[Webkit-unassigned] [Bug 238238] New: Incorrect CORP/COEP check in 304 responses

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 22 16:28:07 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=238238

            Bug ID: 238238
           Summary: Incorrect CORP/COEP check in 304 responses
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: All
                OS: All
            Status: NEW
          Severity: Major
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dobkin at google.com

When processing 304 (Not Modified) responses, Safari/WebKit blocks the resource even when it should be allowed according to CORP (Cross-Origin-Resource-Policy).

Background: When a top-level page is served with the COEP (Cross-Origin-Embedder-Policy) and COOP (Cross-Origin-Opener-Policy) headers, it is considered cross-origin isolated. The browser requires that the CORP header be present on cross-origin subresources in this case.

According to the HTTP spec, the CORP header must appear on 200 responses but SHOULD NOT appear on 304 responses. However, Safari blocks loading of the resource if the CORP header is missing on the 304 response. The correct behavior is to use the cached value of the header. This behavior causes intermittent failure to load resources in production websites. Caching mechanisms implemented by Apache, etc., automatically discard non-standard headers on 304 responses, so this is difficult to work around on the server side.

Demo/proof of concept: https://adobkin.name/test/corp304.php

Steps to repro:

  1. Serve an HTTPS page with the following headers to opt-in to cross-origin isolation:

     Cross-Origin-Embedder-Policy: require-corp
     Cross-Origin-Opener-Policy: same-origin

     Verify that `window.crossOriginIsolated` is true.

  2. Load a cross-origin resource, e.g.

     <script src="//example.com/resource.js">

     The resource should be served with something along these lines

```php
<?php
// Repro script for the cross-origin resource. CORP is sent before the
// 304 branch, so both the 200 and the 304 carry it from PHP itself;
// intermediaries that drop non-standard headers on 304s remove it again.
header('cache-control: no-cache');
header('content-type: text/javascript');
header('Cross-Origin-Resource-Policy: cross-origin', true);

// Conditional request (If-Modified-Since present): answer 304 with no body.
if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])) {
    header("HTTP/1.1 304 Not Modified");
    exit;
}

// Fixed Last-Modified so the next load revalidates and receives the 304.
header('last-modified: Tue, 08 Mar 2022 11:47:39 GMT');
```

  3. Check that the resource loads successfully on the initial page load. The server will reply with 200 OK.

  4. Upon reload, the resource will load using 304 (Not Modified) and will be blocked due to lack of CORP headers. 

Similar Chromium issue: https://bugs.chromium.org/p/chromium/issues/detail?id=1241264
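To make the expected behaviour concrete, the following is an added Python model of the CORP check on revalidated responses; it is not WebKit code and not part of the report. The `Response` type, the `fetch` helper and the origins used in `demo()` are constructed for illustration, and `corp_allows` models only the `cross-origin` value of CORP.

```python
# Added example (not WebKit or the report's code): a model of the CORP check a
# cross-origin-isolated document applies, showing why 304s need cached headers.
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict  # header names lower-cased


def freshen(stored: Response, revalidation: Response) -> Response:
    """RFC 9111 4.3.4: a 304 updates the stored response's header fields;
    fields absent from the 304 (such as CORP) keep their stored values."""
    merged = dict(stored.headers)
    merged.update(revalidation.headers)
    return Response(200, merged)


def corp_allows(headers: dict, req_origin: str, res_origin: str) -> bool:
    """COEP require-corp: same-origin responses pass; cross-origin ones need
    CORP. Simplification: 'same-site' is not modelled, only 'cross-origin'."""
    if req_origin == res_origin:
        return True
    return headers.get("cross-origin-resource-policy") == "cross-origin"


def fetch(cache: dict, url: str, net: Response,
          req_origin: str, res_origin: str, freshen_first: bool) -> bool:
    """True if the subresource may load. freshen_first=False checks the 304's
    own headers (the reported behaviour); True checks the freshened response."""
    effective = net
    if net.status == 304:
        stored = cache.get(url)
        if stored is None:
            return False  # 304 with nothing cached: the load fails
        effective = freshen(stored, net) if freshen_first else net
    allowed = corp_allows(effective.headers, req_origin, res_origin)
    if allowed and effective.status == 200:
        cache[url] = effective  # store (or refresh) the usable response
    return allowed


def demo() -> tuple:
    """Constructed exchange mirroring the repro: 200 with CORP, then 304 without."""
    page, res = "https://isolated.example", "https://example.com"
    url = res + "/resource.js"
    first = Response(200, {"content-type": "text/javascript",
                           "cross-origin-resource-policy": "cross-origin"})
    revalidated = Response(304, {"cache-control": "no-cache"})
    buggy, correct = {}, {}
    initial = fetch(buggy, url, first, page, res, False) and fetch(correct, url, first, page, res, True)
    return (initial, fetch(buggy, url, revalidated, page, res, False),
            fetch(correct, url, revalidated, page, res, True))
```

`demo()` returns `(True, False, True)`: the initial 200 loads either way, the 304 is blocked when judged by its own headers, and allowed once the cached CORP value is applied.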
