New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 860802 link

Starred by 2 users
Status: Verified
Owner:
dcreager@chromium.org
Last visit > 30 days ago
Closed: Jul 27
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocking:
issue 704259



Sign in to add a comment

Reporting: Send CORS preflights for report uploads

Project Member Reported by dcreager@chromium.org, Jul 6 
From https://github.com/w3c/reporting/issues/41

Reporting uploads should send CORS preflight requests.  Couple of steps needed:

1. Group reports by the origin of the original request; each report upload should only contain reports for a single origin.

2. Update the uploader to send a CORS preflight (with the origin of the reports as the Origin header), and only upload the payload if the preflight request succeeds.

For #2, there is existing CORS preflight logic in Blink, and a new implementation being created in the network service.  Code in //net can't depend on either of those, so we'd need to add a new method to the ReportingDelegate to actually perform an upload (including the CORS preflight), and have the embedder pull in the dependencies and link everything together.

Another option would just be to implement the preflight request ourselves (like is current done for Expect-CT), at least as a stop-gap, until we fully integrate the Reporting stack into the Network Service.

Comment 1 by dcreager@chromium.org, Jul 6

Blocking: 704259
Project Member

Comment 2 by bugdroid1@chromium.org, Jul 10 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c98446b543d430c0ff39af497f626715719fe169

commit c98446b543d430c0ff39af497f626715719fe169
Author: Douglas Creager <dcreager@chromium.org>
Date: Tue Jul 10 18:19:31 2018

Reporting: Uploads should only contain a single origin

Per https://github.com/w3c/reporting/issues/41, a reporting upload
should only contain reports about a single origin.  This will allow us
to send a CORS preflight for that origin, if it differs from the origin
of the collector receiving the reports.

This patch also removes the notion of an endpoint being "pending".  In
the spec, a "pending endpoint" is one that has been taken out of the
rotation because of too many failures; we're handling this with a
per-endpoint BackoffEntry.  And now that we're creating separate
uploads for each origin that uses a collector, we don't want to penalize
any of them by serializing their uploads.

Bug:  860802 
Change-Id: I45cf905bd9ec3491e61aa0567c6dc0a19e957313
Reviewed-on: https://chromium-review.googlesource.com/1128599
Commit-Queue: Douglas Creager <dcreager@chromium.org>
Reviewed-by: Misha Efimov <mef@chromium.org>
Cr-Commit-Position: refs/heads/master@{#573815}
[modify] https://crrev.com/c98446b543d430c0ff39af497f626715719fe169/net/reporting/reporting_delivery_agent.cc
[modify] https://crrev.com/c98446b543d430c0ff39af497f626715719fe169/net/reporting/reporting_delivery_agent_unittest.cc
[modify] https://crrev.com/c98446b543d430c0ff39af497f626715719fe169/net/reporting/reporting_endpoint_manager.cc
[modify] https://crrev.com/c98446b543d430c0ff39af497f626715719fe169/net/reporting/reporting_endpoint_manager.h
[modify] https://crrev.com/c98446b543d430c0ff39af497f626715719fe169/net/reporting/reporting_endpoint_manager_unittest.cc
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 13 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3428d813dccf875e0bbc89771553701c36b55f99

commit 3428d813dccf875e0bbc89771553701c36b55f99
Author: Douglas Creager <dcreager@chromium.org>
Date: Fri Jul 13 03:59:56 2018

Reporting: Send CORS preflight before uploading reports

Per https://github.com/w3c/reporting/issues/41, we're supposed to send a
CORS preflight request before uploading reports, if the origin of the
reports is different than the origin of the collector.

There is existing CORS preflight code in both Blink and the Network
Service.  Code in //net isn't allowed to depend on either of those;
instead of using a delegate to handle the inverted dependency, we just
send out the preflight request by hand, just like the Expect-CT code
does.

Bug:  860802 
Change-Id: Ib20db54d3d2597d9fbacfe356e61cc6d3bc9d5fc
Reviewed-on: https://chromium-review.googlesource.com/1128600
Commit-Queue: Douglas Creager <dcreager@chromium.org>
Reviewed-by: Misha Efimov <mef@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574836}
[modify] https://crrev.com/3428d813dccf875e0bbc89771553701c36b55f99/net/reporting/reporting_delivery_agent.cc
[modify] https://crrev.com/3428d813dccf875e0bbc89771553701c36b55f99/net/reporting/reporting_test_util.cc
[modify] https://crrev.com/3428d813dccf875e0bbc89771553701c36b55f99/net/reporting/reporting_test_util.h
[modify] https://crrev.com/3428d813dccf875e0bbc89771553701c36b55f99/net/reporting/reporting_uploader.cc
[modify] https://crrev.com/3428d813dccf875e0bbc89771553701c36b55f99/net/reporting/reporting_uploader.h
[modify] https://crrev.com/3428d813dccf875e0bbc89771553701c36b55f99/net/reporting/reporting_uploader_unittest.cc
[modify] https://crrev.com/3428d813dccf875e0bbc89771553701c36b55f99/tools/metrics/histograms/enums.xml

Comment 4 by dcreager@chromium.org, Jul 27

Status: Verified (was: Assigned)

Sign in to add a comment