Implement FetchMetadata Site

https://bugs.webkit.org/show_bug.cgi?id=238265 Reviewed by Youenn Fablet. This implements the Sec-Fetch-Site header as part of FetchMetadata. The site is computed on first use in the CachedResourceLoader and then tracked in the SubResourceLoader through redirects. The test results are only accurate on the GLib ports as they run under the web-platform.test domains which can test proper same-site relationships as well as non-trustworthy domains (localhost is always trusted). * LayoutTests/TestExpectations: * LayoutTests/http/wpt/fetch/fetch-metadata-same-origin-redirect-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch-via-serviceworker--fallback.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch-via-serviceworker--respondWith.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any.worker-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/font.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/form.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/img.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/navigation.https.sub-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/redirect/multiple-redirect-https-downgrade-upgrade.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/redirect/redirect-http-upgrade.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/redirect/redirect-https-downgrade.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/script.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/script.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/serviceworker.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/sharedworker.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/unload.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/window-open.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/worker.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/xslt.https.sub-expected.txt: * LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/navigation-headers.https-expected.txt: * Source/WebCore/loader/CrossOriginAccessControl.cpp: (WebCore::cleanHTTPRequestHeadersForAccessControl): * Source/WebCore/loader/SubresourceLoader.cpp: (WebCore::SubresourceLoader::SubresourceLoader): (WebCore::SubresourceLoader::willSendRequestInternal): * Source/WebCore/loader/SubresourceLoader.h: * Source/WebCore/loader/cache/CachedResourceLoader.cpp: (WebCore::convertEnumerationToString): (WebCore::updateRequestFetchMetadataHeaders): (WebCore::CachedResourceLoader::computeFetchMetadataSite): (WebCore::CachedResourceLoader::updateRequestAfterRedirection): (WebCore::CachedResourceLoader::updateHTTPRequestHeaders): * Source/WebCore/loader/cache/CachedResourceLoader.h: * Source/WebCore/loader/cache/CachedResourceRequest.cpp: (WebCore::CachedResourceRequest::updateFetchMetadataHeaders): Deleted. * Source/WebCore/loader/cache/CachedResourceRequest.h: * Source/WebCore/page/SecurityOrigin.cpp: (WebCore::SecurityOrigin::isSameSiteAs const): * Source/WebCore/page/SecurityOrigin.h: * Source/WebCore/platform/network/HTTPHeaderNames.in: Canonical link: https://commits.webkit.org/255810@main
WebKit · Oct 21, 2022 · e5f68a529bf10ce8b4f41f3ec5dd409224b28ee0 · e5f68a5
1 parent 24b1332
commit e5f68a529bf10ce8b4f41f3ec5dd409224b28ee0
Show file tree

Hide file tree

Showing 58 changed files with 755 additions and 321 deletions.
diff --git a/LayoutTests/TestExpectations b/LayoutTests/TestExpectations
@@ -1192,7 +1192,7 @@ imported/w3c/web-platform-tests/fetch/content-encoding/bad-gzip-body.any.html [
 imported/w3c/web-platform-tests/fetch/corb [ Skip ]
 imported/w3c/web-platform-tests/fetch/sec-metadata [ Skip ]
 
-# These fetch tests time out
+# These fetch tests time out on ports without web-platform.test domain working (not glib).
 imported/w3c/web-platform-tests/fetch/api/request/destination/fetch-destination.https.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/api/request/destination/fetch-destination-prefetch.https.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/content-type/response.window.html [ Skip ]
@@ -1205,12 +1205,13 @@ imported/w3c/web-platform-tests/fetch/metadata/embed.https.sub.tentative.html [
 imported/w3c/web-platform-tests/fetch/metadata/form.https.sub.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/metadata/iframe.https.sub.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/metadata/iframe.sub.html [ Skip ]
-imported/w3c/web-platform-tests/fetch/metadata/navigation.https.sub.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/metadata/style.https.sub.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/metadata/redirect/redirect-http-upgrade.sub.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/metadata/window-open.https.sub.html [ Skip ]
 imported/w3c/web-platform-tests/fetch/metadata/redirect/ [ Skip ]
 imported/w3c/web-platform-tests/fetch/stale-while-revalidate/revalidate-not-blocked-by-csp.html [ Skip ]
+# These tests have unreliable ordering and are flakey
+imported/w3c/web-platform-tests/fetch/metadata/script.https.sub.html [ Skip ]
 
