New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 793881 link

Starred by 3 users
Status: Fixed
Owner:
lukasza@chromium.org
Closed: Dec 2017
Cc:
abdulsyed@chromium.org
gkihumba@chromium.org
gov...@chromium.org
amineer@chromium.org
creis@chromium.org
nasko@chromium.org
wfh@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug

Blocking:
issue 786505



Sign in to add a comment

Add feature flag to control cross-site document blocking

Project Member Reported by nasko@chromium.org, Dec 11 2017 
Part of the Site Isolation project includes blocking delivery of cross-site documents (XSD) content to processes that don't have access to the specific site. However, cross-site document blocking can be useful feature on its own, so it will be best to have flags controlling its behavior independently from site isolation. This bug is to track the addition of such flag.

Comment 1 by nasko@chromium.org, Dec 11 2017

Blocking: 786505

Comment 2 by nasko@chromium.org, Dec 11 2017

Labels: Merge-Request-64
The implementation of the flags was landed in r522981. Requesting merge into M64.

Comment 3 by creis@chromium.org, Dec 11 2017

Cc: abdulsyed@chromium.org gov...@chromium.org
Labels: -Pri-3 Pri-1
Verified in 65.0.3290.0 as follows:

Try to see if document blocking is enabled in the configurations below, using the following steps:
1. Visit http://csreis.github.io/tests/
2. In DevTools Console:
var x = new XMLHttpRequest(); x.onload = function() { console.log("Response: " + x.responseText)}; x.open("GET", "http://www.example.com"); x.send();
3. In about:histograms, check if SiteIsolation.XSD.Browser.Blocked was incremented.

Configurations:
1) No OOPIFs, no blocking (--disable-features=IsolateOrigins,site-per-process).  Should not see any blocking.
2) No OOPIFs, enable blocking (--disable-features=IsolateOrigins,site-per-process --enable-features=CrossSiteDocumentBlockingAlways).  Should see a blocked response.
3) OOPIFs enabled (--site-per-process).  Should see a blocked response.
4) OOPIFs enabled, blocking disabled (--site-per-process --disable-features=CrossSiteDocumentBlockingIfIsolating)

We'll need to merge this to both M64 and the M63 minibranch (3239_84).

Comment 4 by gov...@chromium.org, Dec 11 2017

Cc: gkihumba@chromium.org amineer@chromium.org
Approving merge to  M63 minibranch (3239_84) based on comment #3 and per internal group chat.

Comment 5 by gov...@chromium.org, Dec 11 2017

Labels: Merge-Approved-63-minibranch

Comment 6 by abdulsyed@chromium.org, Dec 11 2017

Labels: -Merge-Request-64 Merge-Approved-64
Approving for M64. Branch:3282
Project Member

Comment 7 by bugdroid1@chromium.org, Dec 11 2017

Labels: -merge-approved-64 merge-merged-3282
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9fcf0daa075daa038f8fea18947e7b0c47e4673

commit c9fcf0daa075daa038f8fea18947e7b0c47e4673
Author: Nasko Oskov <nasko@chromium.org>
Date: Mon Dec 11 21:16:05 2017

Kill switch for cross-site document blocking.

Integrating cross-site document blocking with 2 new content_features.h:

- kCrossSiteDocumentBlockingIfIsolating - kill switch for cross-site
  document blocking.  This feature is enabled by default.

- kCrossSiteDocumentBlockingAlways - a way to force cross-site
  document blocking even if no isolation mode is turned on
  (e.g. even if there is no site-per-process or isolate-origins).
  This feature is disabled by default.

Bug:  786505 ,  793881 
Change-Id: Id0c9a69025fc20f7659b97a96fe70402cc933113
Reviewed-on: https://chromium-review.googlesource.com/818388
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#522981}
Reviewed-on: https://chromium-review.googlesource.com/820452
Cr-Commit-Position: refs/branch-heads/3282@{#148}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/c9fcf0daa075daa038f8fea18947e7b0c47e4673/content/browser/loader/cross_site_document_blocking_browsertest.cc
[modify] https://crrev.com/c9fcf0daa075daa038f8fea18947e7b0c47e4673/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/c9fcf0daa075daa038f8fea18947e7b0c47e4673/content/common/site_isolation_policy.cc
[modify] https://crrev.com/c9fcf0daa075daa038f8fea18947e7b0c47e4673/content/common/site_isolation_policy.h
[modify] https://crrev.com/c9fcf0daa075daa038f8fea18947e7b0c47e4673/content/public/common/content_features.cc
[modify] https://crrev.com/c9fcf0daa075daa038f8fea18947e7b0c47e4673/content/public/common/content_features.h
Project Member

Comment 8 by bugdroid1@chromium.org, Dec 11 2017

Labels: merge-merged-3239_84
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3d1bd9af24648379c22b20f061a3bf06bb6dc329

commit 3d1bd9af24648379c22b20f061a3bf06bb6dc329
Author: Nasko Oskov <nasko@chromium.org>
Date: Mon Dec 11 21:22:32 2017

Kill switch for cross-site document blocking.

