Bug 205326

Summary:

Implement "create a potential-CORS request"

Product:

WebKit

Reporter:

Rob Buis <rbuis>

Component:

Page Loading

Assignee:

Rob Buis <rbuis>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

beidson, cdumez, commit-queue, dbates, eric.carlson, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, japhet, jer.noble, mkwst, philipj, sergio, webkit-bug-importer, youennf

Priority:

Keywords:

InRadar

Version:

Other

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none

Rob Buis

Reported 2019-12-16 23:41:41 PST

Implement "create a potential-CORS request" and remove deprecatedSetAsPotentiallyCrossOrigin.

Attachments
Patch (4.97 KB, patch) 2019-12-16 23:58 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (7.63 KB, patch) 2019-12-17 00:54 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (16.26 KB, patch) 2019-12-17 02:39 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (16.98 KB, patch) 2019-12-17 03:32 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (23.04 KB, patch) 2019-12-17 05:32 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (23.92 KB, patch) 2019-12-17 07:22 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (23.99 KB, patch) 2019-12-18 00:59 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (24.36 KB, patch) 2019-12-20 04:29 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (13.75 KB, patch) 2020-01-03 05:11 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (2.30 KB, patch) 2020-01-18 01:04 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (3.71 KB, patch) 2020-01-18 01:54 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (3.92 KB, patch) 2020-01-20 00:48 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (3.96 KB, patch) 2020-01-20 00:49 PST, Rob Buis	no flags	Details Formatted Diff Diff
Patch (4.18 KB, patch) 2020-01-20 03:52 PST, Rob Buis	no flags	Details Formatted Diff Diff
Show Obsolete (13) View All Add attachment proposed patch, testcase, etc.

Rob Buis

Comment 1 2019-12-16 23:58:11 PST

Created attachment 385860 [details] Patch

Rob Buis

Comment 2 2019-12-17 00:54:15 PST

Created attachment 385863 [details] Patch

Rob Buis

Comment 3 2019-12-17 02:39:36 PST

Created attachment 385871 [details] Patch

Rob Buis

Comment 4 2019-12-17 03:32:38 PST

Created attachment 385874 [details] Patch

Rob Buis

Comment 5 2019-12-17 05:32:53 PST

Created attachment 385879 [details] Patch

Rob Buis

Comment 6 2019-12-17 07:22:53 PST

Created attachment 385886 [details] Patch

Alexey Proskuryakov

Comment 7 2019-12-17 18:59:56 PST

Comment on attachment 385886 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385886&action=review > LayoutTests/ChangeLog:8 > + Adjusts test to same-origin fallback behavior by using CORS. These changes seem to suggest high likelihood of breaking behaviors websites could rely on. What evidence exists to demonstrate them being fine? > LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:1 > +CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match. Can you elaborate on why this is right, in particular?

Rob Buis

Comment 8 2019-12-17 22:37:35 PST

(In reply to Alexey Proskuryakov from comment #7) > Comment on attachment 385886 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=385886&action=review > > > LayoutTests/ChangeLog:8 > > + Adjusts test to same-origin fallback behavior by using CORS. > > These changes seem to suggest high likelihood of breaking behaviors websites > could rely on. What evidence exists to demonstrate them being fine? It is specified that way for track loading: https://html.spec.whatwg.org/multipage/media.html#sourcing-out-of-band-text-tracks:create-a-potential-cors-request Chrome and Firefox implement it (I should have added that to the Changelog, will fix). > > LayoutTests/imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/track/track-element/cloneNode-expected.txt:1 > > +CONSOLE MESSAGE: Unsafe attempt to load URL javascript:"network error" from origin http://localhost:8800. Domains, protocols and ports must match. > > Can you elaborate on why this is right, in particular? That does look a bit odd, I will debug what is triggering those console messages.

Rob Buis

Comment 9 2019-12-18 00:59:45 PST

Created attachment 385947 [details] Patch

youenn fablet

Comment 10 2019-12-20 03:16:29 PST

Comment on attachment 385947 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385947&action=review > Source/WebCore/ChangeLog:11 > + The new behavior matches that of Chrome and Firefox. Can you detail what behavioural changes are one there?

