Safari adds pragma header to Service Worker requests with active Serv…

…ice Worker https://bugs.webkit.org/show_bug.cgi?id=264388 rdar://118442076 Reviewed by Chris Dumez. Remove Pragma header if not in the keep list as done for other headers like Cache-Control. Reorder a bit the code to sort the handling of headers to keep in lexicographical order. * LayoutTests/http/wpt/service-workers/cache-control-request-expected.txt: * LayoutTests/http/wpt/service-workers/cache-control-request.html: * LayoutTests/http/wpt/service-workers/resources/cross-origin-allow.py: (main): * Source/WebCore/loader/CrossOriginAccessControl.cpp: (WebCore::httpHeadersToKeepFromCleaning): (WebCore::cleanHTTPRequestHeadersForAccessControl): * Source/WebCore/loader/CrossOriginAccessControl.h: * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in: Canonical link: https://commits.webkit.org/270819@main
WebKit · Nov 16, 2023 · 9006250 · 9006250
1 parent a09dcae
commit 9006250
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 17 deletions.
diff --git a/LayoutTests/http/wpt/service-workers/cache-control-request-expected.txt b/LayoutTests/http/wpt/service-workers/cache-control-request-expected.txt
@@ -1,5 +1,6 @@
 
 PASS Setup worker
 PASS Ensure cache-control does not break service worker fetch handling
+PASS Ensure pragma does not break service worker fetch handling
 PASS Ensure beacon headers are not broken by service worker fetch handling
 
diff --git a/LayoutTests/http/wpt/service-workers/cache-control-request.html b/LayoutTests/http/wpt/service-workers/cache-control-request.html
@@ -30,11 +30,20 @@
     const iframe = await with_iframe("resources/empty.html");
 
     const options = { method: "POST", cache: "no-cache", mode: "cors", body: "body" };
-    const response = await iframe.contentWindow.fetch(get_host_info().HTTP_REMOTE_ORIGIN +  "/WebKit/service-workers/resources/cross-origin-allow.py", options);
+    const response = await iframe.contentWindow.fetch(get_host_info().HTTP_REMOTE_ORIGIN +  "/WebKit/service-workers/resources/cross-origin-allow.py?Cache-Control", options);
     assert_not_equals(await response.text(), "no cache-control header");
     iframe.remove();
 }, "Ensure cache-control does not break service worker fetch handling");
 
+promise_test(async (test) => {
+    const iframe = await with_iframe("resources/empty.html");
+
+    const options = { method: "GET", cache: "no-store", mode: "cors" };
+    const response = await iframe.contentWindow.fetch(get_host_info().HTTP_REMOTE_ORIGIN +  "/WebKit/service-workers/resources/cross-origin-allow.py?Pragma", options);
+    assert_not_equals(await response.text(), "no pragma header");
+    iframe.remove();
+}, "Ensure pragma does not break service worker fetch handling");
+
 promise_test(async (test) => {
     const iframe = await with_iframe("resources/empty.html");
 

