Origin header is preserved on cross-origin redirects.

https://bugs.webkit.org/show_bug.cgi?id=144157.

Reviewed by Sam Weinig.

Source/WebCore:

Tests: http/tests/security/cors-post-redirect-301.html
       http/tests/security/cors-post-redirect-302.html
       http/tests/security/cors-post-redirect-307.html
       http/tests/security/cors-post-redirect-308.html

* platform/network/cf/ResourceHandleCFNet.cpp:
(WebCore::ResourceHandle::willSendRequest): Always clear any origin header for cross-origin redirects.
* platform/network/mac/ResourceHandleMac.mm:
(WebCore::ResourceHandle::willSendRequest): Ditto.

LayoutTests:

* http/tests/security/cors-post-redirect-301-expected.txt: Added.
* http/tests/security/cors-post-redirect-301.html: Added.
* http/tests/security/cors-post-redirect-302-expected.txt: Added.
* http/tests/security/cors-post-redirect-302.html: Added.
* http/tests/security/cors-post-redirect-307-expected.txt: Added.
* http/tests/security/cors-post-redirect-307.html: Added.
* http/tests/security/cors-post-redirect-308-expected.txt: Added.
* http/tests/security/cors-post-redirect-308.html: Added.
* http/tests/security/resources/cors-post-redirect-target.php: Added.

Canonical link: https://commits.webkit.org/162147@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183280 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: beidson

LayoutTests/ChangeLog

@@ -1,3 +1,20 @@
+2015-04-24  Brady Eidson  <beidson@apple.com>
+
+        Origin header is preserved on cross-origin redirects.
+        https://bugs.webkit.org/show_bug.cgi?id=144157.
+
+        Reviewed by Sam Weinig.
+
+        * http/tests/security/cors-post-redirect-301-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-301.html: Added.
+        * http/tests/security/cors-post-redirect-302-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-302.html: Added.
+        * http/tests/security/cors-post-redirect-307-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-307.html: Added.
+        * http/tests/security/cors-post-redirect-308-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-308.html: Added.
+        * http/tests/security/resources/cors-post-redirect-target.php: Added.
+
 2015-04-24  Matthew Mirman  <mmirman@apple.com>
 
         Added tests to ensure that Object.prototype.__proto__ native getter and setter do not coerce undefined to this

LayoutTests/http/tests/security/cors-post-redirect-301-expected.txt

@@ -0,0 +1 @@
+There was no origin header

LayoutTests/http/tests/security/cors-post-redirect-301.html

@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='301'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=301&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>

LayoutTests/http/tests/security/cors-post-redirect-302-expected.txt

@@ -0,0 +1 @@
+There was no origin header

LayoutTests/http/tests/security/cors-post-redirect-302.html

@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='302'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=302&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>

LayoutTests/http/tests/security/cors-post-redirect-307-expected.txt

@@ -0,0 +1 @@
+There was no origin header

LayoutTests/http/tests/security/cors-post-redirect-307.html

@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='307'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=307&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>

LayoutTests/http/tests/security/cors-post-redirect-308-expected.txt

@@ -0,0 +1 @@
+There was no origin header

LayoutTests/http/tests/security/cors-post-redirect-308.html

@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='308'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=308&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>

LayoutTests/http/tests/security/resources/cors-post-redirect-target.php

@@ -0,0 +1,17 @@
+<?php
+$sawOrigin = false;
+foreach (getallheaders() as $name => $value) {
+    if (strtolower($name) == "origin") {
+        echo "Origin header value: $value";
+        $sawOrigin = true;
+    }
+}
+
+if (!$sawOrigin)
+    echo "There was no origin header";
+
+?>
+<script>
+if (window.testRunner)
+    testRunner.notifyDone();
+</script>

Source/WebCore/ChangeLog

@@ -1,3 +1,20 @@
+2015-04-24  Brady Eidson  <beidson@apple.com>
+
+        Origin header is preserved on cross-origin redirects.
+        https://bugs.webkit.org/show_bug.cgi?id=144157.
+
+        Reviewed by Sam Weinig.
+
+        Tests: http/tests/security/cors-post-redirect-301.html
+               http/tests/security/cors-post-redirect-302.html
+               http/tests/security/cors-post-redirect-307.html
+               http/tests/security/cors-post-redirect-308.html
+
+        * platform/network/cf/ResourceHandleCFNet.cpp:
+        (WebCore::ResourceHandle::willSendRequest): Always clear any origin header for cross-origin redirects.
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::willSendRequest): Ditto.
+
 2015-04-24  Brent Fulgham  <bfulgham@apple.com>
 
         Immediate action not functional for embedded PDFs

Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp

@@ -276,9 +276,10 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
     request.removeCredentials();
 
     if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) {
-        // If the network layer carries over authentication headers from the original request
-        // in a cross-origin redirect, we want to clear those headers here.
+        // The network layer might carry over some headers from the original request that
+        // we want to strip here because the redirect is cross-origin.
         request.clearHTTPAuthorization();
+        request.clearHTTPOrigin();
     } else {
         // Only consider applying authentication credentials if this is actually a redirect and the redirect
         // URL didn't include credentials of its own.

Source/WebCore/platform/network/mac/ResourceHandleMac.mm

@@ -462,10 +462,10 @@ static bool synchronousWillSendRequestEnabled()
     request.removeCredentials();
 
     if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) {
-        // If the network layer carries over authentication headers from the original request
-        // in a cross-origin redirect, we want to clear those headers here.
-        // As of Lion, CFNetwork no longer does this.
+        // The network layer might carry over some headers from the original request that
+        // we want to strip here because the redirect is cross-origin.
         request.clearHTTPAuthorization();
+        request.clearHTTPOrigin();
     } else {
         // Only consider applying authentication credentials if this is actually a redirect and the redirect
         // URL didn't include credentials of its own.