New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 880015 link

Starred by 1 user
Status: Fixed
Owner:
hirosh...@chromium.org
Closed: Sep 12
Cc:
mkwst@chromium.org
japhet@chromium.org
nhiroki@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security

Blocked on:
issue 880986
Blocking:
issue 880027



Sign in to add a comment

Security: Mixed content check is bypassed when loading Worklets

Project Member Reported by hirosh...@chromium.org, Sep 3 
VULNERABILITY DETAILS

When loading an HTTP worklet (with Access-Control-Allow-Origin: *) from an HTTPS Document, the worklet is NOT blocked due to mixed content check.

VERSION
Chrome Version: M69 or later.
Regression since: r562087 https://chromium-review.googlesource.com/c/chromium/src/+/1026945
Operating System: All (tested on Linux)

REPRODUCTION CASE

(0) Start local WPT server:
./third_party/blink/tools/run_blink_wptserve.py
and add "127.0.0.1 foobarbaz" to /etc/hosts
(1) Enable
chrome://flags/#enable-experimental-web-platform-features
(2) Open an HTTPS webpage, say, https://www.google.com/
(3) Open DevTools and execute:
CSS.layoutWorklet.addModule('http://foobarbaz:8001/worklets/resources/empty-worklet-script-with-cors-header.js').then(() => console.log("BAD")).catch(() => console.log("Good (rejected)"))

Expected:
"Good (rejected)" and a console error about mixed content.

Actual:
"BAD". No Mixed-Content error messages.

Please use labels and text to provide additional information.

The immediate cause for this issue is that WorkletGlobalScope's SecurityOrigin is used for mixed content check.
The WorkletGlobalScope's SecurityOrigin is opaque and thus no mixed-content checks are applied.
The Document's origin is HTTPS, and thus HTTP worklets are expected to be blocked as mixed content.

Using the SecurityOrigin of the parent Document instead of the worklet somehow fix this issue (reverting the effect of the regressing CL (r562087)), but this is not a complete solution.
Probably we have to implement
https://html.spec.whatwg.org/#https-state as specced.

Security team & Blink>SecurityFeature people, do we have to merge a fix for this CL into M69?

Comment 1 by hirosh...@chromium.org, Sep 3

Summary: Security: Mixed content check is bypassed when loading Worklets (was: Security: )

Comment 2 by hirosh...@chromium.org, Sep 3

Cc: mkwst@chromium.org

Comment 3 by mkwst@chromium.org, Sep 3

Labels: ReleaseBlock-Stable M-70
I don't think this blocks M69 stable, but if we can merge it back to M70, that would be excellent.

Comment 4 by hirosh...@chromium.org, Sep 3 

Related:  Issue 880023 .
Using the SecurityOrigin of the parent Document instead of the worklet fixes this issue but not  Issue 880023 .
Implementing https://html.spec.whatwg.org/#https-state will fix both issues.

Comment 5 by hirosh...@chromium.org, Sep 3

Blocking: 880027

Comment 6 by tsepez@chromium.org, Sep 4

Labels: Security_Severity-Medium
Project Member

Comment 7 by sheriffbot@chromium.org, Sep 5

Labels: Security_Impact-Beta

Comment 8 by hirosh...@chromium.org, Sep 6

Blockedon: 880986
Project Member

Comment 9 by sheriffbot@chromium.org, Sep 6 

This issue is marked as a release blocker with no OS labels associated. Please add an appropriate OS label.

All release blocking issues should have OS labels associated to it, so that the issue can tracked and promptly verified, once it gets fixed.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 10 by bugdroid1@chromium.org, Sep 7 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c

commit 85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Fri Sep 07 09:46:26 2018

Worker: Move UpgradeInsecureRequest() to PopulateResourceRequest()

Currently, UpgradeInsecureRequest() is called in
WorkerFetchContext::PrepareRequest(), which is called after
mixed content check.
Therefore, insecure requests are blocked as mixed content
before upgraded.

This CL moves the UpgradeInsecureRequest() call to
WorkerFetchContext::PopulateResourceRequest(), which is called
before mixed content check.
This is also consistent with FrameFetchContext, where
insecure request is upgraded in
FrameFetchContext::PopulateResourceRequest().

