[webkit-reviews] review granted: [Bug 241003] HSTS synthesized redirect responses should not be blocked by CORS : [Attachment 459975] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 2 23:52:09 PDT 2022


youenn fablet <youennf at gmail.com> has granted Alex Christensen
<achristensen at apple.com>'s request for review:
Bug 241003: HSTS synthesized redirect responses should not be blocked by CORS
https://bugs.webkit.org/show_bug.cgi?id=241003

Attachment 459975: Patch

https://bugs.webkit.org/attachment.cgi?id=459975&action=review




--- Comment #4 from youenn fablet <youennf at gmail.com> ---
Comment on attachment 459975
  --> https://bugs.webkit.org/attachment.cgi?id=459975
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=459975&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:640
> +	   NSString *origin = [request valueForHTTPHeaderField:@"Origin"] ?:
@"*";
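
Review bot: The `?: @"*"` fallback on the `origin` line substitutes a wildcard whenever the request carries no Origin header, and the quoted line gives no reason for that choice. If this value ends up in an allow-origin header on the synthesized response, consider omitting the header when Origin is absent, or add a one-line comment stating why a wildcard is acceptable at this point.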

If there is no origin header, we probably do not need to add
AccessControlAllowOrigin header. Adding it with '*' does not harm though.

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:642
> +	  
networkDataTask->willPerformHTTPRedirection(WTFMove(synthesizedResponse),
request, [completionHandler = makeBlockPtr(completionHandler), taskIdentifier,
shouldIgnoreHSTS](auto&& request) {
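
Review bot: The lambda parameter `auto&& request` reuses the name of the `request` passed as the second argument to `willPerformHTTPRedirection`, so inside the lambda body the name refers to the request handed to the callback, not the original one. Renaming the parameter (for example to `redirectRequest`, a suggested name) would make it obvious which request the body operates on next to `taskIdentifier` and `shouldIgnoreHSTS`.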

Seems fine for now. There are corner cases that will not work (CORS preflight,
for instance).
In the future, we could add a dedicated HSTS upgrade signal and let
NetworkResourceLoader/NetworkLoadChecker deal with the full case.