 # Not supported
 imported/w3c/web-platform-tests/background-fetch [ Skip ]

diff --git a/LayoutTests/http/wpt/fetch/fetch-metadata-same-origin-redirect-expected.txt b/LayoutTests/http/wpt/fetch/fetch-metadata-same-origin-redirect-expected.txt
@@ -3,6 +3,6 @@
 PASS Same-Origin -> Same-Origin redirect
 PASS undefined: sec-fetch-dest
 PASS undefined: sec-fetch-mode
-FAIL undefined: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS undefined: sec-fetch-site
 PASS undefined: sec-fetch-user
 
diff --git a/...eb-platform-tests/fetch/metadata/fetch-via-serviceworker--fallback.https.sub-expected.txt b/...eb-platform-tests/fetch/metadata/fetch-via-serviceworker--fallback.https.sub-expected.txt
@@ -2,6 +2,6 @@
 PASS Sec-Fetch headers after SW fallback
 PASS undefined: sec-fetch-dest
 PASS undefined: sec-fetch-mode
-FAIL undefined: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS undefined: sec-fetch-site
 PASS undefined: sec-fetch-user
 
diff --git a/...platform-tests/fetch/metadata/fetch-via-serviceworker--respondWith.https.sub-expected.txt b/...platform-tests/fetch/metadata/fetch-via-serviceworker--respondWith.https.sub-expected.txt
@@ -2,6 +2,6 @@
 PASS Sec-Fetch headers after SW fallback
 PASS undefined: sec-fetch-dest
 PASS undefined: sec-fetch-mode
-FAIL undefined: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS undefined: sec-fetch-site
 PASS undefined: sec-fetch-user
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any-expected.txt
@@ -8,18 +8,18 @@ PASS CORS mode
 PASS no-CORS mode
 PASS Same-origin fetch: sec-fetch-dest
 PASS Same-origin fetch: sec-fetch-mode
-FAIL Same-origin fetch: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS Same-origin fetch: sec-fetch-site
 PASS Same-origin fetch: sec-fetch-user
 PASS Same-origin mode: sec-fetch-dest
 PASS Same-origin mode: sec-fetch-mode
-FAIL Same-origin mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS Same-origin mode: sec-fetch-site
 PASS Same-origin mode: sec-fetch-user
 PASS CORS mode: sec-fetch-dest
 PASS CORS mode: sec-fetch-mode
-FAIL CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS CORS mode: sec-fetch-site
 PASS CORS mode: sec-fetch-user
 PASS no-CORS mode: sec-fetch-dest
 PASS no-CORS mode: sec-fetch-mode
-FAIL no-CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS no-CORS mode: sec-fetch-site
 PASS no-CORS mode: sec-fetch-user
 
