New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 793692 link

Starred by 2 users
Status: Fixed
Owner:
pfeldman@chromium.org
Closed: Dec 2017
Cc:
abdulsyed@chromium.org
nick@chromium.org
creis@chromium.org
caseq@chromium.org
lukasza@chromium.org
dgozman@chromium.org
ranjitkan@chromium.org
nasko@chromium.org
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug



Sign in to add a comment

DevTools / SiteIsolation: Do not send cross-site cookies to renderer process

Project Member Reported by creis@chromium.org, Dec 11 2017 
It appears that when DevTools is attached to a RenderFrame, the browser process grants it access to "raw cookies" in ChildProcessSecurityPolicy and sends cookie values to the renderer process.

This should be modified to prevent leaking cookie values of sites that require dedicated processes, in case the renderer process is compromised.  This may involve a temporary degradation in the DevTools UI by not displaying the cookie values for these sites, unless the UI can be populated without sending the values to the renderer.

In --site-per-process mode, all sites require dedicated processes, and we should not send any cross-site cookies to the renderer.  Otherwise, we should consult the list of isolated origins and ensure that none of their cookies are sent to a renderer which is not locked to their origin.

You can use a check like the one in CrossSiteDocumentResourceHandler to determine if a site needs protecting:
 if (SiteIsolationPolicy::UseDedicatedProcessesForAllSites() ||
     ChildProcessSecurityPolicyImpl::GetInstance()->IsIsolatedOrigin(
          url::Origin::Create(url))) {
...

ChildProcessSecurityImpl::CanAccessDataForOrigin could also be used to tell if a given process has access to the cookies for an origin already (e.g., see RenderFrameMessageFilter::GetCookies).

pfeldman: Can you help triage?

Comment 1 by pfeldman@chromium.org, Dec 11 2017

Owner: caseq@chromium.org
Status: Assigned (was: Untriaged)
This is likely to be fixed as a part of the browser side network inspection. Adding this to caseq's list of requirements.

Comment 2 by creis@chromium.org, Dec 11 2017

Labels: M-64
Project Member

Comment 3 by bugdroid1@chromium.org, Dec 12 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6745e12dc9b3313294a80575a4284f64ec175d88

commit 6745e12dc9b3313294a80575a4284f64ec175d88
Author: Pavel Feldman <pfeldman@chromium.org>
Date: Tue Dec 12 07:26:48 2017

DevTools: do not report raw headers and cookies for protected subresources.

In case subresource request's site needs to have its document protected, don't
send raw headers and cookies into the frame's renderer.

Bug:  793692 
Change-Id: I9f41adfe35717eec284130f89ac92ecc78089969
Reviewed-on: https://chromium-review.googlesource.com/821410
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Pavel Feldman <pfeldman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523364}
[modify] https://crrev.com/6745e12dc9b3313294a80575a4284f64ec175d88/content/browser/loader/resource_dispatcher_host_impl.cc
[add] https://crrev.com/6745e12dc9b3313294a80575a4284f64ec175d88/third_party/WebKit/LayoutTests/flag-specific/site-per-process/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/6745e12dc9b3313294a80575a4284f64ec175d88/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/6745e12dc9b3313294a80575a4284f64ec175d88/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document.js
[add] https://crrev.com/6745e12dc9b3313294a80575a4284f64ec175d88/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/cookie.pl
Project Member

Comment 4 by bugdroid1@chromium.org, Dec 12 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/40f08a3d4d749313f5ca1178aac0d0eae7ddf73f

commit 40f08a3d4d749313f5ca1178aac0d0eae7ddf73f
Author: Christos Froussios <cfroussios@chromium.org>
Date: Tue Dec 12 11:12:47 2017

Revert "DevTools: do not report raw headers and cookies for protected subresources."

This reverts commit 6745e12dc9b3313294a80575a4284f64ec175d88.

Reason for revert: Test raw-headers-for-protected-document.js is flaky (mostly failing)

Original change's description:
> DevTools: do not report raw headers and cookies for protected subresources.
>
> In case subresource request's site needs to have its document protected, don't
> send raw headers and cookies into the frame's renderer.
>
> Bug:  793692 
> Change-Id: I9f41adfe35717eec284130f89ac92ecc78089969
> Reviewed-on: https://chromium-review.googlesource.com/821410
> Reviewed-by: Charlie Reis <creis@chromium.org>
> Commit-Queue: Pavel Feldman <pfeldman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#523364}

TBR=creis@chromium.org,pfeldman@chromium.org

Change-Id: I2f4abad2167c23cf6218fe1806eeadb212ccb430
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  793692 , 794128 
Reviewed-on: https://chromium-review.googlesource.com/822190
Commit-Queue: Christos Froussios <cfroussios@chromium.org>
Reviewed-by: Christos Froussios <cfroussios@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523400}
[modify] https://crrev.com/40f08a3d4d749313f5ca1178aac0d0eae7ddf73f/content/browser/loader/resource_dispatcher_host_impl.cc
[delete] https://crrev.com/9e3ea37af709a9b7e9ae5331744dd7a1c97a2ce3/third_party/WebKit/LayoutTests/flag-specific/site-per-process/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[delete] https://crrev.com/9e3ea37af709a9b7e9ae5331744dd7a1c97a2ce3/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[delete] https://crrev.com/9e3ea37af709a9b7e9ae5331744dd7a1c97a2ce3/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document.js
[delete] https://crrev.com/9e3ea37af709a9b7e9ae5331744dd7a1c97a2ce3/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/cookie.pl
Project Member

Comment 5 by bugdroid1@chromium.org, Dec 12 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a2fe50be93893335b686b747f29965b52bf4f331

commit a2fe50be93893335b686b747f29965b52bf4f331
Author: Pavel Feldman <pfeldman@chromium.org>
Date: Tue Dec 12 22:48:54 2017

Reland "DevTools: do not report raw headers and cookies for protected subresources."

This is a reland of 6745e12dc9b3313294a80575a4284f64ec175d88
Original change's description:
> DevTools: do not report raw headers and cookies for protected subresources.
> 
> In case subresource request's site needs to have its document protected, don't
> send raw headers and cookies into the frame's renderer.
> 
> Bug:  793692 
> Change-Id: I9f41adfe35717eec284130f89ac92ecc78089969
> Reviewed-on: https://chromium-review.googlesource.com/821410
> Reviewed-by: Charlie Reis <creis@chromium.org>
> Commit-Queue: Pavel Feldman <pfeldman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#523364}

Bug:  793692 
Change-Id: Ib0bd20ae7a34c32797fee19533f597094f384c83
Reviewed-on: https://chromium-review.googlesource.com/822134
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523583}
[modify] https://crrev.com/a2fe50be93893335b686b747f29965b52bf4f331/content/browser/loader/resource_dispatcher_host_impl.cc
[add] https://crrev.com/a2fe50be93893335b686b747f29965b52bf4f331/third_party/WebKit/LayoutTests/flag-specific/site-per-process/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/a2fe50be93893335b686b747f29965b52bf4f331/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/a2fe50be93893335b686b747f29965b52bf4f331/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document.js
[add] https://crrev.com/a2fe50be93893335b686b747f29965b52bf4f331/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/cookie.pl
[modify] https://crrev.com/a2fe50be93893335b686b747f29965b52bf4f331/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/inspector-protocol-test.js

Comment 6 by creis@chromium.org, Dec 15 2017

Cc: abdulsyed@chromium.org
pfeldman@/caseq@: Thanks!  Looks like r523583 is sticking.  If you're able to verify it in 65.0.3293.0 or later, do you think it's safe to request a merge to M64?  It should only affect Site Isolation modes and not default behavior, IIUC.

