Issue 802835

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 2
Type: Bug

Blocked on:
issue 806996

Blocking:
issue 268640

Enable cross-site document blocking by default

Project Member Reported by creis@chromium.org, Jan 16 2018

Issue description

In issue 786505, we added logic to block network responses with cross-site HTML, XML, and JSON documents from the renderer process, but we only enabled it in Site Isolation modes. This logic is necessary for Site Isolation's goals (to prevent leaking sensitive data from other sites), but it's useful to help against cross-site script inclusion (XSSI) attacks as well, even when Site Isolation is not enabled.

This bug tracks enabling the logic in Chrome by default. We'll need to monitor the current stats from blocking to make sure it does not have a compatibility impact, and we should send a Blink intent to discuss.

Context:
http://www.chromium.org/developers/design-documents/blocking-cross-site-documents
https://www.chromium.org/Home/chromium-security/site-isolation#TOC-Recommendations-for-Web-Developers
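
As an added example (not part of the original issue and not Chromium's code), a site owner can audit whether endpoints that return user data are labelled as one of the HTML, XML or JSON document types the description names. The function names, status strings and sample endpoints are assumptions made for illustration; the model covers only those three categories plus the `X-Content-Type-Options: nosniff` header.

```javascript
// Added illustration, not Chromium code; all names below are hypothetical.
// Maps a Content-Type value onto the HTML / XML / JSON document categories
// named in the issue description. Other types are outside this model.
function documentCategory(contentType) {
  if (!contentType) return null;
  const mime = contentType.split(";")[0].trim().toLowerCase();
  if (mime === "text/html") return "html";
  if (mime === "image/svg+xml") return null; // an image format, not a data document
  if (mime === "text/xml" || mime === "application/xml" || mime.endsWith("+xml")) return "xml";
  if (mime === "text/json" || mime === "application/json" || mime.endsWith("+json")) return "json";
  return null;
}

// Audits one response's headers (object keyed by lower-case header name).
// "labelled" without nosniff means the browser has to sniff the body to
// confirm the declared type before it can treat the response as a document.
function auditResponse(headers) {
  const category = documentCategory(headers["content-type"]);
  const nosniff =
    (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  if (category === null) return { category, status: "unlabelled" };
  return { category, status: nosniff ? "labelled+nosniff" : "labelled" };
}

// Constructed sample data: endpoints of an imaginary site that return user data.
const SAMPLE_RESPONSES = [
  { url: "/api/profile", headers: { "content-type": "application/json; charset=utf-8", "x-content-type-options": "nosniff" } },
  { url: "/api/orders", headers: { "content-type": "application/json" } },
  { url: "/export/feed", headers: { "content-type": "application/atom+xml", "x-content-type-options": "nosniff" } },
  { url: "/api/legacy", headers: { "content-type": "application/octet-stream" } },
  { url: "/account", headers: { "content-type": "Text/HTML" } },
];

// Returns the endpoints a developer should fix, with the reason.
function findingsFor(responses) {
  return responses
    .map((r) => ({ url: r.url, ...auditResponse(r.headers) }))
    .filter((f) => f.status !== "labelled+nosniff")
    .map((f) => `${f.url}: ${f.status}`);
}

console.log(findingsFor(SAMPLE_RESPONSES).join("\n"));
```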
 

Comment 1 by nasko@chromium.org, Mar 2 2018

Labels: Proj-SiteIsolation-LaunchBlocking

Comment 2 by creis@chromium.org, Mar 8 2018

Blockedon: 806996
Labels: M-67
Owner: lukasza@chromium.org
Status: Assigned (was: Available)
Assigning to lukasza@, who has started the spec discussions (see issue 806996 and https://github.com/whatwg/fetch/issues/681).

Comment 3 by bugdroid1@chromium.org, Apr 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/600b23533ba7727e1d62886faff6490f7449cbe1

commit 600b23533ba7727e1d62886faff6490f7449cbe1
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Wed Apr 25 23:58:22 2018

Enable Cross-Origin Read Blocking (CORB) by default.

Blink Intent to Implement and Ship discussion and approval happened in
https://groups.google.com/a/chromium.org/d/topic/blink-dev/hnAWBzq1qys/discussion

Bug: 802835
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I608817ddbbf538f5074774715eeb9b27920c1bf7
Reviewed-on: https://chromium-review.googlesource.com/1028356
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#553830}
[modify] https://crrev.com/600b23533ba7727e1d62886faff6490f7449cbe1/content/browser/loader/cross_site_document_blocking_browsertest.cc
[modify] https://crrev.com/600b23533ba7727e1d62886faff6490f7449cbe1/content/public/common/content_features.cc
[modify] https://crrev.com/600b23533ba7727e1d62886faff6490f7449cbe1/testing/buildbot/filters/mojo.fyi.network_content_browsertests.filter
[modify] https://crrev.com/600b23533ba7727e1d62886faff6490f7449cbe1/third_party/WebKit/LayoutTests/FlagExpectations/enable-features=NetworkService
[modify] https://crrev.com/600b23533ba7727e1d62886faff6490f7449cbe1/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/block_cross_site_document_load-expected.txt

Comment 4 by bugdroid1@chromium.org, Apr 26 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c63b1ab1c371924f6007b7d01244f8ad92d2c4d5

commit c63b1ab1c371924f6007b7d01244f8ad92d2c4d5
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Thu Apr 26 23:49:24 2018

Remove WPT failure expectations for (now enabled by default) CORB.

The failure expectations for some wpt/fetch/corb/*tentative* tests were
only needed while CORB was still disabled by default.  These test
expectations can be removed now, because CORB is enabled by default
since r553830.

Bug: 802835
Change-Id: If09646e3cfec268e2a9ec72aa870d8fa2a4460e3
Reviewed-on: https://chromium-review.googlesource.com/1030612
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554192}
[modify] https://crrev.com/c63b1ab1c371924f6007b7d01244f8ad92d2c4d5/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
[modify] https://crrev.com/c63b1ab1c371924f6007b7d01244f8ad92d2c4d5/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/c63b1ab1c371924f6007b7d01244f8ad92d2c4d5/third_party/WebKit/LayoutTests/external/wpt/fetch/corb/README.md
[modify] https://crrev.com/c63b1ab1c371924f6007b7d01244f8ad92d2c4d5/third_party/WebKit/LayoutTests/external/wpt/fetch/corb/img-mime-types-coverage.tentative.sub.html

Labels: -M-67 M-68
Status: Fixed (was: Assigned)

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Sep 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fb46cf461915c156e955748431ce7f5127b54f4c

commit fb46cf461915c156e955748431ce7f5127b54f4c
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Thu Sep 20 16:58:02 2018

Remove features::kCrossSiteDocumentBlocking...

Cross-Origin Read Blocking (CORB) was enabled by default in 68.0.3410.0.
Since this feature shipped quite a while ago, it seems that now is a
good time to remove the code responsible for enabling/disabling the
feature.

Bug: 802835
Change-Id: I11b3058447607b31cb27a3e7dbc8db137411d7b8
Reviewed-on: https://chromium-review.googlesource.com/1228485
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#592840}
[modify] https://crrev.com/fb46cf461915c156e955748431ce7f5127b54f4c/content/browser/loader/cross_site_document_blocking_browsertest.cc
[modify] https://crrev.com/fb46cf461915c156e955748431ce7f5127b54f4c/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/fb46cf461915c156e955748431ce7f5127b54f4c/content/public/browser/site_isolation_policy.cc
[modify] https://crrev.com/fb46cf461915c156e955748431ce7f5127b54f4c/content/public/browser/site_isolation_policy.h
[modify] https://crrev.com/fb46cf461915c156e955748431ce7f5127b54f4c/content/public/common/content_features.cc
[modify] https://crrev.com/fb46cf461915c156e955748431ce7f5127b54f4c/content/public/common/content_features.h
