Plaintext Ping requests not blocked by mixed-content checks (262117)
rdar://116054889

Reviewed by Alex Christensen.

Enforce mixed content checks for beacons and pings, like we do for regular xhr/fetch.
This aligns the behavior with Chrome and Firefox.

We have to change some tests so that preloads kick in deterministically.
Preloads might not kick in if an early JS resource is already in the cache.
We therefore clear the memory cache to ensure dump-securitypolicyviolation-and-notify-done.js gets fetched again, which will trigger both preload and resource load.
Otherwise, we will get only one CONSOLE MESSAGE for the actual blocked load.

We also have to change some tests so that they use HTTPS and not HTTP.

* LayoutTests/http/tests/blink/sendbeacon/beacon-cross-origin.https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/anchor-cross-origin-from-https.html:
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https-expected.txt:
* LayoutTests/http/tests/navigation/ping-attribute/area-cross-origin-from-https.html:
* LayoutTests/http/tests/navigation/ping-attribute/resources/secure-anchor-cross-origin.html:
* LayoutTests/http/tests/navigation/ping-attribute/secure-anchor-cross-origin-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-beacon-in-iframe.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-ping-in-iframe.https.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-beacon.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-ping.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html:
* LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.http-rp/opt-in/beacon.https-expected.txt: Removed.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/opt-in/beacon.https-expected.txt: Removed.
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/mixed-content/gen/top.meta/unset/beacon.https-expected.txt: Removed.
* LayoutTests/platform/ios/TestExpectations:
* LayoutTests/platform/mac-wk1/TestExpectations:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt:
* LayoutTests/platform/wk2/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt:
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent const):

Originally-landed-as: 272448.10@safari-7618-branch (b856378). rdar://124557284
Canonical link: https://commits.webkit.org/276787@main
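
The check the commit message describes, sketched as an added JavaScript illustration that is not WebKit code: it decides which `ping` attribute or `sendBeacon()` targets an HTTPS document would have blocked as mixed content. The function names, the sample URLs and the loopback exemption are assumptions of this simplified model, not statements about `CachedResourceLoader::checkInsecureContent`.

```javascript
// Added illustration (not WebKit code): simplified mixed-content decision for
// <a ping> and navigator.sendBeacon() targets issued from a document.

// Assumption of this model: loopback hosts are exempt, as in the
// Mixed Content spec's notion of an already-authenticated target.
function isLoopback(host) {
  return host === 'localhost' || host.endsWith('.localhost') ||
    host === '[::1]' || /^127(\.\d{1,3}){3}$/.test(host);
}

// Hypothetical helper: decide one ping/beacon target against its document URL.
function checkTarget(documentUrl, target) {
  const doc = new URL(documentUrl);
  let url;
  try {
    // Relative and scheme-relative targets inherit the document's scheme.
    url = new URL(target, doc);
  } catch (e) {
    return { url: null, blocked: true, reason: 'unparseable target' };
  }
  const plaintext = url.protocol === 'http:' && !isLoopback(url.hostname);
  const blocked = doc.protocol === 'https:' && plaintext;
  return {
    url: url.href,
    blocked,
    reason: blocked ? 'plaintext request from a secure document' : 'not mixed content',
  };
}

// The ping attribute is a space-separated list of URLs; each one is a
// separate request and is checked on its own.
function checkPingAttribute(documentUrl, pingAttr) {
  return pingAttr
    .split(/[ \t\n\f\r]+/)
    .filter(Boolean)
    .map((target) => checkTarget(documentUrl, target));
}

// Constructed sample: one anchor with a secure and a plaintext ping target.
const sample = checkPingAttribute(
  'https://shop.example/cart',
  'https://stats.example/p  http://tracker.example/p'
);
console.log(sample.map((r) => `${r.url} blocked=${r.blocked}`).join('\n'));
```
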