 @@
</span><span class="cx">     return ok;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template<class HashType>
-static void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
-{
-    StringImpl* stringImpl = string.impl();
-    if (!stringImpl)
-        return;
-
-    // Skip white space from start.
-    while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
-        ++start;
-
-    // only white space
-    if (start > end) 
-        return;
-
-    // Skip white space from end.
-    while (end && isSpaceOrNewline((*stringImpl)[end]))
-        --end;
-
-    set.add(string.substring(start, end - start + 1));
-}
-
-template<class HashType>
-static bool parseAccessControlAllowList(const String& string, HashSet<String, HashType>& set)
-{
-    unsigned start = 0;
-    size_t end;
-    while ((end = string.find(',', start)) != notFound) {
-        if (start != end)
-            addToAccessControlAllowList(string, start, end - 1, set);
-        start = end + 1;
-    }
-    if (start != string.length())
-        addToAccessControlAllowList(string, start, string.length() - 1, set);
-
-    return true;
-}
-
</del><span class="cx"> bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response, String& errorDescription)
</span><span class="cx"> {
</span><span class="cx">     m_methods.clear();
</span><del>-    if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods), m_methods)) {
</del><ins>+    auto methods = parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods));
+    if (!methods) {
</ins><span class="cx">         errorDescription = "Cannot parse Access-Control-Allow-Methods response header field.";
</span><span class="cx">         return false;
</span><span class="cx">     }
</span><ins>+    m_methods = WTFMove(methods.value());
</ins><span class="cx"> 
</span><span class="cx">     m_headers.clear();
</span><del>-    if (!parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders), m_headers)) {
</del><ins>+    auto headers = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders));
+    if (!headers) {
</ins><span class="cx">         errorDescription = "Cannot parse Access-Control-Allow-Headers response header field.";
</span><span class="cx">         return false;
</span><span class="cx">     }
</span><ins>+    m_headers = WTFMove(headers.value());
</ins><span class="cx"> 
</span><span class="cx">     Seconds expiryDelta = 0_s;
</span><span class="cx">     if (parseAccessControlMaxAge(response.httpHeaderField(HTTPHeaderName::AccessControlMaxAge), expiryDelta)) {
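Review bot: the two failure branches here are unreachable, because parseAccessControlAllowList (HTTPParsers.h in this patch) always returns a populated std::optional and never std::nullopt, so "Cannot parse Access-Control-Allow-Methods response header field." and its Headers counterpart can never be produced. Either have the parser return nullopt on input it rejects (which is what the optional return type suggests) or drop the optional and the dead error handling. The m_methods.clear() and m_headers.clear() calls before the assignments are now redundant as well, since "m_methods = WTFMove(methods.value());" replaces the whole set.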
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkHTTPParsersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/HTTPParsers.h (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/HTTPParsers.h      2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/platform/network/HTTPParsers.h 2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -119,4 +119,43 @@
</span><span class="cx">     return string.stripLeadingAndTrailingMatchedCharacters(isHTTPSpace);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+template<class HashType>
+void addToAccessControlAllowList(const String& string, unsigned start, unsigned end, HashSet<String, HashType>& set)
+{
+    StringImpl* stringImpl = string.impl();
+    if (!stringImpl)
+        return;
+
+    // Skip white space from start.
+    while (start <= end && isSpaceOrNewline((*stringImpl)[start]))
+        ++start;
+
+    // only white space
+    if (start > end)
+        return;
+
+    // Skip white space from end.
+    while (end && isSpaceOrNewline((*stringImpl)[end]))
+        --end;
+
+    set.add(string.substring(start, end - start + 1));
</ins><span class="cx"> }
</span><ins>+
+template<class HashType = DefaultHash<String>::Hash>
+std::optional<HashSet<String, HashType>> parseAccessControlAllowList(const String& string)
+{
+    HashSet<String, HashType> set;
+    unsigned start = 0;
+    size_t end;
+    while ((end = string.find(',', start)) != notFound) {
+        if (start != end)
+            addToAccessControlAllowList(string, start, end - 1, set);
+        start = end + 1;
+    }
+    if (start != string.length())
+        addToAccessControlAllowList(string, start, string.length() - 1, set);
+
+    return set;
+}
+
+}
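Review bot: parseAccessControlAllowList is declared to return std::optional&lt;HashSet&lt;String, HashType&gt;&gt; but its only return statement is "return set;", so the optional is never empty and the callers' "if (!methods)" checks are dead code; either reject something (and document what) or return the HashSet directly. Two smaller points: the trimming in addToAccessControlAllowList uses isSpaceOrNewline while stripLeadingAndTrailingHTTPSpace a few lines above uses isHTTPSpace, so this header now carries two definitions of header whitespace; and since these templates moved out of the .cpp, make sure HTTPParsers.h itself includes what they use (HashSet, DefaultHash, notFound, isSpaceOrNewline) instead of relying on the includes of whichever file happened to instantiate them.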
</ins></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkResourceResponseBasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp   2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp      2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -317,7 +317,7 @@
</span><span class="cx">     // FIXME: Should invalidate or update platform response if present.
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-static bool isSafeToKeepRedirectionHeader(HTTPHeaderName name)
</del><ins>+static bool isSafeRedirectionResponseHeader(HTTPHeaderName name)
</ins><span class="cx"> {
</span><span class="cx">     // WebCore needs to keep location and cache related headers as it does caching.
</span><span class="cx">     // We also keep CORS/ReferrerPolicy headers until CORS checks/Referrer computation are done in NetworkProcess.
</span><span class="lines">@@ -330,6 +330,7 @@
</span><span class="cx">         || name == HTTPHeaderName::LastModified
</span><span class="cx">         || name == HTTPHeaderName::Age
</span><span class="cx">         || name == HTTPHeaderName::Pragma
</span><ins>+        || name == HTTPHeaderName::ReferrerPolicy
</ins><span class="cx">         || name == HTTPHeaderName::Refresh
</span><span class="cx">         || name == HTTPHeaderName::Vary
</span><span class="cx">         || name == HTTPHeaderName::AccessControlAllowCredentials
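Review bot: adding ReferrerPolicy here is a behaviour change, not part of the refactoring: the comment above this list already said CORS/ReferrerPolicy headers are kept on redirection responses, but Referrer-Policy was missing from the list, so redirect responses carrying Referrer-Policy lost it before this patch. Call that out in the ChangeLog and cover it with a test; the only test listed is about service-worker header filtering.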
</span><span class="lines">@@ -341,16 +342,90 @@
</span><span class="cx">         || name == HTTPHeaderName::TimingAllowOrigin;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void ResourceResponseBase::sanitizeRedirectionHTTPHeaderFields()
</del><ins>+static bool isSafeCrossOriginResponseHeader(HTTPHeaderName name)
</ins><span class="cx"> {
</span><ins>+    // All known response headers used in WebProcesses.
+    return name == HTTPHeaderName::AcceptRanges
+        || name == HTTPHeaderName::AccessControlAllowCredentials
+        || name == HTTPHeaderName::AccessControlAllowHeaders
+        || name == HTTPHeaderName::AccessControlAllowMethods
+        || name == HTTPHeaderName::AccessControlAllowOrigin
+        || name == HTTPHeaderName::AccessControlExposeHeaders
+        || name == HTTPHeaderName::AccessControlMaxAge
+        || name == HTTPHeaderName::AccessControlRequestHeaders
+        || name == HTTPHeaderName::AccessControlRequestMethod
+        || name == HTTPHeaderName::Age
+        || name == HTTPHeaderName::CacheControl
+        || name == HTTPHeaderName::ContentDisposition
+        || name == HTTPHeaderName::ContentEncoding
+        || name == HTTPHeaderName::ContentLanguage
+        || name == HTTPHeaderName::ContentLength
+        || name == HTTPHeaderName::ContentRange
+        || name == HTTPHeaderName::ContentSecurityPolicy
+        || name == HTTPHeaderName::ContentSecurityPolicyReportOnly
+        || name == HTTPHeaderName::ContentType
+        || name == HTTPHeaderName::Date
+        || name == HTTPHeaderName::ETag
+        || name == HTTPHeaderName::Expires
+        || name == HTTPHeaderName::IcyMetaInt
+        || name == HTTPHeaderName::IcyMetadata
+        || name == HTTPHeaderName::LastEventID
+        || name == HTTPHeaderName::LastModified
+        || name == HTTPHeaderName::Link
+        || name == HTTPHeaderName::Pragma
+        || name == HTTPHeaderName::Range
+        || name == HTTPHeaderName::ReferrerPolicy
+        || name == HTTPHeaderName::Refresh
+        || name == HTTPHeaderName::SourceMap
+        || name == HTTPHeaderName::XSourceMap
+        || name == HTTPHeaderName::TimingAllowOrigin
+        || name == HTTPHeaderName::Trailer
+        || name == HTTPHeaderName::Vary
+        || name == HTTPHeaderName::XContentTypeOptions
+        || name == HTTPHeaderName::XDNSPrefetchControl
+        || name == HTTPHeaderName::XFrameOptions
+        || name == HTTPHeaderName::XWebKitCSP
+        || name == HTTPHeaderName::XWebKitCSPReportOnly
+        || name == HTTPHeaderName::XXSSProtection;
+}
+
+void ResourceResponseBase::sanitizeHTTPHeaderFields(SanitizationType type)
+{
</ins><span class="cx">     lazyInit(AllFields);
</span><span class="cx"> 
</span><del>-    auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
-    for (auto& header : commonHeaders) {
-        if (isSafeToKeepRedirectionHeader(header.key))
-            m_httpHeaderFields.add(header.key, WTFMove(header.value));
</del><ins>+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie);
+    m_httpHeaderFields.commonHeaders().remove(HTTPHeaderName::SetCookie2);
+
+    switch (type) {
+    case SanitizationType::RemoveCookies:
+        return;
+    case SanitizationType::Redirection: {
+        auto commonHeaders = WTFMove(m_httpHeaderFields.commonHeaders());
+        for (auto& header : commonHeaders) {
+            if (isSafeRedirectionResponseHeader(header.key))
+                m_httpHeaderFields.add(header.key, WTFMove(header.value));
+        }
+        m_httpHeaderFields.uncommonHeaders().clear();
+        return;
</ins><span class="cx">     }
</span><del>-    m_httpHeaderFields.uncommonHeaders().clear();
</del><ins>+    case SanitizationType::CrossOriginSafe: {
+        HTTPHeaderMap filteredHeaders;
+        for (auto& header : m_httpHeaderFields.commonHeaders()) {
+            if (isSafeCrossOriginResponseHeader(header.key))
+                filteredHeaders.add(header.key, WTFMove(header.value));
+        }
+        if (auto corsSafeHeaderSet = parseAccessControlAllowList(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders))) {
+            for (auto& headerName : *corsSafeHeaderSet) {
+                if (!filteredHeaders.contains(headerName)) {
+                    auto value = m_httpHeaderFields.get(headerName);
+                    if (!value.isNull())
+                        filteredHeaders.add(headerName, value);
+                }
+            }
+        }
+        m_httpHeaderFields = WTFMove(filteredHeaders);
+    }
+    }
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ResourceResponseBase::isHTTP09() const
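Review bot: in the CrossOriginSafe branch, Access-Control-Expose-Headers is split into names and each one is looked up literally with m_httpHeaderFields.get(headerName), so the wildcard form "Access-Control-Expose-Headers: *" (valid for non-credentialed requests) exposes nothing; either expand "*" to the remaining headers for non-credentialed loads or say in a comment that the wildcard is intentionally unsupported at this layer. Also, isSafeCrossOriginResponseHeader is described as "All known response headers used in WebProcesses" but includes request-only headers (AccessControlRequestHeaders, AccessControlRequestMethod, Range, LastEventID); dropping those makes the allowlist easier to audit. Minor: the CrossOriginSafe case ends without a return or break while the other two cases return, so add one for symmetry.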
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkResourceResponseBaseh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/ResourceResponseBase.h (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/ResourceResponseBase.h     2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/platform/network/ResourceResponseBase.h        2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -102,8 +102,10 @@
</span><span class="cx"> 
</span><span class="cx">     WEBCORE_EXPORT const HTTPHeaderMap& httpHeaderFields() const;
</span><span class="cx">     void setHTTPHeaderFields(HTTPHeaderMap&&);
</span><del>-    WEBCORE_EXPORT void sanitizeRedirectionHTTPHeaderFields();
</del><span class="cx"> 
</span><ins>+    enum class SanitizationType { Redirection, RemoveCookies, CrossOriginSafe };
+    WEBCORE_EXPORT void sanitizeHTTPHeaderFields(SanitizationType);
+
</ins><span class="cx">     String httpHeaderField(const String& name) const;
</span><span class="cx">     WEBCORE_EXPORT String httpHeaderField(HTTPHeaderName) const;
</span><span class="cx">     WEBCORE_EXPORT void setHTTPHeaderField(const String& name, const String& value);
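Review bot: the three SanitizationType values are undocumented and their relationship is not obvious from the names. Per the .cpp, RemoveCookies strips only Set-Cookie/Set-Cookie2, Redirection additionally keeps only the redirection allowlist and clears all uncommon headers, and CrossOriginSafe keeps only the cross-origin allowlist plus headers named in Access-Control-Expose-Headers, with Set-Cookie/Set-Cookie2 removed in every mode. A one-line comment per enumerator saying what survives would let callers pick the right level without reading sanitizeHTTPHeaderFields.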
</span></span></pre></div>
<a id="trunkSourceWebCoretestingServiceWorkerInternalscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/testing/ServiceWorkerInternals.cpp (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/testing/ServiceWorkerInternals.cpp  2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/testing/ServiceWorkerInternals.cpp     2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -80,6 +80,15 @@
</span><span class="cx">     return fetchResponse;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+Vector<String> ServiceWorkerInternals::fetchResponseHeaderList(FetchResponse& response)
+{
+    Vector<String> headerNames;
+    headerNames.reserveInitialCapacity(response.internalResponseHeaders().size());
+    for (auto keyValue : response.internalResponseHeaders())
+        headerNames.uncheckedAppend(keyValue.key);
+    return headerNames;
+}
+
</ins><span class="cx"> } // namespace WebCore
</span><span class="cx"> 
</span><span class="cx"> #endif
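Review bot: "for (auto keyValue : response.internalResponseHeaders())" copies each key/value pair out of the map on every iteration; use "auto&amp; keyValue" and append keyValue.key from the reference. The reserveInitialCapacity/uncheckedAppend pairing is only safe if iterating the HTTPHeaderMap yields exactly size() entries (common plus uncommon headers); if that invariant is not guaranteed by HTTPHeaderMap, plain append is the safer choice in test-only code.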
</span></span></pre></div>
<a id="trunkSourceWebCoretestingServiceWorkerInternalsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/testing/ServiceWorkerInternals.h (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/testing/ServiceWorkerInternals.h    2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/testing/ServiceWorkerInternals.h       2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -47,6 +47,8 @@
</span><span class="cx">     Ref<FetchEvent> createBeingDispatchedFetchEvent(ScriptExecutionContext&);
</span><span class="cx">     Ref<FetchResponse> createOpaqueWithBlobBodyResponse(ScriptExecutionContext&);
</span><span class="cx"> 
</span><ins>+    Vector<String> fetchResponseHeaderList(FetchResponse&);
+
</ins><span class="cx"> private:
</span><span class="cx">     explicit ServiceWorkerInternals(ServiceWorkerIdentifier);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoretestingServiceWorkerInternalsidl"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/testing/ServiceWorkerInternals.idl (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/testing/ServiceWorkerInternals.idl  2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebCore/testing/ServiceWorkerInternals.idl     2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -33,4 +33,6 @@
</span><span class="cx">     Promise<Response> waitForFetchEventToFinish(FetchEvent event);
</span><span class="cx">     [CallWith=ScriptExecutionContext] FetchEvent createBeingDispatchedFetchEvent();
</span><span class="cx">     [CallWith=ScriptExecutionContext] FetchResponse createOpaqueWithBlobBodyResponse();
</span><ins>+
+    sequence<ByteString> fetchResponseHeaderList(FetchResponse response);
</ins><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/ChangeLog (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/ChangeLog    2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebKit/ChangeLog       2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -1,3 +1,32 @@
</span><ins>+2018-04-06  Youenn Fablet  <youenn@apple.com>
+
+        Response headers should be filtered when sent from NetworkProcess to WebProcess
+        https://bugs.webkit.org/show_bug.cgi?id=184310
+
+        Reviewed by Ryosuke Niwa.
+
+        Pass destination parameter to NetworkResourceLoader.
+        Use new sanitization routine to filter response headers as needed:
+        - Cross-origin routines are filtered by removing any non CORS allowed headers.
+        - Same-origin responses are filtered by removing non used headers, except when filtering would be visible by JS (XHR, fetch).
+        In all cases, Set-Cookie/Set-Cookie2 headers are filtered out.
+
+        * NetworkProcess/NetworkResourceLoadParameters.cpp:
+        (WebKit::NetworkResourceLoadParameters::encode const):
+        (WebKit::NetworkResourceLoadParameters::decode):
+        * NetworkProcess/NetworkResourceLoadParameters.h:
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        (WebKit::NetworkResourceLoader::didReceiveResponse):
+        (WebKit::NetworkResourceLoader::willSendRedirectedRequest):
+        (WebKit::NetworkResourceLoader::sanitizeResponseIfPossible):
+        (WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
+        (WebKit::NetworkResourceLoader::dispatchWillSendRequestForCacheEntry):
+        * NetworkProcess/NetworkResourceLoader.h:
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+        * WebProcess/Storage/WebSWContextManagerConnection.cpp:
+        (WebKit::WebSWContextManagerConnection::updatePreferencesStore):
+
</ins><span class="cx"> 2018-04-05  Ryosuke Niwa  <rniwa@webkit.org>
</span><span class="cx"> 
</span><span class="cx">         Make all sync IPCs during ScriptDisallowedScope set DoNotProcessIncomingMessagesWhenWaitingForSyncReply
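Review bot: in the description, "Cross-origin routines are filtered" should read "Cross-origin responses are filtered". The closing sentence "In all cases, Set-Cookie/Set-Cookie2 headers are filtered out" also overstates what the code does: NetworkResourceLoader::sanitizeResponseIfPossible only filters when m_parameters.shouldRestrictHTTPResponseAccess is set, and WebLoaderStrategy::scheduleLoadFromNetworkProcess leaves that false for FetchOptions::Mode::Navigate, so navigation responses still reach the WebProcess unfiltered. Suggest qualifying it: "When restrictedHTTPResponseAccess is enabled, Set-Cookie/Set-Cookie2 headers are filtered out in all cases; navigation responses are not yet sanitized (see the FIXME in WebLoaderStrategy)."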
</span></span></pre></div>
<a id="trunkSourceWebKitNetworkProcessNetworkResourceLoadParameterscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp     2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp        2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -89,6 +89,7 @@
</span><span class="cx">     if (sourceOrigin)
</span><span class="cx">         encoder << sourceOrigin->data();
</span><span class="cx">     encoder.encodeEnum(mode);
</span><ins>+    encoder.encodeEnum(destination);
</ins><span class="cx">     encoder << cspResponseHeaders;
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(CONTENT_EXTENSIONS)
</span><span class="lines">@@ -179,6 +180,8 @@
</span><span class="cx">     }
</span><span class="cx">     if (!decoder.decodeEnum(result.mode))
</span><span class="cx">         return false;
</span><ins>+    if (!decoder.decodeEnum(result.destination))
+        return false;
</ins><span class="cx">     if (!decoder.decode(result.cspResponseHeaders))
</span><span class="cx">         return false;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKitNetworkProcessNetworkResourceLoadParametersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h       2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h  2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -57,6 +57,7 @@
</span><span class="cx">     Vector<String> derivedCachedDataTypesToRetrieve;
</span><span class="cx">     RefPtr<WebCore::SecurityOrigin> sourceOrigin;
</span><span class="cx">     WebCore::FetchOptions::Mode mode;
</span><ins>+    WebCore::FetchOptions::Destination destination;
</ins><span class="cx">     std::optional<WebCore::ContentSecurityPolicyResponseHeaders> cspResponseHeaders;
</span><span class="cx">     bool shouldRestrictHTTPResponseAccess { false };
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKitNetworkProcessNetworkResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp     2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp        2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -335,10 +335,12 @@
</span><span class="cx"> 
</span><span class="cx">     bool shouldWaitContinueDidReceiveResponse = isMainResource();
</span><span class="cx">     if (shouldSendDidReceiveResponse) {
</span><ins>+        // FIXME: Sanitize response.
+        auto response = sanitizeResponseIfPossible(ResourceResponse { m_response }, ResourceResponse::SanitizationType::CrossOriginSafe);
</ins><span class="cx">         if (isSynchronous())
</span><del>-            m_synchronousLoadData->response = m_response;
</del><ins>+            m_synchronousLoadData->response = WTFMove(response);
</ins><span class="cx">         else
</span><del>-            send(Messages::WebResourceLoader::DidReceiveResponse(m_response, shouldWaitContinueDidReceiveResponse));
</del><ins>+            send(Messages::WebResourceLoader::DidReceiveResponse { response, shouldWaitContinueDidReceiveResponse });
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // For main resources, the web process is responsible for sending back a NetworkResourceLoader::ContinueDidReceiveResponse message.
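Review bot: the "// FIXME: Sanitize response." comment is added directly above the sanitizeResponseIfPossible call that performs the sanitization, so it is stale as committed; either drop it or reword it to name the remaining gap (tainting-based filtering, navigations). Minor: response is not used after the send, so passing WTFMove(response) into DidReceiveResponse would avoid a second copy of the header map, as the synchronous branch already does.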
</span><span class="lines">@@ -459,13 +461,21 @@
</span><span class="cx">     if (canUseCachedRedirect(request))
</span><span class="cx">         m_cache->storeRedirect(request, redirectResponse, redirectRequest);
</span><span class="cx"> 
</span><del>-    send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeRedirectResponseIfPossible(WTFMove(redirectResponse))));
</del><ins>+    send(Messages::WebResourceLoader::WillSendRequest(redirectRequest, sanitizeResponseIfPossible(WTFMove(redirectResponse), ResourceResponse::SanitizationType::Redirection)));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-ResourceResponse NetworkResourceLoader::sanitizeRedirectResponseIfPossible(ResourceResponse&& response)
</del><ins>+ResourceResponse NetworkResourceLoader::sanitizeResponseIfPossible(ResourceResponse&& response, ResourceResponse::SanitizationType type)
</ins><span class="cx"> {
</span><del>-    if (m_parameters.shouldRestrictHTTPResponseAccess)
-        response.sanitizeRedirectionHTTPHeaderFields();
</del><ins>+    if (m_parameters.shouldRestrictHTTPResponseAccess) {
+        if (type == ResourceResponse::SanitizationType::CrossOriginSafe) {
+            // We reduce filtering when it would otherwise be visible to scripts.
+            // FIXME: We should use response tainting once computed in Network Process.
+            bool isSameOrigin = m_parameters.sourceOrigin ? m_parameters.sourceOrigin->canRequest(response.url()) : protocolHostAndPortAreEqual(response.url(), m_parameters.request.url());
+            if (isSameOrigin && m_parameters.destination == FetchOptions::Destination::EmptyString)
+                type = ResourceResponse::SanitizationType::RemoveCookies;
+        }
+        response.sanitizeHTTPHeaderFields(type);
+    }
</ins><span class="cx">     return WTFMove(response);
</span><span class="cx"> }
</span><span class="cx"> 
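Review bot: the same-origin fallback in the CrossOriginSafe branch fails open when m_parameters.sourceOrigin is null. protocolHostAndPortAreEqual(response.url(), m_parameters.request.url()) compares the response URL with the URL of the request that produced it, which for a non-redirected load is the same URL, so the test is effectively always true and the filter is downgraded to RemoveCookies regardless of which origin issued the load. Since RemoveCookies is the weaker filter, an unknown requester should keep CrossOriginSafe, for instance `bool isSameOrigin = m_parameters.sourceOrigin ? m_parameters.sourceOrigin->canRequest(response.url()) : false;`, or every call site should be required to supply sourceOrigin. The FIXME about tainting is worth keeping prominent too: canRequest on the final response URL cannot distinguish a direct same-origin response from one that was redirected through another origin, which tainting computed in the Network Process would. One remark on the first part of this hunk: m_cache->storeRedirect stores the unsanitized redirectResponse and only the copy sent to the WebProcess is filtered; that is the right order, because the filter depends on the requester and a later cache hit is re-sanitized in dispatchWillSendRequestForCacheEntry, but a comment saying so would stop someone from moving the sanitization ahead of the store.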
</span><span class="lines">@@ -568,8 +578,9 @@
</span><span class="cx"> 
</span><span class="cx"> void NetworkResourceLoader::didRetrieveCacheEntry(std::unique_ptr<NetworkCache::Entry> entry)
</span><span class="cx"> {
</span><ins>+    auto response = sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::CrossOriginSafe);
</ins><span class="cx">     if (isSynchronous()) {
</span><del>-        m_synchronousLoadData->response = entry->response();
</del><ins>+        m_synchronousLoadData->response = WTFMove(response);
</ins><span class="cx">         sendReplyToSynchronousRequest(*m_synchronousLoadData, entry->buffer());
</span><span class="cx">         cleanup();
</span><span class="cx">         return;
</span><span class="lines">@@ -576,7 +587,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     bool needsContinueDidReceiveResponseMessage = isMainResource();
</span><del>-    send(Messages::WebResourceLoader::DidReceiveResponse(entry->response(), needsContinueDidReceiveResponseMessage));
</del><ins>+    send(Messages::WebResourceLoader::DidReceiveResponse { response, needsContinueDidReceiveResponseMessage });
</ins><span class="cx"> 
</span><span class="cx">     if (needsContinueDidReceiveResponseMessage)
</span><span class="cx">         m_cacheEntryWaitingForContinueDidReceiveResponse = WTFMove(entry);
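Review bot: for main resources the entry is kept in m_cacheEntryWaitingForContinueDidReceiveResponse with its unsanitized response, while only the local sanitized copy was sent in DidReceiveResponse. Whatever later consumes that entry (the ContinueDidReceiveResponse path) must not forward entry->response() to the WebProcess again or the filtering is undone; a comment at the assignment, or storing the sanitized response alongside the entry, would make that invariant explicit.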
</span><span class="lines">@@ -672,7 +683,7 @@
</span><span class="cx">     LOG(NetworkCache, "(NetworkProcess) Executing cached redirect");
</span><span class="cx"> 
</span><span class="cx">     ++m_redirectCount;
</span><del>-    send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeRedirectResponseIfPossible(ResourceResponse { entry->response() }) });
</del><ins>+    send(Messages::WebResourceLoader::WillSendRequest { *entry->redirectRequest(), sanitizeResponseIfPossible(ResourceResponse { entry->response() }, ResourceResponse::SanitizationType::Redirection) });
</ins><span class="cx">     m_isWaitingContinueWillSendRequestForCachedRedirect = true;
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKitNetworkProcessNetworkResourceLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h       2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.h  2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "NetworkLoadClient.h"
</span><span class="cx"> #include "NetworkResourceLoadParameters.h"
</span><span class="cx"> #include "ShareableResource.h"
</span><ins>+#include <WebCore/ResourceResponse.h>
</ins><span class="cx"> #include <WebCore/Timer.h>
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="lines">@@ -146,7 +147,7 @@
</span><span class="cx">     void logCookieInformation() const;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><del>-    WebCore::ResourceResponse sanitizeRedirectResponseIfPossible(WebCore::ResourceResponse&&);
</del><ins>+    WebCore::ResourceResponse sanitizeResponseIfPossible(WebCore::ResourceResponse&&, WebCore::ResourceResponse::SanitizationType);
</ins><span class="cx"> 
</span><span class="cx">     const NetworkResourceLoadParameters m_parameters;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebKitWebProcessNetworkWebLoaderStrategycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp     2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp        2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -273,6 +273,7 @@
</span><span class="cx">     loadParameters.needsCertificateInfo = resourceLoader.shouldIncludeCertificateInfo();
</span><span class="cx">     loadParameters.maximumBufferingTime = maximumBufferingTime;
</span><span class="cx">     loadParameters.derivedCachedDataTypesToRetrieve = resourceLoader.options().derivedCachedDataTypesToRetrieve;
</span><ins>+    loadParameters.destination = resourceLoader.options().destination;
</ins><span class="cx"> 
</span><span class="cx">     // FIXME: We should also sanitize redirect response for navigations.
</span><span class="cx">     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess() && resourceLoader.options().mode != FetchOptions::Mode::Navigate;
</span><span class="lines">@@ -432,6 +433,8 @@
</span><span class="cx">     loadParameters.clientCredentialPolicy = clientCredentialPolicy;
</span><span class="cx">     loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect(webFrame ? webFrame->coreFrame() : nullptr);
</span><span class="cx">     loadParameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
</span><ins>+    // FIXME: Use the proper destination once all fetch options are passed.
+    loadParameters.destination = FetchOptions::Destination::EmptyString;
</ins><span class="cx"> 
</span><span class="cx">     data.shrink(0);
</span><span class="cx"> 
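Review bot: FetchOptions::Destination::EmptyString is not a neutral placeholder here. In NetworkResourceLoader::sanitizeResponseIfPossible, destination == EmptyString together with a same-origin response is exactly the condition that downgrades CrossOriginSafe to RemoveCookies, so until this FIXME is resolved this path gets the weakest filtering by default. If the real destination is not yet available, choose a value that keeps the stronger filter, or gate the downgrade on an explicit "script-visible" flag that defaults to false, so the placeholder fails closed. The same applies to the preconnect parameters in the next hunk, although no response is sanitized there today.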
</span><span class="lines">@@ -528,6 +531,8 @@
</span><span class="cx">     parameters.storedCredentialsPolicy = storedCredentialsPolicy;
</span><span class="cx">     parameters.shouldPreconnectOnly = PreconnectOnly::Yes;
</span><span class="cx">     parameters.shouldRestrictHTTPResponseAccess = RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess();
</span><ins>+    // FIXME: Use the proper destination once all fetch options are passed.
+    parameters.destination = FetchOptions::Destination::EmptyString;
</ins><span class="cx"> 
</span><span class="cx">     WebProcess::singleton().ensureNetworkProcessConnection().connection().send(Messages::NetworkConnectionToWebProcess::PreconnectTo(preconnectionIdentifier, WTFMove(parameters)), 0);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebKitWebProcessStorageWebSWContextManagerConnectioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp (230364 => 230365)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp 2018-04-07 00:33:00 UTC (rev 230364)
+++ trunk/Source/WebKit/WebProcess/Storage/WebSWContextManagerConnection.cpp    2018-04-07 03:48:55 UTC (rev 230365)
</span><span class="lines">@@ -128,6 +128,7 @@
</span><span class="cx">     RuntimeEnabledFeatures::sharedFeatures().setUserTimingEnabled(store.getBoolValueForKey(WebPreferencesKey::userTimingEnabledKey()));
</span><span class="cx">     RuntimeEnabledFeatures::sharedFeatures().setResourceTimingEnabled(store.getBoolValueForKey(WebPreferencesKey::resourceTimingEnabledKey()));
</span><span class="cx">     RuntimeEnabledFeatures::sharedFeatures().setFetchAPIKeepAliveEnabled(store.getBoolValueForKey(WebPreferencesKey::fetchAPIKeepAliveEnabledKey()));
</span><ins>+    RuntimeEnabledFeatures::sharedFeatures().setRestrictedHTTPResponseAccess(store.getBoolValueForKey(WebPreferencesKey::restrictedHTTPResponseAccessKey()));
</ins><span class="cx"> 
</span><span class="cx">     m_storageBlockingPolicy = static_cast<SecurityOrigin::StorageBlockingPolicy>(store.getUInt32ValueForKey(WebPreferencesKey::storageBlockingPolicyKey()));
</span><span class="cx"> }
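Review bot: setting restrictedHTTPResponseAccess in the service worker context process matters because WebLoaderStrategy derives shouldRestrictHTTPResponseAccess from RuntimeEnabledFeatures::sharedFeatures() at load time; without this line, loads issued from a service worker would have been sent with filtering disabled. A service-worker-side regression test (the new ServiceWorkerInternals.fetchResponseHeaderList hook looks intended for that) would pin this down.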
</span></span></pre>
</div>
</div>

</body>
</html>