Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(628)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1801513003: Cross origin requests to same origin should match

Created:
4 years, 9 months ago by Yoav Weiss
Modified:
4 years, 9 months ago
Reviewers:
Nate Chapin
CC:
chromium-reviews, tyoshino+watch_chromium.org, gavinp+prerender_chromium.org, blink-reviews-html_chromium.org, loading-reviews_chromium.org, dglazkov+blink, gavinp+loader_chromium.org, blink-reviews, loading-reviews+fetch_chromium.org, kinuko+watch
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Cross origin requests to same origin should match Preloaded CORS mode requests (e.g. preloaded fonts) to same-origin should match regardless of their 'crossorigin' attribute. This CL makes sure they do. Spec discussion: https://github.com/w3c/preload/issues/32 BUG=595148

Patch Set 1 #

Patch Set 2 : Fixed failing tests #

Patch Set 3 : Fixed failing CORS tests #

Total comments: 6
Unified diffs Side-by-side diffs Delta from patch set Stats (+71 lines, -51 lines) Patch
M third_party/WebKit/LayoutTests/http/tests/preload/download_resources.html View 1 chunk +1 line, -1 line 0 comments Download
M third_party/WebKit/LayoutTests/http/tests/preload/onerror_event.html View 1 chunk +1 line, -1 line 0 comments Download
M third_party/WebKit/LayoutTests/http/tests/preload/onload_event.html View 1 chunk +1 line, -1 line 0 comments Download
M third_party/WebKit/LayoutTests/http/tests/preload/single_download_preload.html View 3 chunks +10 lines, -4 lines 0 comments Download
M third_party/WebKit/Source/core/core.gypi View 1 1 chunk +1 line, -0 lines 0 comments Download
M third_party/WebKit/Source/core/css/CSSImageSetValue.cpp View 1 1 chunk +1 line, -2 lines 0 comments Download
M third_party/WebKit/Source/core/css/CSSImageValue.cpp View 1 1 chunk +1 line, -2 lines 0 comments Download
M third_party/WebKit/Source/core/dom/ScriptLoader.cpp View 1 1 chunk +1 line, -2 lines 0 comments Download
M third_party/WebKit/Source/core/fetch/FetchRequest.cpp View 1 2 1 chunk +12 lines, -11 lines 2 comments Download
M third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h View 1 7 chunks +13 lines, -13 lines 2 comments Download
A third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.cpp View 1 2 1 chunk +21 lines, -0 lines 2 comments Download
M third_party/WebKit/Source/core/html/HTMLLinkElement.cpp View 1 1 chunk +2 lines, -3 lines 0 comments Download
M third_party/WebKit/Source/core/html/parser/PreloadRequest.cpp View 1 1 chunk +1 line, -2 lines 0 comments Download
M third_party/WebKit/Source/core/loader/ImageLoader.cpp View 1 1 chunk +1 line, -2 lines 0 comments Download
M third_party/WebKit/Source/core/loader/LinkLoader.cpp View 1 2 chunks +2 lines, -4 lines 0 comments Download
M third_party/WebKit/Source/core/loader/TextTrackLoader.cpp View 1 1 chunk +2 lines, -3 lines 0 comments Download

Messages

Total messages: 8 (3 generated)
Yoav Weiss
Hey Nate! Can you take a look?
4 years, 9 months ago (2016-03-15 23:21:57 UTC) #4
Nate Chapin
https://codereview.chromium.org/1801513003/diff/40001/third_party/WebKit/Source/core/fetch/FetchRequest.cpp File third_party/WebKit/Source/core/fetch/FetchRequest.cpp (right): https://codereview.chromium.org/1801513003/diff/40001/third_party/WebKit/Source/core/fetch/FetchRequest.cpp#newcode81 third_party/WebKit/Source/core/fetch/FetchRequest.cpp:81: m_options.sameOrigin = isSameOriginRequest ? IsSameOrigin : NotSameOrigin; Instead of ...
4 years, 9 months ago (2016-03-17 22:58:18 UTC) #5
Yoav Weiss
I'm no longer 100% sure that this approach is the right one, as the test ...
4 years, 9 months ago (2016-03-18 07:53:14 UTC) #6
Nate Chapin
On 2016/03/18 07:53:14, Yoav Weiss wrote: > I'm no longer 100% sure that this approach ...
4 years, 9 months ago (2016-03-18 20:01:22 UTC) #7
Yoav Weiss
4 years, 9 months ago (2016-03-21 17:55:11 UTC) #8 
On 2016/03/18 20:01:22, Nate Chapin wrote:
> On 2016/03/18 07:53:14, Yoav Weiss wrote:
> > I'm no longer 100% sure that this approach is the right one, as the test
> > failures seem legit and point to a problem with this approach and redirects.
> > 
> > If I understand correctly, when two same origin requests are requested, one
> with
> > corsEnabled and one without, we can reuse the requests *unless* the response
> is
> > a redirect to a different origin. In order to resolve that, we would need to
> add
> > hook that verify cors state upon redirect requests as well. Is Blink aware
of
> > redirects in such a scenario?
> 
> ResourceFetcher::willFollowRedirect() has a call to
> CrossOriginAccessControl::handleRedirect(). Blink definitely gets
notifications
> for redirects (except for sync requests), and it looks like we do at least
some
> CORS handling then.
>

Looked into that, and it seems like willFollowRedirect enables you to return
false, 
which cancels the request.

However for our scenario where we have 2 requests with different corsEnabled,
we'd have to hook up a mechanism here that enables the use of the response in
the non-CORS request, but forces a second fetch for the CORS request in this
scenario.

I'm not sure that the win of removing the "crossorigin" attribute requirement
for same origin are worth the complexity of such a mechanism. WDYT?

Powered by Google App Engine
This is Rietveld 408576698