WebSocket requests should include Sec-Fetch-Mode=websocket for FetchMetadata

https://bugs.webkit.org/show_bug.cgi?id=237550
rdar://problem/90106854

Reviewed by Alex Christensen.

Add Sec Fetch headers to the WebSocket Handshake request.
We special case this since we do not have a good use of websocket destination and mode enumeration values.
And the URL needs to be translated from ws to http scheme.

Add win and bigsur expectations since they do not support custom HTTP headers.

* LayoutTests/platform/win/http/wpt/fetch/fetch-metadata-websocket-expected.txt:
* LayoutTests/platform/mac-bigsur/http/wpt/fetch:
* LayoutTests/http/wpt/fetch/fetch-metadata-websocket-expected.txt: Added.
* LayoutTests/http/wpt/fetch/fetch-metadata-websocket.html: Added.
* Source/WebCore/Modules/websockets/ThreadableWebSocketChannel.cpp:
(WebCore::ThreadableWebSocketChannel::webSocketConnectRequest):

Canonical link: https://commits.webkit.org/256527@main
youennf committed Nov 10, 2022
1 parent b97318e commit f05061a1e8307f802de0f4f17059ae8a6dee58d9
Showing 5 changed files with 66 additions and 0 deletions.
@@ -0,0 +1,7 @@

PASS Websocket Handshake fetch metadata
PASS WebSocket Handshake: sec-fetch-dest
PASS WebSocket Handshake: sec-fetch-mode
PASS WebSocket Handshake: sec-fetch-site
PASS WebSocket Handshake: sec-fetch-user

@@ -0,0 +1,30 @@
<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->

<link rel="author" href="mtrzos@google.com" title="Maciek Trzos">
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<script src=/fetch/metadata/resources/helper.js></script>
<script src=/common/utils.js></script>
<body></body>
<script>
let nonce = token();

console.log(window.location.href);

promise_test(t => {
return new Promise((resolve, reject) => {
let key = "websocket-" + nonce;

let ws = new WebSocket("ws://localhost:8800/fetch/metadata/resources/record-header.py?file=" + key);
let expected = {"site": "same-origin", "user": "", "mode": "websocket", "dest": "websocket"};

// This is expected to fail but will still record the headers from the handshake.
ws.addEventListener("error", e => {
validate_expectations(key, expected, "WebSocket Handshake")
.then(_ => resolve())
.catch(e => reject(e));
});
})
}, "Websocket Handshake fetch metadata");
</script>

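Review bot: the `expected` object only covers the same-origin case (`"site": "same-origin"` against `ws://localhost:8800`), so the `same-site` and `cross-site` branches that this commit adds in `webSocketConnectRequest` are never exercised; adding handshakes to a same-site and a cross-site host would cover the values a server is most likely to act on. Separately, the promise settles only from the `"error"` listener, so if the handshake ever opens or closes without an error event the test ends by timeout rather than with a clear failure; handling `"open"` or `"close"` as well would avoid that. `console.log(window.location.href)` looks like debugging residue and could be dropped together with the `dumpJSConsoleLogInStdErr` option if nothing depends on it.
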
@@ -0,0 +1,7 @@

PASS Websocket Handshake fetch metadata
FAIL WebSocket Handshake: sec-fetch-dest assert_equals: expected "websocket" but got ""
FAIL WebSocket Handshake: sec-fetch-mode assert_equals: expected "websocket" but got ""
FAIL WebSocket Handshake: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS WebSocket Handshake: sec-fetch-user

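Review bot: with the three FAIL lines all reporting `got ""`, the remaining `PASS WebSocket Handshake: sec-fetch-user` is vacuous in this baseline, because the test expects `""` for `user` and an absent header satisfies that. As written, this expectation would keep matching for as long as no Sec-Fetch header is sent, so it is worth referencing a tracking bug alongside it so the file is rebaselined once the platform can send custom HTTP headers on the handshake.
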
@@ -0,0 +1,7 @@

PASS Websocket Handshake fetch metadata
FAIL WebSocket Handshake: sec-fetch-dest assert_equals: expected "websocket" but got ""
FAIL WebSocket Handshake: sec-fetch-mode assert_equals: expected "websocket" but got ""
FAIL WebSocket Handshake: sec-fetch-site assert_equals: expected "same-origin" but got ""
PASS WebSocket Handshake: sec-fetch-user

@@ -137,6 +137,21 @@ std::optional<ResourceRequest> ThreadableWebSocketChannel::webSocketConnectReque
request.addHTTPHeaderField(HTTPHeaderName::Pragma, HTTPHeaderValues::noCache());
request.addHTTPHeaderField(HTTPHeaderName::CacheControl, HTTPHeaderValues::noCache());

auto httpURL = request.url();
httpURL.setProtocol(url.protocolIs("ws"_s) ? "http"_s : "https"_s);
auto requestOrigin = SecurityOrigin::create(httpURL);
if (document.settings().fetchMetadataEnabled() && requestOrigin->isPotentiallyTrustworthy()) {
request.addHTTPHeaderField(HTTPHeaderName::SecFetchDest, "websocket"_s);
request.addHTTPHeaderField(HTTPHeaderName::SecFetchMode, "websocket"_s);

if (document.securityOrigin().isSameOriginAs(requestOrigin.get()))
request.addHTTPHeaderField(HTTPHeaderName::SecFetchSite, "same-origin"_s);
else if (document.securityOrigin().isSameSiteAs(requestOrigin))
request.addHTTPHeaderField(HTTPHeaderName::SecFetchSite, "same-site"_s);
else
request.addHTTPHeaderField(HTTPHeaderName::SecFetchSite, "cross-site"_s);
}

return request;
}

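Review bot: in `httpURL.setProtocol(url.protocolIs("ws"_s) ? "http"_s : "https"_s)` every scheme other than `ws` is mapped to `https`, so the `isPotentiallyTrustworthy()` and same-origin checks that follow rest on the unstated assumption that `url` is always `ws` or `wss` at this point; an assertion on `url.protocolIs("wss"_s)` for the else case, or a comment stating the precondition, would make that explicit. The scheme test reads `url` while the URL being modified comes from `request.url()`, and using a single source for both would be easier to follow. A short code comment on why the scheme is rewritten and why `"websocket"_s` is a literal would carry the rationale from the commit message into the source, and `isSameOriginAs(requestOrigin.get())` versus `isSameSiteAs(requestOrigin)` could pass the origin the same way in both calls.
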