The logic to handle the unsafe-credentials policy of the Suborigin is broken
Issue description

E.g. take a look at one in FetchManager::Loader::PerformHTTPFetch(). It sets ResourceLoaderOptions::credentials_requested to true when unsafe-credentials is set. This would affect not only access from a physical origin X with suborigin A to a physical origin X with a not-yet-known suborigin, which can be A, but also access from a physical origin X to a physical origin Y which is different from X, i.e. effectively it makes the credentials mode "include".

https://chromium-review.googlesource.com/c/526212/#message-96169aef2590210713ba8ac4064eeea445265231
Jun 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33

commit 01f09fba7a7f4510b216ecb16c55ff52d2a2ba33
Author: Takeshi Yoshino <tyoshino@chromium.org>
Date: Fri Jun 09 05:57:54 2017

Fix handling of the unsafe-credentials policy of the Suborigin

Factor out the logic to handle the unsafe-credentials policy of the Suborigin into a method on the SecurityOrigin class.

Fix FetchParameters::SetCrossOriginAccessControl() not to touch origin when it's nullptr.

The member variable include_credentials_ of XMLHttpRequest is renamed to with_credentials_ as it's confusing with the local variable include_credentials in CreateRequest().

Pass with_credentials_, not include_credentials to probe::willLoadXHR() since it'll be used to set .withCredentials to replay the XHR.

ResourceRequest::SetFetchCredentialsMode() call and ResourceLoaderOptions::credentials_requested setting must not be affected by the result of suborigin policy check since it's equivalent to the credentials mode. So, it should be set based on:
- XMLHttpRequest: the value set to withCredentials
- FetchManager: Request::Credentials()
- FetchParameters: CrossOriginAttributeValue

Add a note about why |cors_flag| is still used in FetchManager::PerformHTTPFetch().

Bonus:
- Renamed FetchManager::PerformBasicFetch() to PerformSchemeFetch() based on the up-to-date terminology and fixed links to the spec.
- Refactored some related SecurityOrigin methods for readability.

Bug: 730912, 695808
Change-Id: Ifece2a5c6a84cc4695bfdb0d1f3757083f7cac0b
Reviewed-on: https://chromium-review.googlesource.com/526212
Commit-Queue: Takeshi Yoshino <tyoshino@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#478214}

[modify] https://crrev.com/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33/third_party/WebKit/LayoutTests/http/tests/security/suborigins/suborigin-unsafe-credentials.php
[modify] https://crrev.com/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
[modify] https://crrev.com/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
[modify] https://crrev.com/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33/third_party/WebKit/Source/modules/fetch/FetchManager.cpp
[modify] https://crrev.com/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33/third_party/WebKit/Source/platform/loader/fetch/FetchParameters.cpp
[modify] https://crrev.com/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp
[modify] https://crrev.com/01f09fba7a7f4510b216ecb16c55ff52d2a2ba33/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.h
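A simplified model of the bug reported in the issue and of the separation the commit message above describes, added here as an example; it is not Chromium code, and every type, function and origin value in it is hypothetical. It assumes the policy is only meant to relax the "same-origin" credentials mode for the sender's own physical origin.

```cpp
#include <iostream>
#include <string>

// Simplified model, not Chromium code. All names below are hypothetical.
enum class CredentialsMode { kOmit, kSameOrigin, kInclude };

struct Origin {
  std::string physical;     // scheme://host:port (constructed values)
  std::string suborigin;    // empty when no suborigin is in effect
  bool unsafe_credentials;  // the suborigin's unsafe-credentials policy
};

// Assumption: a document in a suborigin is never same-origin with a target it
// has not loaded yet, because the target's suborigin is not known in advance.
bool IsSameOrigin(const Origin& from, const std::string& target) {
  return from.suborigin.empty() && from.physical == target;
}

// Behaviour reported in the issue: the policy bit alone requests credentials,
// so a request to any physical origin behaves as if the mode were "include".
bool SendsCredentialsBuggy(const Origin& from, const std::string& target,
                           CredentialsMode mode) {
  if (from.unsafe_credentials) return true;
  return mode == CredentialsMode::kInclude ||
         (mode == CredentialsMode::kSameOrigin && IsSameOrigin(from, target));
}

// Policy check kept in one place and scoped to the sender's own physical
// origin, the case the issue describes as the intended one.
bool PolicyGrantsCredentials(const Origin& from, const std::string& target) {
  return !from.suborigin.empty() && from.unsafe_credentials &&
         from.physical == target;
}

// Corrected shape: the credentials mode comes only from the caller; the
// policy can relax "same-origin" for the same physical origin, nothing more.
bool SendsCredentialsFixed(const Origin& from, const std::string& target,
                           CredentialsMode mode) {
  if (mode == CredentialsMode::kInclude) return true;
  if (mode == CredentialsMode::kOmit) return false;
  return IsSameOrigin(from, target) || PolicyGrantsCredentials(from, target);
}

int main() {
  Origin a{"https://x.test", "A", true};  // constructed sample origin
  std::cout << SendsCredentialsBuggy(a, "https://y.test", CredentialsMode::kSameOrigin)
            << SendsCredentialsFixed(a, "https://y.test", CredentialsMode::kSameOrigin) << "\n";
}
```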
Jun 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0ae54aecb40296d0f2304176ffec747e01bc5643

commit 0ae54aecb40296d0f2304176ffec747e01bc5643
Author: Takeshi Yoshino <tyoshino@chromium.org>
Date: Fri Jun 09 09:37:50 2017

Clean up a layout test suborigin-cors-eventsource.php

EventSourceInit.withCredentials is a boolean member. Set a boolean to it.

Remove unused parameter from xorigin_ineligible_event_source().

Bug: 730912
Change-Id: I7a2bd1311d99ff01289459a95d76274f0513d87c
Reviewed-on: https://chromium-review.googlesource.com/527863
Commit-Queue: Takeshi Yoshino <tyoshino@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#478238}

[modify] https://crrev.com/0ae54aecb40296d0f2304176ffec747e01bc5643/third_party/WebKit/LayoutTests/http/tests/security/suborigins/crossorigin/suborigin-cors-eventsource.php
Nov 7 2017
Apologies, applied the wrong component in bulk.
Feb 26 2018
Marking WontFix as the Suborigin has been unshipped for now. CC-ing stakeholders FYI.
Comment 1 by bugdroid1@chromium.org, Jun 9 2017