Comment 7 by pfeldman@chromium.org, Dec 15 2017

Labels: Merge-Request-64
- https://chromium-review.googlesource.com/c/chromium/src/+/822134 is the fix
- the safe is fix, revert was about flakiness in the test harness
- only touches one file, the code engages when devtools are opened and site isolation is in place.

Requesting merge.

Comment 8 by pfeldman@chromium.org, Dec 15 2017

Owner: pfeldman@chromium.org
Project Member

Comment 9 by sheriffbot@chromium.org, Dec 15 2017

Labels: -Merge-Request-64 Hotlist-Merge-Review Merge-Review-64
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by kbleicher@chromium.org, Dec 15 2017 

Did you catch the unresolved comments in the review?  Wanna make sure no concerns before approving the merge.  Not a tiny change.

Comment 11 by creis@chromium.org, Dec 17 2017 

Comment 10: The change itself is just line 1281-1290 of resource_dispatcher_host_impl.cc, which adds a SiteIsolation-specific exception for report_raw_headers similar to the block above it on 1269.  Should be no change in behavior for default Chrome, though it intentionally introduces a slight regression into DevTools in Site Isolation modes to improve security (i.e., not showing some cookie values that the renderer shouldn't have access to).

The rest of the CL is just tests.

As for my comments on the CL, they were mainly sanity checks.  Pavel, could you post replies to them (apart from the commit message one, which is now moot) just to wrap up loose ends?  That should make it clear it's safe to merge.  Thanks!

Comment 12 by pfeldman@chromium.org, Dec 18 2017 

> Pavel, could you post replies to them

Done.

Comment 13 by creis@chromium.org, Dec 18 2017 

Thanks, LGTM to merge.

Comment 14 by kbleicher@chromium.org, Dec 18 2017

Labels: -Merge-Review-64 Merge-Approved-64
Approving merge to M64 Chrome OS.
Project Member

Comment 15 by bugdroid1@chromium.org, Dec 18 2017

Labels: -merge-approved-64 merge-merged-3282
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c0360d9ba6251a91a8fa471e732ed62cc05c7255

commit c0360d9ba6251a91a8fa471e732ed62cc05c7255
Author: Pavel Feldman <pfeldman@chromium.org>
Date: Mon Dec 18 18:59:18 2017

Reland "DevTools: do not report raw headers and cookies for protected subresources."

This is a reland of 6745e12dc9b3313294a80575a4284f64ec175d88
Original change's description:
> DevTools: do not report raw headers and cookies for protected subresources.
>
> In case subresource request's site needs to have its document protected, don't
> send raw headers and cookies into the frame's renderer.
>
> Bug:  793692 
> Change-Id: I9f41adfe35717eec284130f89ac92ecc78089969
> Reviewed-on: https://chromium-review.googlesource.com/821410
> Reviewed-by: Charlie Reis <creis@chromium.org>
> Commit-Queue: Pavel Feldman <pfeldman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#523364}

TBR=pfeldman@chromium.org

(cherry picked from commit a2fe50be93893335b686b747f29965b52bf4f331)

Bug:  793692 
Change-Id: Ib0bd20ae7a34c32797fee19533f597094f384c83
Reviewed-on: https://chromium-review.googlesource.com/822134
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#523583}
Reviewed-on: https://chromium-review.googlesource.com/833024
Cr-Commit-Position: refs/branch-heads/3282@{#268}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/c0360d9ba6251a91a8fa471e732ed62cc05c7255/content/browser/loader/resource_dispatcher_host_impl.cc
[add] https://crrev.com/c0360d9ba6251a91a8fa471e732ed62cc05c7255/third_party/WebKit/LayoutTests/flag-specific/site-per-process/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/c0360d9ba6251a91a8fa471e732ed62cc05c7255/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/c0360d9ba6251a91a8fa471e732ed62cc05c7255/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document.js
[add] https://crrev.com/c0360d9ba6251a91a8fa471e732ed62cc05c7255/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/cookie.pl
[modify] https://crrev.com/c0360d9ba6251a91a8fa471e732ed62cc05c7255/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/resources/inspector-protocol-test.js

