Bug 1789149 [wpt PR 35777] - Consolidate Timing-Allow-Origin checking code, a=testonly
commit c2cba70cf72827045ddb6bc57d806b09cd8b4417
author Noam Rosenthal <nrosenthal@chromium.org>
Wed, 21 Sep 2022 19:28:50 +0000 (21 19:28 +0000)
committer moz-wptsync-bot <wptsync@mozilla.com>
Fri, 23 Sep 2022 22:52:04 +0000 (23 22:52 +0000)
tree a0fe7fea9f77cb15afbbf0c136a1f549d78a1bd6
parent e32fc59312f1d3109b2b5175fa0f0d92d5926710
Bug 1789149 [wpt PR 35777] - Consolidate Timing-Allow-Origin checking code, a=testonly

Automatic update from web-platform-tests
Consolidate Timing-Allow-Origin checking code

Actual TAO check is done in a function TimingAllowOriginCheck()

blink/ResourceTiming doesn't check for TAO anymore.
network::cors::CorsUrlLoader performs the checks in transit, as
specified in https://fetch.spec.whatwg.org/#tao-check, which now also
applies to nested contexts (iframes).

Note that we now have to check if a redirect taints the origin before responding to a manual redirect. Since all of the other places (apart from TAO) where redirect-tainted is checked also check that the mode is not navigation, this does not affect any observable behavior outside of TAO.

The exception is the resource timing for a cross-origin iframe served
from a service worker - the TAO check for that resource is done in
ServiceWorkerMainResourceLoaded as loading of a main resource in a
service worker doesn't have the same context to decide about TAO as
CorsUrlLoader.
See resource-timing/workerStart-tao-protected.https.html

resource-timing-cross-origin.https.html now works according to spec,
amended it.

Added unit tests for CorsUrlLoader and TimingAllowOriginParser.

Fixed: 1201767
Bug: 1201767
Change-Id: Ic85884cb8400dbef9e8dba1409bfec3f0dd9538c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3873286
Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
Commit-Queue: Noam Rosenthal <nrosenthal@chromium.org>
Reviewed-by: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1043888}

--

wpt-commits: a4b2c96c7456f24049376f3427c6775870211540
wpt-pr: 35777
testing/web-platform/tests/service-workers/service-worker/resource-timing-cross-origin.https.html
testing/web-platform/tests/service-workers/service-worker/resources/worker-fetching-cross-origin.js
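
Added example (not code from this commit, Chromium or web-platform-tests): a sketch of the TAO check steps at https://fetch.spec.whatwg.org/#tao-check, showing how a redirect-tainted origin and a cross-origin navigation change the result. The request object shape and all function names are assumptions made for illustration, header splitting is simplified to commas and whitespace, and latching the failure flag inside taoCheck() is a simplification of the caller setting it.

```javascript
// Illustrative sketch only; names and the request shape are hypothetical.

// Simplified split of a Timing-Allow-Origin value: comma-separated entries
// with surrounding whitespace trimmed (quoted-string handling is omitted).
function parseTimingAllowOrigin(headerValue) {
  if (headerValue == null) return [];
  return headerValue.split(',').map(v => v.trim()).filter(v => v !== '');
}

// A redirect-tainted origin serializes as "null", so it can only match a
// literal "null" entry or the "*" wildcard.
function serializeRequestOrigin(request) {
  return request.redirectTainted ? 'null' : request.origin;
}

// request: { origin, currentUrlOrigin, mode, responseTainting,
//            redirectTainted, timingAllowFailed }
// Returns true when detailed timing may be exposed. A failure is latched in
// request.timingAllowFailed so later hops of the same fetch keep failing.
function taoCheck(request, taoHeaderValue) {
  const pass = (() => {
    if (request.timingAllowFailed) return false;
    const values = parseTimingAllowOrigin(taoHeaderValue);
    if (values.includes('*')) return true;
    if (values.includes(serializeRequestOrigin(request))) return true;
    // Nested contexts (iframes): a cross-origin navigation needs explicit opt-in.
    if (request.mode === 'navigate' &&
        request.currentUrlOrigin !== request.origin) return false;
    return request.responseTainting === 'basic';
  })();
  if (!pass) request.timingAllowFailed = true;
  return pass;
}

// Constructed sample requests (not taken from the tests listed on this page).
function demo() {
  const base = { origin: 'https://a.example', currentUrlOrigin: 'https://b.example',
                 mode: 'cors', responseTainting: 'cors',
                 redirectTainted: false, timingAllowFailed: false };
  return {
    optedIn: taoCheck({ ...base }, 'https://a.example'),
    taintedByRedirect: taoCheck({ ...base, redirectTainted: true }, 'https://a.example'),
    crossOriginIframe: taoCheck({ ...base, mode: 'navigate', responseTainting: 'basic' }, null),
  };
}
```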