
Issue 880023


Issue metadata

Status: Fixed
Owner:
Closed: Sep 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security

Blocked on:
issue 880986




Security: Mixed content check is bypassed in data: workers created from HTTPS Documents

Reported by hirosh...@chromium.org, Sep 3

Issue description

VULNERABILITY DETAILS

If an HTTPS Document creates a data: worker, and then the worker accesses HTTP subresources (e.g. via Fetch API), mixed content check is not applied to those subresources.

This enables HTTPS pages to have access to HTTP resources by creating data: workers.

According to the spec, this seems to be implemented via HTTPS State propagated from HTTPS Document to data: workers.

VERSION
Chrome Version: 62.0.3189.0 or later.
First bad CL: r495097 https://chromium-review.googlesource.com/567845
Operating System: All (Tested on Linux)

REPRODUCTION CASE

(0) Start local WPT server:
./third_party/blink/tools/run_blink_wptserve.py
and add "127.0.0.1 foobarbaz" to /etc/hosts
(1) Open an HTTPS webpage, say, https://www.google.com/
(2) Open DevTools and execute:
var w = new Worker('data:text/javascript,fetch("http://foobarbaz:8001/worklets/resources/empty-worklet-script-with-cors-header.js", {mode: "cors"}).then(r => postMessage("Bad (resolved)"), r => postMessage("Good (rejected)"));')
w.onerror = () => console.log("ERROR");
w.onmessage = (r) => console.log(r.data);

Expected:
Good (rejected)

Actual:
Bad (resolved)

Related: Issue 880015 (both issues have the root cause that Chromium doesn't implement the mixed content checker based on HTTPS state).

 
Cc: japhet@chromium.org
Labels: ReleaseBlock-Stable Security_Severity-Medium M-70 Security_Impact-Stable
Thanks for tracking this down. Am I correct in assuming that fixing the one will fix the other (given the ways in which the fake document works for both dedicated workers and worklets)?

This seems similar in severity; if we can fix it in 70, that would be excellent.
> #2
> fixing the one will fix the other

Not necessarily;
For example, Issue 880015 can be fixed by using a more appropriate SecurityOrigin (i.e. the parent Document's origin, which is anyway correct/needed for other issues), but this issue cannot (as SecurityOrigin itself doesn't contain the information whether the parent Document is HTTP or HTTPS, and accessing the parent Document's origin in this case doesn't align with the spec).

Given the severity is similar in these two issues, I'll explore a way that fixes the both issues, like implementing https://html.spec.whatwg.org/#https-state correctly (right now not sure whether it is feasible/mergeable though).

Note: These HTTP resources in the two issues are now loaded off-the-main-thread (and enabling off-the-main-thread fetch caused the regressions), i.e. without accessing the parent Document, and mixed content is checked primarily based on a SecurityOrigin (See MixedContentChecker::IsMixedContent()).
Er, this issue also seems to exist in Firefox 52.8.1.
Status: Started (was: Assigned)
Blockedon: 880986

Comment 7 by sheriffbot@chromium.org, Sep 6

This issue is marked as a release blocker with no OS labels associated. Please add an appropriate OS label.

All release blocking issues should have OS labels associated with them, so that the issue can be tracked and promptly verified once it gets fixed.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by bugdroid1@chromium.org, Sep 7

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c

commit 85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Fri Sep 07 09:46:26 2018

Worker: Move UpgradeInsecureRequest() to PopulateResourceRequest()

Currently, UpgradeInsecureRequest() is called in
WorkerFetchContext::PrepareRequest(), which is called after
mixed content check.
Therefore, insecure requests are blocked as mixed content
before upgraded.

This CL moves the UpgradeInsecureRequest() call to
WorkerFetchContext::PopulateResourceRequest(), which is called
before mixed content check.
This is also consistent with FrameFetchContext, where
insecure request is upgraded in
FrameFetchContext::PopulateResourceRequest().

Bug: 880986, 880023, 880015, 880027
Change-Id: I983a40eebda8d04698b70d8c29e3707d4dcdf838
Reviewed-on: https://chromium-review.googlesource.com/1205750
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589478}
[modify] https://crrev.com/85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c/third_party/blink/renderer/core/loader/worker_fetch_context.cc

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
Adding affected OS's :)

Comment 10 by bugdroid1@chromium.org, Sep 11

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a4a8feb2ce11b24b5330aace67081d8446b9ffa3

commit a4a8feb2ce11b24b5330aace67081d8446b9ffa3
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Tue Sep 11 07:24:29 2018

Implement HTTPS state

To make mixed content check more spec-conformant,
this CL makes mixed content check in Workers/Worklets
take into account whether the parent contexts are HTTPS or not,
in addition to their SecurityOrigin, by
- Implementing HTTPS state spec concept in ExecutionContext, i.e.
  Document
    https://html.spec.whatwg.org/#concept-document-https-state
  WorkerGlobalScope
    https://html.spec.whatwg.org/#concept-workerglobalscope-https-state
  WorkletGlobalScope
    https://drafts.css-houdini.org/worklets/#set-up-a-worklet-environment-settings-object
- Plumbing outside Settings's HTTP state to Worker/WorkletGlobalScope
  via GlobalScopeCreationParams, and
- Plumbing HTTP state from Worker/WorkletGlobalScope to WorkerFetchContext
  via FetchClientSettingsObjectImpl, and
  https://html.spec.whatwg.org/#https-state
- Using it for mixed content check instead of SecurityOrigin.
  https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object

While this is still not completely spec-conformant, mixed content
check becomes stricter: for top-level worklet scripts and
subresource requests from data: URL workers created from HTTPS Documents,
HTTP requests will be blocked after this CL.

Bug: 880986, 880023, 880015
Change-Id: I4a43e2ee424177e93b0d7da40c2c1b8891cdced3
Reviewed-on: https://chromium-review.googlesource.com/1208390
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590225}
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/dom/document.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/execution_context/execution_context.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/exported/web_shared_worker_impl.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/layout/custom/layout_worklet_global_scope_proxy.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/mixed_content_checker.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/mixed_content_checker.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/worker_fetch_context.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/loader/worker_fetch_context.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/testing/null_execution_context.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/dedicated_worker.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/dedicated_worker_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/experimental/thread_pool.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/global_scope_creation_params.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/main_thread_worklet_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/threaded_worklet_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_global_scope.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_global_scope.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_thread_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worker_thread_test_helper.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worklet_global_scope.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/core/workers/worklet_global_scope.h
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/animationworklet/animation_worklet_global_scope_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/animationworklet/animation_worklet_thread_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/csspaint/paint_worklet_global_scope_proxy.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/exported/web_embedded_worker_impl.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/webaudio/audio_worklet_global_scope_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/modules/webaudio/audio_worklet_thread_test.cc
[modify] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/platform/loader/BUILD.gn
[add] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/platform/loader/fetch/https_state.cc
[add] https://crrev.com/a4a8feb2ce11b24b5330aace67081d8446b9ffa3/third_party/blink/renderer/platform/loader/fetch/https_state.h
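An added example, not code from the bug report or from Chromium, that models in JavaScript the three behaviours this thread discusses: the pre-fix SecurityOrigin-based categorisation described in the issue description, the HTTPS-state-based categorisation introduced by the "Implement HTTPS state" CL (comment 10), and the upgrade-before-check ordering from the "Move UpgradeInsecureRequest()" CL (comment 8). All function and field names (`createWorkerSettings`, `httpsState`, `shouldBlock`, `fetchDecision`, ...) are this example's own; the HTTPS-state inheritance for data: workers follows the HTML spec sections the commit message cites, and the loopback exemption follows the Secure Contexts definition of a potentially trustworthy URL. The scenario data is constructed to mirror the reproduction case. Runs under Node.js.

```javascript
// Added example (not Chromium code). Models the mixed-content decisions
// discussed in this issue, following the spec algorithms it links to:
//   HTML "HTTPS state":  https://html.spec.whatwg.org/#https-state
//   Mixed Content "Does settings prohibit mixed security contexts?":
//     https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object
// Every identifier below is this example's own, not a Chromium name.

// A potentially trustworthy URL, reduced to the cases that matter here:
// https:/wss:, and loopback addressed *by name*. The check looks at the URL's
// host, not at what it resolves to, which is why the repro maps "foobarbaz"
// to 127.0.0.1 in /etc/hosts instead of fetching http://127.0.0.1:8001/.
function isPotentiallyTrustworthyUrl(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         host === "127.0.0.1" || host === "[::1]";
}

// Settings object of a Document: a tuple origin plus an HTTPS state that is
// "modern" for https: documents and "none" otherwise ("deprecated" and the
// ancestor-frame walk for nested documents are not modelled).
function documentSettings(documentUrl) {
  const u = new URL(documentUrl);
  return { origin: u.origin, httpsState: u.protocol === "https:" ? "modern" : "none" };
}

// Per HTML "run a worker": a data: URL script gives the worker an opaque
// origin (modelled as null) and an HTTPS state *inherited from the outside
// settings*; a script fetched over the network takes its own response's.
function createWorkerSettings(outsideSettings, scriptUrl) {
  const u = new URL(scriptUrl);
  if (u.protocol === "data:") {
    return { origin: null, httpsState: outsideSettings.httpsState };
  }
  return { origin: u.origin, httpsState: u.protocol === "https:" ? "modern" : "none" };
}

// Pre-fix categorisation as described in the report: only the SecurityOrigin
// is consulted. An opaque origin is never trustworthy, so a data: worker lands
// in the "does not restrict mixed content" bucket whatever created it.
function prohibitsMixedContentByOrigin(settings) {
  return settings.origin !== null && isPotentiallyTrustworthyUrl(settings.origin + "/");
}

// Post-fix categorisation ("Implement HTTPS state" CL): the HTTPS state the
// data: worker inherited from its HTTPS creator drives the decision.
function prohibitsMixedContentByHttpsState(settings) {
  return settings.httpsState === "modern";
}

// "Should fetching request be blocked as mixed content?" for a blockable
// request such as fetch(): block iff the context prohibits mixed content and
// the request URL is not potentially trustworthy.
function shouldBlock(settings, requestUrl, categorize) {
  return categorize(settings) && !isPotentiallyTrustworthyUrl(requestUrl);
}

// The ordering point of the "Move UpgradeInsecureRequest()" CL: when
// upgrade-insecure-requests applies, an http: request must be rewritten to
// https: *before* the mixed-content check; run the check first and the
// request is blocked before it could have been upgraded.
function upgradeInsecureRequest(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === "http:") u.protocol = "https:";
  else if (u.protocol === "ws:") u.protocol = "wss:";
  return u.href;
}

function fetchDecision(settings, requestUrl, { upgrade = false, upgradeBeforeCheck = true } = {}) {
  let url = requestUrl;
  if (upgrade && upgradeBeforeCheck) url = upgradeInsecureRequest(url);
  if (shouldBlock(settings, url, prohibitsMixedContentByHttpsState)) return { blocked: true, url };
  if (upgrade && !upgradeBeforeCheck) url = upgradeInsecureRequest(url); // reached only if not blocked
  return { blocked: false, url };
}

// Constructed scenario mirroring the reproduction case: an https: page creates
// a data: worker that fetches an http: resource from a non-loopback host name.
function reproScenario() {
  const page = documentSettings("https://www.google.com/");
  const worker = createWorkerSettings(page, "data:text/javascript,fetch('http://foobarbaz:8001/x.js')");
  const target = "http://foobarbaz:8001/worklets/resources/empty-worklet-script-with-cors-header.js";
  const label = (blocked) => (blocked ? "Good (rejected)" : "Bad (resolved)");
  return {
    beforeFix: label(shouldBlock(worker, target, prohibitsMixedContentByOrigin)),
    afterFix: label(shouldBlock(worker, target, prohibitsMixedContentByHttpsState)),
  };
}

console.log(reproScenario()); // { beforeFix: 'Bad (resolved)', afterFix: 'Good (rejected)' }
```

The same model shows that the fix does not over-block: a data: worker created by an http: document inherits HTTPS state "none" and is still allowed to fetch http: resources, and an https: request from the data: worker passes under both policies.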


Comment 11 by bugdroid1@chromium.org, Sep 11

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/265401169e6adeb8b12d8e5eb4bc901c30baca87

commit 265401169e6adeb8b12d8e5eb4bc901c30baca87
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Tue Sep 11 08:45:22 2018

Add more WPT tests for mixed-content check in workers/worklets (1/2)

This CL adds test code for more worker/worklet-related cases
to mixed-content/ WPT tests:
- module-worker-top-level (outsideSettings of https: module script)
- module-data-worker-import (outsideSettings of data: worker)
- classic-data-worker-fetch (insideSettings of data: worker)
- worklet-*-top-level (outsideSettings of https: worklets)
- worklet-*-data-import (outsideSettings of data: worklets)

The actual generated tests are added in a separate CL
https://chromium-review.googlesource.com/1212746
for easier code review.

These tests are for
https://chromium-review.googlesource.com/1208390.

Bug: 880986, 880023, 880015
Change-Id: I07eb96cffec889103bf437813180127644466af8
Reviewed-on: https://chromium-review.googlesource.com/1212744
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Andy Paicu <andypaicu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590239}
[modify] https://crrev.com/265401169e6adeb8b12d8e5eb4bc901c30baca87/third_party/WebKit/LayoutTests/external/wpt/mixed-content/generic/common.js
[modify] https://crrev.com/265401169e6adeb8b12d8e5eb4bc901c30baca87/third_party/WebKit/LayoutTests/external/wpt/mixed-content/generic/mixed-content-test-case.js


Comment 12 by bugdroid1@chromium.org, Sep 11

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3406a529402145060b321fb3e2ba68cede12ee8

commit d3406a529402145060b321fb3e2ba68cede12ee8
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Tue Sep 11 17:24:33 2018

Add more WPT tests for mixed-content check in workers/worklets (2/2)

This CL adds generated files for test cases added in
https://chromium-review.googlesource.com/1212744.

The only manual change in this CL is mixed-content/spec.src.json,
and all other files are generated by generic/tools/generate.py.

Bug: 880986, 880023, 880015
Change-Id: I7be98407c527883176ab6a2e9cfc1fedb1f8bfbe
Reviewed-on: https://chromium-review.googlesource.com/1212746
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590369}
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/meta-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/classic-data-worker-fetch/no-opt-in/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/meta-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-data-worker-import/no-opt-in/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/meta-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/meta-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/cross-origin-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/cross-origin-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/cross-origin-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-http/top-level/keep-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-http/top-level/no-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-http/top-level/swap-scheme-redirect/blockable/no-opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/module-worker-top-level/no-opt-in/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[modify] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec.src.json
[modify] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/spec_json.js
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/cross-origin-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/keep-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/no-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-http/top-level/swap-scheme-redirect/blockable/opt-in-blocks.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/keep-scheme-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/http-csp/same-host-https/top-level/no-redirect/allowed/allowed.https.html.headers
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wpt/mixed-content/worklet-animation-data-import/meta-csp/cross-origin-http/top-level/no-redirect/blockable/opt-in-blocks.https.html
[add] https://crrev.com/d3406a529402145060b321fb3e2ba68cede12ee8/third_party/WebKit/LayoutTests/external/wp
Labels: Merge-Request-70
Status: Fixed (was: Started)
Landed on 71.0.3550.0. Confirmed fixed (Test Case #0) on local build on Linux.

The CLs are relatively large, but anyway requesting merging the CLs to M-70, according to Comment #2:
Comment #8: https://chromium-review.googlesource.com/c/chromium/src/+/1205750
Comment #10: https://chromium-review.googlesource.com/c/chromium/src/+/1208390

These CLs also fix Issue 880015.
How safe is this merge overall? Is it well tested?
The CLs should only affect mixed content check and upgrading insecure requests in workers, and have moderate test coverage (wpt tests added in Comment #11/#12 and some existing worklet wpt tests).

However, the CLs are medium-sized and thus not super trivial, so I'd avoid merging unless the security impact of this issue is sufficiently high (i.e. leaving this bug is more dangerous than risks of these medium-sized CLs). mkwst@, WDYT?

Project Member

Comment 16 by sheriffbot@chromium.org, Sep 13

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 17 by sheriffbot@chromium.org, Sep 13

Labels: -Merge-Request-70 Hotlist-Merge-Approved Merge-Approved-70
Your change meets the bar and is auto-approved for M70. Please go ahead and merge the CL to branch 3538 manually. Please contact milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 18 by sheriffbot@chromium.org, Sep 17

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 19 by bugdroid1@chromium.org, Sep 17

Labels: -merge-approved-70 merge-merged-3538
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6ecbff63d7872264433cb0fa827e880342c10072

commit 6ecbff63d7872264433cb0fa827e880342c10072
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Mon Sep 17 19:16:33 2018

Worker: Move UpgradeInsecureRequest() to PopulateResourceRequest()

Currently, UpgradeInsecureRequest() is called in
WorkerFetchContext::PrepareRequest(), which is called after
mixed content check.
Therefore, insecure requests are blocked as mixed content
before upgraded.

This CL moves the UpgradeInsecureRequest() call to
WorkerFetchContext::PopulateResourceRequest(), which is called
before mixed content check.
This is also consistent with FrameFetchContext, where
insecure request is upgraded in
FrameFetchContext::PopulateResourceRequest().

Bug: 880986, 880023, 880015, 880027
Change-Id: I983a40eebda8d04698b70d8c29e3707d4dcdf838
Reviewed-on: https://chromium-review.googlesource.com/1205750
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#589478}
(cherry picked from commit 85ef12e4845a8fdfcc00517ba61c5ebc3fd6416c)
Reviewed-on: https://chromium-review.googlesource.com/1228779
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#452}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/6ecbff63d7872264433cb0fa827e880342c10072/third_party/blink/renderer/core/loader/worker_fetch_context.cc

Project Member

Comment 20 by bugdroid1@chromium.org, Sep 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/42d55dd557267d39290e04146df83edf8d11b43b

commit 42d55dd557267d39290e04146df83edf8d11b43b
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Mon Sep 17 19:47:12 2018

Implement HTTPS state

To make mixed content check more spec-conformant,
this CL makes mixed content check in Workers/Worklets
take into account whether the parent contexts are HTTPS or not,
in addition to their SecurityOrigin, by
- Implementing HTTPS state spec concept in ExecutionContext, i.e.
  Document
    https://html.spec.whatwg.org/#concept-document-https-state
  WorkerGlobalScope
    https://html.spec.whatwg.org/#concept-workerglobalscope-https-state
  WorkletGlobalScope
    https://drafts.css-houdini.org/worklets/#set-up-a-worklet-environment-settings-object
- Plumbing outside Settings's HTTP state to Worker/WorkletGlobalScope
  via GlobalScopeCreationParams, and
- Plumbing HTTP state from Worker/WorkletGlobalScope to WorkerFetchContext
  via FetchClientSettingsObjectImpl, and
  https://html.spec.whatwg.org/#https-state
- Using it for mixed content check instead of SecurityOrigin.
  https://w3c.github.io/webappsec-mixed-content/#categorize-settings-object

While this is still not completely spec-conformant, mixed content
check becomes stricter: for top-level worklet scripts and
subresource requests from data: URL workers created from HTTPS Documents,
HTTP requests will be blocked after this CL.

TBR=mkwst@chromium.org, nhiroki@chromium.org

(cherry picked from commit a4a8feb2ce11b24b5330aace67081d8446b9ffa3)

Bug: 880986, 880023, 880015
Change-Id: I4a43e2ee424177e93b0d7da40c2c1b8891cdced3
Reviewed-on: https://chromium-review.googlesource.com/1208390
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#590225}
Reviewed-on: https://chromium-review.googlesource.com/1228491
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#455}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/dom/document.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/execution_context/execution_context.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/exported/web_shared_worker_impl.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/layout/custom/layout_worklet_global_scope_proxy.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/mixed_content_checker.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/mixed_content_checker.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/modulescript/module_script_loader_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/worker_fetch_context.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/loader/worker_fetch_context.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/script/fetch_client_settings_object_impl.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/testing/null_execution_context.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/dedicated_worker.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/dedicated_worker_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/global_scope_creation_params.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/main_thread_worklet_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/threaded_worklet_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_global_scope.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_global_scope.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_thread_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worker_thread_test_helper.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worklet_global_scope.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/core/workers/worklet_global_scope.h
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/animationworklet/animation_worklet_global_scope_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/animationworklet/animation_worklet_thread_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/csspaint/paint_worklet_global_scope_proxy.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/exported/web_embedded_worker_impl.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/webaudio/audio_worklet_global_scope_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/modules/webaudio/audio_worklet_thread_test.cc
[modify] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/platform/loader/BUILD.gn
[add] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/platform/loader/fetch/https_state.cc
[add] https://crrev.com/42d55dd557267d39290e04146df83edf8d11b43b/third_party/blink/renderer/platform/loader/fetch/https_state.h
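The two merged commits above make two separate changes to worker subresource fetching: the first reorders the pipeline so that an insecure request is upgraded before the mixed content check runs, and the second categorizes the worker's settings object by its HTTPS state (inherited from the creator for data: workers) rather than by its SecurityOrigin, which is opaque for a data: URL. The following is an added illustration written for this page, not Chromium code and not the spec's normative text: it models both decisions with plain functions so the pre-fix and post-fix outcomes for the data: worker in the reproduction case can be compared. The settings-object shape, function names, and the parent-chain walk are simplifications assumed here; the sample URLs are constructed.

```javascript
// Added model of the worker mixed-content decisions discussed in this issue.
// Names and data shapes are this example's own, not Chromium's.

// HTTPS state per the HTML spec: "none", "deprecated" or "modern".
// Only "none" and "modern" are modelled here.
function httpsStateForUrl(url) {
  return new URL(url).protocol === 'https:' ? 'modern' : 'none';
}

// Settings object for a top-level document loaded from `url`.
function makeDocumentSettings(url) {
  return { origin: new URL(url).origin, httpsState: httpsStateForUrl(url), parent: null };
}

// Settings object for a dedicated worker created by `parent` from `scriptUrl`.
// A data: URL has an opaque origin (serialized "null"), so an origin-based
// check can never see it as secure; the spec instead has the worker inherit
// its creator's HTTPS state.
function makeWorkerSettings(parent, scriptUrl) {
  const u = new URL(scriptUrl);
  const isData = u.protocol === 'data:';
  return {
    origin: isData ? 'null' : u.origin,
    httpsState: isData ? parent.httpsState : httpsStateForUrl(scriptUrl),
    parent,
  };
}

// Pre-fix categorization: decided by SecurityOrigin alone.
function prohibitsMixedContentByOrigin(settings) {
  return settings.origin.startsWith('https://');
}

// Post-fix categorization (spec "categorize settings object", simplified):
// a "modern" HTTPS state on the settings object or any ancestor prohibits
// mixed security contexts.
function prohibitsMixedContentByHttpsState(settings) {
  for (let s = settings; s !== null; s = s.parent) {
    if (s.httpsState === 'modern') return true;
  }
  return false;
}

// Blockable mixed content: an http: request from a context that prohibits it.
function isBlockableMixedContent(settings, requestUrl, categorize) {
  return new URL(requestUrl).protocol === 'http:' && categorize(settings);
}

// upgrade-insecure-requests: rewrite http: to https:, keeping a non-default port.
function upgradeInsecureRequest(requestUrl, upgradeEnabled) {
  const u = new URL(requestUrl);
  if (upgradeEnabled && u.protocol === 'http:') u.protocol = 'https:';
  return u.href;
}

// Request pipeline. `upgradeFirst === true` models the first commit, where the
// upgrade moves ahead of the mixed content check; `false` models the old order,
// where a request could be blocked as mixed content before it was ever upgraded.
function processRequest(settings, requestUrl, { categorize, upgradeEnabled, upgradeFirst }) {
  let url = requestUrl;
  if (upgradeFirst) url = upgradeInsecureRequest(url, upgradeEnabled);
  const blocked = isBlockableMixedContent(settings, url, categorize);
  if (!upgradeFirst && !blocked) url = upgradeInsecureRequest(url, upgradeEnabled);
  return { url, blocked };
}

// Constructed scenario mirroring the report: HTTPS document, data: worker,
// http: subresource fetched from inside the worker.
const DOC = makeDocumentSettings('https://example.test/');
const DATA_WORKER = makeWorkerSettings(DOC, 'data:text/javascript,fetch("http://foobarbaz:8001/x.js")');
const SUBRESOURCE = 'http://foobarbaz:8001/x.js';

function verdictBeforeFix() {
  return processRequest(DATA_WORKER, SUBRESOURCE,
    { categorize: prohibitsMixedContentByOrigin, upgradeEnabled: false, upgradeFirst: false });
}

function verdictAfterFix() {
  return processRequest(DATA_WORKER, SUBRESOURCE,
    { categorize: prohibitsMixedContentByHttpsState, upgradeEnabled: false, upgradeFirst: true });
}

console.log('before fix:', verdictBeforeFix()); // http: request allowed
console.log('after fix: ', verdictAfterFix());  // http: request blocked
```

The pipeline ordering matters independently of the categorization: with upgrade-insecure-requests in effect and the upgrade running first, the http: URL is rewritten to https: and then passes the check, which is what the first commit restores for workers; with the old ordering the same request would be blocked before the upgrade had a chance to apply.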

Merged all necessary CLs. Watching for build status.
Labels: -ReleaseBlock-Stable
Labels: Release-0-M70
Project Member

Comment 24 by sheriffbot@chromium.org, Dec 20

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
