Issue 782381

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocking:
issue 735518




Send client hints only on secure transports

Project Member Reported by tbansal@chromium.org, Nov 7 2017

Issue description

Client hints spec (http://httpwg.org/http-extensions/client-hints.html#security-considerations) was recently updated to allow sending of client hints on only secure transports (i.e., HTTPS URLs).

Chromium implementation of client hints should be updated to follow the spec. Additionally, we should allow client hints on local URLs for easier testing by developers.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3b330b0c1222235d98d691572dbe43147adbdbc3

commit 3b330b0c1222235d98d691572dbe43147adbdbc3
Author: Tarun Bansal <tbansal@chromium.org>
Date: Thu Nov 09 19:03:14 2017

Allow client hints only for secure or local origins

Currently, the non-persistent client hints may be sent on non-secure
URLs. This CL changes it so that client hints (persistent or
non-persistent) are sent only on secure or local origins.

Bug:  782381 
Change-Id: I50a184d7aa19813eacc59e4d9fca5e74ec8855f2
Reviewed-on: https://chromium-review.googlesource.com/758464
Commit-Queue: Tarun Bansal <tbansal@chromium.org>
Reviewed-by: Ryan Sturm <ryansturm@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#515229}
[modify] https://crrev.com/3b330b0c1222235d98d691572dbe43147adbdbc3/chrome/browser/client_hints/client_hints.cc
[modify] https://crrev.com/3b330b0c1222235d98d691572dbe43147adbdbc3/chrome/browser/client_hints/client_hints_browsertest.cc
[modify] https://crrev.com/3b330b0c1222235d98d691572dbe43147adbdbc3/third_party/WebKit/LayoutTests/permissionclient/image-permissions-expected.txt
[modify] https://crrev.com/3b330b0c1222235d98d691572dbe43147adbdbc3/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/3b330b0c1222235d98d691572dbe43147adbdbc3/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
[modify] https://crrev.com/3b330b0c1222235d98d691572dbe43147adbdbc3/third_party/WebKit/Source/platform/loader/fetch/ClientHintsPreferences.cpp
[modify] https://crrev.com/3b330b0c1222235d98d691572dbe43147adbdbc3/third_party/WebKit/Source/platform/loader/fetch/ClientHintsPreferencesTest.cpp

Status: Fixed (was: Started)
Status: Assigned (was: Fixed)
Opening it back since client hints were re-enabled for non-secure transports in  Issue 799050 .
Labels: -M-64 M-66
Project Member

Comment 5 by bugdroid1@chromium.org, Jan 26 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8fd1644701f233451848466b4f6cc2d23900a6af

commit 8fd1644701f233451848466b4f6cc2d23900a6af
Author: Tarun Bansal <tbansal@chromium.org>
Date: Fri Jan 26 22:45:18 2018

Disable client hints on insecure contexts.

This only affects the client hints that are requested by
origins using "Accept-CH" header.

Before this change, origins can request client hints
using the main frame response. Chrome would then attach
the requested client hints on either HTTP or
HTTPS subresources. With this change, the client hints
would be attached on HTTPS subresources only.

This is guarded behind a WebRuntimeFeature which will
be enabled after external communication on blink-dev.

This is a partial revert of
https://chromium-review.googlesource.com/c/chromium/src/+/852863.

Bug:  782381 
Change-Id: I462178bd6ed3fe08faa2ee67dcba306468ae1ca8
Reviewed-on: https://chromium-review.googlesource.com/887348
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Ryan Sturm <ryansturm@chromium.org>
Commit-Queue: Tarun Bansal <tbansal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532079}
[modify] https://crrev.com/8fd1644701f233451848466b4f6cc2d23900a6af/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/8fd1644701f233451848466b4f6cc2d23900a6af/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
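
The rule from the issue description and the commit message above, as an added JavaScript sketch that is not part of the thread or of Chromium's source: hints requested through Accept-CH are attached only to secure or local requests. The function names, the loopback definition of "local", the main-frame check and the sample values are assumptions.

```javascript
// Added illustration; not Chromium source. All names here are hypothetical.

// Assumption: "local" means a loopback host; the issue does not define it.
function isLocalHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  if (h === "[::1]") return true;
  return /^127(\.\d{1,3}){3}$/.test(h);
}

function isSecureOrLocal(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable URL: fail closed, send nothing
  }
  return url.protocol === "https:" || isLocalHost(url.hostname);
}

// Split an Accept-CH value into lower-cased hint names.
function parseAcceptCH(value) {
  return (value || "")
    .split(",")
    .map((token) => token.trim().toLowerCase())
    .filter(Boolean);
}

// Hint headers to attach to one subresource request.
// Assumption: the opt-in counts only if the main frame was itself secure or local.
function hintsForRequest(mainFrameUrl, acceptCH, subresourceUrl, deviceValues) {
  if (!isSecureOrLocal(mainFrameUrl) || !isSecureOrLocal(subresourceUrl)) {
    return {};
  }
  const headers = {};
  for (const name of parseAcceptCH(acceptCH)) {
    if (Object.prototype.hasOwnProperty.call(deviceValues, name)) {
      headers[name] = String(deviceValues[name]);
    }
  }
  return headers;
}

// Constructed sample values.
const SAMPLE_DEVICE = { dpr: 2, "viewport-width": 1280 };
```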

Project Member

Comment 6 by bugdroid1@chromium.org, Jan 31 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b454d5875b1a2c37f8518a1c55da64e1efe895a1

commit b454d5875b1a2c37f8518a1c55da64e1efe895a1
Author: Tarun Bansal <tbansal@chromium.org>
Date: Wed Jan 31 00:22:17 2018

Provide client hints only on secure contexts.

Update the http-equiv and preload scanner code path as well. The client
hints are provided only on secure contexts if
ClientHintsPersistentEnabled() feature is enabled.

Bug:  782381 
Change-Id: I28d75b6bfd14f36accdba8f87488ae687df049d7
Reviewed-on: https://chromium-review.googlesource.com/887924
Commit-Queue: Tarun Bansal <tbansal@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533109}
[modify] https://crrev.com/b454d5875b1a2c37f8518a1c55da64e1efe895a1/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp
[modify] https://crrev.com/b454d5875b1a2c37f8518a1c55da64e1efe895a1/third_party/WebKit/Source/core/html/parser/HTMLPreloadScannerTest.cpp
[modify] https://crrev.com/b454d5875b1a2c37f8518a1c55da64e1efe895a1/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/b454d5875b1a2c37f8518a1c55da64e1efe895a1/third_party/WebKit/Source/core/loader/HttpEquiv.cpp
[modify] https://crrev.com/b454d5875b1a2c37f8518a1c55da64e1efe895a1/third_party/WebKit/Source/platform/loader/fetch/ClientHintsPreferences.cpp
[modify] https://crrev.com/b454d5875b1a2c37f8518a1c55da64e1efe895a1/third_party/WebKit/Source/platform/loader/fetch/ClientHintsPreferences.h
[modify] https://crrev.com/b454d5875b1a2c37f8518a1c55da64e1efe895a1/third_party/WebKit/Source/platform/loader/fetch/ClientHintsPreferencesTest.cpp

Status: Started (was: Assigned)
Labels: -M-66 M-67
Status: Fixed (was: Started)
This is now fully implemented behind a flag.
Project Member

Comment 10 by bugdroid1@chromium.org, Mar 19 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/62158e3ea5680211a69999dd5f00649248130c0d

commit 62158e3ea5680211a69999dd5f00649248130c0d
Author: Raymes Khoury <raymes@chromium.org>
Date: Mon Mar 19 08:46:49 2018

Revert "Enable ClientHintsPersistent feature (Accept-CH-Lifetime header)."

This reverts commit 6af9df3e37f4ba34a5a5a44a5245bebce7485507.

Reason for revert: Caused a regression as outlined in
https://chromium-review.googlesource.com/c/chromium/src/+/957265#message-bfd66cb6916d1397f05a74dd7c1fca4645857147

Original change's description:
> Enable ClientHintsPersistent feature (Accept-CH-Lifetime header).
>
> blink-dev i2s thread: https://groups.google.com/a/chromium.org/d/topic/blink-dev/8RBFue7RMXQ/discussion
>
> Change-Id: I5595b3aed72ea0cece88948f69f480f5808fce6b
> Bug:  735518 , 782381 , 816661 
> TBR: raymes@chromium.org
> Reviewed-on: https://chromium-review.googlesource.com/957265
> Reviewed-by: Tarun Bansal <tbansal@chromium.org>
> Reviewed-by: David Dorwin <ddorwin@chromium.org>
> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
> Commit-Queue: Tarun Bansal <tbansal@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#543786}

TBR=ddorwin@chromium.org,raymes@chromium.org,kinuko@chromium.org,tbansal@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  735518 ,  782381 ,  816661 
Change-Id: I47c42057e7d3158eeb515b993266ce0ff8e937e7
Reviewed-on: https://chromium-review.googlesource.com/968081
Commit-Queue: Raymes Khoury <raymes@chromium.org>
Reviewed-by: Raymes Khoury <raymes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543992}
[modify] https://crrev.com/62158e3ea5680211a69999dd5f00649248130c0d/chrome/browser/client_hints/client_hints_browsertest.cc
[modify] https://crrev.com/62158e3ea5680211a69999dd5f00649248130c0d/chrome/browser/content_settings/content_settings_browsertest.cc
[modify] https://crrev.com/62158e3ea5680211a69999dd5f00649248130c0d/third_party/WebKit/Source/platform/runtime_enabled_features.json5

Project Member

Comment 11 by bugdroid1@chromium.org, Mar 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/593790112b293faaabc0f692ffe225ab91c6018e

commit 593790112b293faaabc0f692ffe225ab91c6018e
Author: Tarun Bansal <tbansal@chromium.org>
Date: Tue Mar 20 04:53:34 2018

Enable ClientHintsPersistent feature (Accept-CH-Lifetime header).

blink-dev i2s thread: https://groups.google.com/a/chromium.org/d/topic/blink-dev/8RBFue7RMXQ/discussion

Bug:  735518 , 782381 , 816661 
Change-Id: Ic7c8a6a0eaf323d3ab736ac8e3ad2d23104ae0cb
Reviewed-on: https://chromium-review.googlesource.com/969407
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Tarun Bansal <tbansal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#544285}
[modify] https://crrev.com/593790112b293faaabc0f692ffe225ab91c6018e/chrome/browser/client_hints/client_hints_browsertest.cc
[modify] https://crrev.com/593790112b293faaabc0f692ffe225ab91c6018e/third_party/WebKit/Source/platform/runtime_enabled_features.json5
