
Issue 632986 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug




generalize same-origin doc.write script block heuristic to TLD+1

Project Member Reported by bmcquade@chromium.org, Jul 30 2016

Issue description

Currently, the doc.write script blocking logic allows scripts to load if they are on the same origin as the document. This is a heuristic to unblock scripts that are clearly first party.

There are some cases where the doc.written script or the main document have the same TLD+1, but are on different subdomains. For example in bug 618108, a script on https://bandcamp.com/ is inserted from the page https://eviltwinrecords.bandcamp.com/album/hip-hop-instrumentals-vol-i - these have different origins but the same TLD+1.

We should generalize the blocking logic to allow scripts as long as document and script have the same TLD+1.

The code to get the TLD+1 for a given URL is net::registry_controlled_domains::GetDomainAndRegistry. This is not currently available to blink code. We'll need to add a method in blink's platform/network/NetworkUtils.h that exposes this to blink, and then call it from our code in FrameFetchContext.
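The issue description asks for a "same TLD+1" (domain and registry) comparison rather than a same-origin one. The following C++ is an added, self-contained illustration of that check and is not Chromium's code: it stands in for net::registry_controlled_domains::GetDomainAndRegistry with a tiny constructed suffix table instead of the real Public Suffix List, and it does not model wildcard or exception rules. The function names (DomainAndRegistry, SameDomainAndRegistry, NaiveLastTwoLabels) are hypothetical.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <unordered_set>
#include <vector>

// Constructed stand-in for the Public Suffix List that
// net::registry_controlled_domains consults. Only the suffixes the examples
// below need are listed; the real list has thousands of rules.
static const std::unordered_set<std::string> kPublicSuffixes = {
    "com", "org", "uk", "co.uk", "io", "github.io"};

// Split a hostname into lowercased, dot-separated labels.
static std::vector<std::string> SplitLabels(const std::string& host) {
  std::vector<std::string> labels(1);
  for (char c : host) {
    if (c == '.')
      labels.emplace_back();
    else
      labels.back().push_back(
          static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
  }
  return labels;
}

// Join labels[from..end) with dots.
static std::string JoinFrom(const std::vector<std::string>& labels,
                            size_t from) {
  std::string out;
  for (size_t i = from; i < labels.size(); ++i) {
    if (!out.empty()) out += '.';
    out += labels[i];
  }
  return out;
}

// Simplified domain+registry (eTLD+1) lookup: find the longest public suffix
// at the end of the host and return it together with the one label before it.
// Returns "" when the host is itself a public suffix or no suffix matches
// (an unknown registry), so two unregistrable hosts never compare equal.
std::string DomainAndRegistry(const std::string& host) {
  const std::vector<std::string> labels = SplitLabels(host);
  size_t suffix_start = labels.size();  // index of first public-suffix label
  for (size_t i = labels.size(); i-- > 0;) {
    if (kPublicSuffixes.count(JoinFrom(labels, i)) == 0)
      break;  // suffix rules are contiguous, so the first miss ends the match
    suffix_start = i;
  }
  if (suffix_start == labels.size() || suffix_start == 0)
    return "";  // unknown registry, or the host is a bare public suffix
  return JoinFrom(labels, suffix_start - 1);
}

// The check the issue asks for: allow the doc.written script when document
// and script share a non-empty domain+registry.
bool SameDomainAndRegistry(const std::string& document_host,
                           const std::string& script_host) {
  const std::string doc = DomainAndRegistry(document_host);
  return !doc.empty() && doc == DomainAndRegistry(script_host);
}

// The tempting shortcut: keep the last two labels. Included only to contrast
// with the registry-aware version; it lumps every *.co.uk site together.
std::string NaiveLastTwoLabels(const std::string& host) {
  const std::vector<std::string> labels = SplitLabels(host);
  if (labels.size() < 2) return host;
  return JoinFrom(labels, labels.size() - 2);
}

int main() {
  // The case from bug 618108: different origins, same domain+registry.
  std::cout << SameDomainAndRegistry("eviltwinrecords.bandcamp.com",
                                     "bandcamp.com")
            << '\n';  // 1
  // Different registrants under a public suffix must not match.
  std::cout << SameDomainAndRegistry("a.co.uk", "b.co.uk") << '\n';  // 0
  std::cout << NaiveLastTwoLabels("a.co.uk") << '\n';                // co.uk
  return 0;
}
```

The contrast with NaiveLastTwoLabels is the reason the issue points at GetDomainAndRegistry instead of string-splitting: under a public suffix such as co.uk or github.io, neighbouring subdomains belong to unrelated parties, and a last-two-labels rule would unblock a script from one of them on a document from another. Because github.io is in the suffix table, alice.github.io and bob.github.io stay distinct here, which is the behaviour a defender wants from a first-party heuristic.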
 
Owner: bmcquade@chromium.org
Status: Started (was: Available)
Project Member Comment 2 by bugdroid1@chromium.org, Aug 4 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c3892ef2fb30045b8f9173839818914c1162fcc3

commit c3892ef2fb30045b8f9173839818914c1162fcc3
Author: bmcquade <bmcquade@chromium.org>
Date: Thu Aug 04 19:49:11 2016

Allow doc.written scripts with a matching domain and registry to execute.

We currently allow scripts to execute as long as they are on the same
hostname as the document.

This change also allows scripts to execute if they have the same
domain+registry as the document. For example, if a script is on
static.example.com, and the main document is on www.example.com,
the script will be allowed to execute, since the domain+registry
for both script and document is example.com.

I didn't see a way to write a layout test for this, as layout tests
don't allow serving resources from actual domains (only 127.0.0.1
and localhost).

BUG= 632986 

Review-Url: https://codereview.chromium.org/2196983002
Cr-Commit-Position: refs/heads/master@{#409875}

[modify] https://crrev.com/c3892ef2fb30045b8f9173839818914c1162fcc3/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/c3892ef2fb30045b8f9173839818914c1162fcc3/third_party/WebKit/Source/platform/network/NetworkUtils.cpp
[modify] https://crrev.com/c3892ef2fb30045b8f9173839818914c1162fcc3/third_party/WebKit/Source/platform/network/NetworkUtils.h
[modify] https://crrev.com/c3892ef2fb30045b8f9173839818914c1162fcc3/third_party/WebKit/Source/platform/network/NetworkUtilsTest.cpp

Status: Fixed (was: Started)