Rob Buis

Comment 11 2019-12-20 04:29:44 PST

Created attachment 386201 [details] Patch

Rob Buis

Comment 12 2019-12-20 05:31:01 PST

Comment on attachment 385947 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385947&action=review >> Source/WebCore/ChangeLog:11 >> + The new behavior matches that of Chrome and Firefox. > > Can you detail what behavioural changes are one there? I tried to add more details in all ChangeLog files. Note that if the same-origin fallback is controversial I can remove it from the patch.

youenn fablet

Comment 13 2020-01-03 01:30:15 PST

Comment on attachment 386201 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386201&action=review > Source/WebCore/ChangeLog:13 > + not specified. Could we split the patch in two parts: one which is just a refactoring and then the one about text track loading? > Source/WebCore/loader/CrossOriginAccessControl.cpp:122 > +CachedResourceRequest createPotentialAccessControlRequest(ResourceRequest&& request, Document& document, const String& crossOriginAttribute, ResourceLoaderOptions&& options, bool sameOriginFlag) Can we move the options as the second parameter, that will allow to group the moved parameters together. > Source/WebCore/loader/CrossOriginAccessControl.cpp:131 > + auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; > Source/WebCore/loader/CrossOriginAccessControl.cpp:142 > auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; > Source/WebCore/loader/TextTrackLoader.cpp:163 > + auto cueRequest = createPotentialAccessControlRequest(WTFMove(resourceRequest), document, element.mediaElementCrossOriginAttribute(), WTFMove(options), true); An enum would be slightly clearer.

youenn fablet

Comment 14 2020-01-03 01:31:00 PST

@EricCarlson, any concern about changing text track loading to same-origin by default, as done by Chrome and Firefox nowadays apparently?

Rob Buis

Comment 15 2020-01-03 05:11:25 PST

Created attachment 386673 [details] Patch

Rob Buis

Comment 16 2020-01-03 06:08:19 PST

Comment on attachment 386201 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386201&action=review I think I addressed your comments. >> Source/WebCore/ChangeLog:13 >> + not specified. > > Could we split the patch in two parts: one which is just a refactoring and then the one about text track loading? Doing that now, the new patch does not contain the text track loading changes. >> Source/WebCore/loader/CrossOriginAccessControl.cpp:122 >> +CachedResourceRequest createPotentialAccessControlRequest(ResourceRequest&& request, Document& document, const String& crossOriginAttribute, ResourceLoaderOptions&& options, bool sameOriginFlag) > > Can we move the options as the second parameter, that will allow to group the moved parameters together. Done and adjusted the call sites. >> Source/WebCore/loader/CrossOriginAccessControl.cpp:131 >> + auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; > > CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; Done. >> Source/WebCore/loader/CrossOriginAccessControl.cpp:142 >> auto cachedRequest = CachedResourceRequest { WTFMove(request), WTFMove(options) }; > > CachedResourceRequest cachedRequest { WTFMove(request), WTFMove(options) }; Done.

WebKit Commit Bot

Comment 17 2020-01-03 07:27:39 PST

The commit-queue encountered the following flaky tests while processing attachment 386673 [details]: imported/w3c/web-platform-tests/IndexedDB/large-requests-abort.html bug 205724 (author: youennf@gmail.com) imported/w3c/web-platform-tests/IndexedDB/fire-error-event-exception.html bug 201481 (authors: shvaikalesh@gmail.com and youennf@gmail.com) The commit-queue is continuing to process your patch.

WebKit Commit Bot

Comment 18 2020-01-03 07:27:46 PST

The commit-queue encountered the following flaky tests while processing attachment 386673 [details]: imported/w3c/web-platform-tests/IndexedDB/interleaved-cursors-large.html bug 201849 The commit-queue is continuing to process your patch.