Comment 16 by pfeldman@chromium.org, Dec 18 2017

Status: Fixed (was: Assigned)

Comment 17 by awhalley@google.com, Jan 2 2018

Labels: Merge-Request-63

Comment 18 by abdulsyed@google.com, Jan 2 2018

Labels: -Merge-Request-63 Merge-Approved-63
As discussed over email, approving this merge for M63.

Comment 19 by creis@chromium.org, Jan 2 2018 

Thanks-- I'll get it merged.
Project Member

Comment 20 by bugdroid1@chromium.org, Jan 2 2018

Labels: -merge-approved-63 merge-merged-3239
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/919527f62088a14d8360b79e2168e204713c02f0

commit 919527f62088a14d8360b79e2168e204713c02f0
Author: Charles Reis <creis@chromium.org>
Date: Tue Jan 02 17:32:00 2018

DevTools: do not report raw headers and cookies for protected subresources.

In case subresource request's site needs to have its document protected, don't
send raw headers and cookies into the frame's renderer.

(cherry picked from commit 6745e12dc9b3313294a80575a4284f64ec175d88)

Bug:  793692 
Change-Id: I9f41adfe35717eec284130f89ac92ecc78089969
Reviewed-on: https://chromium-review.googlesource.com/821410
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Pavel Feldman <pfeldman@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#523364}
Reviewed-on: https://chromium-review.googlesource.com/846700
Cr-Commit-Position: refs/branch-heads/3239@{#707}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/919527f62088a14d8360b79e2168e204713c02f0/content/browser/loader/resource_dispatcher_host_impl.cc
[add] https://crrev.com/919527f62088a14d8360b79e2168e204713c02f0/third_party/WebKit/LayoutTests/flag-specific/site-per-process/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/919527f62088a14d8360b79e2168e204713c02f0/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document-expected.txt
[add] https://crrev.com/919527f62088a14d8360b79e2168e204713c02f0/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/raw-headers-for-protected-document.js
[add] https://crrev.com/919527f62088a14d8360b79e2168e204713c02f0/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/resources/cookie.pl

Comment 21 by ranjitkan@chromium.org, Jan 4 2018

Cc: ranjitkan@chromium.org
Labels: TE-Verified-M63 TE-Verified-63.0.3239.132
Rechecked the issue by following the below steps on Windows 10, 7, Mac 10.12.6, Ubuntu 14.04 using chrome version 63.0.3239.132

1. Start Chrome with --site-per-process
2. Go to https://www.chromium.org
3. Go to http://csreis.github.io
4. Open DevTools network panel and check the "Disable cache" box.
5. Enter this into the DevTools Console:
var i = document.createElement("img");
i.src = "https://www.chromium.org/_/rsrc/1220197576998/Home/flying_browser.png";
6. Click on the "flying_browser.png" row of the DevTools network panel.

Observed that Cookies tab next to "Headers", "Preview", "Response", and "Timing" is NOT Displayed


Adding TE-Verified labels.

Thanks.!

Comment 22 by ranjitkan@chromium.org, Jan 9 2018 

Rechecked this on Chrome OS version 63.0.3239.136, Platform KIP 5216.227.78 as per the steps mentioned above and observed that Cookies tab next to "Headers", "Preview", "Response", and "Timing" is NOT Displayed.

Thanks.!
Project Member

Comment 23 by bugdroid1@chromium.org, Nov 30 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d

commit 1608dec4b25fae0d3ee57bfab004c3fe6140bd6d
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Fri Nov 30 17:39:00 2018

DevTools: do not expose raw headers for cross-origin requests

Same as https://chromium-review.googlesource.com/c/chromium/src/+/821410/,
but now for the network service.

