commit | 8b30f526e1c760773511f48faa80c0347e49234c | [log] [tgz] |
---|---|---|
author | Matt Falkenhagen <falken@chromium.org> | Fri Dec 14 04:00:31 2018 |
committer | Commit Bot <commit-bot@chromium.org> | Fri Dec 14 04:00:31 2018 |
tree | fb875e2bc9e3049744d4054a4d94e5d0efa61293 | |
parent | 9f9392fa73c44640e4d1270d8d004f34a84badbf [diff] |
CSS: Use the response URL for base URL and type for security decisions. Use ResourceResponse::ResponseUrl() to set the base URL, and use ResponseResponse::GetType() to determine whether the resonse is CORS-same-origin. This CL has three web-exposed changes. 1. Use the response URL rather than the last request URL as the base URL of the stylesheet. This aligns with the standard. See https://github.com/whatwg/fetch/pull/146 and WPT results indicate Firefox, Edge, and Safari use the response URL. This only matters if the response came from a service worker, as the URLs only differ when the service worker intercepts the request and responds with a different URL via respondWith(fetch(other_url)). This is covered by the WPT: service-workers/service-worker/fetch-request-css-base-url.https.html The test doesn't completely pass yet because the search query part of the URL gets chopped off for FetchEvent.request.referrer, but the base URL is correct. Chrome Status: https://www.chromestatus.com/feature/5642183499579392 2. Consider A->B->A redirects to be cross-origin rather than same-origin. Previously, this was considered same-origin. See the discussion in https://github.com/whatwg/fetch/issues/737 and change https://github.com/whatwg/fetch/pull/834. This change makes the following WPT test pass: css/cssom/stylesheet-same-origin.sub.html It also affects the web test: http/tests/security/cannot-read-cssrules-redirect.html This test is updated to match the behavior change. It can be removed later since it is redundant with the WPT test. 3. Consider load failures to be cross-origin rather than same-origin. That is, accessing |styleSheet.rules| throws a SecurityError if the load failed. This aligns with the specification: - cssRules checks the `origin-clean` flag: https://drafts.csswg.org/cssom/#dom-cssstylesheet-cssrules - This is set to true iff CORS-same-origin: https://html.spec.whatwg.org/multipage/links.html#link-type-stylesheet - CORS-same-origin is false on kError: https://html.spec.whatwg.org/multipage/urls-and-fetching.html#cors-same-origin This change makes the following WPT test pass: css/cssom/stylesheet-same-origin.sub.html It also affects the web tests: register-bypassing-scheme-partial.html require-sri-for-style-blocked.php These tests are updated to match the behavior change. Chrome Status: https://www.chromestatus.com/feature/5642183499579392 Intent to Ship: https://groups.google.com/a/chromium.org/d/msg/blink-dev/7OSy00oxVpk/siufiQVBBwAJ Bug: 911974 Change-Id: I9add3162596963eee66f60f339cfd9911bc151cd Reviewed-on: https://chromium-review.googlesource.com/c/1367331 Commit-Queue: Joel Hockey <joelhockey@chromium.org> Reviewed-by: Joel Hockey <joelhockey@chromium.org> Reviewed-by: Rune Lillesveen <futhark@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#616580}
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure .