Cherry-pick 259548.39@safari-7615-branch (c68b7da). https://bugs.webk…

…it.org/show_bug.cgi?id=251282 Cross-Site Information Leak: CSP violation reports may contain a post-redirect URL https://bugs.webkit.org/show_bug.cgi?id=251282 rdar://104753003 Reviewed by Yusuke Suzuki. The source-file field of a CSP violation report may contain a URL which has sensitive data in the query string if it was the result of a redirect. The CSP spec in non-normative terms suggests that in the case of a redirect (such as a login flow which appends a login token) we should report violations in the resulting resource with the pre-redirect URL to avoid cross-site information leaks via the CSP reporting API. Source/JavaScriptCore: Plubming code to make pre-redirect URLs available in ScriptCallStacks. When a ScriptCallStack is created by the StackVisitor the ScriptCallFrame objects will be populated with the pre-redirect URL by consulting the SourceProvider. WebCore will conditionally set the preRedirectURL member if the resource was obtained via a redirected response. * Source/JavaScriptCore/API/JSScript.mm: (-[JSScript sourceCode]): * Source/JavaScriptCore/API/JSScriptRef.cpp: * Source/JavaScriptCore/inspector/ScriptCallFrame.cpp: (Inspector::ScriptCallFrame::ScriptCallFrame): (Inspector::ScriptCallFrame::isEqual const): * Source/JavaScriptCore/inspector/ScriptCallFrame.h: * Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp: (Inspector::CreateScriptCallStackFunctor::operator() const): * Source/JavaScriptCore/interpreter/StackVisitor.cpp: (JSC::StackVisitor::Frame::preRedirectURL const): * Source/JavaScriptCore/interpreter/StackVisitor.h: * Source/JavaScriptCore/parser/SourceProvider.cpp: (JSC::SourceProvider::SourceProvider): (JSC::BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider): * Source/JavaScriptCore/parser/SourceProvider.h: (JSC::SourceProvider::preRedirectURL const): (JSC::StringSourceProvider::StringSourceProvider): * Source/JavaScriptCore/runtime/CachedTypes.cpp: (JSC::CachedSourceProviderShape::encode): * Source/JavaScriptCore/runtime/ScriptExecutable.h: (JSC::ScriptExecutable::preRedirectURL const): Source/WebCore: This updates the constructors for ScriptSourceCode objects to pass null strings for the preRedirectURL parameter. In the cases where we can detect whether a redirect happened or not we pass the pre-redirect URL to the SourceProvider. * Source/WebCore/bindings/js/CachedScriptSourceProvider.h: (WebCore::CachedScriptSourceProvider::CachedScriptSourceProvider): * Source/WebCore/bindings/js/ScriptBufferSourceProvider.h: * Source/WebCore/bindings/js/ScriptModuleLoader.cpp: (WebCore::ScriptModuleLoader::notifyFinished): * Source/WebCore/bindings/js/ScriptSourceCode.h: (WebCore::ScriptSourceCode::ScriptSourceCode): * Source/WebCore/workers/WorkerGlobalScope.cpp: (WebCore::WorkerGlobalScope::importScripts): * Source/WebCore/workers/WorkerThread.cpp: (WebCore::WorkerThread::evaluateScriptIfNecessary): * Source/WebCore/page/csp/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::reportViolation const): To populate the source-file field of a CSP report we consult the JavaScript call stack. The source URL of the frame may be the result of a redirect in which case we should use the pre-redirect URL in the report to avoid leaking potentially sensitive data in the post-redirect URL. Canonical link: https://commits.webkit.org/259548.39@safari-7615-branch
WebKit · Apr 3, 2023 · 7bb6ffc · 7bb6ffc
1 parent cd1fcbe
commit 7bb6ffc
Show file tree

Hide file tree

Showing 18 changed files with 66 additions and 23 deletions.
diff --git a/Source/JavaScriptCore/API/JSScript.mm b/Source/JavaScriptCore/API/JSScript.mm
@@ -273,7 +273,7 @@ - (unsigned)hash
     URL url = URL({ }, filename);
     auto type = m_type == kJSScriptTypeModule ? JSC::SourceProviderSourceType::Module : JSC::SourceProviderSourceType::Program;
     JSC::SourceOrigin origin(url);
-    Ref<JSScriptSourceProvider> sourceProvider = JSScriptSourceProvider::create(self, origin, WTFMove(filename), startPosition, type);
+    Ref<JSScriptSourceProvider> sourceProvider = JSScriptSourceProvider::create(self, origin, WTFMove(filename), String(), startPosition, type);
     JSC::SourceCode sourceCode(WTFMove(sourceProvider), startPosition.m_line.oneBasedInt(), startPosition.m_column.oneBasedInt());
     return sourceCode;
 }

diff --git a/Source/JavaScriptCore/API/JSScriptRef.cpp b/Source/JavaScriptCore/API/JSScriptRef.cpp
@@ -58,7 +58,7 @@ struct OpaqueJSScript final : public SourceProvider {
 
 private:
     OpaqueJSScript(VM& vm, const SourceOrigin& sourceOrigin, String&& filename, int startingLineNumber, const String& source)
-        : SourceProvider(sourceOrigin, WTFMove(filename), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program)
+        : SourceProvider(sourceOrigin, WTFMove(filename), String(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber()), SourceProviderSourceType::Program)
         , m_vm(vm)
         , m_source(source.isNull() ? *StringImpl::empty() : *source.impl())
     {

diff --git a/Source/JavaScriptCore/inspector/ScriptCallFrame.cpp b/Source/JavaScriptCore/inspector/ScriptCallFrame.cpp
@@ -43,6 +43,16 @@ ScriptCallFrame::ScriptCallFrame(const String& functionName, const String& scrip
 {
 }
 
+ScriptCallFrame::ScriptCallFrame(const String& functionName, const String& scriptName, const String& preRedirectURL, JSC::SourceID sourceID, unsigned lineNumber, unsigned column)
+    : m_functionName(functionName)
+    , m_scriptName(scriptName)
+    , m_preRedirectURL(preRedirectURL)
+    , m_sourceID(sourceID)
+    , m_lineNumber(lineNumber)
+    , m_column(column)
+{
+}
+
 ScriptCallFrame::~ScriptCallFrame()
 {
 }
@@ -53,6 +63,7 @@ bool ScriptCallFrame::isEqual(const ScriptCallFrame& o) const
     // that would get different script identifiers, but are otherwise the same.
     return m_functionName == o.m_functionName
         && m_scriptName == o.m_scriptName
+        && m_preRedirectURL == o.m_preRedirectURL
         && m_lineNumber == o.m_lineNumber
         && m_column == o.m_column;
 }

diff --git a/Source/JavaScriptCore/inspector/ScriptCallFrame.h b/Source/JavaScriptCore/inspector/ScriptCallFrame.h
@@ -40,11 +40,13 @@ namespace Inspector {
 
 class JS_EXPORT_PRIVATE ScriptCallFrame  {
 public:
-    ScriptCallFrame(const String& functionName, const String& scriptName, JSC::SourceID sourceID, unsigned lineNumber, unsigned column);
+    ScriptCallFrame(const String& functionName, const String& scriptName, JSC::SourceID, unsigned lineNumber, unsigned column);
+    ScriptCallFrame(const String& functionName, const String& scriptName, const String& preRedirectURL, JSC::SourceID, unsigned lineNumber, unsigned column);
     ~ScriptCallFrame();
 
