Formalize how to track requests from isolated world origins
Issue description

In https://chromium-review.googlesource.com/c/chromium/src/+/783826/, we're changing ResourceFetcher.cpp to call ResourceRequest::SetRequestorOrigin with the origin of an isolated world if it differs from the document's origin. This allows the browser process to make policy decisions (e.g., cross-site document blocking in issue 786505 and issue 268640) based on whether the request was made from an isolated world. This is important for content scripts, which are not subject to the same rules as the document.

The current change affects the URLRequest::initiator() for the cases below:
- Whitelisted origins (e.g., content scripts)
- HTML imports
- ISOLATED_WORLD_ID_APPLESCRIPT
- ISOLATED_WORLD_ID_CHROME_INTERNAL (DOM distiller and offline pages)
- ISOLATED_WORLD_ID_TRANSLATE

dcheng@ thinks the current check may be fragile against future changes, and we should look into a formal way to detect requests from isolated worlds. I think nick@ was interested in that anyway for future document blocking plans.

For more discussion, see this thread: https://chromium-review.googlesource.com/c/chromium/src/+/783826/26/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp#617
,
Dec 19 2017
,
Mar 20 2018
Comment 1 by toyoshim@chromium.org, Dec 7 2017