WebSocket requests should include Sec-Fetch-Mode=websocket for FetchM…

…etadata https://bugs.webkit.org/show_bug.cgi?id=237550 rdar://problem/90106854 Reviewed by Alex Christensen. Add Sec Fetch headers to the WebSocket Handshake request. We specila case this since we do not have a good use of websocket destination and mode enumeration values. And the URL needs to be translated from ws to http scheme. Add win and bigsur expectations since they do not support custom HTTP headers. * LayoutTests/platform/win/http/wpt/fetch/fetch-metadata-websocket-expected.txt: * LayoutTests/platform/mac-bigsur/http/wpt/fetch: * LayoutTests/http/wpt/fetch/fetch-metadata-websocket-expected.txt: Added. * LayoutTests/http/wpt/fetch/fetch-metadata-websocket.html: Added. * Source/WebCore/Modules/websockets/ThreadableWebSocketChannel.cpp: (WebCore::ThreadableWebSocketChannel::webSocketConnectRequest): Canonical link: https://commits.webkit.org/256527@main
WebKit · Nov 10, 2022 · f05061a1e8307f802de0f4f17059ae8a6dee58d9 · f05061a
1 parent b97318e
commit f05061a1e8307f802de0f4f17059ae8a6dee58d9
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 0 deletions.
diff --git a/LayoutTests/http/wpt/fetch/fetch-metadata-websocket-expected.txt b/LayoutTests/http/wpt/fetch/fetch-metadata-websocket-expected.txt
@@ -0,0 +1,7 @@
+
+PASS Websocket Handshake fetch metadata
+PASS WebSocket Handshake: sec-fetch-dest
+PASS WebSocket Handshake: sec-fetch-mode
+PASS WebSocket Handshake: sec-fetch-site
+PASS WebSocket Handshake: sec-fetch-user
+
diff --git a/LayoutTests/http/wpt/fetch/fetch-metadata-websocket.html b/LayoutTests/http/wpt/fetch/fetch-metadata-websocket.html
@@ -0,0 +1,30 @@
+<!DOCTYPE html><!-- webkit-test-runner [ dumpJSConsoleLogInStdErr=true ] -->
+
+<link rel="author" href="mtrzos@google.com" title="Maciek Trzos">
+<script src=/resources/testharness.js></script>
+<script src=/resources/testharnessreport.js></script>
+<script src=/fetch/metadata/resources/helper.js></script>
+<script src=/common/utils.js></script>
+<body></body>
+<script>
+  let nonce = token();
+
+console.log(window.location.href);
+
+  promise_test(t => {
+    return new Promise((resolve, reject) => {
+      let key = "websocket-" + nonce;
+
+      let ws = new WebSocket("ws://localhost:8800/fetch/metadata/resources/record-header.py?file=" + key);
+      let expected = {"site": "same-origin", "user": "", "mode": "websocket", "dest": "websocket"};
+
+      // This is expected to fail but will still record the headers from the handshake.
+      ws.addEventListener("error", e => {
+        validate_expectations(key, expected, "WebSocket Handshake")
+          .then(_ => resolve())
+          .catch(e => reject(e));
+      });
+    })
+  }, "Websocket Handshake fetch metadata");
+</script>
+
diff --git a/LayoutTests/platform/mac-bigsur/http/wpt/fetch/fetch-metadata-websocket-expected.txt b/LayoutTests/platform/mac-bigsur/http/wpt/fetch/fetch-metadata-websocket-expected.txt
@@ -0,0 +1,7 @@
+
+PASS Websocket Handshake fetch metadata
+FAIL WebSocket Handshake: sec-fetch-dest assert_equals: expected "websocket" but got ""
+FAIL WebSocket Handshake: sec-fetch-mode assert_equals: expected "websocket" but got ""
+FAIL WebSocket Handshake: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS WebSocket Handshake: sec-fetch-user
+
diff --git a/LayoutTests/platform/win/http/wpt/fetch/fetch-metadata-websocket-expected.txt b/LayoutTests/platform/win/http/wpt/fetch/fetch-metadata-websocket-expected.txt
@@ -0,0 +1,7 @@
+
+PASS Websocket Handshake fetch metadata
+FAIL WebSocket Handshake: sec-fetch-dest assert_equals: expected "websocket" but got ""
+FAIL WebSocket Handshake: sec-fetch-mode assert_equals: expected "websocket" but got ""
+FAIL WebSocket Handshake: sec-fetch-site assert_equals: expected "same-origin" but got ""
+PASS WebSocket Handshake: sec-fetch-user
+
diff --git a/Source/WebCore/Modules/websockets/ThreadableWebSocketChannel.cpp b/Source/WebCore/Modules/websockets/ThreadableWebSocketChannel.cpp
@@ -137,6 +137,21 @@ std::optional<ResourceRequest> ThreadableWebSocketChannel::webSocketConnectReque
     request.addHTTPHeaderField(HTTPHeaderName::Pragma, HTTPHeaderValues::noCache());
     request.addHTTPHeaderField(HTTPHeaderName::CacheControl, HTTPHeaderValues::noCache());
 
+    auto httpURL = request.url();
+    httpURL.setProtocol(url.protocolIs("ws"_s) ? "http"_s : "https"_s);
+    auto requestOrigin = SecurityOrigin::create(httpURL);
+    if (document.settings().fetchMetadataEnabled() && requestOrigin->isPotentiallyTrustworthy()) {
+        request.addHTTPHeaderField(HTTPHeaderName::SecFetchDest, "websocket"_s);
+        request.addHTTPHeaderField(HTTPHeaderName::SecFetchMode, "websocket"_s);
+
+        if (document.securityOrigin().isSameOriginAs(requestOrigin.get()))
+            request.addHTTPHeaderField(HTTPHeaderName::SecFetchSite, "same-origin"_s);
+        else if (document.securityOrigin().isSameSiteAs(requestOrigin))
+            request.addHTTPHeaderField(HTTPHeaderName::SecFetchSite, "same-site"_s);
+        else
+            request.addHTTPHeaderField(HTTPHeaderName::SecFetchSite, "cross-site"_s);
+    }
+
     return request;
 }