diff --git a/LayoutTests/http/wpt/service-workers/resources/cross-origin-allow.py b/LayoutTests/http/wpt/service-workers/resources/cross-origin-allow.py
@@ -1,3 +1,6 @@
 def main(request, response):
     value = request.headers.get("Cache-Control", "no cache-control header")
+    if b"pragma" in request.GET:
+        value = request.headers.get("Pragma", "no pragma header")
+
     return 200, [(b"Content-Type", b"text/ascii"), (b"Access-Control-Allow-Origin", "*")], value
diff --git a/Source/WebCore/loader/CrossOriginAccessControl.cpp b/Source/WebCore/loader/CrossOriginAccessControl.cpp
@@ -199,18 +199,20 @@ String validateCrossOriginRedirectionURL(const URL& redirectURL)
 OptionSet<HTTPHeadersToKeepFromCleaning> httpHeadersToKeepFromCleaning(const HTTPHeaderMap& headers)
 {
     OptionSet<HTTPHeadersToKeepFromCleaning> headersToKeep;
+    if (headers.contains(HTTPHeaderName::AcceptEncoding))
+        headersToKeep.add(HTTPHeadersToKeepFromCleaning::AcceptEncoding);
+    if (headers.contains(HTTPHeaderName::CacheControl))
+        headersToKeep.add(HTTPHeadersToKeepFromCleaning::CacheControl);
     if (headers.contains(HTTPHeaderName::ContentType))
         headersToKeep.add(HTTPHeadersToKeepFromCleaning::ContentType);
-    if (headers.contains(HTTPHeaderName::Referer))
-        headersToKeep.add(HTTPHeadersToKeepFromCleaning::Referer);
     if (headers.contains(HTTPHeaderName::Origin))
         headersToKeep.add(HTTPHeadersToKeepFromCleaning::Origin);
+    if (headers.contains(HTTPHeaderName::Pragma))
+        headersToKeep.add(HTTPHeadersToKeepFromCleaning::Pragma);
+    if (headers.contains(HTTPHeaderName::Referer))
+        headersToKeep.add(HTTPHeadersToKeepFromCleaning::Referer);
     if (headers.contains(HTTPHeaderName::UserAgent))
         headersToKeep.add(HTTPHeadersToKeepFromCleaning::UserAgent);
-    if (headers.contains(HTTPHeaderName::AcceptEncoding))
-        headersToKeep.add(HTTPHeadersToKeepFromCleaning::AcceptEncoding);
-    if (headers.contains(HTTPHeaderName::CacheControl))
-        headersToKeep.add(HTTPHeadersToKeepFromCleaning::CacheControl);
     return headersToKeep;
 }
 
@@ -222,16 +224,20 @@ void cleanHTTPRequestHeadersForAccessControl(ResourceRequest& request, OptionSet
         if (!contentType.isNull() && !isCrossOriginSafeRequestHeader(HTTPHeaderName::ContentType, contentType))
             request.clearHTTPContentType();
     }
-    if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::Referer))
-        request.clearHTTPReferrer();
-    if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::Origin))
-        request.clearHTTPOrigin();
-    if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::UserAgent))
-        request.clearHTTPUserAgent();
+
     if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::AcceptEncoding))
         request.clearHTTPAcceptEncoding();
     if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::CacheControl))
         request.removeHTTPHeaderField(HTTPHeaderName::CacheControl);
+    if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::Origin))
+        request.clearHTTPOrigin();
+    if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::Pragma))
+        request.removeHTTPHeaderField(HTTPHeaderName::Pragma);
+    if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::Referer))
+        request.clearHTTPReferrer();
+    if (!headersToKeep.contains(HTTPHeadersToKeepFromCleaning::UserAgent))
+        request.clearHTTPUserAgent();
+
     request.removeHTTPHeaderField(HTTPHeaderName::SecFetchDest);
     request.removeHTTPHeaderField(HTTPHeaderName::SecFetchMode);
     request.removeHTTPHeaderField(HTTPHeaderName::SecFetchSite);

diff --git a/Source/WebCore/loader/CrossOriginAccessControl.h b/Source/WebCore/loader/CrossOriginAccessControl.h
@@ -70,7 +70,8 @@ enum class HTTPHeadersToKeepFromCleaning : uint8_t {
     Origin = 1 << 2,
     UserAgent = 1 << 3,
     AcceptEncoding = 1 << 4,
-    CacheControl = 1 << 5
+    CacheControl = 1 << 5,
+    Pragma = 1 << 6
 };
 
 OptionSet<HTTPHeadersToKeepFromCleaning> httpHeadersToKeepFromCleaning(const HTTPHeaderMap&);

diff --git a/Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in b/Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in
@@ -6607,12 +6607,13 @@ header: <WebCore/WheelEventTestMonitor.h>
 
 header: <WebCore/CrossOriginAccessControl.h>
 [OptionSet] enum class WebCore::HTTPHeadersToKeepFromCleaning : uint8_t {
+    AcceptEncoding,
+    CacheControl,
     ContentType,
-    Referer,
     Origin,
+    Pragma,
+    Referer,
     UserAgent,
-    AcceptEncoding,
-    CacheControl,
 };
 
 enum class WebCore::ExceptionCode : uint8_t {