Bug: 880986,  880023 ,  880015 , 880027
Change-Id: I983a40eebda8d04698b70d8c29e3707d4dcdf838
Reviewed-on: https://chromium-review.googlesource.com/1205750
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589478}
[modify] https://crrev.com/85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c/third_party/blink/renderer/core/loader/worker_fetch_context.cc

Comment 11 by mpdenton@google.com, Sep 10

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Adding affected OS's :)
Project Member

Comment 12 by bugdroid1@chromium.org, Sep 11 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a4a8feb2ce11b24b5330aace67081d8446b9ffa3

commit a4a8feb2ce11b24b5330aace67081d8446b9ffa3
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Tue Sep 11 07:24:29 2018

Implement HTTPS state

To make mixed content check more spec-conformant,
this CL makes mixed content check in Workers/Worklets
take into account whether the parent contexts are HTTPS or not,
in addition to their SecurityOrigin, by
- Implementing HTTPS state spec concept in ExecutionContext, i.e.
  Document
    https://html.spec.whatwg.org/#concept-document-https-state
  WorkerGlobalScope
    https://html.spec.whatwg.org/#concept-workerglobalscope-https-state
  WorkletGlobalScope
    https://drafts.css-houdini.org/worklets/#set-up-a-worklet-environment-settings-object
- Plumbing outside Settings's HTTP state to Worker/WorkletGlobalScope
  via GlobalScopeCreationParams, and
- Plumbing HTTP state from Worker/WorkletGlobalScope to WorkerFetchContext
  via FetchClientSettingsObjectImpl, and
  https://html.spec.whatwg.org/#https-state
- Using it for mixed content check instead of SecurityOrigin.
  https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object

While this is still not completely spec-conformant, mixed content
check becomes stricter: for top-level worklet scripts and
subresource requests from data: URL workers created from HTTPS Documents,
HTTP requests will be blocked after this CL.

Bug: 880986,  880023 ,  880015 
Change-Id: I4a43e2ee424177e93b0d7da40c2c1b8891cdced3
Reviewed-on: https://chromium-review.googlesource.com/1208390
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590225}
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/dom/document.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/execution_context/execution_context.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/exported/web_shared_worker_impl.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/layout/custom/layout_worklet_global_scope_proxy.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/mixed_content_checker.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/mixed_content_checker.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/worker_fetch_context.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/worker_fetch_context.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/testing/null_execution_context.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/dedicated_worker.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/dedicated_worker_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/experimental/thread_pool.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/global_scope_creation_params.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/main_thread_worklet_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/threaded_worklet_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_global_scope.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_global_scope.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_thread_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_thread_test_helper.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worklet_global_scope.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worklet_global_scope.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/animationworklet/animation_worklet_global_scope_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/animationworklet/animation_worklet_thread_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/csspaint/paint_worklet_global_scope_proxy.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/exported/web_embedded_worker_impl.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/webaudio/audio_worklet_global_scope_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/webaudio/audio_worklet_thread_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/platform/loader/BUILD.gn
[add] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/platform/loader/fetch/https_state.cc
[add] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/platform/loader/fetch/https_state.h
Project Member

Comment 13 by bugdroid1@chromium.org, Sep 11 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/265401169e6adeb8b12d8e5eb4bc901c30baca87

commit 265401169e6adeb8b12d8e5eb4bc901c30baca87
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Tue Sep 11 08:45:22 2018

Add more WPT tests for mixed-content check in workers/worklets (1/2)

This CL adds test code for more worker/worklet-related cases
to mixed-content/ WPT tests:
- module-worker-top-level (outsideSettings of https: module script)
- module-data-worker-import (outsideSettings of data: worker)
- classic-data-worker-fetch (insideSettings of data: worker)
- worklet-*-top-level (outsideSettings of https: worklets)
- worklet-*-data-import (outsideSettings of data: worklets)

Actual generated tests is added in a separate CL
https://chromium-review.googlesource.com/1212746
for easier code review.

These tests are for
https://chromium-review.googlesource.com/1208390.

Bug: 880986,  880023 ,  880015 
Change-Id: I07eb96cffec889103bf437813180127644466af8
Reviewed-on: https://chromium-review.googlesource.com/1212744
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590239}
[modify] https://crrev.com/265401169e6adeb8b12d8e5eb4bc901c30baca87/third_party/WebKit/LayoutTests/external/wpt/mixed-content/generic/common.js
[modify] https://crrev.com/265401169e6adeb8b12d8e5eb4bc901c30baca87/third_party/WebKit/LayoutTests/external/wpt/mixed-content/generic/mixed-content-test-case.js
Project Member

Comment 14 by bugdroid1@chromium.org, Sep 11 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3406a529402145060b321fb3e2ba68cede12ee8

commit d3406a529402145060b321fb3e2ba68cede12ee8
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Tue Sep 11 17:24:33 2018

Add more WPT tests for mixed-content check in workers/worklets (2/2)

This CL adds generated files for test cases added in
https://chromium-review.googlesource.com/1212744.

Only manual change in this CL is mixed-content/spec.src.json
and all other files are generated by generic/tools/generate.py.

