| Summary: | Cross-Origin-Embedder-Policy incorrectly blocks iframe on cache hit | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Sam Verschueren <sam.verschueren> |
| Component: | Page Loading | Assignee: | Chris Dumez <cdumez> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | beidson, cdumez, roberto.vidal, sam.verschueren, twisniewski, webkit-bug-importer |
| Priority: | P2 | Keywords: | BrowserCompat, InRadar |
| Version: | Safari 16 | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | https://github.com/SamVerschueren/webkit-coep-disk-cache | | |
Description
Sam Verschueren
2023-03-17 02:47:55 PDT
Currently we worked around this issue by serving the iframe resource with `Cache-Control: no-store`. This is not ideal but it works and the resource itself is also quite small in size.

Created attachment 465479
Screenshot showing the COEP error for disk cached responses
This is well above my paygrade, but from what I can gather, the issue lies here: https://github.com/WebKit/WebKit/blob/729daab8b1fcb955d6e487a7b6266894695972f5/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp#L666

When `shouldInterruptNavigationForCrossOriginEmbedderPolicy` is called, the `m_response` is _not_ yet updated in the case of a cache hit, but it is instead set to a dummy value (presumably the empty URL set in https://github.com/WebKit/WebKit/blob/729daab8b1fcb955d6e487a7b6266894695972f5/Source/WebCore/loader/FrameLoader.cpp#L382 ?).

Thanks for the report and initial investigation. I will try and get to this bug soon.

I am able to reproduce with the provided test case. Thank you.

(In reply to roberto.vidal from comment #3)
> This is well above my paygrade, but from what I can gather, the issue lies here:
> https://github.com/WebKit/WebKit/blob/729daab8b1fcb955d6e487a7b6266894695972f5/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp#L666
>
> When `shouldInterruptNavigationForCrossOriginEmbedderPolicy` is called, the `m_response` is _not_ yet updated in the case of a cache hit, but it is instead set to a dummy value (presumably the empty URL set in
> https://github.com/WebKit/WebKit/blob/729daab8b1fcb955d6e487a7b6266894695972f5/Source/WebCore/loader/FrameLoader.cpp#L382 ?).

That's exactly what was going on :)

Pull request: https://github.com/WebKit/WebKit/pull/11712

Committed 261924@main (38e9c1ce273d): <https://commits.webkit.org/261924@main>

Reviewed commits have been landed. Closing PR #11712 and removing active labels.

I don't see the WPTs in this commit on wpt.fyi. Were they synced?
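
A simplified model of the check ordering described in comment #3 and of the `Cache-Control: no-store` workaround, as an added example that is not WebKit code and not part of the original report. The function names, the placeholder shape and the URL are assumptions; the blocking rule is the HTML navigation check for COEP (a child frame is blocked when the parent's policy is compatible with cross-origin isolation and the response's is not).

```javascript
// Added illustration: hypothetical names, not WebKit's implementation.
// Header names are assumed to be lower-cased already.
const ISOLATING = new Set(["require-corp", "credentialless"]);

// Simplified COEP parse: the token before any ";" parameters.
// A missing or unrecognised value falls back to "unsafe-none".
function parseCoep(headers) {
  const raw = headers["cross-origin-embedder-policy"] || "";
  const token = raw.split(";")[0].trim();
  return ISOLATING.has(token) ? token : "unsafe-none";
}

// Navigation check: block only if the parent is isolating and the response is not.
function shouldInterruptNavigation(parentPolicy, response) {
  return ISOLATING.has(parentPolicy) && !ISOLATING.has(parseCoep(response.headers));
}

// Loader model. With buggyOrder = true, a cache hit is checked against the
// placeholder response instead of the cached entry, as the report describes.
function loadIframe(parentPolicy, url, cache, fetchFromNetwork, buggyOrder) {
  const placeholder = { url: "", headers: {} };
  const cached = cache.get(url);
  const fetched = cached ? null : fetchFromNetwork(url);
  // Responses marked no-store never enter the cache (the reporter's workaround).
  if (fetched && !/\bno-store\b/.test(fetched.headers["cache-control"] || "")) {
    cache.set(url, fetched);
  }
  const actual = cached || fetched;
  const checked = cached && buggyOrder ? placeholder : actual;
  return shouldInterruptNavigation(parentPolicy, checked) ? "blocked" : "loaded";
}

// Load the same iframe twice under a `require-corp` parent: the first load
// comes from the network, the second from the cache unless no-store applies.
function demo(iframeHeaders, buggyOrder) {
  const cache = new Map();
  const network = (url) => ({ url, headers: iframeHeaders });
  const url = "https://example.test/frame.html"; // constructed sample URL
  return [1, 2].map(() => loadIframe("require-corp", url, cache, network, buggyOrder));
}

const COEP = { "cross-origin-embedder-policy": "require-corp" };
console.log("buggy order:      ", demo(COEP, true));
console.log("buggy + no-store: ", demo({ ...COEP, "cache-control": "no-store" }, true));
console.log("check on cached:  ", demo(COEP, false));
console.log("iframe lacks COEP:", demo({}, false));
```

The last case shows the block that is legitimate: an iframe that really does not send COEP is refused on both loads, so the check itself must stay in place and only its input was wrong.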