New issue
Advanced search Search tips

Issue 757441 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 7
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature

Blocked on: View detail
issue 711354
issue 736308

Blocking:
issue 679300



Sign in to add a comment

Background Fetch needs to do security checks

Project Member Reported by joh...@chromium.org, Aug 21 2017

Issue description

Because the DownloadService is used for requesting content as opposed to the regular fetching infrastructure in Blink, we can't share most of the security logic from the Fetch API.

This bug tracks the various tasks needed to achieve parity.

Eventually we hope this will be made obsolete by moving the Fetch API's security logic to an Out-of-Blink Fetch Service (https://docs.google.com/document/d/1mIk2or1y8nXHSQXQ6mJLGp3gLrtImONIuYhHtx1zInM/edit), and making the DownloadService make requests via that.
 

Comment 1 by joh...@chromium.org, Aug 21 2017

Blockedon: 711354
Components: Blink>BackgroundFetch
Labels: -Type-Bug -Pri-3 OS-All Pri-2 Type-Feature
Owner: joh...@chromium.org
Status: Started (was: Untriaged)

Comment 2 by joh...@chromium.org, Aug 21 2017

Blockedon: 736308
Project Member

Comment 3 by bugdroid1@chromium.org, Sep 4 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/167601a35b397e3ee82f8198de38cc77c7b5492a

commit 167601a35b397e3ee82f8198de38cc77c7b5492a
Author: John Mellor <johnme@chromium.org>
Date: Mon Sep 04 15:03:30 2017

[Background Fetch] Add security checks copied from Fetch

Adds some security checks to the Background Fetch API, based on
https://fetch.spec.whatwg.org/#main-fetch.

1. Blocks invalid URLs.

2. Blocks CSP violations.

3. Blocks blacklisted ports.

4. Blocks credentials embedded in the url.

5. Blocks protocols other than http:// and https://
   (https://github.com/WICG/background-fetch/issues/44).

6. Blocks Mixed Content (with an additional restriction that
   insecure http: cannot be requested from http://127.0.0.1).

7. Blocks URLs with dangling markup.

8. Temporarily blocks requests that require a CORS preflight, as
   BackgroundFetchCrossOriginFilter cannot yet handle them safely.
   This restriction will be lifted eventually.

Bug: 711354, 757441 
Change-Id: I3d93c861ce4cbc9f460f61f3ed38a65131c2a620
Reviewed-on: https://chromium-review.googlesource.com/582007
Commit-Queue: John Mellor <johnme@chromium.org>
Reviewed-by: Peter Beverloo <peter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#499500}
[modify] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/content/browser/background_fetch/background_fetch_request_info.cc
[modify] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/content/browser/background_fetch/background_fetch_response.h
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/content-security-policy.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/credentials-in-url.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/dangling-markup.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/mixed-content-and-allowed-schemes.https.window-expected.txt
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/mixed-content-and-allowed-schemes.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/port-blocking.https.window-expected.txt
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/port-blocking.https.window.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/resources/sw.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/external/wpt/background-fetch/resources/utils.js
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/http/tests/background_fetch/block-cors-preflights.https.html
[add] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/LayoutTests/http/tests/background_fetch/resources/utils.js
[modify] https://crrev.com/167601a35b397e3ee82f8198de38cc77c7b5492a/third_party/WebKit/Source/modules/background_fetch/BackgroundFetchManager.cpp

Comment 4 by joh...@chromium.org, Sep 27 2017

Blocking: 679300

Comment 5 by joh...@chromium.org, Dec 16 2017

Owner: peter@chromium.org
Handing over Background Fetch bugs to Peter.
Peter: What remains doing here? I think we can close this one. Please reopen if you disagree.
Status: Fixed (was: Started)

Sign in to add a comment