     const String& functionName() const { return m_functionName; }
     const String& sourceURL() const { return m_scriptName; }
+    const String& preRedirectURL() const { return m_preRedirectURL; }
     unsigned lineNumber() const { return m_lineNumber; }
     unsigned columnNumber() const { return m_column; }
     JSC::SourceID sourceID() const { return m_sourceID; }
@@ -59,6 +61,7 @@ class JS_EXPORT_PRIVATE ScriptCallFrame  {
 private:
     String m_functionName;
     String m_scriptName;
+    String m_preRedirectURL;
     JSC::SourceID m_sourceID;
     unsigned m_lineNumber;
     unsigned m_column;

diff --git a/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp b/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp
@@ -71,7 +71,7 @@ class CreateScriptCallStackFunctor {
             unsigned line;
             unsigned column;
             visitor->computeLineAndColumn(line, column);
-            m_frames.append(ScriptCallFrame(visitor->functionName(), visitor->sourceURL(), visitor->sourceID(), line, column));
+            m_frames.append(ScriptCallFrame(visitor->functionName(), visitor->sourceURL(), visitor->preRedirectURL(), visitor->sourceID(), line, column));
 
             m_remainingCapacityForFrameCapture--;
             return IterationStatus::Continue;

diff --git a/Source/JavaScriptCore/interpreter/StackVisitor.cpp b/Source/JavaScriptCore/interpreter/StackVisitor.cpp
@@ -331,6 +331,28 @@ String StackVisitor::Frame::sourceURL() const
     return traceLine.isNull() ? emptyString() : traceLine;
 }
 
+String StackVisitor::Frame::preRedirectURL() const
+{
+    String traceLine;
+
+    switch (codeType()) {
+    case CodeType::Eval:
+    case CodeType::Module:
+    case CodeType::Function:
+    case CodeType::Global: {
+        String preRedirectURL = codeBlock()->ownerExecutable()->preRedirectURL();
+        if (!preRedirectURL.isEmpty())
+            traceLine = preRedirectURL.impl();
+        break;
+    }
+    case CodeType::Native:
+    case CodeType::Wasm:
+        break;
+    }
+
+    return traceLine.isNull() ? emptyString() : traceLine;
+}
+
 String StackVisitor::Frame::toString() const
 {
     String functionName = this->functionName();

diff --git a/Source/JavaScriptCore/interpreter/StackVisitor.h b/Source/JavaScriptCore/interpreter/StackVisitor.h
@@ -88,6 +88,7 @@ class StackVisitor {
 
         JS_EXPORT_PRIVATE String functionName() const;
         JS_EXPORT_PRIVATE String sourceURL() const;
+        JS_EXPORT_PRIVATE String preRedirectURL() const;
         JS_EXPORT_PRIVATE String toString() const;
 
         JS_EXPORT_PRIVATE SourceID sourceID();

diff --git a/Source/JavaScriptCore/parser/SourceProvider.cpp b/Source/JavaScriptCore/parser/SourceProvider.cpp
@@ -30,10 +30,11 @@ namespace JSC {
 
 DEFINE_ALLOCATOR_WITH_HEAP_IDENTIFIER(StringSourceProvider);
 
-SourceProvider::SourceProvider(const SourceOrigin& sourceOrigin, String&& sourceURL, const TextPosition& startPosition, SourceProviderSourceType sourceType)
+SourceProvider::SourceProvider(const SourceOrigin& sourceOrigin, String&& sourceURL, String&& preRedirectURL, const TextPosition& startPosition, SourceProviderSourceType sourceType)
     : m_sourceType(sourceType)
     , m_sourceOrigin(sourceOrigin)
     , m_sourceURL(WTFMove(sourceURL))
+    , m_preRedirectURL(WTFMove(preRedirectURL))
     , m_startPosition(startPosition)
 {
 }
@@ -53,7 +54,7 @@ void SourceProvider::getID()
 
 #if ENABLE(WEBASSEMBLY)
 BaseWebAssemblySourceProvider::BaseWebAssemblySourceProvider(const SourceOrigin& sourceOrigin, String&& sourceURL)
-    : SourceProvider(sourceOrigin, WTFMove(sourceURL), TextPosition(), SourceProviderSourceType::WebAssembly)
+    : SourceProvider(sourceOrigin, WTFMove(sourceURL), String(), TextPosition(), SourceProviderSourceType::WebAssembly)
 {
 }
 #endif

diff --git a/Source/JavaScriptCore/parser/SourceProvider.h b/Source/JavaScriptCore/parser/SourceProvider.h
@@ -55,7 +55,7 @@ class UnlinkedFunctionCodeBlock;
     public:
         static const intptr_t nullID = 1;
 
-        JS_EXPORT_PRIVATE SourceProvider(const SourceOrigin&, String&& sourceURL, const TextPosition& startPosition, SourceProviderSourceType);
+        JS_EXPORT_PRIVATE SourceProvider(const SourceOrigin&, String&& sourceURL, String&& preRedirectURL, const TextPosition& startPosition, SourceProviderSourceType);
 
         JS_EXPORT_PRIVATE virtual ~SourceProvider();
 
@@ -75,6 +75,7 @@ class UnlinkedFunctionCodeBlock;
 
         // This is NOT the path that should be used for computing relative paths from a script. Use SourceOrigin's URL for that, the values may or may not be the same...
         const String& sourceURL() const { return m_sourceURL; }
+        const String& preRedirectURL() const { return m_preRedirectURL; }
         const String& sourceURLDirective() const { return m_sourceURLDirective; }
         const String& sourceMappingURLDirective() const { return m_sourceMappingURLDirective; }
 
@@ -97,6 +98,7 @@ class UnlinkedFunctionCodeBlock;
         SourceProviderSourceType m_sourceType;
         SourceOrigin m_sourceOrigin;
         String m_sourceURL;
+        String m_preRedirectURL;
         String m_sourceURLDirective;
         String m_sourceMappingURLDirective;
         TextPosition m_startPosition;
@@ -124,7 +126,7 @@ class UnlinkedFunctionCodeBlock;
 
     protected:
         StringSourceProvider(const String& source, const SourceOrigin& sourceOrigin, String&& sourceURL, const TextPosition& startPosition, SourceProviderSourceType sourceType)
-            : SourceProvider(sourceOrigin, WTFMove(sourceURL), startPosition, sourceType)
+            : SourceProvider(sourceOrigin, WTFMove(sourceURL), String(), startPosition, sourceType)
             , m_source(source.isNull() ? *StringImpl::empty() : *source.impl())
         {
         }
@@ -142,7 +144,7 @@ class UnlinkedFunctionCodeBlock;
         virtual void unlockUnderlyingBuffer() { }
 
     protected:
-        JS_EXPORT_PRIVATE BaseWebAssemblySourceProvider(const SourceOrigin&, String&&);
+        JS_EXPORT_PRIVATE BaseWebAssemblySourceProvider(const SourceOrigin&, String&& sourceURL);
     };
 
     class WebAssemblySourceProvider final : public BaseWebAssemblySourceProvider {

diff --git a/Source/JavaScriptCore/runtime/CachedTypes.cpp b/Source/JavaScriptCore/runtime/CachedTypes.cpp
@@ -1527,6 +1527,7 @@ class CachedSourceProviderShape : public CachedObject<Source> {
     {
         m_sourceOrigin.encode(encoder, sourceProvider.sourceOrigin());
         m_sourceURL.encode(encoder, sourceProvider.sourceURL());
+        m_preRedirectURL.encode(encoder, sourceProvider.preRedirectURL());
         m_sourceURLDirective.encode(encoder, sourceProvider.sourceURLDirective());
         m_sourceMappingURLDirective.encode(encoder, sourceProvider.sourceMappingURLDirective());
         m_startPosition.encode(encoder, sourceProvider.startPosition());
@@ -1541,6 +1542,7 @@ class CachedSourceProviderShape : public CachedObject<Source> {
 protected:
     CachedSourceOrigin m_sourceOrigin;
     CachedString m_sourceURL;
+    CachedString m_preRedirectURL;
     CachedString m_sourceURLDirective;
     CachedString m_sourceMappingURLDirective;
     CachedTextPosition m_startPosition;

