TAO not working when multiple "Timing-Allow-Origin: *" headers are present in the HTTP header
Reported by
ug...@akamai.com,
Apr 14 2018
|
|||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Steps to reproduce the problem: 1. Visit http://dev.utkarshgoel.in/index_nonminify.html and monitor the network activity in the devTools. This page downloads resources from three origins: dev.utkarshgoel.in, dev1.utkarshgoel, and dev2.utkarshgoel.in. Resources downloaded from all three origins have the "Timing-Allow-Origin: *" HTTP header present. In my testcase, I made the server add multiple "Timing-Allow-origin: *" headers for the origin "dev2.utkarshgoel.in". 2. To check whether the Resource Timing data shows timing information for the resource downloaded from dev2.utkarshgoel.in, in the console tab of devTools, type: >performance.getEntries("resource")[6]['name'] to know the URL of the resource downloaded from dev2.utkarshgoel.in, Next, type in the console: > performance.getEntries("resource")[6]['domainLookupStart'] to know the value of the start time of the DNS lookup You will find that the start time of the DNS lookup has a value equal to 0, even when the "Timing-Allow-Origin: *" header was present for this resource's HTTP header. 3. Next, in the console, type: >performance.getEntries("resource")[5]['name'] This will provide the URL of the resource loaded from dev1.utkarshgoel.in, which has exactly one occurrence of the "Timing-Allow-Origin: *" header. Now in the console, type: > performance.getEntries("resource")[5]['domainLookupStart'] This will give you the start time of the DNS lookup for dev1.utkarshgoe.in, which is a value greater than 0. This indicates that the Timing-Allow-Origin worked as expected for the origin dev1.utkarshgoel.in, allowing the origin "dev.utkarshgoel.in" to access the timing information for the resource from "dev1.utkarshgoel.in". What is the expected behavior? The browser should have made available the timing information for the resource downloaded from the origin "dev2.utkarshgoel.in" because it had the "Timing-Allow-Origin: *" present in the HTTP header What went wrong? Since the browser received multiple "Timing-Allow-Origin: *" headers, it concatenated the values present on all the "Timing-Allow-Origin" header, which resulted in the final value of "*, *". This value neither matched the origin name "dev.utkarshgoel.in" nor it matched the wildcard hostname "*". Did this work before? No Does this work in other browsers? No The same bug applies in Webkit (Safari). Please follow the steps below to reproduce the bug in Safari. Chrome version: 65.0.3325.181 Channel: stable OS Version: OS X 10.11.6 Flash Version: This bug is related to the Resource timing API
,
Apr 14 2018
It seems that the resource downloaded from the origin "dev2.utkarshgoel.in" is not always the sixth resource in the resource timing data. Therefore, for step 2 of reproducing the bug, observe the network activity as the page loads to identify the resource downloaded from the origin "dev2.utkarshgoel.in". The resource should be http://dev2.utkarshgoel.in/docs/utkarsh-goel-resume.pdf and should have two occurrences of the header "Timing-Allow-Origin: *". Next, type in the console: performance.getEntries("resource") to check the value of "domainLookupStart" for this resource. This value will be 0. For step 3, observe the network activity to identify the resource downloaded form the origin "dev1.utkarshgoel.in". This resource should be http://dev1.utkarshgoel.in/misc.html and has only one occurrence of the "Timing-Allow-Origin: *" header In the console, type: performance.getEntries("resource") and find this resource's "domainLookupStart" value. This value will be greater than 0 - indicating that the TAO worked as expected.
,
Apr 14 2018
,
Apr 14 2018
Looking into the issue, it seems that PassesTimingAllowCheck[1] is not spec compliant: * It splits the values on spaces rather than commas (so the implementation was not aligned to the spec change regarding that) * It performs the "*" check only before the split, and not on each value after it. [1] https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/timing/performance.cc?q=PassesTimingAllowC&sq=package:chromium&l=265
,
Apr 14 2018
,
Apr 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d65176dd732b75aa98260798276930ebcf9523b8 commit d65176dd732b75aa98260798276930ebcf9523b8 Author: Yoav Weiss <yoav@yoav.ws> Date: Thu Apr 19 19:50:33 2018 [Resource Timing] Align TAO parsing to spec TAO parsing had two issues: * It was splitting the host values on whitespace rather than a comma. This used to be the specified behavior, but changed in https://github.com/w3c/resource-timing/pull/68 * When it was checking the different hosts in the host list, it was not checking for "*" as a possible value. This CL fixes those two issues and aligns the test expectations accordingly. Bug: 651861 , 833032 , 626703 Change-Id: I8a3b7e705ed7089719ad0f52607363392c7de934 Reviewed-on: https://chromium-review.googlesource.com/1013409 Reviewed-by: Nicolás Peña Moreno <npm@chromium.org> Commit-Queue: Yoav Weiss <yoav@yoav.ws> Cr-Commit-Position: refs/heads/master@{#552127} [modify] https://crrev.com/d65176dd732b75aa98260798276930ebcf9523b8/third_party/WebKit/LayoutTests/TestExpectations [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/external/wpt/resource-timing/resource_TAO_match_origin-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/external/wpt/resource-timing/resource_TAO_match_wildcard-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/external/wpt/resource-timing/resource_TAO_multi-expected.txt [modify] https://crrev.com/d65176dd732b75aa98260798276930ebcf9523b8/third_party/WebKit/LayoutTests/external/wpt/resource-timing/resources/TAOResponse.py [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/platform/linux/external/wpt/resource-timing/resource_TAO_space-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/platform/mac-mac10.10/external/wpt/resource-timing/resource_TAO_space-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/platform/mac-mac10.11/external/wpt/resource-timing/resource_TAO_space-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/platform/mac-retina/external/wpt/resource-timing/resource_TAO_space-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/platform/mac/external/wpt/resource-timing/resource_TAO_space-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/platform/win/external/wpt/resource-timing/resource_TAO_space-expected.txt [delete] https://crrev.com/c976e6be607f2cde894a9933feffe6736e5b9192/third_party/WebKit/LayoutTests/platform/win7/external/wpt/resource-timing/resource_TAO_space-expected.txt [modify] https://crrev.com/d65176dd732b75aa98260798276930ebcf9523b8/third_party/blink/renderer/core/timing/performance.cc
,
Apr 19 2018
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 Deleted