XSDB: Check origin rather than site
Issue description

Chrome Version: 65.0.3314.0
OS: Win/Mac/Linux/ChromeOS

What steps will reproduce the problem?
(1) Start Chrome with --site-per-process
(2) Visit http://tests.netsekure.org/
(3) Open DevTools and type the following into the Console:
    var i = document.createElement("img");
    i.src = "http://netsekure.org";

What is the expected result?
There should be a console message for the response being blocked, since it is cross-origin and not allowed by CORS. Similarly, there should be a SiteIsolation.XSD.Browser.Blocked event in chrome://histograms.

What happens instead?
No console message appears, and the response is not blocked by the browser process (i.e., there is no SiteIsolation.XSD.Browser.Blocked event in chrome://histograms).

This is because the blocking logic in CrossSiteDocumentClassifier::IsSameSite is currently site-based. We should be able to make it origin-based without breaking anything, since we're currently assuming (per issue 786505) that the renderer isn't compromised anyway. Making it origin-based means it will apply to --isolate-origins cases as well.

As we add process-level enforcements in issue 268640 to handle compromised renderers, we can keep the origin-based checks but we simply won't catch any cases where a compromised renderer lies to request other parts of its own site/origin.
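The report turns on the difference between a site-based and an origin-based check. The following is an added example, not Chromium's own code, that models the XSDB decision in a few lines so the repro can be traced by hand: the initiator tests.netsekure.org and the resource netsekure.org share a site (scheme plus registrable domain) but not an origin, so a site-based classifier lets the text/html response through while an origin-based one blocks it. The public-suffix subset, the set of "sensitive" MIME types, and the names siteOf, originOf, allowedByCors and shouldBlock are all assumptions made for this example; Chromium's real classifier uses the full public suffix list and its own MIME tables, and document.domain is deliberately not modelled.

```javascript
// Added example (not Chromium code): simplified model of the XSDB decision.
// ASSUMPTION: this public-suffix subset and MIME list are illustrative only.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]); // constructed
const SENSITIVE_TYPES = new Set([
  "text/html", "text/xml", "application/xml", "application/json", "text/json",
]);

// Origin = scheme://host[:port]; URL.origin drops default ports for us.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Site in the Chromium sense: scheme + registrable domain (eTLD+1).
function siteOf(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split(".");
  // Find the longest public suffix, then keep exactly one more label.
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return `${u.protocol}//${labels.slice(i).join(".")}`;
    }
  }
  return `${u.protocol}//${u.hostname}`; // unknown suffix: whole host is the site
}

// A response is exempt when Access-Control-Allow-Origin names the initiator
// origin exactly or is "*" (credentialed "*" subtleties are out of scope here).
function allowedByCors(initiatorOrigin, responseHeaders) {
  const headers = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const acao = headers["access-control-allow-origin"];
  return acao === "*" || acao === initiatorOrigin;
}

// policy: "site" models the pre-CL IsSameSite check, "origin" the post-CL one.
function shouldBlock({ initiatorUrl, resourceUrl, contentType, responseHeaders = {} }, policy) {
  const mime = contentType.split(";")[0].trim().toLowerCase();
  if (!SENSITIVE_TYPES.has(mime)) return false;         // images etc. always pass

  const initiatorOrigin = originOf(initiatorUrl);
  const same = policy === "site"
    ? siteOf(initiatorUrl) === siteOf(resourceUrl)
    : initiatorOrigin === originOf(resourceUrl);
  if (same) return false;                                // same site/origin: not XSDB's job

  if (allowedByCors(initiatorOrigin, responseHeaders)) return false;
  return true;
}

// The report's repro: an <img> on http://tests.netsekure.org/ fetching
// http://netsekure.org, which answers with text/html and no CORS header.
const repro = {
  initiatorUrl: "http://tests.netsekure.org/",
  resourceUrl: "http://netsekure.org/",
  contentType: "text/html; charset=utf-8",
};

function reproResults() {
  return {
    siteBased: shouldBlock(repro, "site"),      // false: same site, slips through
    originBased: shouldBlock(repro, "origin"),  // true: cross-origin, blocked
  };
}

console.log(reproResults());
```

Run with node; the site-based policy returns false for the repro because both hosts reduce to http://netsekure.org, and the origin-based policy returns true. Adding an Access-Control-Allow-Origin header that names http://tests.netsekure.org flips the origin-based result back to false, which is the CORS exemption the report's expected-result wording refers to.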
Jan 18 2018
Just wanted to double-check that:
- document.domain should have no impact on XSDB. For example, AFAICT XHRs are still subject to a strict SOP and are not impacted by document.domain changes. Is it fair to assume that the same is true for other resource types like RESOURCE_TYPE_SUB_RESOURCE, RESOURCE_TYPE_WORKER, RESOURCE_TYPE_SHARED_WORKER, etc.?
- blocking of same-site, cross-origin RESOURCE_TYPE_PREFETCH responses is okay (because the browser-side [or network-process/service-side] cache would still be populated, even if the response body doesn't reach a renderer process)

If the above sounds okay, then I think I'd be able to put together a CL that implements this.
Jan 18 2018
WIP CLs @:
- https://crrev.com/c/874752: XSDB: Check origin rather than site.
- https://crrev.com/c/875004: Inline IsSameOrigin method + remove unused arg of IsValidCorsHeaderSet.
Jan 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d

commit 2b21b95ab393d18a1b67c2b7fcdf265218f89f2d
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Wed Jan 24 17:38:38 2018

    XSDB: Check origin rather than site.

    The browser currently blocks responses of sensitive types (e.g. text/html, text/json) from reaching a cross-site renderer. After this CL, the blocking will be extended to cross-*origin* renderers.

    The CL modifies cross-site into cross-origin checks for:
    - initiator frame's origin VS resource URL
    - initiator frame's origin VS CORS response

    Bug: 800137
    Change-Id: I19c3dab75360d3494bb4525060682abc9939bf80
    Reviewed-on: https://chromium-review.googlesource.com/874752
    Reviewed-by: Charlie Reis <creis@chromium.org>
    Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#531588}

[modify] https://crrev.com/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d/content/browser/loader/cross_site_document_resource_handler_unittest.cc
[modify] https://crrev.com/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d/content/common/cross_site_document_classifier.cc
[modify] https://crrev.com/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d/content/common/cross_site_document_classifier.h
[modify] https://crrev.com/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d/content/common/cross_site_document_classifier_unittest.cc
[modify] https://crrev.com/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d/content/renderer/loader/site_isolation_stats_gatherer.cc
[modify] https://crrev.com/2b21b95ab393d18a1b67c2b7fcdf265218f89f2d/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
Jan 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e4d11e92042e137af688e4a941ebe5785bd8ec75

commit e4d11e92042e137af688e4a941ebe5785bd8ec75
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Wed Jan 24 19:48:37 2018

    Inline IsSameOrigin method + remove unused arg of IsValidCorsHeaderSet.

    Bug: 800137
    Change-Id: I7e69b12cb914519f7ae47b234e6db2477d803d2d
    Reviewed-on: https://chromium-review.googlesource.com/875004
    Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
    Reviewed-by: Charlie Reis <creis@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#531651}

[modify] https://crrev.com/e4d11e92042e137af688e4a941ebe5785bd8ec75/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/e4d11e92042e137af688e4a941ebe5785bd8ec75/content/common/cross_site_document_classifier.cc
[modify] https://crrev.com/e4d11e92042e137af688e4a941ebe5785bd8ec75/content/common/cross_site_document_classifier.h
[modify] https://crrev.com/e4d11e92042e137af688e4a941ebe5785bd8ec75/content/common/cross_site_document_classifier_unittest.cc
[modify] https://crrev.com/e4d11e92042e137af688e4a941ebe5785bd8ec75/content/renderer/loader/site_isolation_stats_gatherer.cc
Jan 30 2018
Comment 1 by abdulsyed@google.com, Jan 9 2018