
Issue 917532


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocked on:
issue 875153




upgrade-insecure-requests doesn't work for worker top-level scripts

Project Member Reported by hirosh...@chromium.org, Dec 21

Issue description

From https://example.com/main.html,

new Worker('http://example.com/worker.js')

should be successful if upgrade-insecure-requests is specified,
because upgrading is done at Step 2.3 of main fetch
https://fetch.spec.whatwg.org/#main-fetch
which is before the same-origin check at Step 5 of main fetch
that ensures same-originness of workers.

However, in Blink the same-originness check is done in AbstractWorker before going into platform/loader (i.e. before upgrading), and therefore the worker above is rejected.

I'm filing this because I found it while adding test coverage (and thus I'm adding a WPT test that fails due to this issue), but I expect the priority is quite low.
Probably this will be fixed once we remove ad-hoc origin checks outside platform/loader (Issue 875153).
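
The ordering difference described in the report above, as an added JavaScript model that is not part of the original issue and is not Blink or Fetch spec code. All function names and the sample URLs beyond the reported case are assumptions made for illustration; the model treats upgrade-insecure-requests as a plain http-to-https rewrite.

```javascript
// Added illustration: a model of the two check orderings, not Blink or Fetch code.
// All function names here are hypothetical.
// Upgrade step: with the policy set, an http: URL is rewritten to https:.
function upgradeIfInsecure(url, policyUpgrades) {
  const u = new URL(url);
  if (policyUpgrades && u.protocol === 'http:') {
    u.protocol = 'https:'; // implicit port 80 becomes implicit port 443
  }
  return u;
}

function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Order the report expects: upgrade first, then the same-origin check.
function upgradeThenCheck(pageUrl, workerUrl, policyUpgrades) {
  const upgraded = upgradeIfInsecure(workerUrl, policyUpgrades);
  return isSameOrigin(pageUrl, upgraded)
    ? { allowed: true, fetched: upgraded.href }
    : { allowed: false, fetched: null };
}

// Order the report observes: same-origin check on the raw URL, then upgrade.
function checkThenUpgrade(pageUrl, workerUrl, policyUpgrades) {
  if (!isSameOrigin(pageUrl, workerUrl)) {
    return { allowed: false, fetched: null };
  }
  return { allowed: true, fetched: upgradeIfInsecure(workerUrl, policyUpgrades).href };
}

// Constructed sample inputs.
const PAGE = 'https://example.com/main.html';
const CASES = [
  { worker: 'http://example.com/worker.js', policy: true },   // the reported case
  { worker: 'http://example.com/worker.js', policy: false },  // no policy
  { worker: 'http://other.example/worker.js', policy: true }, // cross-origin host
  { worker: 'http://example.com:8080/worker.js', policy: true }, // explicit port kept
];

function compareOrders() {
  return CASES.map(({ worker, policy }) => ({
    worker,
    policy,
    upgradeThenCheck: upgradeThenCheck(PAGE, worker, policy).allowed,
    checkThenUpgrade: checkThenUpgrade(PAGE, worker, policy).allowed,
  }));
}
console.table(compareOrders());
```

Only the first case differs between the two orderings; upgrading before the check does not admit a worker whose host or explicit port differs from the page's.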
 
Status: Available (was: Untriaged)
Tests:
external/wpt/upgrade-insecure-requests/worker-upgrade.https.html
external/wpt/upgrade-insecure-requests/worker-redirect-upgrade.https.html
external/wpt/upgrade-insecure-requests/module-worker-upgrade.https.html
external/wpt/upgrade-insecure-requests/module-worker-redirect-upgrade.https.html

Added by:
https://chromium-review.googlesource.com/c/chromium/src/+/1389635
(Probably will be renamed by Issue 906850)

Project Member

Comment 3 by bugdroid1@chromium.org, Jan 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f347091b94fb55bd5218d3e426f119bbc8ba2d23

commit f347091b94fb55bd5218d3e426f119bbc8ba2d23
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Wed Jan 09 19:28:08 2019

[wpt/upgrade-insecure-requests] Add worker/worklet tests

This CL adds upgrade-insecure-requests test coverage for:
- (classic and module) dedicated worker top-level scripts,
- fetch API from dedicated workers, and
- animation/audio/layout/paint worklet top-level scripts.
possibly including redirects and/or static imports,
reusing /mixed-content/generic/common.js.

For this purpose, this CL creates a generator script
that generates the newly added tests
as well as some of the existing tests
(where this CL preserves the test behavior):
- iframe-upgrade.https.html
- iframe-redirect-upgrade.https.html
- image-upgrade.https.html
- image-redirect-upgrade.https.html

This CL also removes upgrade-insecure-requests tests under
/wpt/worklets/ as they are covered by the newly added tests.

Bug: 906850, 878274, 917532, 917554
Change-Id: I1e4f60b72d2b40c795c03b9f79c542c1a250c913
Reviewed-on: https://chromium-review.googlesource.com/c/1389635
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621265}
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/TestExpectations
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/animation-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/animation-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/animation-worklet-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/audio-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/audio-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/audio-worklet-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/iframe-redirect-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/iframe-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/image-redirect-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/image-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/layout-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/layout-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/layout-worklet-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-redirect-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/module-worker-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/paint-worklet-import-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/paint-worklet-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/paint-worklet-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/generate.py
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/pass.png.headers
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/redirect-cors.py
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/testharness-helper.sub.js
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/worker.js
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/support/worker.js.headers
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-redirect-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-subresource-fetch-redirect-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-subresource-fetch-upgrade.https.html
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-upgrade.https-expected.txt
[add] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/upgrade-insecure-requests/worker-upgrade.https.html
[modify] https://crrev.com/f347091b94fb55bd5218d3e426f119bbc8ba2d23/third_party/blink/web_tests/external/wpt/worklets/resources/csp-tests.js
