[wpe-webkit] Allowing CORS for custom URI scheme

Ryan Walklin ryan at testtoast.com
Wed May 15 03:18:45 PDT 2019 

> On Tue, 7 May 2019, at 1:52 AM, Adrian Perez de Castro wrote:
> > As far as I understand our API documentation, this is supposed to work.
> > I have not checked the actual WebKit code yet, so it may as well be that
> > we have some bug which prevents it to work.

I've dug around the code a bit, and found the relevant point at which the CORS check is made in WPENetworkProcess (and fails):

* thread #1, name = 'WPENetworkProce', stop reason = breakpoint 2.1
    frame #0: 0x00007f3e55f2a4ca libWPEWebKit-1.0.so.2`WebCore::passesAccessControlCheck(response=0x00007f3e4fbec220, storedCredentialsPolicy=DoNotUse, securityOrigin=0x00007f3e4fbe6000, errorDescription=0x00007ffdfafe5910) at CrossOriginAccessControl.cpp:172:112
   169 	{
   170 	    // A wildcard Access-Control-Allow-Origin can not be used if credentials are to be sent,
   171 	    // even with Access-Control-Allow-Credentials set to true.
   172	    const String& accessControlOriginString = response.httpHeaderField(HTTPHeaderName::AccessControlAllowOrigin);
-> 173 	    if (accessControlOriginString == "*" && storedCredentialsPolicy == StoredCredentialsPolicy::DoNotUse)
   174 	        return true;
Target 0: (WPENetworkProcess) stopped.
(lldb) bt
* thread #1, name = 'WPENetworkProce', stop reason = breakpoint 2.1
  * frame #0: 0x00007f3e55f2a4ca libWPEWebKit-1.0.so.2`WebCore::passesAccessControlCheck(response=0x00007f3e4fbec220, storedCredentialsPolicy=DoNotUse, securityOrigin=0x00007f3e4fbe6000, errorDescription=0x00007ffdfafe5910) at CrossOriginAccessControl.cpp:172:112
    frame #1: 0x00007f3e54f4b345 libWPEWebKit-1.0.so.2`WebKit::NetworkLoadChecker::validateResponse(this=0x00007f3e4fbec500, response=0x00007f3e4fbec220) at NetworkLoadChecker.cpp:173:34   170 	    return true;

