CORS-RFC1918: Force preflights for external requests in DocumentThreadableLoader.

CORS-RFC1918: Force preflights for external requests in DocumentThreadableLoader.

This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.

This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.

BUG=590714
Committed: https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123
Cr-Commit-Position: refs/heads/master@{#392048}

[Mike West, 2016-03-01 16:01:54]

Description was changed from

==========
WIP: Step 1 of CORS-RFC1918.

BUG=590714
==========

to

==========
Force preflights for external requests in DocumentThreadableLoader.

Still somewhat WIP. Needs tests for things other than 'fetch()'.

BUG=590714
==========

[Mike West, 2016-03-01 16:01:54]

mkwst@chromium.org changed reviewers:
+ jochen@chromium.org

[Mike West, 2016-03-02 12:28:37]

Description was changed from

==========
Force preflights for external requests in DocumentThreadableLoader.

Still somewhat WIP. Needs tests for things other than 'fetch()'.

BUG=590714
==========

to

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

Still somewhat WIP. Needs tests for things other than 'fetch()'.

BUG=590714
==========

[Mike West, 2016-03-02 15:47:30]

Description was changed from

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

Still somewhat WIP. Needs tests for things other than 'fetch()'.

BUG=590714
==========

to

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

Still somewhat WIP. Needs tests for things other than 'fetch()' and XHR.

BUG=590714
==========

[Mike West, 2016-05-03 14:52:05]

Description was changed from

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

Still somewhat WIP. Needs tests for things other than 'fetch()' and XHR.

BUG=590714
==========

to

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a
new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.

This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.

BUG=590714
==========

[Mike West, 2016-05-03 15:43:44]

Description was changed from

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a
new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.

This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.

BUG=590714
==========

to

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a
new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.

This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.

BUG=590714
==========

[Mike West, 2016-05-03 15:47:02]

jochen@: WDYT of this?

I'm not sure whether the next step would be to look deeper in the resource
fetcher to see what we'd need to do to teach it about preflights, or whether we
need to hoist all of CORS somewhere further up the stack to deal with everything
in one place. Either way sounds like a lot of work. The latter sounds like
significantly more work, but it's also the only future-proof option, as until
we're up and out of Blink, it's not clear that there's any value to shipping
this... maybe we can chat about it tomorrow?

[Mike West, 2016-05-06 09:35:51]

On 2016/05/03 at 15:47:02, Mike West wrote:
> jochen@: WDYT of this?
> 
> I'm not sure whether the next step would be to look deeper in the resource
fetcher to see what we'd need to do to teach it about preflights, or whether we
need to hoist all of CORS somewhere further up the stack to deal with everything
in one place. Either way sounds like a lot of work. The latter sounds like
significantly more work, but it's also the only future-proof option, as until
we're up and out of Blink, it's not clear that there's any value to shipping
this... maybe we can chat about it tomorrow?

Ping! I realize our conversation might not have been clear. I actually do want
to land this, regardless of the approach we end up taking. It's locked behind
the `test` flag so I can show folks at Mozilla/elsewhere, so it shouldn't have
any web-facing impact. WDYT?

[jochen (gone - plz use gerrit), 2016-05-06 09:40:14]

lgtm

[Mike West, 2016-05-06 10:59:34]

The CQ bit was checked by mkwst@chromium.org

[commit-bot: I haz the power, 2016-05-06 10:59:42]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1745083002/200001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1745083002/200001

[lucyortiz830_gmail.com, 2016-05-06 11:15:46]

On 2016/05/06 10:59:42, commit-bot: I haz the power wrote:
> CQ is trying da patch. Follow status at
>  https://chromium-cq-status.appspot.com/patch-status/1745083002/200001
> View timeline at
>  https://chromium-cq-status.appspot.com/patch-timeline/1745083002/200001

[commit-bot: I haz the power, 2016-05-06 14:06:09]

Committed patchset #11 (id:200001)

[commit-bot: I haz the power, 2016-05-06 14:07:20]

Description was changed from

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a
new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.

This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.

BUG=590714
==========

to

==========
CORS-RFC1918: Force preflights for external requests in
DocumentThreadableLoader.

This patch introduces the requirement that "external requests" which go through
DocumentThreadableLoader (XHR, Fetch, etc) generate preflights containing an
`Access-Control-Request-External` header. The preflight must be answered with a
new
`Access-Control-Allow-External` response header. Otherwise, the request will be
cancelled.

This is still behind a runtime flag in `test` mode, but it required updating a
number of tests that were making cross-origin requests from sandboxed origins to
`127.0.0.1`. I don't expect that to be a common pattern, so adding the relevant
headers seems like a reasonable way of addressing the problem for these tests.

BUG=590714

Committed: https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123
Cr-Commit-Position: refs/heads/master@{#392048}
==========

[commit-bot: I haz the power, 2016-05-06 14:07:21]

Patchset 11 (id:??) landed as
https://crrev.com/c9f85e872f14d0e09a6677fb0703ab949e6fe123
Cr-Commit-Position: refs/heads/master@{#392048}