<rdar://problem/9567286> and https://bugs.webkit.org/show_bug.cgi?id=78003 WebKit...
authorbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Feb 2012 21:37:17 +0000 (21:37 +0000)
committerbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 7 Feb 2012 21:37:17 +0000 (21:37 +0000)
Reviewed by Alexey Proskuryakov.

Source/WebCore:

Test: http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials.html

Associate the credential with the URL of the challenge itself, not the original request:
* platform/network/cf/ResourceHandleCFNet.cpp:
(WebCore::ResourceHandle::didReceiveAuthenticationChallenge):
(WebCore::ResourceHandle::receivedCredential):
* platform/network/mac/ResourceHandleMac.mm:
(WebCore::ResourceHandle::didReceiveAuthenticationChallenge):
(WebCore::ResourceHandle::receivedCredential):

LayoutTests:

* http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials-expected.txt: Added.
* http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials.html: Added.
* http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-1-redirect-to-auth.php: Added.
* http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-2-auth-then-redirect-to-finish.php: Added.
* http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-3-output-credentials-then-finish.php: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106982 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials.html [new file with mode: 0644]
LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-1-redirect-to-auth.php [new file with mode: 0644]
LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-2-auth-then-redirect-to-finish.php [new file with mode: 0644]
LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-3-output-credentials-then-finish.php [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/platform/network/cf/ResourceHandleCFNet.cpp
Source/WebCore/platform/network/mac/ResourceHandleMac.mm

index 2e8a7ea..b66ff40 100644 (file)
@@ -1,3 +1,16 @@
+2012-02-07  Brady Eidson  <beidson@apple.com>
+
+        <rdar://problem/9567286> and https://bugs.webkit.org/show_bug.cgi?id=78003
+        WebKit associates credentials with the wrong site if the authentication challenge takes place after a redirect chain
+
+        Reviewed by Alexey Proskuryakov.
+
+        * http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials-expected.txt: Added.
+        * http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials.html: Added.
+        * http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-1-redirect-to-auth.php: Added.
+        * http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-2-auth-then-redirect-to-finish.php: Added.
+        * http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-3-output-credentials-then-finish.php: Added.
+
 2012-02-07  Julien Chaffraix  <jchaffraix@webkit.org>
 
         Revert r106958.
diff --git a/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials-expected.txt b/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials-expected.txt
new file mode 100644 (file)
index 0000000..d5e367b
--- /dev/null
@@ -0,0 +1,30 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didReceiveServerRedirectForProvisionalLoadForFrame
+<unknown> - didReceiveAuthenticationChallenge - Responding with httpUsername:httpPassword
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - willPerformClientRedirectToURL: http://localhost:8000/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-3-output-credentials-then-finish.php 
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCancelClientRedirectForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+This test causes an HTTP authentication challenge in the middle of a redirect chain.
+It then loads a new page after that challenge, and the new page should *not* get any credentials passed to it.
+See bug 78003 for more details.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+No HTTP authentication credentials
+
diff --git a/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials.html b/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials.html
new file mode 100644 (file)
index 0000000..a610a7b
--- /dev/null
@@ -0,0 +1,20 @@
+<html>
+<script>
+if (window.layoutTestController) {
+       layoutTestController.dumpAsText();
+       layoutTestController.dumpChildFramesAsText();
+       layoutTestController.waitUntilDone();
+       layoutTestController.setHandlesAuthenticationChallenges(true);
+    layoutTestController.setAuthenticationUsername("httpUsername");
+    layoutTestController.setAuthenticationPassword("httpPassword");
+}
+</script>
+
+<body>
+This test causes an HTTP authentication challenge in the middle of a redirect chain.<br>
+It then loads a new page after that challenge, and the new page should *not* get any credentials passed to it.<br>
+See <a href="https://bugs.webkit.org/show_bug.cgi?id=78003">bug 78003</a> for more details.<br>
+<iframe src="http://localhost:8000/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-1-redirect-to-auth.php">
+</iframe><br>
+</body>
+</html>
\ No newline at end of file
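Review bot: This test only pins the negative half of the fix, that the final localhost page sees "No HTTP authentication credentials". A regression that stopped storing the credential altogether would still produce the same expected output. Unless an existing test already covers it, consider a companion step that reloads a 127.0.0.1 resource after the challenge and checks that the credential is sent there, so both sides of the association are verified. The `layoutTestController` calls in the script block also mix tab and space indentation, which is worth normalising while the file is new.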
diff --git a/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-1-redirect-to-auth.php b/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-1-redirect-to-auth.php
new file mode 100644 (file)
index 0000000..352e87d
--- /dev/null
@@ -0,0 +1,6 @@
+<?php
+// This page was supposed to be loaded using a localhost URL.
+// That is important, and the next page has to be loaded using 127.0.0.1.
+header("Location: http://127.0.0.1:8000/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-2-auth-then-redirect-to-finish.php");
+exit;
+?>
\ No newline at end of file
diff --git a/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-2-auth-then-redirect-to-finish.php b/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-2-auth-then-redirect-to-finish.php
new file mode 100644 (file)
index 0000000..f5d03bd
--- /dev/null
@@ -0,0 +1,13 @@
+<?php
+if (!isset($_SERVER['PHP_AUTH_USER'])) {
+    header('WWW-Authenticate: Basic');
+    header('HTTP/1.0 401 Unauthorized');
+    exit;
+}
+?>
+<script>
+// This page was supposed to be loaded using a 127.0.0.1 URL.
+// That is important, and the final page has to be loaded using localhost.
+// Plus, the redirect to the final page in this test has to be a new page load to trigger the bug; It cannot be an HTTP redirect.
+window.setTimeout("window.location = 'http://localhost:8000/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-3-output-credentials-then-finish.php';", 0);
+</script>
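Review bot: The challenge sent by `header('WWW-Authenticate: Basic');` has no realm parameter, which the Basic scheme requires, so the test exercises the credential store only with an empty-realm protection space. Sending a realm would keep the scenario closer to what real servers emit, for example `header('WWW-Authenticate: Basic realm="wrong-credential-test"');` (the realm name here is a constructed sample). Separately, the string form of `window.setTimeout` could be a function, `window.setTimeout(function() { window.location = '...'; }, 0);`, which avoids evaluating a string as script.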
diff --git a/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-3-output-credentials-then-finish.php b/LayoutTests/http/tests/loading/authentication-after-redirect-stores-wrong-credentials/resources/wrong-credential-3-output-credentials-then-finish.php
new file mode 100644 (file)
index 0000000..937e460
--- /dev/null
@@ -0,0 +1,10 @@
+<?php
+if (!isset($_SERVER['PHP_AUTH_USER']))
+       echo "No HTTP authentication credentials<br>";
+else
+       echo "Authenticated as {$_SERVER['PHP_AUTH_USER']} with password {$_SERVER['PHP_AUTH_PW']}<br>";
+?>
+<script>
+if (window.layoutTestController)
+       layoutTestController.notifyDone();
+</script>
index ebfaa53..780eca1 100644 (file)
@@ -1,3 +1,20 @@
+2012-02-07  Brady Eidson  <beidson@apple.com>
+
+        <rdar://problem/9567286> and https://bugs.webkit.org/show_bug.cgi?id=78003
+        WebKit associates credentials with the wrong site if the authentication challenge takes place after a redirect chain
+
+        Reviewed by Alexey Proskuryakov.
+
+        Test: http/tests/loading/authentication-after-redirect-stores-wrong-credentials/authentication-after-redirect-stores-wrong-credentials.html
+
+        Associate the credential with the URL of the challenge itself, not the original request:
+        * platform/network/cf/ResourceHandleCFNet.cpp:
+        (WebCore::ResourceHandle::didReceiveAuthenticationChallenge): 
+        (WebCore::ResourceHandle::receivedCredential):
+        * platform/network/mac/ResourceHandleMac.mm:
+        (WebCore::ResourceHandle::didReceiveAuthenticationChallenge):
+        (WebCore::ResourceHandle::receivedCredential):
+
 2012-02-07  Tony Chang  <tony@chromium.org>
 
         move warning about css values and render style constants closer to where it applies
index 3ec3254..fbfb902 100644 (file)
@@ -604,7 +604,7 @@ void ResourceHandle::didReceiveAuthenticationChallenge(const AuthenticationChall
         
         KURL urlToStore;
         if (challenge.failureResponse().httpStatusCode() == 401)
-            urlToStore = firstRequest().url();
+            urlToStore = challenge.failureResponse().url();
         CredentialStorage::set(core(credential.get()), challenge.protectionSpace(), urlToStore);
         
         CFURLConnectionUseCredential(d->m_connection.get(), credential.get(), challenge.cfURLAuthChallengeRef());
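Review bot: The choice of which URL a credential is stored against is written out by hand at each call site, which is how the wrong `firstRequest().url()` ended up in all five places this commit touches (three in this file, two in ResourceHandleMac.mm). A single file-local helper would make the rule explicit and harder to get wrong in a future port, for example `static KURL urlForCredentialStorage(const AuthenticationChallenge& c) { return c.failureResponse().httpStatusCode() == 401 ? c.failureResponse().url() : KURL(); }`. The hunks do not show the lookup side, so it is worth confirming that wherever stored credentials are read back for a request, the current (post-redirect) URL is used rather than the first request's. The body of didReceiveAuthenticationChallenge extends outside this hunk.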
@@ -628,7 +628,7 @@ void ResourceHandle::didReceiveAuthenticationChallenge(const AuthenticationChall
                 ASSERT(credential.persistence() == CredentialPersistenceNone);
                 if (challenge.failureResponse().httpStatusCode() == 401) {
                     // Store the credential back, possibly adding it as a default for this directory.
-                    CredentialStorage::set(credential, challenge.protectionSpace(), firstRequest().url());
+                    CredentialStorage::set(credential, challenge.protectionSpace(), challenge.failureResponse().url());
                 }
                 RetainPtr<CFURLCredentialRef> cfCredential(AdoptCF, createCF(credential));
                 CFURLConnectionUseCredential(d->m_connection.get(), cfCredential.get(), challenge.cfURLAuthChallengeRef());
@@ -675,7 +675,7 @@ void ResourceHandle::receivedCredential(const AuthenticationChallenge& challenge
         
         KURL urlToStore;
         if (challenge.failureResponse().httpStatusCode() == 401)
-            urlToStore = firstRequest().url();      
+            urlToStore = challenge.failureResponse().url();      
         CredentialStorage::set(webCredential, challenge.protectionSpace(), urlToStore);
 
         CFURLConnectionUseCredential(d->m_connection.get(), cfCredential.get(), challenge.cfURLAuthChallengeRef());
index d22162e..06a81c5 100644 (file)
@@ -562,7 +562,7 @@ void ResourceHandle::didReceiveAuthenticationChallenge(const AuthenticationChall
                 ASSERT(credential.persistence() == CredentialPersistenceNone);
                 if (challenge.failureResponse().httpStatusCode() == 401) {
                     // Store the credential back, possibly adding it as a default for this directory.
-                    CredentialStorage::set(credential, challenge.protectionSpace(), firstRequest().url());
+                    CredentialStorage::set(credential, challenge.protectionSpace(), challenge.failureResponse().url());
                 }
                 [challenge.sender() useCredential:mac(credential) forAuthenticationChallenge:mac(challenge)];
                 return;
@@ -620,7 +620,7 @@ void ResourceHandle::receivedCredential(const AuthenticationChallenge& challenge
         Credential webCredential(credential, CredentialPersistenceNone);
         KURL urlToStore;
         if (challenge.failureResponse().httpStatusCode() == 401)
-            urlToStore = firstRequest().url();
+            urlToStore = challenge.failureResponse().url();
         CredentialStorage::set(webCredential, core([d->m_currentMacChallenge protectionSpace]), urlToStore);
         [[d->m_currentMacChallenge sender] useCredential:mac(webCredential) forAuthenticationChallenge:d->m_currentMacChallenge];
     } else
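Review bot: The `CredentialStorage::set` call here takes its protection space from `d->m_currentMacChallenge` but, after this change, its URL from the `challenge` parameter. If the two could ever describe different challenges, the credential would be filed under a protection space and a URL that do not belong together. Presumably an earlier check in receivedCredential, outside this hunk, rejects a `challenge` that is not the current one; if so, a short comment saying that would help. Alternatively, use `challenge.protectionSpace()` as the CFNet version of this function does, so both arguments visibly come from the same object.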