yujunjun/playwright
1
0
Fork 0
mirror of https://github.com/microsoft/playwright.git synced 2025-06-26 21:40:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(trace viewer): force https requests from https snapshots (#21317)

Browse Source 
Set 'Content-Security-Policy: upgrade-insecure-requests' header for
snapshots to force all `http` subresources into `https` and avoid
blocked resources because of mixed-content.

References #21263.
This commit is contained in:
Dmitry Gozman 2023-03-01 15:32:39 -08:00 committed by GitHub
parent e222874445
commit d9b0c58b96
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
packages/trace-viewer/src/sw.ts
View File

@ -65,6 +65,13 @@ async function doFetch(event: FetchEvent): Promise<Response> {
const request = event.request; const request = event.request;
const client = await self.clients.get(event.clientId); const client = await self.clients.get(event.clientId);
// When trace viewer is deployed over https, we will force upgrade
// insecure http subresources to https. Otherwise, these will fail
// to load inside our https snapshots.
// In this case, we also match http resources from the archive by
// the https urls.
const isDeployedAsHttps = self.registration.scope.startsWith('https://');
if (request.url.startsWith(self.registration.scope)) { if (request.url.startsWith(self.registration.scope)) {
const url = new URL(unwrapPopoutUrl(request.url)); const url = new URL(unwrapPopoutUrl(request.url));
const relativePath = url.pathname.substring(scopePath.length - 1); const relativePath = url.pathname.substring(scopePath.length - 1);
@ -102,7 +109,10 @@ async function doFetch(event: FetchEvent): Promise<Response> {
if (relativePath.startsWith('/snapshot/')) { if (relativePath.startsWith('/snapshot/')) {
if (!snapshotServer) if (!snapshotServer)
return new Response(null, { status: 404 }); return new Response(null, { status: 404 });
return snapshotServer.serveSnapshot(relativePath, url.searchParams, url.href); const response = snapshotServer.serveSnapshot(relativePath, url.searchParams, url.href);
if (isDeployedAsHttps)
response.headers.set('Content-Security-Policy', 'upgrade-insecure-requests');
return response;
} }
if (relativePath.startsWith('/sha1/')) { if (relativePath.startsWith('/sha1/')) {
@ -126,10 +136,7 @@ async function doFetch(event: FetchEvent): Promise<Response> {
return new Response(null, { status: 404 }); return new Response(null, { status: 404 });
const lookupUrls = [request.url]; const lookupUrls = [request.url];
// When trace viewer is deployed over https, Chrome changes http subresources if (isDeployedAsHttps && request.url.startsWith('https://'))
// in snapshots to https, presumably to avoid mixed-content.
// In this case, we additionally match http resources from the archive.
if (self.registration.scope.startsWith('https://') && request.url.startsWith('https://'))
lookupUrls.push(request.url.replace(/^https/, 'http')); lookupUrls.push(request.url.replace(/^https/, 'http'));
return snapshotServer.serveResource(lookupUrls, snapshotUrl); return snapshotServer.serveResource(lookupUrls, snapshotUrl);
} }