diff --git a/Source/JavaScriptCore/runtime/ScriptExecutable.h b/Source/JavaScriptCore/runtime/ScriptExecutable.h
@@ -50,6 +50,7 @@ class ScriptExecutable : public ExecutableBase {
     const SourceOrigin& sourceOrigin() const { return m_source.provider()->sourceOrigin(); }
     // This is NOT the path that should be used for computing relative paths from a script. Use SourceOrigin's URL for that, the values may or may not be the same... This should only be used for `error.sourceURL` and stack traces.
     const String& sourceURL() const { return m_source.provider()->sourceURL(); }
+    const String& preRedirectURL() const { return m_source.provider()->preRedirectURL(); }
     int firstLine() const { return m_source.firstLine().oneBasedInt(); }
     JS_EXPORT_PRIVATE int lastLine() const;
     unsigned startColumn() const { return m_source.startColumn().oneBasedInt(); }

diff --git a/Source/WebCore/bindings/js/CachedScriptSourceProvider.h b/Source/WebCore/bindings/js/CachedScriptSourceProvider.h
@@ -48,7 +48,7 @@ class CachedScriptSourceProvider : public JSC::SourceProvider, public CachedReso
 
 private:
     CachedScriptSourceProvider(CachedScript* cachedScript, JSC::SourceProviderSourceType sourceType, Ref<CachedScriptFetcher>&& scriptFetcher)
-        : SourceProvider(JSC::SourceOrigin { cachedScript->response().url(), WTFMove(scriptFetcher) }, String(cachedScript->response().url().string()), TextPosition(), sourceType)
+        : SourceProvider(JSC::SourceOrigin { cachedScript->response().url(), WTFMove(scriptFetcher) }, String(cachedScript->response().url().string()), cachedScript->response().isRedirected() ? String(cachedScript->url().string()) : String(), TextPosition(), sourceType)
         , m_cachedScript(cachedScript)
     {
         m_cachedScript->addClient(*this);

diff --git a/Source/WebCore/bindings/js/ScriptBufferSourceProvider.h b/Source/WebCore/bindings/js/ScriptBufferSourceProvider.h
@@ -42,9 +42,9 @@ class AbstractScriptBufferHolder : public CanMakeWeakPtr<AbstractScriptBufferHol
 class ScriptBufferSourceProvider final : public JSC::SourceProvider, public AbstractScriptBufferHolder {
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    static Ref<ScriptBufferSourceProvider> create(const ScriptBuffer& scriptBuffer, const JSC::SourceOrigin& sourceOrigin, String sourceURL, const TextPosition& startPosition = TextPosition(), JSC::SourceProviderSourceType sourceType = JSC::SourceProviderSourceType::Program)
+    static Ref<ScriptBufferSourceProvider> create(const ScriptBuffer& scriptBuffer, const JSC::SourceOrigin& sourceOrigin, String sourceURL, String preRedirectURL, const TextPosition& startPosition = TextPosition(), JSC::SourceProviderSourceType sourceType = JSC::SourceProviderSourceType::Program)
     {
-        return adoptRef(*new ScriptBufferSourceProvider(scriptBuffer, sourceOrigin, WTFMove(sourceURL), startPosition, sourceType));
+        return adoptRef(*new ScriptBufferSourceProvider(scriptBuffer, sourceOrigin, WTFMove(sourceURL), WTFMove(preRedirectURL), startPosition, sourceType));
     }
 
     unsigned hash() const final
@@ -95,8 +95,8 @@ class ScriptBufferSourceProvider final : public JSC::SourceProvider, public Abst
     }
 
