
Issue 811669

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 25
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocking:
issue 736308




[Code Health and Security] Too many Origin variables in Blink

Project Member Reported by tyoshino@chromium.org, Feb 13 2018

Issue description

There have been many variables around the resource loading logic in Blink.

This bug is for tracking the effort to unify them.

- ResourceRequest::requestor_origin_
- Resource::fetcher_security_origin_
- The Origin header value in ResourceRequest::http_header_fields_
- ResourceLoaderOptions::security_origin
- https://chromium-review.googlesource.com/c/chromium/src/+/897040 is going to introduce yet another security origin to Resource
 
Status: Started (was: Available)
My document summarizing origins is here: https://docs.google.com/document/d/1dUq3fUY67qp1_gQHwE9iaYfSlrxYAYbbPl-pQtePejo/edit?usp=sharing

I will unify them into one or two origins.

If we do not need to expose the bare origin to sandboxed frames, it will be one. Otherwise, two?
Project Member

Comment 2 by bugdroid1@chromium.org, Mar 12 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5cadf9ffb8602525f7c001f4222a472d9371e5a1

commit 5cadf9ffb8602525f7c001f4222a472d9371e5a1
Author: Takashi Toyoshima <toyoshim@chromium.org>
Date: Mon Mar 12 08:22:17 2018

OOR-CORS: unify Resource's fetcher security origin to the source origin

To simplify how Blink handles origins, I will remove the fetcher security
origin from the Resource. It was used for caching SW related meta data,
but the new source origin would match the concept better.

Bug: 803766, 811669
Change-Id: I872cbc33a640126bacfc79ff15f16b588d35fc02
Reviewed-on: https://chromium-review.googlesource.com/940286
Reviewed-by: Tsuyoshi Horo <horo@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542442}
[modify] https://crrev.com/5cadf9ffb8602525f7c001f4222a472d9371e5a1/third_party/WebKit/Source/platform/loader/fetch/Resource.cpp
[modify] https://crrev.com/5cadf9ffb8602525f7c001f4222a472d9371e5a1/third_party/WebKit/Source/platform/loader/fetch/Resource.h
[modify] https://crrev.com/5cadf9ffb8602525f7c001f4222a472d9371e5a1/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp

Labels: OOR-CORS
Owner: toyoshim@chromium.org
Labels: -Pri-3 Pri-1
This issue is blocking the correct implementation of out-of-renderer CORS.

https://docs.google.com/document/d/1oDggsR58kyntm4EuB9QXed0ijdF7nR9rpVI95ObZmTI/edit?usp=sharing
Blocking: 736308
Cc: arthurso...@chromium.org
Issue 625969 has been merged into this issue.
Cc: tyoshino@chromium.org creis@chromium.org dcheng@chromium.org nick@chromium.org horo@chromium.org
Issue 792154 has been merged into this issue.
Cc: hirosh...@chromium.org
I could not find it while chatting yesterday, but the doc in #c4 is the parent document of the other related documents.
Project Member

Comment 10 by bugdroid1@chromium.org, Sep 25

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/20a34133c595148668a91237dd2b468310aaa336

commit 20a34133c595148668a91237dd2b468310aaa336
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Tue Sep 25 06:55:59 2018

Unify origins on Resource, ResourceRequest and ResourceLoadOptions

blink::ResourceRequest::RequestorOrigin() has ignored iframe
sandboxing, but the reason why doing so is unknown even to OWNERS -
some comments say it's for site-for-cookies, but ResourceRequest
has a dedicated member for the concept, and there is no corresponding
concept of "RequestorOrigin" in the spec. Let's stop doing that, and
make it "request's origin" specified at
https://fetch.spec.whatwg.org/#concept-request-origin .

This CL also unifies ResourceRequest::RequestorOrigin with members that
are corresponding to "request's origin", i.e., Resource::source_origin_
and ResourceLoadOptions::security_origin.

This CL fixes some layout tests for outofblink-cors, because
network::CORSURLLoader uses network::ResourceRequest::request_initiator
which is corresponding to ResourceRequest::RequestorOrigin() as
"request's origin".

Bug: 867834, 811669, 879991, 870173
Change-Id: Ie42d38dcfcc16e0a56d8fb1029475b72bd45f2ca
Reviewed-on: https://chromium-review.googlesource.com/1213422
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593840}
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/public/platform/web_url_request.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/exported/web_associated_url_loader_impl.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/fetch/fetch_manager.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/base_fetch_context.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/base_fetch_context_test.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/frame_fetch_context.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/frame_fetch_context.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/frame_fetch_context_test.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/ping_loader.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/resource/image_resource.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/resource/image_resource.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/threadable_loader.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/threadable_loader.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/worker_fetch_context.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/loader/worker_fetch_context.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/core/xmlhttprequest/xml_http_request.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/modules/background_fetch/background_fetch_icon_loader.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/modules/eventsource/event_source.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/modules/notifications/notification_image_loader.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/fetch_parameters.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/memory_cache_correctness_test.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/memory_cache_test.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/raw_resource.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/raw_resource.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/raw_resource_test.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource_fetcher_test.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource_loader.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource_loader.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource_loader_options.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource_request.cc
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/fetch/resource_request.h
[modify] https://crrev.com/20a34133c595148668a91237dd2b468310aaa336/third_party/blink/renderer/platform/loader/subresource_integrity_test.cc

Owner: yhirano@chromium.org
Status: Fixed (was: Started)
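
The origin mismatch that the commit message in comment 10 describes, as an added example that is not part of the original issue or of Chromium's code: a simplified C++ model in which one CORS checker is fed an origin that ignores iframe sandboxing and another is fed the Fetch "request's origin". All type and function names and the sample origin are hypothetical, and that the two checkers previously received different values is an assumption drawn from the commit message.

```cpp
// Added illustration: hypothetical types and names, not Blink or
// network-service code.
#include <initializer_list>
#include <iostream>
#include <string>

// A tuple origin, or an opaque origin when `opaque` is true.
struct Origin {
  bool opaque;
  std::string tuple;  // constructed sample value: "https://app.example"
  // Fetch "serializing a request origin": an opaque origin becomes "null".
  std::string Serialize() const { return opaque ? "null" : tuple; }
};

// "Request's origin" per Fetch: the origin of the requesting context. A frame
// sandboxed without allow-same-origin has an opaque origin.
Origin RequestOrigin(const std::string& frame_origin, bool sandboxed) {
  return sandboxed ? Origin{true, ""} : Origin{false, frame_origin};
}

// Behaviour the commit message describes for the old RequestorOrigin():
// iframe sandboxing is ignored.
Origin LegacyRequestorOrigin(const std::string& frame_origin, bool /*sandboxed*/) {
  return Origin{false, frame_origin};
}

// Fetch CORS check for a request whose credentials mode is not "include".
bool CorsCheck(const Origin& origin, const std::string& allow_origin) {
  return allow_origin == "*" || allow_origin == origin.Serialize();
}

// True when a checker fed the legacy value and a checker fed the request's
// origin reach different verdicts for the same Access-Control-Allow-Origin.
bool ChecksDisagree(const std::string& frame_origin, bool sandboxed,
                    const std::string& allow_origin) {
  return CorsCheck(LegacyRequestorOrigin(frame_origin, sandboxed), allow_origin) !=
         CorsCheck(RequestOrigin(frame_origin, sandboxed), allow_origin);
}

int main() {
  const std::string frame = "https://app.example";  // constructed sample
  for (const char* acao : {"https://app.example", "null", "*"}) {
    std::cout << "ACAO=" << acao
              << " sandboxed disagree=" << ChecksDisagree(frame, true, acao)
              << " unsandboxed disagree=" << ChecksDisagree(frame, false, acao) << "\n";
  }
}
```

In this model the verdicts diverge only for the sandboxed frame and only when the response names a specific origin or `null`; once both checkers read the same request's origin, the divergence cannot occur.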
