Restrict account consistency request headers to main frame
Issue description

For RESPONSES, we check that the type is content::RESOURCE_TYPE_MAIN_FRAME. See:
Mirror: https://cs.chromium.org/chromium/src/chrome/browser/signin/chrome_signin_helper.cc?rcl=c6f67ca22af1cd509dee7418d72ab1f42deb877e&l=142
Dice: https://cs.chromium.org/chromium/src/chrome/browser/signin/chrome_signin_helper.cc?rcl=c6f67ca22af1cd509dee7418d72ab1f42deb877e&l=192

However, for REQUESTS, I don't see a similar check. That means that we are probably adding the request header to all requests to Gaia (i.e. subresources, XHR, ...). See: https://cs.chromium.org/chromium/src/chrome/browser/signin/chrome_signin_helper.cc?rcl=c6f67ca22af1cd509dee7418d72ab1f42deb877e&l=233

This seems inconsistent, and unnecessary. Is this intended?
Sep 5 2017
I tried restricting to RESOURCE_TYPE_MAIN frame, and it actually breaks Dice. It seems Dice requires both RESOURCE_TYPE_MAIN_FRAME and RESOURCE_TYPE_MAIN_XHR, and thus the inconsistency between request and response is actually expected.

We could still limit the header to main frames and XHR only, but that would be essentially a performance optimization. It would also limit what Gaia can do, and may cause bugs in the future if Gaia expects the header on other requests.

I'm closing this, I don't think it's worth investing in that direction.
Comment 1 by droger@chromium.org, Aug 31 2017