Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(403)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 149643003: Improve handling of CORS redirects for some resource loads. (Closed)

Created:
6 years, 10 months ago by sof
Modified:
6 years, 10 months ago
CC:
blink-reviews, Nate Chapin, gavinp+loader_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/blink.git@master
Visibility:
Public.

Description

Improve handling of CORS redirects for some resource loads. To align with what CORS requires for redirects, have CORS-enabled resource loading perform access control checks on redirects. The ResourceLoader delegates the access control check to its host's canAccessRedirect() implementation: bool ResourceLoaderHost::canAccessRedirect(Resource*, ResourceRequest&, const ResourceResponse&, ResourceLoaderOptions&); which is passed the redirect request + response along with other arguments needed to make a yes/no decision on following the redirect. To correctly handle redirects to another origin, the canAccessRedirect() predicate is also responsible for updating the 'source origin' as the redirect is followed. This and other redirect steps are taken care of by the helper method CrossOriginAccessControl::handleRedirect() The included tests cover redirects over <img> and <script>, for the various redirect responses possible (wrt CORS.) Rely on existing redirect tests for HTML imports. Notice that the redirect handling added here does not apply to resource types and loaders that implement their special (and extended) handling of CORS + redirects -- e.g., XMLHttpRequest fetches. R=abarth@chromium.org BUG=274843 Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=166508

Patch Set 1 #

Patch Set 2 : Track source origin via ResourceLoaderOptions.securityOrigin #

Total comments: 4

Patch Set 3 : Factor out redirect steps as CrossOriginAccessControl::handleRedirect() #

Patch Set 4 : Compile fix (struct/class mismatch on fwd decl) #

Patch Set 5 : Compile fix (struct/class mismatch on fwd decl) #

Total comments: 11

Patch Set 6 : Use canRequest() when checking redirect origin; remove redundant null checks. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+841 lines, -60 lines) Patch
M LayoutTests/http/tests/htmlimports/redirect.html View 1 2 chunks +1 line, -28 lines 0 comments Download
A LayoutTests/http/tests/htmlimports/redirect-cross-origin.html View 1 2 1 chunk +40 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/htmlimports/redirect-cross-origin-cross.html View 1 2 1 chunk +28 lines, -0 lines 0 comments Download
A + LayoutTests/http/tests/htmlimports/redirect-cross-origin-cross-expected.txt View 1 2 1 chunk +2 lines, -4 lines 0 comments Download
A LayoutTests/http/tests/htmlimports/redirect-cross-origin-cross-same.html View 1 2 1 chunk +29 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/htmlimports/redirect-cross-origin-cross-same-2.html View 1 2 1 chunk +29 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/htmlimports/redirect-cross-origin-cross-same-2-expected.txt View 1 2 1 chunk +4 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/htmlimports/redirect-cross-origin-cross-same-expected.txt View 1 2 1 chunk +4 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/htmlimports/redirect-cross-origin-expected.txt View 1 2 1 chunk +12 lines, -0 lines 0 comments Download
M LayoutTests/http/tests/htmlimports/redirect-expected.txt View 1 1 chunk +1 line, -1 line 0 comments Download
A LayoutTests/http/tests/security/img-crossorigin-redirect-anonymous.html View 1 2 1 chunk +70 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/img-crossorigin-redirect-anonymous-expected.txt View 1 2 1 chunk +18 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/img-crossorigin-redirect-credentials.html View 1 2 1 chunk +86 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/img-crossorigin-redirect-credentials-expected.txt View 1 2 1 chunk +22 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/img-crossorigin-redirect-no-cors.html View 1 2 1 chunk +68 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/img-crossorigin-redirect-no-cors-expected.txt View 1 2 1 chunk +19 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/resources/cors-redirect.php View 1 chunk +10 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/resources/script-allow-credentials.php View 1 chunk +6 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/resources/script-allow-star.php View 1 chunk +5 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/script-crossorigin-redirect-anonymous.html View 1 2 1 chunk +70 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/script-crossorigin-redirect-anonymous-expected.txt View 1 2 1 chunk +18 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/script-crossorigin-redirect-credentials.html View 1 2 1 chunk +86 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/script-crossorigin-redirect-credentials-expected.txt View 1 2 1 chunk +22 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/script-crossorigin-redirect-no-cors.html View 1 2 1 chunk +68 lines, -0 lines 0 comments Download
A LayoutTests/http/tests/security/script-crossorigin-redirect-no-cors-expected.txt View 1 2 1 chunk +16 lines, -0 lines 0 comments Download
M Source/core/fetch/CrossOriginAccessControl.h View 1 2 3 2 chunks +9 lines, -0 lines 0 comments Download
M Source/core/fetch/CrossOriginAccessControl.cpp View 1 2 3 4 5 2 chunks +67 lines, -0 lines 0 comments Download
M Source/core/fetch/ResourceFetcher.h View 1 1 chunk +3 lines, -2 lines 0 comments Download
M Source/core/fetch/ResourceFetcher.cpp View 1 2 3 4 5 3 chunks +20 lines, -4 lines 0 comments Download
M Source/core/fetch/ResourceLoader.cpp View 1 2 chunks +3 lines, -2 lines 0 comments Download
M Source/core/fetch/ResourceLoaderHost.h View 1 1 chunk +2 lines, -2 lines 0 comments Download
M Source/core/loader/DocumentThreadableLoader.h View 1 chunk +0 lines, -1 line 0 comments Download
M Source/core/loader/DocumentThreadableLoader.cpp View 1 2 2 chunks +3 lines, -16 lines 0 comments Download