Integrating cross-site document blocking with 2 new content_features.h:

- kCrossSiteDocumentBlockingIfIsolating - kill switch for cross-site
  document blocking.  This feature is enabled by default.

- kCrossSiteDocumentBlockingAlways - a way to force cross-site
  document blocking even if no isolation mode is turned on
  (e.g. even if there is no site-per-process or isolate-origins).
  This feature is disabled by default.

Bug:  786505 ,  793881 
Change-Id: Id0c9a69025fc20f7659b97a96fe70402cc933113
Reviewed-on: https://chromium-review.googlesource.com/818388
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#522981}
Reviewed-on: https://chromium-review.googlesource.com/820673
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239_84@{#4}
Cr-Branched-From: 8f51ed0e633e109109762a3deb18a50e8c138819-refs/branch-heads/3239@{#643}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/3d1bd9af24648379c22b20f061a3bf06bb6dc329/content/browser/loader/cross_site_document_blocking_browsertest.cc
[modify] https://crrev.com/3d1bd9af24648379c22b20f061a3bf06bb6dc329/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/3d1bd9af24648379c22b20f061a3bf06bb6dc329/content/common/site_isolation_policy.cc
[modify] https://crrev.com/3d1bd9af24648379c22b20f061a3bf06bb6dc329/content/common/site_isolation_policy.h
[modify] https://crrev.com/3d1bd9af24648379c22b20f061a3bf06bb6dc329/content/public/common/content_features.cc
[modify] https://crrev.com/3d1bd9af24648379c22b20f061a3bf06bb6dc329/content/public/common/content_features.h

Comment 9 by gov...@chromium.org, Dec 13 2017

Labels: Merge-Approved-63
Approving merge to M63 branch 3239. Please merge ASAP. Thank you.
Project Member

Comment 10 by bugdroid1@chromium.org, Dec 13 2017

Labels: -merge-approved-63 merge-merged-3239
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4

commit 2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4
Author: Nasko Oskov <nasko@chromium.org>
Date: Wed Dec 13 00:50:29 2017

Kill switch for cross-site document blocking.

Integrating cross-site document blocking with 2 new content_features.h:

- kCrossSiteDocumentBlockingIfIsolating - kill switch for cross-site
  document blocking.  This feature is enabled by default.

- kCrossSiteDocumentBlockingAlways - a way to force cross-site
  document blocking even if no isolation mode is turned on
  (e.g. even if there is no site-per-process or isolate-origins).
  This feature is disabled by default.

Bug:  786505 ,  793881 
TBR=nasko@chromium.org

Change-Id: Id0c9a69025fc20f7659b97a96fe70402cc933113
Reviewed-on: https://chromium-review.googlesource.com/818388
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Original-Original-Commit-Position: refs/heads/master@{#522981}
Reviewed-on: https://chromium-review.googlesource.com/820673
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Original-Commit-Position: refs/branch-heads/3239_84@{#4}
Cr-Original-Branched-From: 8f51ed0e633e109109762a3deb18a50e8c138819-refs/branch-heads/3239@{#643}
Cr-Original-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
Reviewed-on: https://chromium-review.googlesource.com/823564
Cr-Commit-Position: refs/branch-heads/3239@{#669}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4/content/browser/loader/cross_site_document_blocking_browsertest.cc
[modify] https://crrev.com/2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4/content/common/site_isolation_policy.cc
[modify] https://crrev.com/2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4/content/common/site_isolation_policy.h
[modify] https://crrev.com/2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4/content/public/common/content_features.cc
[modify] https://crrev.com/2b6ff5ec5d927c2d41a50a63d7cb65b566dcefa4/content/public/common/content_features.h

Comment 11 by creis@chromium.org, Dec 13 2017

Status: Fixed (was: Started)
Fixed by r522981 and merged to both M64 and M63.

Comment 12 by lukasza@chromium.org, Dec 18 2017

Labels: -Merge-Approved-63-minibranch
All merges are already done - removing one of the labels to stop nag emails.

Sign in to add a comment