Bug: 898306,  793692 ,  721408 
Change-Id: I96a2a25e66f4ff528d84baf03d600e4f1c89dd30
Reviewed-on: https://chromium-review.googlesource.com/c/1313739
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Cr-Commit-Position: refs/heads/master@{#612685}
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/content/browser/devtools/render_frame_devtools_agent_host.h
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/content/browser/loader/navigation_url_loader_impl_unittest.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/content/browser/websockets/websocket_manager.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/network_context.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/network_service.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/network_service.h
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/network_service_unittest.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/public/mojom/network_service.mojom
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/public/mojom/websocket.mojom
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/url_loader.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/url_loader.h
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/url_loader_factory.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/url_loader_unittest.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/websocket.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/websocket.h
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/services/network/websocket_factory.cc
[modify] https://crrev.com/1608dec4b25fae0d3ee57bfab004c3fe6140bd6d/third_party/blink/web_tests/FlagExpectations/enable-features=NetworkService
Project Member

Comment 24 by bugdroid1@chromium.org, Dec 4

Labels: merge-merged-3626
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3d6da28e05764b49866c2e5f53504e578b16d260

commit 3d6da28e05764b49866c2e5f53504e578b16d260
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Tue Dec 04 23:41:17 2018

DevTools: do not expose raw headers for cross-origin requests

Same as https://chromium-review.googlesource.com/c/chromium/src/+/821410/,
but now for the network service.

Bug: 898306,  793692 ,  721408 
Change-Id: I96a2a25e66f4ff528d84baf03d600e4f1c89dd30
Reviewed-on: https://chromium-review.googlesource.com/c/1313739
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#612685}(cherry picked from commit 1608dec4b25fae0d3ee57bfab004c3fe6140bd6d)
Reviewed-on: https://chromium-review.googlesource.com/c/1361790
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#52}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/content/browser/devtools/render_frame_devtools_agent_host.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/content/browser/devtools/render_frame_devtools_agent_host.h
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/content/browser/loader/navigation_url_loader_impl_unittest.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/content/browser/websockets/websocket_manager.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/network_context.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/network_service.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/network_service.h
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/network_service_unittest.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/public/mojom/network_service.mojom
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/public/mojom/websocket.mojom
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/url_loader.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/url_loader.h
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/url_loader_factory.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/url_loader_unittest.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/websocket.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/websocket.h
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/services/network/websocket_factory.cc
[modify] https://crrev.com/3d6da28e05764b49866c2e5f53504e578b16d260/third_party/blink/web_tests/FlagExpectations/enable-features=NetworkService
Project Member

Comment 25 by cr-audit...@appspot.gserviceaccount.com, Dec 19

Labels: Merge-Merged-72-3626
The following revision refers to this bug: 
https://chromium.googlesource.com/chromium/src.git/+/3d6da28e05764b49866c2e5f53504e578b16d260

Commit: 3d6da28e05764b49866c2e5f53504e578b16d260
Author: caseq@chromium.org
Commiter: caseq@chromium.org
Date: 2018-12-04 23:41:17 +0000 UTC

DevTools: do not expose raw headers for cross-origin requests

Same as https://chromium-review.googlesource.com/c/chromium/src/+/821410/,
but now for the network service.

Bug: 898306,  793692 ,  721408 
Change-Id: I96a2a25e66f4ff528d84baf03d600e4f1c89dd30
Reviewed-on: https://chromium-review.googlesource.com/c/1313739
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#612685}(cherry picked from commit 1608dec4b25fae0d3ee57bfab004c3fe6140bd6d)
Reviewed-on: https://chromium-review.googlesource.com/c/1361790
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Cr-Commit-Position: refs/branch-heads/3626@{#52}
Cr-Branched-From: d897fb137fbaaa9355c0c93124cc048824eb1e65-refs/heads/master@{#612437}

Sign in to add a comment