 private:
-    ScriptBufferSourceProvider(const ScriptBuffer& scriptBuffer, const JSC::SourceOrigin& sourceOrigin, String&& sourceURL, const TextPosition& startPosition, JSC::SourceProviderSourceType sourceType)
-        : JSC::SourceProvider(sourceOrigin, WTFMove(sourceURL), startPosition, sourceType)
+    ScriptBufferSourceProvider(const ScriptBuffer& scriptBuffer, const JSC::SourceOrigin& sourceOrigin, String&& sourceURL, String&& preRedirectURL, const TextPosition& startPosition, JSC::SourceProviderSourceType sourceType)
+        : JSC::SourceProvider(sourceOrigin, WTFMove(sourceURL), WTFMove(preRedirectURL), startPosition, sourceType)
         , m_scriptBuffer(scriptBuffer)
     {
     }

diff --git a/Source/WebCore/bindings/js/ScriptModuleLoader.cpp b/Source/WebCore/bindings/js/ScriptModuleLoader.cpp
@@ -576,15 +576,15 @@ void ScriptModuleLoader::notifyFinished(ModuleScriptLoader& moduleScriptLoader,
 
         switch (type) {
         case ModuleType::JavaScript:
-            sourceCode = JSC::SourceCode { ScriptSourceCode { loader.script(), WTFMove(responseURL), { }, JSC::SourceProviderSourceType::Module, loader.scriptFetcher() }.jsSourceCode() };
+            sourceCode = JSC::SourceCode { ScriptSourceCode { loader.script(), WTFMove(responseURL), WTFMove(sourceURL), { }, JSC::SourceProviderSourceType::Module, loader.scriptFetcher() }.jsSourceCode() };
             break;
 #if ENABLE(WEBASSEMBLY)
         case ModuleType::WebAssembly:
             sourceCode = JSC::SourceCode { WebAssemblyScriptSourceCode { loader.script(), WTFMove(responseURL), loader.scriptFetcher() }.jsSourceCode() };
             break;
 #endif
         case ModuleType::JSON:
-            sourceCode = JSC::SourceCode { ScriptSourceCode { loader.script(), WTFMove(responseURL), { }, JSC::SourceProviderSourceType::JSON, loader.scriptFetcher() }.jsSourceCode() };
+            sourceCode = JSC::SourceCode { ScriptSourceCode { loader.script(), WTFMove(responseURL), WTFMove(sourceURL), { }, JSC::SourceProviderSourceType::JSON, loader.scriptFetcher() }.jsSourceCode() };
             break;
         default:
             RELEASE_ASSERT_NOT_REACHED();

diff --git a/Source/WebCore/bindings/js/ScriptSourceCode.h b/Source/WebCore/bindings/js/ScriptSourceCode.h
@@ -51,8 +51,8 @@ class ScriptSourceCode {
     {
     }
 
-    ScriptSourceCode(const ScriptBuffer& source, URL&& url = URL(), const TextPosition& startPosition = TextPosition(), JSC::SourceProviderSourceType sourceType = JSC::SourceProviderSourceType::Program)
-        : m_provider(ScriptBufferSourceProvider::create(source, JSC::SourceOrigin { url }, url.string(), startPosition, sourceType))
+    ScriptSourceCode(const ScriptBuffer& source, URL&& url = URL(), URL&& preRedirectURL = URL(), const TextPosition& startPosition = TextPosition(), JSC::SourceProviderSourceType sourceType = JSC::SourceProviderSourceType::Program)
+        : m_provider(ScriptBufferSourceProvider::create(source, JSC::SourceOrigin { url }, url.string(), preRedirectURL.string(), startPosition, sourceType))
         , m_code(m_provider.copyRef(), startPosition.m_line.oneBasedInt(), startPosition.m_column.oneBasedInt())
     {
     }
@@ -70,8 +70,8 @@ class ScriptSourceCode {
     {
     }
 
