In case of POST navigation redirected by a 302, the 'Origin' header i…

…s kept in the redirected request

https://bugs.webkit.org/show_bug.cgi?id=222653
<rdar://problem/74983521>

Reviewed by Alex Christensen.

Source/WebCore:

Remove Origin header if the navigation request goes from POST to GET.
This aligns with other browsers and removes some known interop issues.
This is consistent with WebKit not sending Origin headers for GET navigations.

Test: http/wpt/fetch/navigation-post-to-get-origin.html

* loader/DocumentLoader.cpp:
(WebCore::isRedirectToGetAfterPost):
(WebCore::DocumentLoader::willSendRequest):

LayoutTests:

* http/wpt/fetch/echo-origin.py: Added.
* http/wpt/fetch/navigation-post-to-get-origin-expected.txt: Added.
* http/wpt/fetch/navigation-post-to-get-origin.html: Added.


Canonical link: https://commits.webkit.org/234866@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@273905 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,15 @@
+2021-03-04  Youenn Fablet  <youenn@apple.com>
+
+        In case of POST navigation redirected by a 302, the 'Origin' header is kept in the redirected request
+        https://bugs.webkit.org/show_bug.cgi?id=222653
+        <rdar://problem/74983521>
+
+        Reviewed by Alex Christensen.
+
+        * http/wpt/fetch/echo-origin.py: Added.
+        * http/wpt/fetch/navigation-post-to-get-origin-expected.txt: Added.
+        * http/wpt/fetch/navigation-post-to-get-origin.html: Added.
+
 2021-03-04  Said Abou-Hallawa  <said@apple.com>
 
         Followup (r273764): Use different container sizes in background-svg-image-loading.html

LayoutTests/http/wpt/fetch/navigation-post-to-get-origin-expected.txt

@@ -0,0 +1,8 @@
+
+
+
+
+
+PASS No origin header after POST submission and 302 redirection
+PASS No origin header after POST submission and 303 redirection
+

LayoutTests/http/wpt/fetch/navigation-post-to-get-origin.html

@@ -0,0 +1,32 @@
+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Navigation and POST to GET redirect</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+  </head>
+  <body>
+<form id="myform" method="POST" action="/common/redirect.py?status=302&location=/WebKit/fetch/resources/echo-origin.py" target="targetFrame">
+  <input name="the-input" value="input value goes here">
+</form>
+<iframe name="targetFrame" src="about:blank"></iframe>
+<form id="myform2" method="POST" action="/common/redirect.py?status=303&location=/WebKit/fetch/resources/echo-origin.py" target="targetFrame2">
+  <input name="the-input" value="input value goes here">
+</form>
+<iframe name="targetFrame2" src="about:blank"></iframe>
+<script>
+promise_test(async t => {
+    myform.submit();
+    const data = await new Promise(resolve => onmessage = (e) => resolve(e.data));
+    assert_equals(data, "no header");
+}, "No origin header after POST submission and 302 redirection");
+
+promise_test(async t => {
+    myform2.submit();
+    const data = await new Promise(resolve => onmessage = (e) => resolve(e.data));
+    assert_equals(data, "no header");
+}, "No origin header after POST submission and 303 redirection");
+</script>
+  </body>
+</html>

LayoutTests/http/wpt/fetch/resources/echo-origin.py

@@ -0,0 +1,3 @@
+def main(request, response):
+    response.headers.set("Content-Type", "text/html")
+    response.content = "<script>parent.postMessage('" + request.headers.get("Origin", "no header") + "')</script>"

Source/WebCore/ChangeLog

@@ -1,3 +1,21 @@
+2021-03-04  Youenn Fablet  <youenn@apple.com>
+
+        In case of POST navigation redirected by a 302, the 'Origin' header is kept in the redirected request
+        https://bugs.webkit.org/show_bug.cgi?id=222653
+        <rdar://problem/74983521>
+
+        Reviewed by Alex Christensen.
+
+        Remove Origin header if the navigation request goes from POST to GET.
+        This aligns with other browsers and removes some known interop issues.
+        This is consistent with WebKit not sending Origin headers for GET navigations.
+
+        Test: http/wpt/fetch/navigation-post-to-get-origin.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::isRedirectToGetAfterPost):
+        (WebCore::DocumentLoader::willSendRequest):
+
 2021-03-04  Chris Dumez  <cdumez@apple.com>
 
         Set ownership of IOSurfaces from the GPUProcess instead of the WebProcess

Source/WebCore/loader/DocumentLoader.cpp

@@ -495,6 +495,11 @@ void DocumentLoader::finishedLoading()
     m_applicationCacheHost->finishedLoadingMainResource();
 }
 
+static bool isRedirectToGetAfterPost(const ResourceRequest& oldRequest, const ResourceRequest& newRequest)
+{
+    return oldRequest.httpMethod() == "POST" && newRequest.httpMethod() == "GET";
+}
+
 bool DocumentLoader::isPostOrRedirectAfterPost(const ResourceRequest& newRequest, const ResourceResponse& redirectResponse)
 {
     if (newRequest.httpMethod() == "POST")
@@ -660,6 +665,9 @@ void DocumentLoader::willSendRequest(ResourceRequest&& newRequest, const Resourc
     if (newRequest.cachePolicy() == ResourceRequestCachePolicy::UseProtocolCachePolicy && isPostOrRedirectAfterPost(newRequest, redirectResponse))
         newRequest.setCachePolicy(ResourceRequestCachePolicy::ReloadIgnoringCacheData);
 
+    if (isRedirectToGetAfterPost(m_request, newRequest))
+        newRequest.clearHTTPOrigin();
+
     if (&topFrame != m_frame) {
         if (!MixedContentChecker::canDisplayInsecureContent(*m_frame, m_frame->document()->securityOrigin(), MixedContentChecker::ContentType::Active, newRequest.url(), MixedContentChecker::AlwaysDisplayInNonStrictMode::Yes)) {
             cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));