diff --git a/...ts/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any.worker-expected.txt b/...ts/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any.worker-expected.txt
@@ -8,18 +8,18 @@ PASS CORS mode
 PASS no-CORS mode
 PASS Same-origin fetch: sec-fetch-dest
 PASS Same-origin fetch: sec-fetch-mode
-FAIL Same-origin fetch: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS Same-origin fetch: sec-fetch-site
 PASS Same-origin fetch: sec-fetch-user
 PASS Same-origin mode: sec-fetch-dest
 PASS Same-origin mode: sec-fetch-mode
-FAIL Same-origin mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS Same-origin mode: sec-fetch-site
 PASS Same-origin mode: sec-fetch-user
 PASS CORS mode: sec-fetch-dest
 PASS CORS mode: sec-fetch-mode
-FAIL CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS CORS mode: sec-fetch-site
 PASS CORS mode: sec-fetch-user
 PASS no-CORS mode: sec-fetch-dest
 PASS no-CORS mode: sec-fetch-mode
-FAIL no-CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS no-CORS mode: sec-fetch-site
 PASS no-CORS mode: sec-fetch-user
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.sub-expected.txt
@@ -3,10 +3,10 @@ PASS http->https fetch (cross-scheme => cross-site)
 PASS http->http fetch (non-trustworthy destination => no metadata)
 PASS http->https fetch (cross-scheme => cross-site): sec-fetch-dest
 PASS http->https fetch (cross-scheme => cross-site): sec-fetch-mode
-FAIL http->https fetch (cross-scheme => cross-site): sec-fetch-site assert_equals: expected "cross-site" but got ""
+PASS http->https fetch (cross-scheme => cross-site): sec-fetch-site
 PASS http->https fetch (cross-scheme => cross-site): sec-fetch-user
 FAIL http->http fetch (non-trustworthy destination => no metadata): sec-fetch-dest assert_equals: expected "" but got "empty"
 FAIL http->http fetch (non-trustworthy destination => no metadata): sec-fetch-mode assert_equals: expected "" but got "cors"
-PASS http->http fetch (non-trustworthy destination => no metadata): sec-fetch-site
+FAIL http->http fetch (non-trustworthy destination => no metadata): sec-fetch-site assert_equals: expected "" but got "same-origin"
 PASS http->http fetch (non-trustworthy destination => no metadata): sec-fetch-user
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/font.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/font.https.sub-expected.txt
@@ -8,6 +8,6 @@ FAIL Same-Site font assert_not_equals: got disallowed value "No header has been
 FAIL Cross-Site font assert_not_equals: got disallowed value "No header has been recorded"
 PASS Same-Origin font: sec-fetch-dest
 FAIL Same-Origin font: sec-fetch-mode assert_equals: expected "cors" but got "no-cors"
-FAIL Same-Origin font: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS Same-Origin font: sec-fetch-site
 PASS Same-Origin font: sec-fetch-user
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/form.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/form.https.sub-expected.txt
@@ -5,17 +5,25 @@
 Harness Error (TIMEOUT), message = null
 
 PASS localhost -> localhost:9443 iframe: forced
-TIMEOUT localhost -> www.localhost:9443 iframe: forced Test timed out
+PASS localhost -> www.localhost:9443 iframe: forced
 TIMEOUT localhost -> www.127.0.0.1:9443 iframe: forced Test timed out
 PASS localhost -> localhost:9443 iframe: user-activated
-TIMEOUT localhost -> www.localhost:9443 iframe: user-activated Test timed out
+PASS localhost -> www.localhost:9443 iframe: user-activated
 TIMEOUT localhost -> www.127.0.0.1:9443 iframe: user-activated Test timed out
-FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-dest assert_equals: expected "document" but got ""
-FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-mode assert_equals: expected "navigate" but got ""
-FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-site assert_equals: expected "same-origin" but got ""
-PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user
-FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest assert_equals: expected "document" but got ""
-FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode assert_equals: expected "navigate" but got ""
-FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest
+PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode
+PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-site
 FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-user assert_equals: expected "?1" but got ""
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-dest
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-mode
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-site
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user
+PASS localhost -> www.localhost:9443 iframe: forced: sec-fetch-dest
+PASS localhost -> www.localhost:9443 iframe: forced: sec-fetch-mode
+FAIL localhost -> www.localhost:9443 iframe: forced: sec-fetch-site assert_equals: expected "same-site" but got "cross-site"
+PASS localhost -> www.localhost:9443 iframe: forced: sec-fetch-user
+PASS localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-dest
+PASS localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-mode
+FAIL localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-site assert_equals: expected "same-site" but got "cross-site"
+FAIL localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-user assert_equals: expected "?1" but got ""
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.https.sub-expected.txt
@@ -1,7 +1,5 @@
 Blocked access to external URL https://www.localhost:9443/fetch/metadata/resources/post-to-owner.py
-Blocked access to external URL https://www.127.0.0.1:9443/fetch/metadata/resources/post-to-owner.py
 Blocked access to external URL https://www.localhost:9443/fetch/metadata/resources/post-to-owner.py
-Blocked access to external URL https://www.127.0.0.1:9443/fetch/metadata/resources/post-to-owner.py
 This is a link!This is a link!This is a link!
 
