Origin header is preserved on cross-origin redirects.

beidson · beidson · commit c06f70adc63c · 2015-04-24T21:09:02.000Z
https://bugs.webkit.org/show_bug.cgi?id=144157. Reviewed by Sam Weinig. Source/WebCore: Tests: http/tests/security/cors-post-redirect-301.html http/tests/security/cors-post-redirect-302.html http/tests/security/cors-post-redirect-307.html http/tests/security/cors-post-redirect-308.html * platform/network/cf/ResourceHandleCFNet.cpp: (WebCore::ResourceHandle::willSendRequest): Always clear any origin header for cross-origin redirects. * platform/network/mac/ResourceHandleMac.mm: (WebCore::ResourceHandle::willSendRequest): Ditto. LayoutTests: * http/tests/security/cors-post-redirect-301-expected.txt: Added. * http/tests/security/cors-post-redirect-301.html: Added. * http/tests/security/cors-post-redirect-302-expected.txt: Added. * http/tests/security/cors-post-redirect-302.html: Added. * http/tests/security/cors-post-redirect-307-expected.txt: Added. * http/tests/security/cors-post-redirect-307.html: Added. * http/tests/security/cors-post-redirect-308-expected.txt: Added. * http/tests/security/cors-post-redirect-308.html: Added. * http/tests/security/resources/cors-post-redirect-target.php: Added. Canonical link: https://commits.webkit.org/162147@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,20 @@
+2015-04-24  Brady Eidson  <beidson@apple.com>
+
+        Origin header is preserved on cross-origin redirects.
+        https://bugs.webkit.org/show_bug.cgi?id=144157.
+
+        Reviewed by Sam Weinig.
+
+        * http/tests/security/cors-post-redirect-301-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-301.html: Added.
+        * http/tests/security/cors-post-redirect-302-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-302.html: Added.
+        * http/tests/security/cors-post-redirect-307-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-307.html: Added.
+        * http/tests/security/cors-post-redirect-308-expected.txt: Added.
+        * http/tests/security/cors-post-redirect-308.html: Added.
+        * http/tests/security/resources/cors-post-redirect-target.php: Added.
+
 2015-04-24  Matthew Mirman  <mmirman@apple.com>
 
         Added tests to ensure that Object.prototype.__proto__ native getter and setter do not coerce undefined to this
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-301-expected.txt b/LayoutTests/http/tests/security/cors-post-redirect-301-expected.txt
@@ -0,0 +1 @@
+There was no origin header
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-301.html b/LayoutTests/http/tests/security/cors-post-redirect-301.html
@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='301'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=301&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-302-expected.txt b/LayoutTests/http/tests/security/cors-post-redirect-302-expected.txt
@@ -0,0 +1 @@
+There was no origin header
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-302.html b/LayoutTests/http/tests/security/cors-post-redirect-302.html
@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='302'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=302&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-307-expected.txt b/LayoutTests/http/tests/security/cors-post-redirect-307-expected.txt
@@ -0,0 +1 @@
+There was no origin header
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-307.html b/LayoutTests/http/tests/security/cors-post-redirect-307.html
@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='307'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=307&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-308-expected.txt b/LayoutTests/http/tests/security/cors-post-redirect-308-expected.txt
@@ -0,0 +1 @@
+There was no origin header
diff --git a/LayoutTests/http/tests/security/cors-post-redirect-308.html b/LayoutTests/http/tests/security/cors-post-redirect-308.html
@@ -0,0 +1,24 @@
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+<body>
+
+This test is designed to work only when loaded from http://127.0.0.1:8000
+
+<form id='testForm' method='POST'>
+<input id='redircode' type='hidden' name='redircode' value='308'>
+</form>
+
+<script>
+
+var form = document.getElementById('testForm');
+form.action = "/resources/redirect.php?code=308&url=http://localhost:8000/security/resources/cors-post-redirect-target.php";
+form.submit();
+ 
+</script>
+</body>
diff --git a/LayoutTests/http/tests/security/resources/cors-post-redirect-target.php b/LayoutTests/http/tests/security/resources/cors-post-redirect-target.php
@@ -0,0 +1,17 @@
+<?php
+$sawOrigin = false;
+foreach (getallheaders() as $name => $value) {
+    if (strtolower($name) == "origin") {
+        echo "Origin header value: $value";
+        $sawOrigin = true;
+    }
+}
+
+if (!$sawOrigin)
+    echo "There was no origin header";
+
+?>
+<script>
+if (window.testRunner)
+    testRunner.notifyDone();
+</script>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2015-04-24  Brady Eidson  <beidson@apple.com>
+
+        Origin header is preserved on cross-origin redirects.
+        https://bugs.webkit.org/show_bug.cgi?id=144157.
+
+        Reviewed by Sam Weinig.
+
+        Tests: http/tests/security/cors-post-redirect-301.html
+               http/tests/security/cors-post-redirect-302.html
+               http/tests/security/cors-post-redirect-307.html
+               http/tests/security/cors-post-redirect-308.html
+
+        * platform/network/cf/ResourceHandleCFNet.cpp:
+        (WebCore::ResourceHandle::willSendRequest): Always clear any origin header for cross-origin redirects.
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::willSendRequest): Ditto.
+
 2015-04-24  Brent Fulgham  <bfulgham@apple.com>
 
         Immediate action not functional for embedded PDFs
diff --git a/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp b/Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
@@ -276,9 +276,10 @@ void ResourceHandle::willSendRequest(ResourceRequest& request, const ResourceRes
     request.removeCredentials();
 
     if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) {
-        // If the network layer carries over authentication headers from the original request
-        // in a cross-origin redirect, we want to clear those headers here.
+        // The network layer might carry over some headers from the original request that
+        // we want to strip here because the redirect is cross-origin.
         request.clearHTTPAuthorization();
+        request.clearHTTPOrigin();
     } else {
         // Only consider applying authentication credentials if this is actually a redirect and the redirect
         // URL didn't include credentials of its own.
diff --git a/Source/WebCore/platform/network/mac/ResourceHandleMac.mm b/Source/WebCore/platform/network/mac/ResourceHandleMac.mm
@@ -462,10 +462,10 @@ static bool synchronousWillSendRequestEnabled()
     request.removeCredentials();
 
     if (!protocolHostAndPortAreEqual(request.url(), redirectResponse.url())) {
-        // If the network layer carries over authentication headers from the original request
-        // in a cross-origin redirect, we want to clear those headers here.
-        // As of Lion, CFNetwork no longer does this.
+        // The network layer might carry over some headers from the original request that
+        // we want to strip here because the redirect is cross-origin.
         request.clearHTTPAuthorization();
+        request.clearHTTPOrigin();
     } else {
         // Only consider applying authentication credentials if this is actually a redirect and the redirect
         // URL didn't include credentials of its own.