Messages

Total messages: 14 (0 generated)
sof
No particular rush (with the weekend looming and all), but when you have a spare ...
6 years, 10 months ago (2014-01-31 22:41:50 UTC) #1
abarth-chromium
https://codereview.chromium.org/149643003/diff/80001/Source/core/fetch/CrossOriginAccessControl.h File Source/core/fetch/CrossOriginAccessControl.h (right): https://codereview.chromium.org/149643003/diff/80001/Source/core/fetch/CrossOriginAccessControl.h#newcode59 Source/core/fetch/CrossOriginAccessControl.h:59: bool checkCrossOriginAccessRedirectionUrl(const KURL&, String& errorDescription); Url -> URL Rather ...
6 years, 10 months ago (2014-01-31 23:42:40 UTC) #2
abarth-chromium
6 years, 10 months ago (2014-01-31 23:43:05 UTC) #3
sof
https://codereview.chromium.org/149643003/diff/80001/Source/core/fetch/ResourceFetcher.cpp File Source/core/fetch/ResourceFetcher.cpp (right): https://codereview.chromium.org/149643003/diff/80001/Source/core/fetch/ResourceFetcher.cpp#newcode1313 Source/core/fetch/ResourceFetcher.cpp:1313: bool ResourceFetcher::canAccessRedirect(Resource* resource, ResourceRequest& request, const ResourceResponse& redirectResponse, ResourceLoaderOptions& ...
6 years, 10 months ago (2014-02-01 14:39:18 UTC) #4
sof
https://codereview.chromium.org/149643003/diff/80001/Source/core/fetch/CrossOriginAccessControl.h File Source/core/fetch/CrossOriginAccessControl.h (right): https://codereview.chromium.org/149643003/diff/80001/Source/core/fetch/CrossOriginAccessControl.h#newcode59 Source/core/fetch/CrossOriginAccessControl.h:59: bool checkCrossOriginAccessRedirectionUrl(const KURL&, String& errorDescription); On 2014/01/31 23:42:40, abarth ...
6 years, 10 months ago (2014-02-04 22:01:49 UTC) #5
abarth-chromium
LGTM Thanks for iterating on this CL. I'm very happy with the direction you're taking ...
6 years, 10 months ago (2014-02-05 08:20:44 UTC) #6
sof
Thanks for finding the time, much appreciated. I'll follow up on where to direct the ...
6 years, 10 months ago (2014-02-05 10:05:42 UTC) #7
sof
The CQ bit was checked by sigbjornf@opera.com
6 years, 10 months ago (2014-02-05 11:00:57 UTC) #8
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/sigbjornf@opera.com/149643003/340001
6 years, 10 months ago (2014-02-05 11:01:04 UTC) #9
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 10 months ago (2014-02-05 14:04:26 UTC) #10
commit-bot: I haz the power
Retried try job too often on linux_blink for step(s) webkit_tests http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=linux_blink&number=11023
6 years, 10 months ago (2014-02-05 14:04:26 UTC) #11
sof
The CQ bit was checked by sigbjornf@opera.com
6 years, 10 months ago (2014-02-05 14:05:37 UTC) #12
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/sigbjornf@opera.com/149643003/340001
6 years, 10 months ago (2014-02-05 14:05:49 UTC) #13
commit-bot: I haz the power
6 years, 10 months ago (2014-02-05 16:07:46 UTC) #14
Message was sent while issue was closed. 
Change committed as 166508

Powered by Google App Engine
This is Rietveld 408576698