
Issue 913253

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug-Regression




Clear-Site-Data header not returned in Fetch API Headers-object

Reported by joostdeb...@gmail.com, Dec 9

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36

Steps to reproduce the problem:
1. Do a request with the Fetch API to an endpoint that produces a response containing the Clear-Site-Data header.
2. Call header.has('Clear-Site-Data') on the response object.
3. The header.has('Clear-Site-Data') will return false even though the header is present.

Example: https://www.aqualabs.nl/csd-header.html -- It requests an endpoint and prints all headers from the response. In Chrome the Clear-Site-Data header is not included.

Tested in: Chrome 71.0.3578.80 Stable and Chrome 73.0.3635.0 Canary on Windows 10.0.17763.134. Works well on Firefox 63.0.3.

What is the expected behavior?
The Headers-object should return the Clear-Site-Data header when it is present in the response.

What went wrong?
The Clear-Site-Data header is not returned in the Header-object of the Fetch API.

Did this work before? No 

Does this work in other browsers? N/A

Chrome version: 71.0.3578.80  Channel: stable
OS Version: 10.0
Flash Version:
 
Labels: Needs-Triage-M71
Cc: msramek@chromium.org dullweber@chromium.org jsb...@chromium.org yhirano@chromium.org
Components: -Blink>Network Privacy
Cc-ing OWNERS in content/browser/browsing_data.
Labels: -Type-Bug -Pri-2 RegressedIn-61 Triaged-ET FoundIn-73 Target-71 Target-72 Target-73 M-73 FoundIn-71 FoundIn-72 hasbisect OS-Linux OS-Mac Pri-1 Type-Bug-Regression
Owner: msramek@chromium.org
Status: Assigned (was: Unconfirmed)
teo8976@ Thanks for the issue.

Able to reproduce this issue on Windows 10, Mac OS 10.13.6 and Ubuntu 17.10 on the latest Stable 71.0.3578.80 and latest Canary 73.0.3638.0.

Bisect Information:
====================
Good Build: 61.0.3123.0
Bad Build : 61.0.3124.0

By running the per-revision bisect script, an error was coming up. Hence below is the Changelog URL from running the Chromium bisect.
https://chromium.googlesource.com/chromium/src/+log/f31a9f767ad6e5a7be6ba96c920230f2e1e34864..9bc8902cf5825d5cbcdbf2b7766241f2f9c96bbb

From the above Changelog, suspecting the below Change.
Reviewed-on: https://codereview.chromium.org/2368923003

msramek@ Please check and confirm if this issue is related to your change, else help us in assigning to the right owner.

Thanks...
Owner: mkwst@chromium.org
I believe this is because we marked Clear-Site-Data as a "cookie-like" header:

https://cs.chromium.org/chromium/src/net/http/http_response_headers.cc?type=cs&q=kCookieResponseHeaders%5C%5B%5C%5D+file:http_response_headers.cc

As the comment in the code says, these headers are "not to be [...] disclosed". You may notice that "Set-Cookie" and "Set-Cookie2" headers are also not exposed by the Fetch API.

At least the cache avoidance is WAI, let me double-check with +mkwst@ whether this is also desirable.
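
Added example (not Chromium code and not part of the thread): a small model of the filtering described in the last comment, comparing the Fetch spec's hidden response headers (`Set-Cookie`, `Set-Cookie2`) with a list that also contains `Clear-Site-Data`. The list names, function names and the sample response are assumptions constructed for illustration.

```javascript
// Illustrative model only; this is not Chromium's implementation.
// Response header names the Fetch spec never exposes to script.
const SPEC_HIDDEN = ['set-cookie', 'set-cookie2'];
// Assumption taken from the comment above: Clear-Site-Data is also
// treated as "cookie-like", so it is filtered the same way.
const CHROMIUM_HIDDEN = [...SPEC_HIDDEN, 'clear-site-data'];

// Constructed sample response head (not captured from the reporter's endpoint).
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/plain',
  'Clear-Site-Data: "cache", "cookies"',
  'Set-Cookie: sid=constructed; HttpOnly',
  'X-Request-Id: 42',
  '',
].join('\r\n');

// Parse "Name: value" lines after the status line into [name, value] pairs.
function parseHeaderLines(rawHead) {
  const pairs = [];
  for (const line of rawHead.split('\r\n').slice(1)) {
    const colon = line.indexOf(':');
    if (colon <= 0) continue; // blank line or malformed field
    pairs.push([line.slice(0, colon).trim(), line.slice(colon + 1).trim()]);
  }
  return pairs;
}

// Build the case-insensitive view that script would get from response.headers.
function scriptVisibleHeaders(rawHead, hiddenNames) {
  const hidden = new Set(hiddenNames.map((n) => n.toLowerCase()));
  const visible = new Map();
  for (const [name, value] of parseHeaderLines(rawHead)) {
    const key = name.toLowerCase();
    if (hidden.has(key)) continue; // dropped before script can see it
    visible.set(key, visible.has(key) ? `${visible.get(key)}, ${value}` : value);
  }
  return {
    has: (name) => visible.has(name.toLowerCase()),
    get: (name) => visible.get(name.toLowerCase()) ?? null,
    names: () => [...visible.keys()],
  };
}

const chromiumView = scriptVisibleHeaders(SAMPLE_RESPONSE, CHROMIUM_HIDDEN);
const specView = scriptVisibleHeaders(SAMPLE_RESPONSE, SPEC_HIDDEN);
console.log(chromiumView.has('Clear-Site-Data'), chromiumView.names());
console.log(specView.has('Clear-Site-Data'), specView.get('Clear-Site-Data'));
```

A check that a logout or reset endpoint sends `Clear-Site-Data` therefore belongs on the raw response (server-side test or HTTP client), not in page script that reads `response.headers`.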
