Skip to content
Permalink
Browse files
In case of POST navigation redirected by a 302, the 'Origin' header i…
…s kept in the redirected request

https://bugs.webkit.org/show_bug.cgi?id=222653
<rdar://problem/74983521>

Reviewed by Alex Christensen.

Source/WebCore:

Remove Origin header if the navigation request goes from POST to GET.
This aligns with other browsers and removes some known interop issues.
This is consistent with WebKit not sending Origin headers for GET navigations.

Test: http/wpt/fetch/navigation-post-to-get-origin.html

* loader/DocumentLoader.cpp:
(WebCore::isRedirectToGetAfterPost):
(WebCore::DocumentLoader::willSendRequest):

LayoutTests:

* http/wpt/fetch/echo-origin.py: Added.
* http/wpt/fetch/navigation-post-to-get-origin-expected.txt: Added.
* http/wpt/fetch/navigation-post-to-get-origin.html: Added.


Canonical link: https://commits.webkit.org/234866@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@273905 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • Loading branch information
youennf committed Mar 4, 2021
1 parent 037d330 commit 20f7f90cd9ec314d1ea08f4884a3bc272a9bf26c
Showing 6 changed files with 81 additions and 0 deletions.
@@ -1,3 +1,15 @@
2021-03-04 Youenn Fablet <youenn@apple.com>

In case of POST navigation redirected by a 302, the 'Origin' header is kept in the redirected request
https://bugs.webkit.org/show_bug.cgi?id=222653
<rdar://problem/74983521>

Reviewed by Alex Christensen.

* http/wpt/fetch/echo-origin.py: Added.
* http/wpt/fetch/navigation-post-to-get-origin-expected.txt: Added.
* http/wpt/fetch/navigation-post-to-get-origin.html: Added.

2021-03-04 Said Abou-Hallawa <said@apple.com>

Followup (r273764): Use different container sizes in background-svg-image-loading.html
@@ -0,0 +1,8 @@





PASS No origin header after POST submission and 302 redirection
PASS No origin header after POST submission and 303 redirection

@@ -0,0 +1,32 @@
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Navigation and POST to GET redirect</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
</head>
<body>
<form id="myform" method="POST" action="/common/redirect.py?status=302&location=/WebKit/fetch/resources/echo-origin.py" target="targetFrame">
<input name="the-input" value="input value goes here">
</form>
<iframe name="targetFrame" src="about:blank"></iframe>
<form id="myform2" method="POST" action="/common/redirect.py?status=303&location=/WebKit/fetch/resources/echo-origin.py" target="targetFrame2">
<input name="the-input" value="input value goes here">
</form>
<iframe name="targetFrame2" src="about:blank"></iframe>
<script>
promise_test(async t => {
myform.submit();
const data = await new Promise(resolve => onmessage = (e) => resolve(e.data));
assert_equals(data, "no header");
}, "No origin header after POST submission and 302 redirection");

promise_test(async t => {
myform2.submit();
const data = await new Promise(resolve => onmessage = (e) => resolve(e.data));
assert_equals(data, "no header");
}, "No origin header after POST submission and 303 redirection");
</script>
</body>
</html>
@@ -0,0 +1,3 @@
def main(request, response):
response.headers.set("Content-Type", "text/html")
response.content = "<script>parent.postMessage('" + request.headers.get("Origin", "no header") + "')</script>"
@@ -1,3 +1,21 @@
2021-03-04 Youenn Fablet <youenn@apple.com>

In case of POST navigation redirected by a 302, the 'Origin' header is kept in the redirected request
https://bugs.webkit.org/show_bug.cgi?id=222653
<rdar://problem/74983521>

Reviewed by Alex Christensen.

Remove Origin header if the navigation request goes from POST to GET.
This aligns with other browsers and removes some known interop issues.
This is consistent with WebKit not sending Origin headers for GET navigations.

Test: http/wpt/fetch/navigation-post-to-get-origin.html

* loader/DocumentLoader.cpp:
(WebCore::isRedirectToGetAfterPost):
(WebCore::DocumentLoader::willSendRequest):

2021-03-04 Chris Dumez <cdumez@apple.com>

Set ownership of IOSurfaces from the GPUProcess instead of the WebProcess
@@ -495,6 +495,11 @@ void DocumentLoader::finishedLoading()
m_applicationCacheHost->finishedLoadingMainResource();
}

static bool isRedirectToGetAfterPost(const ResourceRequest& oldRequest, const ResourceRequest& newRequest)
{
return oldRequest.httpMethod() == "POST" && newRequest.httpMethod() == "GET";
}

bool DocumentLoader::isPostOrRedirectAfterPost(const ResourceRequest& newRequest, const ResourceResponse& redirectResponse)
{
if (newRequest.httpMethod() == "POST")
@@ -660,6 +665,9 @@ void DocumentLoader::willSendRequest(ResourceRequest&& newRequest, const Resourc
if (newRequest.cachePolicy() == ResourceRequestCachePolicy::UseProtocolCachePolicy && isPostOrRedirectAfterPost(newRequest, redirectResponse))
newRequest.setCachePolicy(ResourceRequestCachePolicy::ReloadIgnoringCacheData);

if (isRedirectToGetAfterPost(m_request, newRequest))
newRequest.clearHTTPOrigin();

if (&topFrame != m_frame) {
if (!MixedContentChecker::canDisplayInsecureContent(*m_frame, m_frame->document()->securityOrigin(), MixedContentChecker::ContentType::Active, newRequest.url(), MixedContentChecker::AlwaysDisplayInNonStrictMode::Yes)) {
cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));

0 comments on commit 20f7f90

Please sign in to comment.