The Worklet spec defines WorkletGlobalScope must have a unique opaque origin[1]:

> 3. Let origin be a unique opaque origin.

However, our current impl doesn't obey this requirement as follows:

- PaintWorkletGlobalScope inherits its owner document's SecurityOrigin[2]
- AnimationWorklet creates a SecurityOrigin based on its script URL[3]
- AudioWorklet creates a SecurityOrigin based on its script URL[3]

We should replace them with SecurityOrigin::CreateUnique().

[1] https://drafts.css-houdini.org/worklets/#set-up-a-worklet-environment-settings-object
[2] https://chromium.googlesource.com/chromium/src/+/a14628013711891a600348b52153d9b36c2ba067/third_party/WebKit/Source/modules/csspaint/PaintWorkletGlobalScopeProxy.cpp#30
[3] https://chromium.googlesource.com/chromium/src/+/a14628013711891a600348b52153d9b36c2ba067/third_party/WebKit/Source/modules/compositorworker/AnimationWorkletThread.cpp#85
[4] https://chromium.googlesource.com/chromium/src/+/a14628013711891a600348b52153d9b36c2ba067/third_party/WebKit/Source/modules/webaudio/AudioWorkletThread.cpp#109
WIP CL: https://chromium-review.googlesource.com/c/chromium/src/+/714499
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4efd8b40b79a64112ec87267187e998684e7958a

commit 4efd8b40b79a64112ec87267187e998684e7958a
Author: Hiroki Nakagawa <nhiroki@chromium.org>
Date: Mon Oct 16 07:13:56 2017

ES6 Modules: Rename Modulator::GetSecurityOrigin() to GetSecurityOriginForFetch()

Modulator::GetSecurityOrigin() must be used only for module fetch. Blink developers may expect it returns a SecurityOrigin associated with Modulator's ExecutionContext. It's correct for documents. However, for worklets, it will return owner Document's SecurityOrigin, not Worklet's SecurityOrigin. See the following CL for details:
https://chromium-review.googlesource.com/c/chromium/src/+/714499

To clarify that, this CL adds the "ForFetch" suffix to the function.

Bug: 773772
Change-Id: Ia2f0833f77e3044684640ae8384a25be2d7cbf9e
Reviewed-on: https://chromium-review.googlesource.com/720595
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508991}

[modify] https://crrev.com/4efd8b40b79a64112ec87267187e998684e7958a/third_party/WebKit/Source/core/dom/Modulator.h
[modify] https://crrev.com/4efd8b40b79a64112ec87267187e998684e7958a/third_party/WebKit/Source/core/dom/ModulatorImplBase.cpp
[modify] https://crrev.com/4efd8b40b79a64112ec87267187e998684e7958a/third_party/WebKit/Source/core/dom/ModulatorImplBase.h
[modify] https://crrev.com/4efd8b40b79a64112ec87267187e998684e7958a/third_party/WebKit/Source/core/loader/modulescript/ModuleScriptLoader.cpp
[modify] https://crrev.com/4efd8b40b79a64112ec87267187e998684e7958a/third_party/WebKit/Source/core/loader/modulescript/ModuleScriptLoaderTest.cpp
[modify] https://crrev.com/4efd8b40b79a64112ec87267187e998684e7958a/third_party/WebKit/Source/core/testing/DummyModulator.cpp
[modify] https://crrev.com/4efd8b40b79a64112ec87267187e998684e7958a/third_party/WebKit/Source/core/testing/DummyModulator.h
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4e4d8f80af86fb934bd6844dacea4e3ecbed6e14

commit 4e4d8f80af86fb934bd6844dacea4e3ecbed6e14
Author: Hiroki Nakagawa <nhiroki@chromium.org>
Date: Mon Oct 16 09:50:31 2017

Worklet: Replace classic script eval with module script eval in unit tests

Worklet should be executed as module scripts as opposed to classic scripts.

Bug: 773772
Change-Id: Ib32899fa776bcf56be5ec5f58eb84b04df7bd603
Reviewed-on: https://chromium-review.googlesource.com/717957
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509006}

[modify] https://crrev.com/4e4d8f80af86fb934bd6844dacea4e3ecbed6e14/third_party/WebKit/Source/modules/compositorworker/AnimationWorkletGlobalScope.h
[modify] https://crrev.com/4e4d8f80af86fb934bd6844dacea4e3ecbed6e14/third_party/WebKit/Source/modules/compositorworker/AnimationWorkletGlobalScopeTest.cpp
[modify] https://crrev.com/4e4d8f80af86fb934bd6844dacea4e3ecbed6e14/third_party/WebKit/Source/modules/compositorworker/AnimationWorkletThreadTest.cpp
[modify] https://crrev.com/4e4d8f80af86fb934bd6844dacea4e3ecbed6e14/third_party/WebKit/Source/modules/webaudio/AudioWorkletGlobalScopeTest.cpp
[modify] https://crrev.com/4e4d8f80af86fb934bd6844dacea4e3ecbed6e14/third_party/WebKit/Source/modules/webaudio/AudioWorkletThreadTest.cpp
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e5065d6ee169f0dac94536ae5ae85d2572726c5f

commit e5065d6ee169f0dac94536ae5ae85d2572726c5f
Author: Hiroki Nakagawa <nhiroki@chromium.org>
Date: Tue Oct 17 08:55:46 2017

Worklet: Make WorkletGlobalScope a unique opaque origin

This CL does 2 things:

(1) The Worklet spec defines WorkletGlobalScope must have a unique opaque origin:

"3. Let origin be a unique opaque origin."
https://drafts.css-houdini.org/worklets/#script-settings-for-worklets

However, our current impl doesn't obey this requirement. PaintWorklet inherits its owner document's SecurityOrigin. AnimationWorklet and AudioWorklet create a SecurityOrigin based on their script URL. This CL replaces them with SecurityOrigin::CreateUnique().

(2) Our current impl checks CORS etc based on ExecutionContext's SecurityOrigin associated with Modulator. For Worklets, these are WorkletGlobalScope and WorkletModulatorImpl. However, Worklets need to fetch their scripts as sub-resources of the owner Document, so the security checks are conducted based on the owner Document's SecurityOrigin. After changes for (1), SecurityOrigin is a unique opaque origin and it fails a bunch of tests because of CORS check failures. To fix this, WorkletModulatorImpl overrides GetSecurityOrigin() to provide the owner Document's SecurityOrigin for module fetch.

Bug: 773772, 773778
Change-Id: I451999ef09b943c480e907e6536ca8819f446d5b
Reviewed-on: https://chromium-review.googlesource.com/714499
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509328}

[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/dom/WorkletModulatorImpl.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/dom/WorkletModulatorImpl.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/loader/modulescript/ModuleScriptLoaderTest.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/GlobalScopeCreationParams.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/GlobalScopeCreationParams.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/MainThreadWorkletGlobalScope.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/MainThreadWorkletGlobalScope.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/MainThreadWorkletTest.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/ThreadedWorkletGlobalScope.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/ThreadedWorkletGlobalScope.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/ThreadedWorkletTest.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/WorkletGlobalScope.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/core/workers/WorkletGlobalScope.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/compositorworker/AnimationWorkletGlobalScope.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/compositorworker/AnimationWorkletGlobalScope.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/compositorworker/AnimationWorkletThread.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/csspaint/PaintWorkletGlobalScope.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/csspaint/PaintWorkletGlobalScope.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/csspaint/PaintWorkletGlobalScopeProxy.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/webaudio/AudioWorkletGlobalScope.cpp
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/webaudio/AudioWorkletGlobalScope.h
[modify] https://crrev.com/e5065d6ee169f0dac94536ae5ae85d2572726c5f/third_party/WebKit/Source/modules/webaudio/AudioWorkletThread.cpp
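
The split between the global scope's origin and the origin used for module fetch, described in part (2) of the commit message above, as a simplified stand-alone model. This is an added example, not Blink code: the `Origin`, `FetchAllowed` and `WorkletModel` types, their method names and the `https://app.example` URL are assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <utility>

// Toy origin: a serialized tuple, or opaque with a fresh nonce. Not Blink's SecurityOrigin.
class Origin {
 public:
  static Origin Create(std::string tuple) { return Origin(std::move(tuple), 0); }
  static Origin CreateUnique() { static unsigned long next = 0; return Origin("null", ++next); }
  bool IsOpaque() const { return nonce_ != 0; }
  const std::string& Serialize() const { return serialized_; }
  // An opaque origin is same-origin only with itself (same nonce).
  bool IsSameOriginWith(const Origin& other) const {
    if (IsOpaque() || other.IsOpaque()) return nonce_ == other.nonce_;
    return serialized_ == other.serialized_;
  }
 private:
  Origin(std::string s, unsigned long nonce) : serialized_(std::move(s)), nonce_(nonce) {}
  std::string serialized_;
  unsigned long nonce_;
};

// Simplified CORS decision: same-origin passes; otherwise the response needs a
// matching Access-Control-Allow-Origin value (empty string = header absent).
bool FetchAllowed(const Origin& requester, const Origin& resource, const std::string& acao) {
  if (requester.IsSameOriginWith(resource)) return true;
  return acao == "*" || acao == requester.Serialize();
}

// The split described in the CL: one origin for the scope, another for module fetch.
struct WorkletModel {
  explicit WorkletModel(Origin owner) : owner_(std::move(owner)), scope_(Origin::CreateUnique()) {}
  const Origin& GlobalScopeOrigin() const { return scope_; }
  const Origin& SecurityOriginForFetch() const { return owner_; }
  Origin owner_, scope_;
};

// Constructed scenario: script served from the document's origin, no CORS headers.
bool SameOriginScriptLoads(bool fetch_as_owner_document) {
  WorkletModel worklet(Origin::Create("https://app.example"));
  const Origin& requester = fetch_as_owner_document ? worklet.SecurityOriginForFetch()
                                                    : worklet.GlobalScopeOrigin();
  return FetchAllowed(requester, Origin::Create("https://app.example"), "");
}

int main() {
  std::cout << "fetch as opaque scope origin: " << SameOriginScriptLoads(false) << "\n"
            << "fetch as owner document:      " << SameOriginScriptLoads(true) << "\n";
}
```

In this model, a script on the document's own origin that sends no CORS headers loads only when the fetch is checked against the owner document's origin, while code running in the scope still sees an opaque origin.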
Comment 1 by nhiroki@chromium.org, Oct 11 2017