Expose and check origin of request in response for foreign fetch.

third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp

Index: third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp
diff --git a/third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp b/third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp
index a707f7165010cdc194065fac50be487dee8002c9..8cdedbdf4b7521c5ac8ca9f968a5095784103728 100644
--- a/third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp
+++ b/third_party/WebKit/Source/modules/serviceworkers/ForeignFetchRespondWithObserver.cpp
@@ -8,9 +8,9 @@
 
 namespace blink {
 
-ForeignFetchRespondWithObserver* ForeignFetchRespondWithObserver::create(ExecutionContext* context, int eventID, const KURL& requestURL, WebURLRequest::FetchRequestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::RequestContext requestContext)
+ForeignFetchRespondWithObserver* ForeignFetchRespondWithObserver::create(ExecutionContext* context, int eventID, const KURL& requestURL, WebURLRequest::FetchRequestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::RequestContext requestContext, PassRefPtr<SecurityOrigin> requestOrigin)
 {
-    return new ForeignFetchRespondWithObserver(context, eventID, requestURL, requestMode, frameType, requestContext);
+    return new ForeignFetchRespondWithObserver(context, eventID, requestURL, requestMode, frameType, requestContext, requestOrigin);
 }
 
 void ForeignFetchRespondWithObserver::responseWasFulfilled(const ScriptValue& value)
@@ -23,13 +23,36 @@ void ForeignFetchRespondWithObserver::responseWasFulfilled(const ScriptValue& va
         return;
     }
 
-    // TODO(mek): Handle foreign fetch specific response parameters.
     Response* response = foreignFetchResponse.response();
+    const FetchResponseData* internalResponse = response->response();
+    const bool isOpaque = internalResponse->getType() == FetchResponseData::OpaqueType || internalResponse->getType() == FetchResponseData::OpaqueRedirectType;
+    if (internalResponse->getType() != FetchResponseData::DefaultType)
+        internalResponse = internalResponse->internalResponse();
+
+    if (!foreignFetchResponse.hasOrigin()) {
+        if (foreignFetchResponse.hasHeaders() && !foreignFetchResponse.headers().isEmpty()) {
+            responseWasRejected(WebServiceWorkerResponseErrorForeignFetchHeadersWithoutOrigin);
+            return;
+        }
+
+        // If response isn't already opaque, make it opaque.
+        if (!isOpaque) {
+            FetchResponseData* opaqueData = internalResponse->createOpaqueFilteredResponse();
+            response = Response::create(getExecutionContext(), opaqueData);
+        }
+    } else if (m_requestOrigin->toString() != foreignFetchResponse.origin()) {

[Nate Chapin, 2016/05/17 17:39:22]

I don't know the spec well enough to know exactly which check you want here, but
I'm pretty sure the canonical way to do an origin check is with a function on
SecurityOrigin, rather than via direct string compare. Maybe
SecurityOrigin::isSameSchemeHostPort?

[Marijn Kruisselbrink, 2016/05/17 17:43:16]

I actually had that check first (and then realized that the comment for
isSameSchemeHostPort is wrong and there isn't currently a isSameOrigin
equivalent method at all). But more importantly, the way regular CORS checks if
an origin received in a Access-Control-Allow-Origin header is valid is by
comparing the serialized origins, rather than comparing the origins themselves.
And this code is very similar to CORS so it makes sense to do the same thing
here.

I don't know exactly why the fetch/cors spec (and the blink implementation of
CORS) were written this way (where it matters is with what happens with unique
origins; which are serialized as "null" and then always compare as equal with
eachoterh), but for now this is definitely the correct check, and consistent
with our CORS implementation.

+        responseWasRejected(WebServiceWorkerResponseErrorForeignFetchMismatchedOrigin);
+        return;
+    } else if (!isOpaque) {
+        // TODO(mek): Handle |headers| response attribute, and properly filter response.
+    }
+
     RespondWithObserver::responseWasFulfilled(ScriptValue::from(value.getScriptState(), response));
 }
 
-ForeignFetchRespondWithObserver::ForeignFetchRespondWithObserver(ExecutionContext* context, int eventID, const KURL& requestURL, WebURLRequest::FetchRequestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::RequestContext requestContext)
+ForeignFetchRespondWithObserver::ForeignFetchRespondWithObserver(ExecutionContext* context, int eventID, const KURL& requestURL, WebURLRequest::FetchRequestMode requestMode, WebURLRequest::FrameType frameType, WebURLRequest::RequestContext requestContext, PassRefPtr<SecurityOrigin> requestOrigin)
     : RespondWithObserver(context, eventID, requestURL, requestMode, frameType, requestContext)
+    , m_requestOrigin(requestOrigin)
 {
 }