-    ScriptSourceCode(const ScriptBuffer& source, URL&& url, const TextPosition& startPosition, JSC::SourceProviderSourceType sourceType, Ref<JSC::ScriptFetcher>&& scriptFetcher)
-        : m_provider(ScriptBufferSourceProvider::create(source, JSC::SourceOrigin { url, WTFMove(scriptFetcher) }, url.string(), startPosition, sourceType))
+    ScriptSourceCode(const ScriptBuffer& source, URL&& url, URL&& preRedirectURL, const TextPosition& startPosition, JSC::SourceProviderSourceType sourceType, Ref<JSC::ScriptFetcher>&& scriptFetcher)
+        : m_provider(ScriptBufferSourceProvider::create(source, JSC::SourceOrigin { url, WTFMove(scriptFetcher) }, url.string(), preRedirectURL.string(), startPosition, sourceType))
         , m_code(m_provider.copyRef(), startPosition.m_line.oneBasedInt(), startPosition.m_column.oneBasedInt())
     {
     }

diff --git a/Source/WebCore/page/csp/ContentSecurityPolicy.cpp b/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
@@ -837,7 +837,7 @@ void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirec
         auto stack = createScriptCallStack(JSExecState::currentState(), 2);
         auto* callFrame = stack->firstNonNativeCallFrame();
         if (callFrame && callFrame->lineNumber()) {
-            info.sourceFile = createURLForReporting(URL { callFrame->sourceURL() }, effectiveViolatedDirective, usesReportTo);
+            info.sourceFile = createURLForReporting(URL { callFrame->preRedirectURL().isEmpty() ? callFrame->sourceURL() : callFrame->preRedirectURL() }, effectiveViolatedDirective, usesReportTo);
             info.lineNumber = callFrame->lineNumber();
             info.columnNumber = callFrame->columnNumber();
         }

diff --git a/Source/WebCore/workers/WorkerGlobalScope.cpp b/Source/WebCore/workers/WorkerGlobalScope.cpp
@@ -412,7 +412,7 @@ ExceptionOr<void> WorkerGlobalScope::importScripts(const FixedVector<String>& ur
         WeakPtr<ScriptBufferSourceProvider> sourceProvider;
         {
             NakedPtr<JSC::Exception> exception;
-            ScriptSourceCode sourceCode(scriptLoader->script(), URL(scriptLoader->responseURL()));
+            ScriptSourceCode sourceCode(scriptLoader->script(), URL(scriptLoader->responseURL()), scriptLoader->isRedirected() ? URL(scriptLoader->url()) : URL());
             sourceProvider = static_cast<ScriptBufferSourceProvider&>(sourceCode.provider());
             script()->evaluate(sourceCode, exception);
             if (exception) {

diff --git a/Source/WebCore/workers/WorkerThread.cpp b/Source/WebCore/workers/WorkerThread.cpp
@@ -155,7 +155,7 @@ void WorkerThread::evaluateScriptIfNecessary(String& exceptionMessage)
     } else {
         auto parameters = ModuleFetchParameters::create(JSC::ScriptFetchParameters::Type::JavaScript, emptyString(), /* isTopLevelModule */ true);
         auto scriptFetcher = WorkerScriptFetcher::create(WTFMove(parameters), globalScope()->credentials(), globalScope()->destination(), globalScope()->referrerPolicy());
-        ScriptSourceCode sourceCode(m_startupData->sourceCode, URL(m_startupData->params.scriptURL), { }, JSC::SourceProviderSourceType::Module, scriptFetcher.copyRef());
+        ScriptSourceCode sourceCode(m_startupData->sourceCode, URL(m_startupData->params.scriptURL), { }, { }, JSC::SourceProviderSourceType::Module, scriptFetcher.copyRef());
         sourceProvider = static_cast<ScriptBufferSourceProvider&>(sourceCode.provider());
         bool success = globalScope()->script()->loadModuleSynchronously(scriptFetcher.get(), sourceCode);
         if (success) {