Bug: 880986,  880023 ,  880015 
Change-Id: I7be98407c527883176ab6a2e9cfc1fedb1f8bfbe
Reviewed-on: https://chromium-review.googlesource.com/1212746
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590369}
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/meta-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/meta-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/meta-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[modify] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec.src.json
[modify] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec_json.js
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wp

Comment 15 by hirosh...@chromium.org, Sep 12

Status: Fixed (was: Started)
Landed on 71.0.3550.0. Confirmed fixed (Test Case #0) on local build on Linux.

Merge is requested in  Issue 880023 .
Project Member

Comment 16 by sheriffbot@chromium.org, Sep 13

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 17 by bugdroid1@chromium.org, Sep 17

Labels: merge-merged-3538
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6ecbff63d7872264433cb0fa827e880342c10072

commit 6ecbff63d7872264433cb0fa827e880342c10072
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Mon Sep 17 19:16:33 2018

Worker: Move UpgradeInsecureRequest() to PopulateResourceRequest()

Currently, UpgradeInsecureRequest() is called in
WorkerFetchContext::PrepareRequest(), which is called after
mixed content check.
Therefore, insecure requests are blocked as mixed content
before upgraded.

This CL moves the UpgradeInsecureRequest() call to
WorkerFetchContext::PopulateResourceRequest(), which is called
before mixed content check.
This is also consistent with FrameFetchContext, where
insecure request is upgraded in
FrameFetchContext::PopulateResourceRequest().

Bug: 880986,  880023 ,  880015 , 880027
Change-Id: I983a40eebda8d04698b70d8c29e3707d4dcdf838
Reviewed-on: https://chromium-review.googlesource.com/1205750
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#589478}(cherry picked from commit 85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c)
Reviewed-on: https://chromium-review.googlesource.com/1228779
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#452}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/6ecbff63d7872264433cb0fa827e880342c10072/third_party/blink/renderer/core/loader/worker_fetch_context.cc
Project Member

Comment 18 by bugdroid1@chromium.org, Sep 17 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/42d55dd557267d39290e04146df83edf8d11b43b

commit 42d55dd557267d39290e04146df83edf8d11b43b
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Mon Sep 17 19:47:12 2018

Implement HTTPS state

To make mixed content check more spec-conformant,
this CL makes mixed content check in Workers/Worklets
take into account whether the parent contexts are HTTPS or not,
in addition to their SecurityOrigin, by
- Implementing HTTPS state spec concept in ExecutionContext, i.e.
  Document
    https://html.spec.whatwg.org/#concept-document-https-state
  WorkerGlobalScope
    https://html.spec.whatwg.org/#concept-workerglobalscope-https-state
  WorkletGlobalScope
    https://drafts.css-houdini.org/worklets/#set-up-a-worklet-environment-settings-object
- Plumbing outside Settings's HTTP state to Worker/WorkletGlobalScope
  via GlobalScopeCreationParams, and
- Plumbing HTTP state from Worker/WorkletGlobalScope to WorkerFetchContext
  via FetchClientSettingsObjectImpl, and
  https://html.spec.whatwg.org/#https-state
- Using it for mixed content check instead of SecurityOrigin.
  https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object

While this is still not completely spec-conformant, mixed content
check becomes stricter: for top-level worklet scripts and
subresource requests from data: URL workers created from HTTPS Documents,
HTTP requests will be blocked after this CL.

TBR=mkwst@chromium.org, nhiroki@chromium.org

(cherry picked from commit a4a8feb2ce11b24b5330aace67081d8446b9ffa3)

Bug: 880986,  880023 ,  880015 
Change-Id: I4a43e2ee424177e93b0d7da40c2c1b8891cdced3
Reviewed-on: https://chromium-review.googlesource.com/1208390
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#590225}
Reviewed-on: https://chromium-review.googlesource.com/1228491
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#455}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/dom/document.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/execution_context/execution_context.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/exported/web_shared_worker_impl.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/layout/custom/layout_worklet_global_scope_proxy.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/mixed_content_checker.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/mixed_content_checker.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/worker_fetch_context.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/worker_fetch_context.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/testing/null_execution_context.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/dedicated_worker.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/dedicated_worker_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/global_scope_creation_params.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/main_thread_worklet_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/threaded_worklet_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_global_scope.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_global_scope.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_thread_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_thread_test_helper.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worklet_global_scope.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worklet_global_scope.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/animationworklet/animation_worklet_global_scope_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/animationworklet/animation_worklet_thread_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/csspaint/paint_worklet_global_scope_proxy.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/exported/web_embedded_worker_impl.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/webaudio/audio_worklet_global_scope_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/webaudio/audio_worklet_thread_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/platform/loader/BUILD.gn
[add] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/platform/loader/fetch/https_state.cc
[add] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/platform/loader/fetch/https_state.h

Comment 19 by awhalley@google.com, Sep 25

Labels: -ReleaseBlock-Stable
Project Member

Comment 20 by sheriffbot@chromium.org, Dec 20

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment