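--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2014-09-10 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
+ [WK2] Authentication dialog is displayed for cross-origin XHR
+ https://bugs.webkit.org/show_bug.cgi?id=131349
+
+ Reviewed by Alexey Proskuryakov.
+
+ * WebCore.exp.in: Export of isAllowedToAskUserForCredentials.
+ * loader/ResourceLoader.cpp:
+ (WebCore::ResourceLoader::isAllowedToAskUserForCredentials): Replacing clientCredentialPolicy method. Returns true if credentials can be requested to the user.
+ (WebCore::ResourceLoader::didReceiveAuthenticationChallenge): Updated to use isAllowedToAskUserForCredentials.
+ * loader/ResourceLoader.h: Removing clientCredentialPolicy method and adding isAllowedToAskUserForCredentials method.
+
 2014-09-10 Gyuyoung Kim <gyuyoung.kim@samsung.com>
 
  Use ASSERT instead of ASSERT_WITH_SECURITY_IMPLICATION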

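--- a/Source/WebKit2/ChangeLog
+++ b/Source/WebKit2/ChangeLog
@@ -1,3 +1,19 @@
+2014-09-10 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
+ [WK2] Authentication dialog is displayed for cross-origin XHR
+ https://bugs.webkit.org/show_bug.cgi?id=131349
+
+ Reviewed by Alexey Proskuryakov.
+
+ Precomputing client credential policy in the Web Process before sending the resource load task to the Network Process.
+
+ * NetworkProcess/NetworkResourceLoader.cpp:
+ (WebKit::NetworkResourceLoader::didReceiveAuthenticationChallenge): Added an ASSERT to ensure that credential policy is never set to DoNotAskClientForCrossOriginCredentials.
+ * WebProcess/Network/WebResourceLoadScheduler.cpp:
+ (WebKit::WebResourceLoadScheduler::scheduleLoad): Precomputing client credential policy to handle the case of cross-origin requests.
+ * WebProcess/Network/WebResourceLoader.cpp:
+ (WebKit::WebResourceLoader::willSendRequest): Added a TODO to check whether redirections need a specific handling.
+
 2014-09-10 Antti Koivisto <antti@apple.com>
 
  NetworkResourceLoader cleanups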

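--- a/Source/WebCore/WebCore.exp.in
+++ b/Source/WebCore/WebCore.exp.in
@@ -1693,6 +1693,7 @@ __ZNK7WebCore14ResourceBuffer4sizeEv
 __ZNK7WebCore14ResourceBuffer7isEmptyEv
 __ZNK7WebCore14ResourceHandle10connectionEv
 __ZNK7WebCore14ResourceLoader11frameLoaderEv
+__ZNK7WebCore14ResourceLoader32isAllowedToAskUserForCredentialsEv
 __ZNK7WebCore14ScrollableArea13scrolledToTopEv
 __ZNK7WebCore14ScrollableArea14scrollAnimatorEv
 __ZNK7WebCore14ScrollableArea14scrolledToLeftEv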

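--- a/Source/WebCore/loader/ResourceLoader.cpp
+++ b/Source/WebCore/loader/ResourceLoader.cpp
@@ -538,6 +538,11 @@ bool ResourceLoader::shouldUseCredentialStorage()
  return frameLoader()->client().shouldUseCredentialStorage(documentLoader(), identifier());
 }
 
+bool ResourceLoader::isAllowedToAskUserForCredentials() const
+{
+ return m_options.clientCredentialPolicy() == AskClientForAllCredentials || (m_options.clientCredentialPolicy() == DoNotAskClientForCrossOriginCredentials && m_frame->document()->securityOrigin()->canRequest(originalRequest().url()));
+}
+
 void ResourceLoader::didReceiveAuthenticationChallenge(const AuthenticationChallenge& challenge)
 {
  ASSERT(m_handle->hasAuthenticationChallenge());
@@ -547,7 +552,7 @@ void ResourceLoader::didReceiveAuthenticationChallenge(const AuthenticationChall
  Ref<ResourceLoader> protect(*this);
 
  if (m_options.allowCredentials() == AllowStoredCredentials) {
- if (m_options.clientCredentialPolicy() == AskClientForAllCredentials || (m_options.clientCredentialPolicy() == DoNotAskClientForCrossOriginCredentials && m_frame->document()->securityOrigin()->canRequest(originalRequest().url()))) {
+ if (isAllowedToAskUserForCredentials()) {
  frameLoader()->notifier().didReceiveAuthenticationChallenge(this, challenge);
  return;
  }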
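Review bot: `isAllowedToAskUserForCredentials()` dereferences `m_frame->document()->securityOrigin()` with no null check, and it is now an exported method rather than an expression that only ran inside `didReceiveAuthenticationChallenge`. Whether `m_frame` or its document can be null at the new call sites is not visible here, so the cross-origin branch should fail closed: return `true` early for `AskClientForAllCredentials`, then `if (!m_frame || !m_frame->document()) return false;` before the `canRequest()` test. A one-line comment should also say that the same-origin test uses `originalRequest().url()` and so does not reflect redirects. `didReceiveAuthenticationChallenge` continues outside the second hunk.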

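--- a/Source/WebCore/loader/ResourceLoader.h
+++ b/Source/WebCore/loader/ResourceLoader.h
@@ -122,10 +122,11 @@ public:
  bool shouldSendResourceLoadCallbacks() const { return m_options.sendLoadCallbacks() == SendCallbacks; }
  void setSendCallbackPolicy(SendCallbackPolicy sendLoadCallbacks) { m_options.setSendLoadCallbacks(sendLoadCallbacks); }
  bool shouldSniffContent() const { return m_options.sniffContent() == SniffContent; }
- ClientCredentialPolicy clientCredentialPolicy() const { return m_options.clientCredentialPolicy(); }
+ WEBCORE_EXPORT bool isAllowedToAskUserForCredentials() const;
 
  bool reachedTerminalState() const { return m_reachedTerminalState; }
 
+
  const ResourceRequest& request() const { return m_request; }
 
  void setDataBufferingPolicy(DataBufferingPolicy);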
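Review bot: The new declaration `isAllowedToAskUserForCredentials()` replaces the public `clientCredentialPolicy()` accessor but carries no comment saying what it decides. Since the answer gates a credential prompt, I would add `// True if the user may be prompted for credentials: always for AskClientForAllCredentials, and only for same-origin original requests under DoNotAskClientForCrossOriginCredentials.` above it. The section also adds a second blank line after `reachedTerminalState()` that is unrelated to the fix and can be dropped.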

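--- a/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp
+++ b/Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp
@@ -357,10 +357,9 @@ bool NetworkResourceLoader::shouldUseCredentialStorage(ResourceHandle* handle)
 void NetworkResourceLoader::didReceiveAuthenticationChallenge(ResourceHandle* handle, const AuthenticationChallenge& challenge)
 {
  ASSERT_UNUSED(handle, handle == m_handle);
+ // NetworkResourceLoader does not know whether the request is cross origin, so Web process computes an applicable credential policy for it.
+ ASSERT(m_parameters.clientCredentialPolicy != DoNotAskClientForCrossOriginCredentials);
 
- // FIXME (http://webkit.org/b/115291): Since we go straight to the UI process for authentication we don't get WebCore's
- // cross-origin check before asking the client for credentials.
- // Therefore we are too permissive in the case where the ClientCredentialPolicy is DoNotAskClientForCrossOriginCredentials.
  if (m_parameters.clientCredentialPolicy == DoNotAskClientForAnyCredentials) {
  challenge.authenticationClient()->receivedRequestToContinueWithoutCredential(challenge);
  return;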
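Review bot: The added `ASSERT(m_parameters.clientCredentialPolicy != DoNotAskClientForCrossOriginCredentials)` is the only thing enforcing the new invariant, and assertions of this kind are normally compiled out of release builds. The value is computed in the Web process (per the added comment), so in a release build a `DoNotAskClientForCrossOriginCredentials` value would fall past the `== DoNotAskClientForAnyCredentials` test and presumably reach the prompt path; the rest of the function is outside the hunk. Making the runtime check fail closed covers this: `if (m_parameters.clientCredentialPolicy != AskClientForAllCredentials) {`.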

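--- a/Source/WebKit2/WebProcess/Network/WebResourceLoadScheduler.cpp
+++ b/Source/WebKit2/WebProcess/Network/WebResourceLoadScheduler.cpp
@@ -169,7 +169,7 @@ void WebResourceLoadScheduler::scheduleLoad(ResourceLoader* resourceLoader, Cach
  loadParameters.contentSniffingPolicy = contentSniffingPolicy;
  loadParameters.allowStoredCredentials = allowStoredCredentials;
  // If there is no WebFrame then this resource cannot be authenticated with the client.
- loadParameters.clientCredentialPolicy = (webFrame && webPage) ? resourceLoader->clientCredentialPolicy() : DoNotAskClientForAnyCredentials;
+ loadParameters.clientCredentialPolicy = (webFrame && webPage && resourceLoader->isAllowedToAskUserForCredentials()) ? AskClientForAllCredentials : DoNotAskClientForAnyCredentials;
  loadParameters.shouldClearReferrerOnHTTPSToHTTPRedirect = shouldClearReferrerOnHTTPSToHTTPRedirect;
  loadParameters.isMainResource = resource && resource->type() == CachedResource::MainResource;
  loadParameters.defersLoading = resourceLoader->defersLoading();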
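Review bot: The comment above the assignment, `// If there is no WebFrame then this resource cannot be authenticated with the client.`, no longer describes the whole condition. The policy is now also forced to `DoNotAskClientForAnyCredentials` when `isAllowedToAskUserForCredentials()` returns false. I would extend it, e.g. `// Without a WebFrame/WebPage, or when the loader's policy forbids prompting (e.g. cross-origin), never ask the client for credentials.` It is also worth noting there that the three-valued policy is deliberately collapsed to two values because the Network process cannot do the origin check itself. `scheduleLoad` starts and ends outside the hunk.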

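--- a/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp
+++ b/Source/WebKit2/WebProcess/Network/WebResourceLoader.cpp
@@ -89,6 +89,7 @@ void WebResourceLoader::willSendRequest(const ResourceRequest& proposedRequest,
  ResourceRequest newRequest = proposedRequest;
  if (m_coreLoader->documentLoader()->applicationCacheHost()->maybeLoadFallbackForRedirect(m_coreLoader.get(), newRequest, redirectResponse))
  return;
+ // FIXME: Do we need to update NetworkResourceLoader clientCredentialPolicy in case loader policy is DoNotAskClientForCrossOriginCredentials?
  m_coreLoader->willSendRequest(newRequest, redirectResponse);
 
  if (!m_coreLoader)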
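Review bot: The added FIXME in `willSendRequest` leaves the redirect case open without a tracking reference. The policy handed to the Network process appears to be decided once at schedule time from the original request URL. A same-origin load that is redirected to another origin would therefore seemingly still be allowed to show the authentication dialog this change is meant to suppress. I would state that consequence in the comment and tie it to a bug, e.g. `// FIXME (<bug URL>): clientCredentialPolicy is not recomputed on redirect, so a cross-origin redirect target can still trigger a credential prompt.` `willSendRequest` continues outside the hunk.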

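--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2014-09-10 Youenn Fablet <youenn.fablet@crf.canon.fr>
+
+ [WK2] Authentication dialog is displayed for cross-origin XHR
+ https://bugs.webkit.org/show_bug.cgi?id=131349
+
+ Reviewed by Alexey Proskuryakov.
+
+ * platform/mac-wk2/TestExpectations: Unskipped tests.
+
 2014-09-10 Jer Noble <jer.noble@apple.com>
 
  Unreviewed gardening. Rebaseline failing media/video- tests broken by r156546.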

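--- a/LayoutTests/platform/mac-wk2/TestExpectations
+++ b/LayoutTests/platform/mac-wk2/TestExpectations
@@ -341,10 +341,6 @@ webkit.org/b/125996 platform/mac/accessibility/search-when-element-starts-in-tab
 
 webkit.org/b/127960 [ MountainLion ] http/tests/security/cross-origin-plugin-private-browsing-toggled.html [ Pass Failure ]
 
-webkit.org/b/131349 http/tests/xmlhttprequest/access-control-preflight-credential-async.html [ Failure ]
-webkit.org/b/131349 http/tests/xmlhttprequest/cross-origin-no-authorization.html [ Failure ]
-webkit.org/b/131349 http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html [ Failure ]
-
 webkit.org/b/134550 [ Mavericks ] http/tests/cache/iframe-304-crash.html [ Pass Failure ]
 
 # Subpixel wrong cliprect on WK2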