Bug 1789149 [wpt PR 35777] - Consolidate Timing-Allow-Origin checking code, a=testonly
Automatic update from web-platform-tests
Consolidate Timing-Allow-Origin checking code
Actual TAO check is done in a function TimingAllowOriginCheck()
blink/ResourceTiming doesn't check for TAO anymore.
network::cors::CorsUrlLoader performs the checks in transit, as
specified in https://fetch.spec.whatwg.org/#tao-check, which now also
applies to nested contexts (iframes).
Note that we now have to check if a redirect taints the origin before responding to a manual redirect. Since all of the other places (apart from TAO) where redirect-tainted is checked also check that the mode is not navigation, this does not affect any observable behavior outside of TAO.
The exception is the resource timing for a cross-origin iframe served
from a service worker - the TAO check for that resource is done in
ServiceWorkerMainResourceLoaded as loading of a main resource in a
service worker doesn't have the same context to decide about TAO as
CorsUrlLoader.
See resource-timing/workerStart-tao-protected.https.html
resource-timing-cross-origin.https.html now works according to spec,
amended it.
Added unit tests for CorsUrlLoader and TimingAllowOriginParser.
Fixed: 1201767
Bug: 1201767
Change-Id: Ic85884cb8400dbef9e8dba1409bfec3f0dd9538c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3873286
Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
Commit-Queue: Noam Rosenthal <nrosenthal@chromium.org>
Reviewed-by: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1043888}
--
wpt-commits: a4b2c96c7456f24049376f3427c6775870211540
wpt-pr: 35777