[webkit-reviews] review granted: [Bug 241003] HSTS synthesized redirect responses should not be blocked by CORS : [Attachment 459975] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 2 23:52:09 PDT 2022

youenn fablet <youennf at gmail.com> has granted Alex Christensen
<achristensen at apple.com>'s request for review:
Bug 241003: HSTS synthesized redirect responses should not be blocked by CORS

Attachment 459975: Patch


--- Comment #4 from youenn fablet <youennf at gmail.com> ---
Comment on attachment 459975
  --> https://bugs.webkit.org/attachment.cgi?id=459975

View in context: https://bugs.webkit.org/attachment.cgi?id=459975&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:640
> +	   NSString *origin = [request valueForHTTPHeaderField:@"Origin"] ?:

If there is no origin header, we probably do not need to add
AccessControlAllowOrigin header. Adding it with '*' does not harm though.

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:642
> +	  
request, [completionHandler = makeBlockPtr(completionHandler), taskIdentifier,
shouldIgnoreHSTS](auto&& request) {

Seems fine for now. There are corner cases that will not work (CORS preflight
for instance)
In the future, we could add a dedicated HSTS upgrade signal and let
NetworkResourceLoader/NetworkLoadChecker deal with the full case.

More information about the webkit-reviews mailing list