WebKit Commit Bot

Comment 19 2020-01-03 08:19:55 PST

Comment on attachment 386673 [details] Patch Clearing flags on attachment: 386673 Committed r254000: <https://trac.webkit.org/changeset/254000>

WebKit Commit Bot

Comment 20 2020-01-03 08:19:57 PST

All reviewed patches have been landed. Closing bug.

Radar WebKit Bug Importer

Comment 21 2020-01-03 08:20:24 PST

<rdar://problem/58298224>

Rob Buis

Comment 22 2020-01-03 09:20:10 PST

Reopening as a reminder that Eric still needs to react (comment 14) :)

Eric Carlson

Comment 23 2020-01-03 10:05:55 PST

(In reply to youenn fablet from comment #14) > @EricCarlson, any concern about changing text track loading to same-origin > by default, as done by Chrome and Firefox nowadays apparently? No, I think it is the right thing.

Eric Carlson

Comment 24 2020-01-03 10:06:25 PST

(In reply to Rob Buis from comment #22) > Reopening as a reminder that Eric still needs to react (comment 14) :) Closing bug. Thanks for checking in Rob!

Rob Buis

Comment 25 2020-01-18 01:04:26 PST

Reopening to attach new patch.

Rob Buis

Comment 26 2020-01-18 01:04:29 PST

Created attachment 388140 [details] Patch

Rob Buis

Comment 27 2020-01-18 01:54:39 PST

Created attachment 388141 [details] Patch

Rob Buis

Comment 28 2020-01-20 00:48:49 PST

Created attachment 388214 [details] Patch

Rob Buis

Comment 29 2020-01-20 00:49:41 PST

Created attachment 388215 [details] Patch

youenn fablet

Comment 30 2020-01-20 01:57:44 PST

Comment on attachment 388215 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=388215&action=review > Source/WebCore/loader/CrossOriginAccessControl.cpp:140 > + options.storedCredentialsPolicy = credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : document.securityOrigin().canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse; Can we write it with something like: switch (credentials) { case FetchOptions::Credentials::Omit: ... case FetchOptions::Credentials::Omit: ... case FetchOptions::Credentials::Include: ... case FetchOptions::Credentials::SameOrigin: ... } This should be easier to use and we would also ensure consistency between the two values (for instance omit => DoNotUse).

Rob Buis

Comment 31 2020-01-20 03:52:26 PST

Created attachment 388225 [details] Patch

WebKit Commit Bot

Comment 32 2020-01-20 06:43:16 PST

The commit-queue encountered the following flaky tests while processing attachment 388225 [details]: editing/spelling/spellcheck-async-remove-frame.html bug 158401 (authors: morrita@google.com, rniwa@webkit.org, and tony@chromium.org) The commit-queue is continuing to process your patch.

WebKit Commit Bot

Comment 33 2020-01-20 06:43:50 PST

Comment on attachment 388225 [details] Patch Clearing flags on attachment: 388225 Committed r254821: <https://trac.webkit.org/changeset/254821>

WebKit Commit Bot

Comment 34 2020-01-20 06:43:52 PST

All reviewed patches have been landed. Closing bug.

Rob Buis

Comment 35 2020-01-21 00:14:14 PST

(In reply to youenn fablet from comment #30) > Comment on attachment 388215 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=388215&action=review > > > Source/WebCore/loader/CrossOriginAccessControl.cpp:140 > > + options.storedCredentialsPolicy = credentials == FetchOptions::Credentials::Include ? StoredCredentialsPolicy::Use : document.securityOrigin().canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse; > > Can we write it with something like: > switch (credentials) { > case FetchOptions::Credentials::Omit: > ... > case FetchOptions::Credentials::Omit: > ... > case FetchOptions::Credentials::Include: > ... > case FetchOptions::Credentials::SameOrigin: > ... > } > This should be easier to use and we would also ensure consistency between > the two values (for instance omit => DoNotUse). Yes, this did make the code easier to read and reason about.

Note You need to log in before you can comment on or make changes to this bug.