 Harness Error (TIMEOUT), message = null
@@ -12,12 +10,12 @@ TIMEOUT localhost -> www.127.0.0.1:9443 iframe: forced Test timed out
 PASS localhost -> localhost:9443 iframe: user-activated
 TIMEOUT localhost -> www.localhost:9443 iframe: user-activated Test timed out
 TIMEOUT localhost -> www.127.0.0.1:9443 iframe: user-activated Test timed out
-FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-dest assert_equals: expected "iframe" but got ""
-FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-mode assert_equals: expected "navigate" but got ""
-FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-site assert_equals: expected "same-origin" but got ""
-PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user
-FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest assert_equals: expected "iframe" but got ""
-FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode assert_equals: expected "navigate" but got ""
-FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest
+PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode
+PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-site
 FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-user assert_equals: expected "?1" but got ""
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-dest
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-mode
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-site
+PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.sub-expected.txt
@@ -1,5 +1,4 @@
 Blocked access to external URL http://www.localhost:8800/fetch/metadata/resources/post-to-owner.py
-Blocked access to external URL http://www.127.0.0.1:8800/fetch/metadata/resources/post-to-owner.py
 
 
 Harness Error (TIMEOUT), message = null
@@ -8,12 +7,12 @@ PASS Non-secure same-origin iframe => No headers
 TIMEOUT Non-secure same-site iframe => No headers Test timed out
 TIMEOUT Non-secure cross-site iframe => No headers. Test timed out
 PASS Secure, cross-site (cross-scheme, same-host) iframe
-PASS Non-secure same-origin iframe => No headers: sec-fetch-dest
-PASS Non-secure same-origin iframe => No headers: sec-fetch-mode
-PASS Non-secure same-origin iframe => No headers: sec-fetch-site
+FAIL Non-secure same-origin iframe => No headers: sec-fetch-dest assert_equals: expected "" but got "iframe"
+FAIL Non-secure same-origin iframe => No headers: sec-fetch-mode assert_equals: expected "" but got "navigate"
+FAIL Non-secure same-origin iframe => No headers: sec-fetch-site assert_equals: expected "" but got "same-origin"
 PASS Non-secure same-origin iframe => No headers: sec-fetch-user
-FAIL Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-dest assert_equals: expected "iframe" but got ""
-FAIL Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-mode assert_equals: expected "navigate" but got ""
-FAIL Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-site assert_equals: expected "cross-site" but got ""
+PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-dest
+PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-mode
+PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-site
 PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-user
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/img.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/img.https.sub-expected.txt
@@ -6,6 +6,6 @@ FAIL Same-site image promise_test: Unhandled rejection with value: object "[obje
 FAIL Cross-site image promise_test: Unhandled rejection with value: object "[object Event]"
 PASS Same-origin image: sec-fetch-dest
 PASS Same-origin image: sec-fetch-mode
-FAIL Same-origin image: sec-fetch-site assert_equals: expected (string) "same-origin" but got (undefined) undefined
+PASS Same-origin image: sec-fetch-site
 PASS Same-origin image: sec-fetch-user
 
diff --git a/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/navigation.https.sub-expected.txt b/LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/navigation.https.sub-expected.txt
@@ -0,0 +1,7 @@
+
+PASS This page's top-level navigation.
+PASS undefined: sec-fetch-dest
+PASS undefined: sec-fetch-mode
+PASS undefined: sec-fetch-site
+PASS undefined: sec-fetch-user
+
diff --git a/...-tests/fetch/metadata/redirect/multiple-redirect-https-downgrade-upgrade.sub-expected.txt b/...-tests/fetch/metadata/redirect/multiple-redirect-https-downgrade-upgrade.sub-expected.txt
diff --git a/...ted/w3c/web-platform-tests/fetch/metadata/redirect/redirect-http-upgrade.sub-expected.txt b/...ted/w3c/web-platform-tests/fetch/metadata/redirect/redirect-http-upgrade.sub-expected.txt