[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

ap at apple.com ap at apple.com
Wed Dec 22 11:22:09 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 27db1d7487f3e8924ccb4f5dbfa0a1cc5620e573
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jul 20 19:48:36 2010 +0000

            Reviewed by Brady Eidson.
    
            https://bugs.webkit.org/show_bug.cgi?id=41531
            Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
    
            This doesn't match Firefox, but it matches our sync case, XHR2 spec and common sense.
    
            Test: http/tests/xmlhttprequest/cross-origin-no-authorization.html (updated results).
    
            * loader/DocumentThreadableLoader.cpp:
            (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
            the request, continue without credentials - if the platform has a necessary method on
            ResourceHandle.
    
            * loader/SubresourceLoader.cpp:
            (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource loader
            client for credentials if subresource loader client already took care of those.
    
            * platform/network/ResourceHandle.cpp: (WebCore::ResourceHandle::hasAuthenticationChallenge):
            * platform/network/ResourceHandle.h:
            Added an accessor to check whether ResourceHandle is currently waiting for credentials.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63766 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 2051cea..9910e1b 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,21 @@
+2010-07-20  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Brady Eidson.
+
+        https://bugs.webkit.org/show_bug.cgi?id=41531
+        Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
+
+        https://bugs.webkit.org/show_bug.cgi?id=30669
+        http/tests/xmlhttprequest/cross-origin-no-authorization.html has missing "DONE" in one branch
+
+        * http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt:
+        * http/tests/xmlhttprequest/cross-origin-no-authorization.html:
+        Updated for new results, added the missing "DONE".
+
+        * http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html: Added.
+        * http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt: Added.
+        Check that despite these changes, there is still no auth dialog displayed.
+
 2010-07-20  Joseph Pecoraro  <joepeck at webkit.org>
 
         Reviewed by Geoffrey Garen.
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt
index f954e00..ef3e11e 100644
--- a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization-expected.txt
@@ -14,7 +14,7 @@ PASS: Got an exception. Error: NETWORK_ERR: XMLHttpRequest Exception 101
 Cross-origin XMLHttpRequest (sync), testing cookies.
 PASS
 Cross-origin XMLHttpRequest (async), authorization will not be sent, because withCredentials is false.
-PASS: Received error event.
+PASS: 401 Authorization required
 Cross-origin XMLHttpRequest (async), testing authorization that's not allowed by the server (withCredentials is true, but access control headers are not set).
 PASS: Received error event.
 Cross-origin XMLHttpRequest (async), testing cookies.
@@ -22,6 +22,6 @@ PASS
 Cross-origin XMLHttpRequest (sync), testing authorization with explicitly provided credentials that should be ignored.
 PASS: 401 Authorization required
 Cross-origin XMLHttpRequest (async), testing authorization with explicitly provided credentials that should be ignored.
-PASS: Received error event.
+PASS: 401 Authorization required
 DONE
 
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html
index a1cffc9..112ce94 100644
--- a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-authorization.html
@@ -145,6 +145,7 @@ function test_async_auth_explicit()
     req.send();
     req.onload = function() {
         log((req.status == 401) ? "PASS: 401 Authorization required" : "FAIL: Loaded");
+        log("DONE");
         if (window.layoutTestController)
             layoutTestController.notifyDone();
     }
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt
new file mode 100644
index 0000000..e1240ec
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt-expected.txt
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 1: XMLHttpRequest cannot load http://localhost:8000/xmlhttprequest/resources/basic-auth/basic-auth.php?uid=41531. Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
+There should be no authentication prompt displayed, since this is a cross-origin request. In automatic mode, the test relies on logging of authentication sheets.
diff --git a/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html
new file mode 100644
index 0000000..0cb08a5
--- /dev/null
+++ b/LayoutTests/http/tests/xmlhttprequest/cross-origin-no-credential-prompt.html
@@ -0,0 +1,21 @@
+There should be no authentication prompt displayed, since this is a cross-origin request.
+In automatic mode, the test relies on logging of authentication sheets.
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+var r = new XMLHttpRequest;
+r.open("GET", "http://localhost:8000/xmlhttprequest/resources/basic-auth/basic-auth.php?uid=41531", true);
+r.send();
+r.onload = function() {
+    alert("FAIL: should have failed due to lack of cross origin headers");
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+r.onerror = function() {
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
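Review bot: The `onerror` handler ends the test without logging anything, so the pass condition rests entirely on the harness logging an authentication sheet if one appears, as the test's own description says. On a port whose test harness does not log authentication challenges (not visible in this diff), the test would still pass even if a credential prompt were shown, and the description should state that limitation. As a style point, assigning `r.onload` and `r.onerror` before `r.send()` is the more robust ordering.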
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 7d09588..d22374c 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-07-20  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Brady Eidson.
+
+        https://bugs.webkit.org/show_bug.cgi?id=41531
+        Asynchronous cross origin XMLHttpRequest doesn't expose 401 response when withCredentials is false
+
+        This doesn't match Firefox, but it matches our sync case, XHR2 spec and common sense.
+
+        Test: http/tests/xmlhttprequest/cross-origin-no-authorization.html (updated results).
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::didReceiveAuthenticationChallenge): Instead of canceling
+        the request, continue without credentials - if the platform has a necessary method on
+        ResourceHandle.
+
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::didReceiveAuthenticationChallenge): Don't ask resource loader
+        client for credentials if subresource loader client already took care of those.
+
+        * platform/network/ResourceHandle.cpp: (WebCore::ResourceHandle::hasAuthenticationChallenge):
+        * platform/network/ResourceHandle.h:
+        Added an accessor to check whether ResourceHandle is currently waiting for credentials.
+
 2010-07-20  Leandro Pereira  <leandro at profusion.mobi>
 
         [EFL] Unreviewed build fix.
diff --git a/WebCore/loader/DocumentThreadableLoader.cpp b/WebCore/loader/DocumentThreadableLoader.cpp
index 4a7a88b..16f114d 100644
--- a/WebCore/loader/DocumentThreadableLoader.cpp
+++ b/WebCore/loader/DocumentThreadableLoader.cpp
@@ -37,10 +37,12 @@
 #include "Document.h"
 #include "Frame.h"
 #include "FrameLoader.h"
+#include "ResourceHandle.h"
 #include "ResourceRequest.h"
 #include "SecurityOrigin.h"
 #include "SubresourceLoader.h"
 #include "ThreadableLoaderClient.h"
+#include <wtf/UnusedParam.h>
 
 namespace WebCore {
 
@@ -264,14 +266,20 @@ bool DocumentThreadableLoader::getShouldUseCredentialStorage(SubresourceLoader*
     return false; // Only FrameLoaderClient can ultimately permit credential use.
 }
 
-void DocumentThreadableLoader::didReceiveAuthenticationChallenge(SubresourceLoader* loader, const AuthenticationChallenge&)
+void DocumentThreadableLoader::didReceiveAuthenticationChallenge(SubresourceLoader* loader, const AuthenticationChallenge& challenge)
 {
     ASSERT(loader == m_loader);
     // Users are not prompted for credentials for cross-origin requests.
     if (!m_sameOriginRequest) {
+#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)
+        loader->handle()->receivedRequestToContinueWithoutCredential(challenge);
+#else
+        // These platforms don't provide a way to continue without credentials, cancel the load altogether.
+        UNUSED_PARAM(challenge);
         RefPtr<DocumentThreadableLoader> protect(this);
         m_client->didFail(loader->blockedError());
         cancel();
+#endif
     }
 }
 
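Review bot: Whether a cross-origin 401 reaches script or becomes a blocked-load error is now decided by the `#if PLATFORM(MAC) || USE(CFNETWORK) || USE(CURL)` list at this call site, so ports outside the list silently keep the old cancel path and will presumably not match the updated expected results. The new branch also dereferences `loader->handle()` without a check; an `ASSERT(loader->handle());` before the call would document that a live handle is assumed while a challenge is being delivered. I would add a comment above the call such as `// Continue without credentials so the 401 response is delivered; the cross-origin access check still applies to it.` The second half of that comment is inferred from the new expected console message and should be confirmed before the wording is committed.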
diff --git a/WebCore/loader/SubresourceLoader.cpp b/WebCore/loader/SubresourceLoader.cpp
index 53634ad..b6cce1d 100644
--- a/WebCore/loader/SubresourceLoader.cpp
+++ b/WebCore/loader/SubresourceLoader.cpp
@@ -248,14 +248,20 @@ void SubresourceLoader::didReceiveAuthenticationChallenge(const AuthenticationCh
 {
     RefPtr<SubresourceLoader> protect(this);
 
+    ASSERT(handle()->hasAuthenticationChallenge());
+
     if (m_client)
         m_client->didReceiveAuthenticationChallenge(this, challenge);
     
     // The SubResourceLoaderClient may have cancelled this ResourceLoader in response to the challenge.  
-    // If that's the case, don't call didReceiveAuthenticationChallenge
+    // If that's the case, don't call didReceiveAuthenticationChallenge.
     if (reachedTerminalState())
         return;
-        
+
+    // It may have also handled authentication on its own.
+    if (!handle()->hasAuthenticationChallenge())
+        return;
+
     ResourceLoader::didReceiveAuthenticationChallenge(challenge);
 }
 
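Review bot: The new early return `if (!handle()->hasAuthenticationChallenge()) return;` makes the call to `ResourceLoader::didReceiveAuthenticationChallenge` depend on the platform backend having set `m_currentWebChallenge` before the challenge is dispatched. If any port delivers challenges without populating that member (not visible in this diff), the `ASSERT` fires in debug builds and release builds skip the base-class handling, so same-origin requests on that port would never reach the credential prompt. `handle()` is also dereferenced after the client callback with only `reachedTerminalState()` as a guard; if a null handle is possible at that point, `if (!handle() || !handle()->hasAuthenticationChallenge()) return;` is safer. The function's signature lies outside the hunk.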
diff --git a/WebCore/platform/network/ResourceHandle.cpp b/WebCore/platform/network/ResourceHandle.cpp
index 50cf95b..0575523 100644
--- a/WebCore/platform/network/ResourceHandle.cpp
+++ b/WebCore/platform/network/ResourceHandle.cpp
@@ -113,6 +113,11 @@ const String& ResourceHandle::lastHTTPMethod() const
     return d->m_lastHTTPMethod;
 }
 
+bool ResourceHandle::hasAuthenticationChallenge() const
+{
+    return !d->m_currentWebChallenge.isNull();
+}
+
 void ResourceHandle::clearAuthentication()
 {
 #if PLATFORM(MAC)
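Review bot: `hasAuthenticationChallenge()` has no comment here or at the declaration added to ResourceHandle.h, yet SubresourceLoader now uses it to decide whether a challenge is forwarded. I would document the contract at the declaration, for example `// True while an authentication challenge is outstanding (m_currentWebChallenge is non-null); backends must set and clear that member around each challenge.` The requirement on backends is what the new callers appear to rely on and should be confirmed per port before it is written down as fact.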
diff --git a/WebCore/platform/network/ResourceHandle.h b/WebCore/platform/network/ResourceHandle.h
index 21af542..2edd4c9 100644
--- a/WebCore/platform/network/ResourceHandle.h
+++ b/WebCore/platform/network/ResourceHandle.h
@@ -187,7 +187,8 @@ public:
 
     // Used to work around the fact that you don't get any more NSURLConnection callbacks until you return from the one you're in.
     static bool loadsBlocked();    
-    
+
+    bool hasAuthenticationChallenge() const;
     void clearAuthentication();
     void cancel();
 

-- 
WebKit Debian packaging


