[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
ap at apple.com
Wed Dec 22 11:22:09 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 27db1d7487f3e8924ccb4f5dbfa0a1cc5620e573
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Jul 20 19:48:36 2010 +0000

    Reviewed by Brady Eidson.

    https://bugs.webkit.org/show_bug.cgi?id=41531
    Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false

    This doesn't match Firefox, but it matches our sync case, XHR2 spec and common sense.

    Test: http/tests/xmlhttprequest/cross-origin-no-authorization.html (updated results).

    * loader/DocumentThreadableLoader.cpp:
    (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
    the request, continue without credentials - if the platform has a necessary method on
    ResourceHandle.

    * loader/SubresourceLoader.cpp:
    (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource loader
    client for credentials if subresource loader client already took care of those.

    * platform/network/ResourceHandle.cpp: (WebCore::ResourceHandle::hasAuthenticationChallenge):
    * platform/network/ResourceHandle.h:
    Added an accessor to check whether ResourceHandle is currently waiting for credentials.

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63766 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 2051cea..9910e1b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,21 @@
+2010-07-20 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Brady Eidson.
+
+ https://bugs.webkit.org/show_bug.cgi?id=41531
+ Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
+
+ https://bugs.webkit.org/show_bug.cgi?id=30669
+ http/tests/xmlhttprequest/cross-origin-no-authorization.html has missing "DONE" in one branch
+
+ * http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt:
+ * http/tests/xmlhttprequest/cross-origin-no-authorization.html:
+ Updated for new results, added the missing "DONE".
+
+ * http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html: Added.
+ * http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt: Added.
+ Check that despite these changes, there is still no auth dialog displayed.
+
2010-07-20 Joseph Pecoraro <joepeck at webkit.org>
Reviewed by Geoffrey Garen.
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt
index f954e00..ef3e11e 100644
--- a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt
@@ -14,7 +14,7 @@ PASS: Got an exception. Error: NETWORK_ERR: XMLHttpRequest Exception 101
Cross-origin XMLHttpRequest (sync), testing cookies.
PASS
Cross-origin XMLHttpRequest (async), authorization will not be sent, because withCredentials is false.
-PASS: Received error event.
+PASS: 401 Authorization required
Cross-origin XMLHttpRequest (async), testing authorization that's not allowed by the server (withCredentials is true, but access control headers are not set).
PASS: Received error event.
Cross-origin XMLHttpRequest (async), testing cookies.
@@ -22,6 +22,6 @@ PASS
Cross-origin XMLHttpRequest (sync), testing authorization with explicitly provided credentials that should be ignored.
PASS: 401 Authorization required
Cross-origin XMLHttpRequest (async), testing authorization with explicitly provided credentials that should be ignored.
-PASS: Received error event.
+PASS: 401 Authorization required
DONE
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html
index a1cffc9..112ce94 100644
--- a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html
@@ -145,6 +145,7 @@ function test_async_auth_explicit()
req.send();
req.onload = function() {
log((req.status == 401) ? "PASS: 401 Authorization required" : "FAIL: Loaded");
+ log("DONE");
if (window.layoutTestController)
layoutTestController.notifyDone();
}
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt
new file mode 100644
index 0000000..e1240ec
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/basic-auth/basic-auth.php?uid=41531. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+There should be no authentication prompt displayed, since this is a cross-origin request. In automatic mode, the test relies on logging of authentication sheets.
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html
new file mode 100644
index 0000000..0cb08a5
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html
@@ -0,0 +1,21 @@
+There should be no authentication prompt displayed, since this is a cross-origin request.
+In automatic mode, the test relies on logging of authentication sheets.
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+var r = new XMLHttpRequest;
+r.open("GET", "http://localhost:8000/xmlhttprequest/resources/basic-auth/basic-auth.php?uid=41531", true);
+r.send();
+r.onload = function() {
+ alert("FAIL: should have failed due to lack of cross origin headers");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+r.onerror = function() {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
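Review bot: The r.onerror handler, which is the expected path for this test, writes nothing, so the -expected.txt passes only through the console message and the absence of a logged authentication sheet. Consider emitting an explicit result line from r.onerror so that a run where the error event fired is distinguishable in the output from one where the challenge path was never exercised. The failure path also reports through alert() where cross-origin-no-authorization.html uses log(), and both handlers are attached after r.send(); that works for an async request, but attaching them before send() removes any doubt about ordering.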
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 7d09588..d22374c 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-07-20 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Brady Eidson.
+
+ https://bugs.webkit.org/show_bug.cgi?id=41531
+ Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
+
+ This doesn't match Firefox, but it matches our sync case, XHR2 spec and common sense.
+
+ Test: http/tests/xmlhttprequest/cross-origin-no-authorization.html (updated results).
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
+ the request, continue without credentials - if the platform has a necessary method on
+ ResourceHandle.
+
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource loader
+ client for credentials if subresource loader client already took care of those.
+
+ * platform/network/ResourceHandle.cpp: (WebCore::ResourceHandle::hasAuthenticationChallenge):
+ * platform/network/ResourceHandle.h:
+ Added an accessor to check whether ResourceHandle is currently waiting for credentials.
+
2010-07-20 Leandro Pereira <leandro at profusion.mobi>
[EFL] Unreviewed build fix.
diff --git a/WebCore/loader/DocumentThreadableLoader.cpp b/WebCore/loader/DocumentThreadableLoader.cpp
index 4a7a88b..16f114d 100644
--- a/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/WebCore/loader/DocumentThreadableLoader.cpp
@@ -37,10 +37,12 @@
#include "Document.h"
#include "Frame.h"
#include "FrameLoader.h"
+#include "ResourceHandle.h"
#include "ResourceRequest.h"
#include "SecurityOrigin.h"
#include "SubresourceLoader.h"
#include "ThreadableLoaderClient.h"
+#include <wtf/UnusedParam.h>
namespace WebCore {
@@ -264,14 +266,20 @@ bool DocumentThreadableLoader::getShouldUseCredentialStorage(SubresourceLoader*
return false; // Only FrameLoaderClient can ultimately permit credential use.
}
-void DocumentThreadableLoader::didReceiveAuthenticationChallenge(SubresourceLoader* loader, const AuthenticationChallenge&)
+void DocumentThreadableLoader::didReceiveAuthenticationChallenge(SubresourceLoader* loader, const AuthenticationChallenge& challenge)
{
ASSERT(loader == m_loader);
// Users are not prompted for credentials for cross-origin requests.
if (!m_sameOriginRequest) {
+#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)
+ loader->handle()->receivedRequestToContinueWithoutCredential(challenge);
+#else
+ // These platforms don't provide a way to continue without credentials, cancel the load altogether.
+ UNUSED_PARAM(challenge);
RefPtr<DocumentThreadableLoader> protect(this);
m_client->didFail(loader->blockedError());
cancel();
+#endif
}
}
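Review bot: The #if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL) list in didReceiveAuthenticationChallenge hard-codes, in loader code, which network backends implement receivedRequestToContinueWithoutCredential, and every port that lands in the #else branch still cancels with blockedError(). Those ports will keep delivering an error event, so the updated "PASS: 401 Authorization required" lines in cross-origin-no-authorization-expected.txt will not match there; the ChangeLog should say so (platform-specific results or skips), and the capability would be better expressed as one feature macro or a query on ResourceHandle so the list lives in a single place. The new call also dereferences loader->handle() with no check; if the handle can be null by the time the challenge is delivered, add a guard or an ASSERT next to the existing ASSERT(loader == m_loader).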
diff --git a/WebCore/loader/SubresourceLoader.cpp b/WebCore/loader/SubresourceLoader.cpp
index 53634ad..b6cce1d 100644
--- a/WebCore/loader/SubresourceLoader.cpp
+++ b/WebCore/loader/SubresourceLoader.cpp
@@ -248,14 +248,20 @@ void SubresourceLoader::didReceiveAuthenticationChallenge(const AuthenticationCh
{
RefPtr<SubresourceLoader> protect(this);
+ ASSERT(handle()->hasAuthenticationChallenge());
+
if (m_client)
m_client->didReceiveAuthenticationChallenge(this, challenge);
// The SubResourceLoaderClient may have cancelled this ResourceLoader in response to the challenge.
- // If that's the case, don't call didReceiveAuthenticationChallenge
+ // If that's the case, don't call didReceiveAuthenticationChallenge.
if (reachedTerminalState())
return;
-
+
+ // It may have also handled authentication on its own.
+ if (!handle()->hasAuthenticationChallenge())
+ return;
+
ResourceLoader::didReceiveAuthenticationChallenge(challenge);
}
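Review bot: The new early return on !handle()->hasAuthenticationChallenge() infers that the client answered the challenge from a side effect on the handle, and the comment "It may have also handled authentication on its own" does not say who "it" is or what clears the challenge. Name the SubresourceLoaderClient in the comment and state that the check relies on receivedRequestToContinueWithoutCredential (as now called from DocumentThreadableLoader) resetting the handle's current challenge, so the coupling is visible to whoever changes either side. The "-"/"+" pair on the blank line before the new comment appears to be a whitespace-only change and should be dropped from the patch.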
diff --git a/WebCore/platform/network/ResourceHandle.cpp b/WebCore/platform/network/ResourceHandle.cpp
index 50cf95b..0575523 100644
--- a/WebCore/platform/network/ResourceHandle.cpp
+++ b/WebCore/platform/network/ResourceHandle.cpp
@@ -113,6 +113,11 @@ const String& ResourceHandle::lastHTTPMethod() const
return d->m_lastHTTPMethod;
}
+bool ResourceHandle::hasAuthenticationChallenge() const
+{
+ return !d->m_currentWebChallenge.isNull();
+}
+
void ResourceHandle::clearAuthentication()
{
#if PLATFORM(MAC)
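Review bot: hasAuthenticationChallenge() is compiled for every port and reads d->m_currentWebChallenge, while the body of clearAuthentication() directly below it opens with #if PLATFORM(MAC). If any network backend does not keep m_currentWebChallenge set for the duration of a challenge, the new ASSERT(handle()->hasAuthenticationChallenge()) in SubresourceLoader::didReceiveAuthenticationChallenge fires in debug builds, and in release builds the early return there skips ResourceLoader::didReceiveAuthenticationChallenge entirely. Please confirm that each backend populates the field before dispatching the challenge, or guard the accessor and its callers accordingly.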
diff --git a/WebCore/platform/network/ResourceHandle.h b/WebCore/platform/network/ResourceHandle.h
index 21af542..2edd4c9 100644
--- a/WebCore/platform/network/ResourceHandle.h
+++ b/WebCore/platform/network/ResourceHandle.h
@@ -187,7 +187,8 @@ public:
// Used to work around the fact that you don't get any more NSURLConnection callbacks until you return from the one you're in.
static bool loadsBlocked();
-
+
+ bool hasAuthenticationChallenge() const;
void clearAuthentication();
void cancel();
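Review bot: The new declaration bool hasAuthenticationChallenge() const; has no comment in the header, although callers now branch on it. The ChangeLog wording (whether the ResourceHandle is currently waiting for credentials) belongs next to the declaration, along with a note on when the state is cleared.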
--
WebKit Debian packaging