Bug 161434

Summary: [Fetch API] Fetch API should be able to load data URL in Same Origin mode
Product: WebKit Reporter: youenn fablet <youennf>
Component: WebCore Misc.Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, commit-queue, dbates, japhet
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 151937    
Attachments:
Description Flags
Patch none

youenn fablet
Reported 2016-08-31 05:38:05 PDT
CachedResourceLoader is forbidding data URL loads in SameOrigin mode currently.
Attachments
Patch (23.87 KB, patch)
2016-08-31 06:45 PDT, youenn fablet
no flags
youenn fablet
Comment 1 2016-08-31 06:45:06 PDT
Alex Christensen
Comment 2 2016-08-31 09:31:25 PDT
Comment on attachment 287510 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=287510&action=review > Source/WebCore/loader/cache/CachedResourceLoader.cpp:388 > +static inline bool isSameOriginDataURL(const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse) > +{ > + return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set; > +} I don't understand why !didReceiveRedirectResponse is here.
youenn fablet
Comment 3 2016-08-31 09:43:12 PDT
(In reply to comment #2) > Comment on attachment 287510 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=287510&action=review > > > Source/WebCore/loader/cache/CachedResourceLoader.cpp:388 > > +static inline bool isSameOriginDataURL(const URL& url, const ResourceLoaderOptions& options, bool didReceiveRedirectResponse) > > +{ > > + return !didReceiveRedirectResponse && url.protocolIsData() && options.sameOriginDataURLFlag == SameOriginDataURLFlag::Set; > > +} > > I don't understand why !didReceiveRedirectResponse is here. Step 7 of https://fetch.spec.whatwg.org/#http-redirect-fetch stipulates that same-origin url flag is unset after a redirection. Basically, data-url after redirection is only allowed in no-cors mode, and will lead to opaque responses. I haven't searched for the rationale of this decision, this seems like an edge case. Also, there is no real interop here: as shown by the new tests, chrome, firefox and webkit have all different behaviours for data urls after redirections.
WebKit Commit Bot
Comment 4 2016-08-31 13:20:37 PDT
Comment on attachment 287510 [details] Patch Clearing flags on attachment: 287510 Committed r205265: <http://trac.webkit.org/changeset/205265>
WebKit Commit Bot
Comment 5 2016-08-31 13:20:41 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.