https://mikewest.github.io/cors-rfc1918/#external-request
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/dc5e487ba33a18f6e0362e072af8c5a39552dffa commit dc5e487ba33a18f6e0362e072af8c5a39552dffa Author: mkwst <mkwst@chromium.org> Date: Wed Mar 02 12:07:38 2016 CORS-RFC1918: Teach ResourceRequest about "external" requests As defined in https://mikewest.github.io/cors-rfc1918/#external-request. This patch converts the "reserved IP range" flag on 'ResourceRequest' into an "external request" flag, and ensures that the flag is set correctly for requests that run through 'ThreadableLoader' and 'ResourceFetcher'. The new flag is locked to a new RuntimeEnabledFeature, which is enabled in test only. If that feature isn't enabled, no request is marked as being external. BUG= 591052 Review URL: https://codereview.chromium.org/1749153002 Cr-Commit-Position: refs/heads/master@{#378730} [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/dom/Document.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/dom/SecurityContext.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/dom/SecurityContext.h [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/fileapi/FileReaderLoader.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/page/EventSource.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/workers/WorkerScriptLoader.h [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/modules/fetch/FetchBlobDataConsumerHandle.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/modules/fetch/FetchManager.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/platform/exported/WebURLRequest.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/platform/network/ResourceRequest.cpp [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/Source/platform/network/ResourceRequest.h [modify] https://crrev.com/dc5e487ba33a18f6e0362e072af8c5a39552dffa/third_party/WebKit/public/platform/WebURLRequest.h
Reopening because workers. :(
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2 commit 0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2 Author: mkwst <mkwst@chromium.org> Date: Fri Mar 04 15:55:21 2016 CORS-RFC1918: Teach Workers about address spaces. https://codereview.chromium.org/1749153002 taught Documents about their address spaces, but neglected Workers. Sorry, Workers! This patch pipes address spaces through to WorkerGlobalState as follows: 1. ServiceWorkers and SharedWorkers get their own address state from the Response which was used to create them. 2. DedicatedWorkers and Worklets get their address state from the Document which created them. BUG= 591052 Review URL: https://codereview.chromium.org/1760523004 Cr-Commit-Position: refs/heads/master@{#379292} [add] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/addressspace-sharedworker-basic.html [delete] https://crrev.com/7a863dad79d0ab589eb2c81cac88bfb2aeee01cb/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/addressspace-worker-basic-expected.txt [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/addressspace-worker-basic.html [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/resources/addressspace-test.js [add] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/resources/post-addressspace-from-sharedworker.html [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/resources/post-addressspace-to-owner.js [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/DedicatedWorkerGlobalScope.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/SharedWorkerGlobalScope.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/WorkerMessagingProxy.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/WorkerScriptLoader.h [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/WorkerThreadStartupData.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/WorkerThreadStartupData.h [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/core/workers/WorkerThreadTest.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/modules/compositorworker/CompositorWorkerGlobalScope.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/modules/compositorworker/CompositorWorkerThreadTest.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerGlobalScope.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/web/WebEmbeddedWorkerImpl.cpp [modify] https://crrev.com/0cff8b37a25ec1c28aa0a388bd54522f2a47a6a2/third_party/WebKit/Source/web/WebSharedWorkerImpl.cpp
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba commit cfa9893483f1c8b83d9e93c188c4c18f552bb1ba Author: mkwst <mkwst@chromium.org> Date: Wed Mar 09 13:06:19 2016 CORS-RFC1918: Pipe creator address space through SharedWorker creation. SharedWorkers are created in a fairly arcane process whereby the renderer IPCs up to the browser to look for existing workers, and then the browser IPCs back down to the renderer to kick off a request if a new worker needs to spin up. https://codereview.chromium.org/1760523004 took care of some of the work necessary to ensure that the worker that spins up is correctly marked as "external" if relevant, but didn't deal with the request for the worker itself. "Why do we care?", you ask, "Surely SharedWorkers are same-origin with the requesting page!" True, but part of the goal is to deal with DNS poisoning attacks, which means that we really do need to tag the request itself. Ugh. The CL is large enough, but got even larger when I realized that I needed to split the AddressSpace enum out of WebURLRequest in order to make it includable from //content/{browser,common}. Sorry for the mess! As kinuko@ noted in the previous patch, unit tests that generate a request I could verify are hard to put together with the current infrastructure. There's an upcoming patch (https://codereview.chromium.org/1745083002) which breaks the existing //security/cors-rfc1918/* layout tests without this patch, however. BUG= 591052 Review URL: https://codereview.chromium.org/1775933002 Cr-Commit-Position: refs/heads/master@{#380126} [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/browser/DEPS [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/browser/devtools/shared_worker_devtools_manager_unittest.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/browser/shared_worker/shared_worker_host.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/browser/shared_worker/shared_worker_instance.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/browser/shared_worker/shared_worker_instance.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/browser/shared_worker/shared_worker_instance_unittest.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/browser/shared_worker/shared_worker_service_impl.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/common/DEPS [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/common/content_param_traits_macros.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/common/view_messages.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/common/worker_messages.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/renderer/render_thread_impl.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/renderer/shared_worker/embedded_shared_worker_stub.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/renderer/shared_worker/embedded_shared_worker_stub.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/renderer/shared_worker_repository.cc [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/content/renderer/shared_worker_repository.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/LayoutTests/http/tests/security/cors-rfc1918/resources/post-addressspace-from-sharedworker.html [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/dom/Document.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/dom/SecurityContext.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/dom/SecurityContext.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/workers/InProcessWorkerBase.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/workers/WorkerScriptLoader.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/workers/WorkerScriptLoader.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/workers/WorkerThreadStartupData.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/workers/WorkerThreadStartupData.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/core/workers/WorkerThreadTest.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/modules/compositorworker/CompositorWorkerThreadTest.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/modules/worklet/Worklet.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/platform/network/ResourceRequest.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/platform/network/ResourceRequest.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/web/SharedWorkerRepositoryClientImpl.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/web/WebEmbeddedWorkerImpl.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/web/WebSharedWorkerImpl.cpp [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/Source/web/WebSharedWorkerImpl.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/public/blink_headers.gypi [add] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/public/platform/WebAddressSpace.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/public/platform/WebURLRequest.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/public/web/WebSharedWorker.h [modify] https://crrev.com/cfa9893483f1c8b83d9e93c188c4c18f552bb1ba/third_party/WebKit/public/web/WebSharedWorkerRepositoryClient.h
Comment 1 by bugdroid1@chromium.org
, Mar 2 2016