Implement FetchMetadata Site
https://bugs.webkit.org/show_bug.cgi?id=238265

Reviewed by Youenn Fablet.

This implements the Sec-Fetch-Site header as part of FetchMetadata.

The site is computed on first use in the CachedResourceLoader and then tracked in the SubResourceLoader through
redirects.

The test results are only accurate on the GLib ports as they run under the web-platform.test domains which
can test proper same-site relationships as well as non-trustworthy domains (localhost is always trusted).

* LayoutTests/TestExpectations:
* LayoutTests/http/wpt/fetch/fetch-metadata-same-origin-redirect-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch-via-serviceworker--fallback.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch-via-serviceworker--respondWith.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.https.sub.any.worker-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/fetch.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/font.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/form.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/iframe.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/img.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/navigation.https.sub-expected.txt: Added.
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/redirect/multiple-redirect-https-downgrade-upgrade.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/redirect/redirect-http-upgrade.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/redirect/redirect-https-downgrade.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/script.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/script.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/serviceworker.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/sharedworker.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/unload.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/window-open.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/worker.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/fetch/metadata/xslt.https.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/navigation-headers.https-expected.txt:
* Source/WebCore/loader/CrossOriginAccessControl.cpp:
(WebCore::cleanHTTPRequestHeadersForAccessControl):
* Source/WebCore/loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::SubresourceLoader):
(WebCore::SubresourceLoader::willSendRequestInternal):
* Source/WebCore/loader/SubresourceLoader.h:
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::convertEnumerationToString):
(WebCore::updateRequestFetchMetadataHeaders):
(WebCore::CachedResourceLoader::computeFetchMetadataSite):
(WebCore::CachedResourceLoader::updateRequestAfterRedirection):
(WebCore::CachedResourceLoader::updateHTTPRequestHeaders):
* Source/WebCore/loader/cache/CachedResourceLoader.h:
* Source/WebCore/loader/cache/CachedResourceRequest.cpp:
(WebCore::CachedResourceRequest::updateFetchMetadataHeaders): Deleted.
* Source/WebCore/loader/cache/CachedResourceRequest.h:
* Source/WebCore/page/SecurityOrigin.cpp:
(WebCore::SecurityOrigin::isSameSiteAs const):
* Source/WebCore/page/SecurityOrigin.h:
* Source/WebCore/platform/network/HTTPHeaderNames.in:

Canonical link: https://commits.webkit.org/255810@main
TingPing committed Oct 21, 2022
1 parent 24b1332 commit e5f68a529bf10ce8b4f41f3ec5dd409224b28ee0
Showing 58 changed files with 755 additions and 321 deletions.
@@ -1192,7 +1192,7 @@ imported/w3c/web-platform-tests/fetch/content-encoding/bad-gzip-body.any.html [
imported/w3c/web-platform-tests/fetch/corb [ Skip ]
imported/w3c/web-platform-tests/fetch/sec-metadata [ Skip ]

# These fetch tests time out
# These fetch tests time out on ports without web-platform.test domain working (not glib).
imported/w3c/web-platform-tests/fetch/api/request/destination/fetch-destination.https.html [ Skip ]
imported/w3c/web-platform-tests/fetch/api/request/destination/fetch-destination-prefetch.https.html [ Skip ]
imported/w3c/web-platform-tests/fetch/content-type/response.window.html [ Skip ]
@@ -1205,12 +1205,13 @@ imported/w3c/web-platform-tests/fetch/metadata/embed.https.sub.tentative.html [
imported/w3c/web-platform-tests/fetch/metadata/form.https.sub.html [ Skip ]
imported/w3c/web-platform-tests/fetch/metadata/iframe.https.sub.html [ Skip ]
imported/w3c/web-platform-tests/fetch/metadata/iframe.sub.html [ Skip ]
imported/w3c/web-platform-tests/fetch/metadata/navigation.https.sub.html [ Skip ]
imported/w3c/web-platform-tests/fetch/metadata/style.https.sub.html [ Skip ]
imported/w3c/web-platform-tests/fetch/metadata/redirect/redirect-http-upgrade.sub.html [ Skip ]
imported/w3c/web-platform-tests/fetch/metadata/window-open.https.sub.html [ Skip ]
imported/w3c/web-platform-tests/fetch/metadata/redirect/ [ Skip ]
imported/w3c/web-platform-tests/fetch/stale-while-revalidate/revalidate-not-blocked-by-csp.html [ Skip ]
# These tests have unreliable ordering and are flakey
imported/w3c/web-platform-tests/fetch/metadata/script.https.sub.html [ Skip ]

# Not supported
imported/w3c/web-platform-tests/background-fetch [ Skip ]
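Review bot: The `script.https.sub.html [ Skip ]` entry under "These tests have unreliable ordering and are flakey" carries no bug reference, and a blanket Skip leaves the script case of Sec-Fetch-Site with no coverage on ports that use this file, even though the commit message lists script.https.sub-expected.txt as updated. Consider a `[ Pass Failure ]` expectation with a tracking bug link instead, so crashes and timeouts are still reported. "flakey" is also usually spelled "flaky".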
@@ -3,6 +3,6 @@
PASS Same-Origin -> Same-Origin redirect
PASS undefined: sec-fetch-dest
PASS undefined: sec-fetch-mode
FAIL undefined: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS undefined: sec-fetch-site
PASS undefined: sec-fetch-user

@@ -2,6 +2,6 @@
PASS Sec-Fetch headers after SW fallback
PASS undefined: sec-fetch-dest
PASS undefined: sec-fetch-mode
FAIL undefined: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS undefined: sec-fetch-site
PASS undefined: sec-fetch-user

@@ -2,6 +2,6 @@
PASS Sec-Fetch headers after SW fallback
PASS undefined: sec-fetch-dest
PASS undefined: sec-fetch-mode
FAIL undefined: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS undefined: sec-fetch-site
PASS undefined: sec-fetch-user

@@ -8,18 +8,18 @@ PASS CORS mode
PASS no-CORS mode
PASS Same-origin fetch: sec-fetch-dest
PASS Same-origin fetch: sec-fetch-mode
FAIL Same-origin fetch: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS Same-origin fetch: sec-fetch-site
PASS Same-origin fetch: sec-fetch-user
PASS Same-origin mode: sec-fetch-dest
PASS Same-origin mode: sec-fetch-mode
FAIL Same-origin mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS Same-origin mode: sec-fetch-site
PASS Same-origin mode: sec-fetch-user
PASS CORS mode: sec-fetch-dest
PASS CORS mode: sec-fetch-mode
FAIL CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS CORS mode: sec-fetch-site
PASS CORS mode: sec-fetch-user
PASS no-CORS mode: sec-fetch-dest
PASS no-CORS mode: sec-fetch-mode
FAIL no-CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS no-CORS mode: sec-fetch-site
PASS no-CORS mode: sec-fetch-user

@@ -8,18 +8,18 @@ PASS CORS mode
PASS no-CORS mode
PASS Same-origin fetch: sec-fetch-dest
PASS Same-origin fetch: sec-fetch-mode
FAIL Same-origin fetch: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS Same-origin fetch: sec-fetch-site
PASS Same-origin fetch: sec-fetch-user
PASS Same-origin mode: sec-fetch-dest
PASS Same-origin mode: sec-fetch-mode
FAIL Same-origin mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS Same-origin mode: sec-fetch-site
PASS Same-origin mode: sec-fetch-user
PASS CORS mode: sec-fetch-dest
PASS CORS mode: sec-fetch-mode
FAIL CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS CORS mode: sec-fetch-site
PASS CORS mode: sec-fetch-user
PASS no-CORS mode: sec-fetch-dest
PASS no-CORS mode: sec-fetch-mode
FAIL no-CORS mode: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS no-CORS mode: sec-fetch-site
PASS no-CORS mode: sec-fetch-user

@@ -3,10 +3,10 @@ PASS http->https fetch (cross-scheme => cross-site)
PASS http->http fetch (non-trustworthy destination => no metadata)
PASS http->https fetch (cross-scheme => cross-site): sec-fetch-dest
PASS http->https fetch (cross-scheme => cross-site): sec-fetch-mode
FAIL http->https fetch (cross-scheme => cross-site): sec-fetch-site assert_equals: expected "cross-site" but got ""
PASS http->https fetch (cross-scheme => cross-site): sec-fetch-site
PASS http->https fetch (cross-scheme => cross-site): sec-fetch-user
FAIL http->http fetch (non-trustworthy destination => no metadata): sec-fetch-dest assert_equals: expected "" but got "empty"
FAIL http->http fetch (non-trustworthy destination => no metadata): sec-fetch-mode assert_equals: expected "" but got "cors"
PASS http->http fetch (non-trustworthy destination => no metadata): sec-fetch-site
FAIL http->http fetch (non-trustworthy destination => no metadata): sec-fetch-site assert_equals: expected "" but got "same-origin"
PASS http->http fetch (non-trustworthy destination => no metadata): sec-fetch-user

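Review bot: In the "http->http fetch (non-trustworthy destination => no metadata)" rows, the sec-fetch-site result appears as a PASS followed by a FAIL with `expected "" but got "same-origin"`, so this baseline records Sec-Fetch-Site being sent where the test expects no metadata, in line with the existing sec-fetch-dest and sec-fetch-mode failures next to it. The commit message puts this down to localhost always being trusted; please state that next to the expectation or keep the accurate result as a GLib-specific baseline, so that a real loss of the trustworthy-destination check is not hidden behind an expected FAIL.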
@@ -8,6 +8,6 @@ FAIL Same-Site font assert_not_equals: got disallowed value "No header has been
FAIL Cross-Site font assert_not_equals: got disallowed value "No header has been recorded"
PASS Same-Origin font: sec-fetch-dest
FAIL Same-Origin font: sec-fetch-mode assert_equals: expected "cors" but got "no-cors"
FAIL Same-Origin font: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS Same-Origin font: sec-fetch-site
PASS Same-Origin font: sec-fetch-user

@@ -5,17 +5,25 @@
Harness Error (TIMEOUT), message = null

PASS localhost -> localhost:9443 iframe: forced
TIMEOUT localhost -> www.localhost:9443 iframe: forced Test timed out
PASS localhost -> www.localhost:9443 iframe: forced
TIMEOUT localhost -> www.127.0.0.1:9443 iframe: forced Test timed out
PASS localhost -> localhost:9443 iframe: user-activated
TIMEOUT localhost -> www.localhost:9443 iframe: user-activated Test timed out
PASS localhost -> www.localhost:9443 iframe: user-activated
TIMEOUT localhost -> www.127.0.0.1:9443 iframe: user-activated Test timed out
FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-dest assert_equals: expected "document" but got ""
FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-mode assert_equals: expected "navigate" but got ""
FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest assert_equals: expected "document" but got ""
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode assert_equals: expected "navigate" but got ""
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest
PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode
PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-site
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-user assert_equals: expected "?1" but got ""
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-dest
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-mode
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-site
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user
PASS localhost -> www.localhost:9443 iframe: forced: sec-fetch-dest
PASS localhost -> www.localhost:9443 iframe: forced: sec-fetch-mode
FAIL localhost -> www.localhost:9443 iframe: forced: sec-fetch-site assert_equals: expected "same-site" but got "cross-site"
PASS localhost -> www.localhost:9443 iframe: forced: sec-fetch-user
PASS localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-dest
PASS localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-mode
FAIL localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-site assert_equals: expected "same-site" but got "cross-site"
FAIL localhost -> www.localhost:9443 iframe: user-activated: sec-fetch-user assert_equals: expected "?1" but got ""

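Review bot: The `localhost -> www.localhost:9443` rows record sec-fetch-site as "cross-site" where the test expects "same-site", for both the forced and the user-activated navigation. Please confirm this comes from how localhost hosts are compared in this harness and not from `SecurityOrigin::isSameSiteAs` itself, for example by pointing to the result on the web-platform.test domains the commit message mentions. The `www.127.0.0.1:9443` rows still time out, so this file has no passing same-site or cross-site navigation case.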
@@ -1,7 +1,5 @@
Blocked access to external URL https://www.localhost:9443/fetch/metadata/resources/post-to-owner.py
Blocked access to external URL https://www.127.0.0.1:9443/fetch/metadata/resources/post-to-owner.py
Blocked access to external URL https://www.localhost:9443/fetch/metadata/resources/post-to-owner.py
Blocked access to external URL https://www.127.0.0.1:9443/fetch/metadata/resources/post-to-owner.py
This is a link!This is a link!This is a link!

Harness Error (TIMEOUT), message = null
@@ -12,12 +10,12 @@ TIMEOUT localhost -> www.127.0.0.1:9443 iframe: forced Test timed out
PASS localhost -> localhost:9443 iframe: user-activated
TIMEOUT localhost -> www.localhost:9443 iframe: user-activated Test timed out
TIMEOUT localhost -> www.127.0.0.1:9443 iframe: user-activated Test timed out
FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-dest assert_equals: expected "iframe" but got ""
FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-mode assert_equals: expected "navigate" but got ""
FAIL localhost -> localhost:9443 iframe: forced: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest assert_equals: expected "iframe" but got ""
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode assert_equals: expected "navigate" but got ""
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-dest
PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-mode
PASS localhost -> localhost:9443 iframe: user-activated: sec-fetch-site
FAIL localhost -> localhost:9443 iframe: user-activated: sec-fetch-user assert_equals: expected "?1" but got ""
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-dest
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-mode
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-site
PASS localhost -> localhost:9443 iframe: forced: sec-fetch-user

@@ -1,5 +1,4 @@
Blocked access to external URL http://www.localhost:8800/fetch/metadata/resources/post-to-owner.py
Blocked access to external URL http://www.127.0.0.1:8800/fetch/metadata/resources/post-to-owner.py


Harness Error (TIMEOUT), message = null
@@ -8,12 +7,12 @@ PASS Non-secure same-origin iframe => No headers
TIMEOUT Non-secure same-site iframe => No headers Test timed out
TIMEOUT Non-secure cross-site iframe => No headers. Test timed out
PASS Secure, cross-site (cross-scheme, same-host) iframe
PASS Non-secure same-origin iframe => No headers: sec-fetch-dest
PASS Non-secure same-origin iframe => No headers: sec-fetch-mode
PASS Non-secure same-origin iframe => No headers: sec-fetch-site
FAIL Non-secure same-origin iframe => No headers: sec-fetch-dest assert_equals: expected "" but got "iframe"
FAIL Non-secure same-origin iframe => No headers: sec-fetch-mode assert_equals: expected "" but got "navigate"
FAIL Non-secure same-origin iframe => No headers: sec-fetch-site assert_equals: expected "" but got "same-origin"
PASS Non-secure same-origin iframe => No headers: sec-fetch-user
FAIL Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-dest assert_equals: expected "iframe" but got ""
FAIL Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-mode assert_equals: expected "navigate" but got ""
FAIL Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-site assert_equals: expected "cross-site" but got ""
PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-dest
PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-mode
PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-site
PASS Secure, cross-site (cross-scheme, same-host) iframe: sec-fetch-user

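Review bot: The "Non-secure same-origin iframe => No headers" rows change for sec-fetch-dest and sec-fetch-mode as well as sec-fetch-site (got "iframe", "navigate" and "same-origin" where "" is expected), while the commit message describes only Sec-Fetch-Site. If moving header generation from `CachedResourceRequest::updateFetchMetadataHeaders` to `updateRequestFetchMetadataHeaders` in CachedResourceLoader is what makes iframe navigations carry dest and mode, please say so in the message, and note that the three new FAILs on the non-secure case are the localhost-is-trusted limitation and not intended behaviour.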
@@ -6,6 +6,6 @@ FAIL Same-site image promise_test: Unhandled rejection with value: object "[obje
FAIL Cross-site image promise_test: Unhandled rejection with value: object "[object Event]"
PASS Same-origin image: sec-fetch-dest
PASS Same-origin image: sec-fetch-mode
FAIL Same-origin image: sec-fetch-site assert_equals: expected (string) "same-origin" but got (undefined) undefined
PASS Same-origin image: sec-fetch-site
PASS Same-origin image: sec-fetch-user

@@ -0,0 +1,7 @@

PASS This page's top-level navigation.
PASS undefined: sec-fetch-dest
PASS undefined: sec-fetch-mode
PASS undefined: sec-fetch-site
PASS undefined: sec-fetch-user

This file was deleted.

This file was deleted.