    frame #2: 0x00007f3e54f5bd2a libWPEWebKit-1.0.so.2`WebKit::NetworkResourceLoader::didReceiveResponse(this=0x00007f3e4fbec000, receivedResponse=<unavailable>, completionHandler=0x00007ffdfafe5fe8)>&&) at NetworkResourceLoader.cpp:445:71
    frame #3: 0x00007f3e54f41d52 libWPEWebKit-1.0.so.2`WebKit::NetworkDataTask::didReceiveResponse(WebCore::ResourceResponse&&, WTF::CompletionHandler<void (WebCore::PolicyAction)>&&) at NetworkDataTask.cpp:112:33
    frame #4: 0x00007f3e54fbd164 libWPEWebKit-1.0.so.2`WebKit::NetworkDataTaskSoup::dispatchDidReceiveResponse(this=0x00007f3e0d9f8000) at NetworkDataTaskSoup.cpp:362:23
    frame #5: 0x00007f3e54fbd31e libWPEWebKit-1.0.so.2`WebKit::NetworkDataTaskSoup::didSendRequest(this=0x00007f3e0d9f8000, inputStream=0x00007ffdfafe6228) at NetworkDataTaskSoup.cpp:344:31
    frame #6: 0x00007f3e54fbd7d5 libWPEWebKit-1.0.so.2`WebKit::NetworkDataTaskSoup::sendRequestCallback(soupRequest=0x000000000069f330, result=0x00007f3de0014830, task=0x00007f3e0d9f8000) at NetworkDataTaskSoup.cpp:308:29
    frame #7: 0x00007f3e51acba9a libgio-2.0.so.0`___lldb_unnamed_symbol1500$$libgio-2.0.so.0 + 58
    frame #8: 0x00007f3e51acc66d libgio-2.0.so.0`___lldb_unnamed_symbol1508$$libgio-2.0.so.0 + 141
frame #9: 0x00007f3e54f755cb libWPEWebKit-1.0.so.2`WebKit::LegacyCustomProtocolManager::didLoadData(this=<unavailable>, customProtocolID=<unavailable>, dataReference=0x00007ffdfafe6350) at LegacyCustomProtocolManagerSoup.cpp:174:30
    frame #10: 0x00007f3e54f35a11 libWPEWebKit-1.0.so.2`WebKit::LegacyCustomProtocolManager::didReceiveMessage(IPC::Connection&, IPC::Decoder&) [inlined] void IPC::callMemberFunctionImpl<WebKit::LegacyCustomProtocolManager, void (WebKit::LegacyCustomProtocolManager::*)(unsigned long, IPC::DataReference const&), std::tuple<unsigned long, IPC::DataReference>, 0ul, 1ul>(args=<unavailable>, function=<unavailable>, object=<unavailable>)(unsigned long, IPC::DataReference const&), std::tuple<unsigned long, IPC::DataReference>&&, std::integer_sequence<unsigned long, 0ul, 1ul>) at HandleMessage.h:41:24
    frame #11: 0x00007f3e54f35a01 libWPEWebKit-1.0.so.2`WebKit::LegacyCustomProtocolManager::didReceiveMessage(IPC::Connection&, IPC::Decoder&) [inlined] void IPC::callMemberFunction<WebKit::LegacyCustomProtocolManager, void (WebKit::LegacyCustomProtocolManager::*)(unsigned long, IPC::DataReference const&), std::tuple<unsigned long, IPC::DataReference>, std::integer_sequence<unsigned long, 0ul, 1ul> >(function=<unavailable>, object=<unavailable>, args=<unavailable>)(unsigned long, IPC::DataReference const&)) at HandleMessage.h:47
    frame #12: 0x00007f3e54f35a01 libWPEWebKit-1.0.so.2`WebKit::LegacyCustomProtocolManager::didReceiveMessage(IPC::Connection&, IPC::Decoder&) [inlined] void IPC::handleMessage<Messages::LegacyCustomProtocolManager::DidLoadData, WebKit::LegacyCustomProtocolManager, void (WebKit::LegacyCustomProtocolManager::*)(unsigned long, IPC::DataReference const&)>(function=<unavailable>, object=0x000000000066ebb0, decoder=0x00007f3e4fbd9b40)(unsigned long, IPC::DataReference const&)) at HandleMessage.h:147
    frame #13: 0x00007f3e54f359bd libWPEWebKit-1.0.so.2`WebKit::LegacyCustomProtocolManager::didReceiveMessage(this=0x000000000066ebb0, connection=<unavailable>, decoder=0x00007f3e4fbd9b40) at LegacyCustomProtocolManagerMessageReceiver.cpp:49
    frame #14: 0x00007f3e54fcbebf libWPEWebKit-1.0.so.2`IPC::MessageReceiverMap::dispatchMessage(this=<unavailable>, connection=0x00007f3e4fbf2000, decoder=<unavailable>) at MessageReceiverMap.cpp:123:43
    frame #15: 0x00007f3e54f5da37 libWPEWebKit-1.0.so.2`WebKit::NetworkProcess::didReceiveMessage(this=0x00007f3e581e5420, connection=0x00007f3e4fbf2000, decoder=0x00007f3e4fbd9b40) at NetworkProcess.cpp:203:45
    frame #16: 0x00007f3e54fc5bd0 libWPEWebKit-1.0.so.2`IPC::Connection::dispatchMessage(IPC::Decoder&) at Connection.cpp:978:31
    frame #17: 0x00007f3e54fc7028 libWPEWebKit-1.0.so.2`IPC::Connection::dispatchMessage(this=0x00007f3e4fbf2000, message=0x7f3e4fbd9b40) at Connection.cpp:1005:24
    frame #18: 0x00007f3e54fc7934 libWPEWebKit-1.0.so.2`IPC::Connection::dispatchOneIncomingMessage(this=0x00007f3e4fbf2000) at Connection.cpp:1074:20
    frame #19: 0x00007f3e57621585 libWPEWebKit-1.0.so.2`WTF::RunLoop::performWork() [inlined] WTF::Function<void ()>::operator(this=<unavailable>)() const at Function.h:57:63
    frame #20: 0x00007f3e57621580 libWPEWebKit-1.0.so.2`WTF::RunLoop::performWork(this=0x00007f3e4fbfa000) at RunLoop.cpp:106
    frame #21: 0x00007f3e576706e9 libWPEWebKit-1.0.so.2`_FUN [inlined] operator(__closure=0x000000001b3a8a00, userData=<unavailable>) at RunLoopGLib.cpp:68:53
    frame #22: 0x00007f3e576706e4 libWPEWebKit-1.0.so.2`_FUN((null)=<unavailable>) at RunLoopGLib.cpp:70
    frame #23: 0x00007f3e518e7fd0 libglib-2.0.so.0`g_main_context_dispatch + 352
    frame #24: 0x00007f3e518e8368 libglib-2.0.so.0`___lldb_unnamed_symbol194$$libglib-2.0.so.0 + 520
    frame #25: 0x00007f3e518e86b3 libglib-2.0.so.0`g_main_loop_run + 195
    frame #26: 0x00007f3e576710c0 libWPEWebKit-1.0.so.2`WTF::RunLoop::run() at RunLoopGLib.cpp:96:24
    frame #27: 0x00007f3e54fc1440 libWPEWebKit-1.0.so.2`int WebKit::AuxiliaryProcessMain<WebKit::NetworkProcess, WebKit::NetworkProcessMain>(argc=3, argv=<unavailable>) at AuxiliaryProcessMain.h:66:17
    frame #28: 0x00007f3e512e0f33 libc.so.6`.annobin_libc_start.c + 243
    frame #29: 0x0000000000400ade WPENetworkProcess`_start + 46

I'm afraid to say I cheated and monkey-patched passesAccessControlCheck() to unconditionally return true, which is obviously a security nightmare but works and allows the XHR responses from my custom scheme to pass. At least I can get on with my project now, but it would be great if there was a way to properly allow these.

Regards,

Ryan

More information about the webkit-wpe mailing list