Bug 241003 - HSTS synthesized redirect responses should not be blocked by CORS
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Alex Christensen
Keywords: InRadar
 
Reported: 2022-05-26 23:13 PDT by Alex Christensen
Modified: 2022-06-23 13:24 PDT

Attachments
Patch (3.28 KB, patch)
2022-05-26 23:17 PDT, Alex Christensen
Patch (3.36 KB, patch)
2022-06-02 16:09 PDT, Alex Christensen

Description Alex Christensen 2022-05-26 23:13:06 PDT
...
Comment 1 Alex Christensen 2022-05-26 23:17:58 PDT
Created attachment 459803
Patch
Comment 2 Alex Christensen 2022-06-02 16:09:14 PDT
Created attachment 459975
Patch
Comment 3 Radar WebKit Bug Importer 2022-06-02 23:14:15 PDT
<rdar://problem/94331699>
Comment 4 youenn fablet 2022-06-02 23:52:09 PDT
Comment on attachment 459975
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=459975&action=review

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:640
> +        NSString *origin = [request valueForHTTPHeaderField:@"Origin"] ?: @"*";
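
Review bot: the `?: @"*"` fallback on this line substitutes a wildcard whenever the request carries no Origin header. Consider leaving `origin` nil in that case and skipping the allow-origin header it feeds, so the synthesized redirect only ever echoes an origin the request actually sent.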

If there is no Origin header, we probably do not need to add the AccessControlAllowOrigin header. Adding it with '*' does no harm, though.

> Source/WebKit/NetworkProcess/cocoa/NetworkSessionCocoa.mm:642
> +        networkDataTask->willPerformHTTPRedirection(WTFMove(synthesizedResponse), request, [completionHandler = makeBlockPtr(completionHandler), taskIdentifier, shouldIgnoreHSTS](auto&& request) {

Seems fine for now. There are corner cases that will not work (CORS preflight, for instance).
In the future, we could add a dedicated HSTS upgrade signal and let NetworkResourceLoader/NetworkLoadChecker deal with the full case.
Comment 5 EWS 2022-06-03 14:04:03 PDT
Committed r295230 (251284@main): <https://commits.webkit.org/251284@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 459975.
Comment 6 Alexey Proskuryakov 2022-06-23 13:24:23 PDT
This landed as 251285@main, NOT 251284@main.