Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2020313002:
Verify the order of RawResourceClient callbacks in DocumentThreadableLoader (Closed)
|
Created:
4 years, 6 months ago by hiroshige Modified:
4 years, 4 months ago CC:
chromium-reviews, tyoshino+watch_chromium.org, loading-reviews_chromium.org, gavinp+loader_chromium.org, blink-reviews, loading-reviews+fetch_chromium.org Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionVerify the order of RawResourceClient callbacks in DocumentThreadableLoader
The errors in the order of RawResourceClient callbacks potentially leads to
CORS bypassing, especially in DocumentThreadableLoader.
This CL introduces RawResourceClientStateChecker to check the order of
RawResourceClient callbacks, assuming that the RawResourceClient is added
to at most one RawResource, and applies it to DocumentThreadableLoader.
BUG=633696, 640291
Committed: https://crrev.com/48136fcd4b053686ce2f1f98e64b00a064907ec4
Cr-Commit-Position: refs/heads/master@{#413990}
Patch Set 1 #Patch Set 2 : #
Total comments: 6
Patch Set 3 : Reflect comments #Patch Set 4 : Rebase. #Patch Set 5 : Fix rebase error and update TODO comment #
Messages
Total messages: 48 (22 generated)
The CQ bit was checked by hiroshige@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2020313002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2020313002/1
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: cast_shell_linux on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
The CQ bit was checked by hiroshige@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/2020313002/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/2020313002/20001
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
hiroshige@chromium.org changed reviewers: + yhirano@chromium.org
I think it is important to check that ThreadableLoader's responseReceived() is always called before dataReceived() (see Issue 612132), so this CL adds assertions for that. Not only the responseReceived() and dataReceived(), I think it is good to check all RawResourceClient overrides in DocumentThreadableLoader. I also think it is good to check ResourceClient's callback order in general, but I'm not sure how to implement it, so I implemented this as ThreadableLoader-specific for now. - ResourceClients are not yet moved to the Oilpan heap. - A ResourceClient can be added to multiple Resources in general. If a ResourceClient is only added to at most one Resource (e.g. ResourceOwner), RawResourceClientStateChecker can be applied as-is. But I'm not sure ResourceOwner should remain after ResourceClient is moved on-heap, and skipping checks on ResourceClients added to multiple Resources might look incomplete. Alternatively, we can implement RawResourceClientStateChecker so that the client can be added to multiple Resources, e.g. by adding HashMap<Resource*, State> (not sure about the correct type though) or HashMap<unsigned long /* identifier */, State>. WDYT?
Description was changed from ========== Verify the order of RawResourceClient callbacks by RawResourceClientStateChecker BUG= ========== to ========== Verify the order of RawResourceClient callbacks by RawResourceClientStateChecker BUG=612132 ==========
https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/core/fetch/RawResource.h (right): https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/fetch/RawResource.h:147: class CORE_EXPORT RawResourceClientStateChecker { +final https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/fetch/RawResource.h:153: void willAddClient(); I'm a bit concerned about the case when DocumentThreadableLoader is a subclass of ResourceOwner<RawResource>. In that case ResourceOwner::setResource adds the client to a Resource without notifying DocumentThreadableLoader (Currently no one outside of the class calls setResource but we will not be able to forbid it). Does that mean DocumentThreadableLoader will never be able to be a subclass of ResourceOwner?
https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/core/fetch/RawResource.h (right): https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/fetch/RawResource.h:153: void willAddClient(); On 2016/06/03 07:25:13, yhirano wrote: > I'm a bit concerned about the case when DocumentThreadableLoader is a subclass > of ResourceOwner<RawResource>. In that case ResourceOwner::setResource adds the > client to a Resource without notifying DocumentThreadableLoader (Currently no > one outside of the class calls setResource but we will not be able to forbid > it). > > Does that mean DocumentThreadableLoader will never be able to be a subclass of > ResourceOwner? ResourceOwner::setResource() is |protected|. Doesn't it prevent setResource() calls from outside DocumentThreadableLoader?
https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/core/fetch/RawResource.h (right): https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/fetch/RawResource.h:153: void willAddClient(); On 2016/06/03 09:58:38, hiroshige (slow) wrote: > On 2016/06/03 07:25:13, yhirano wrote: > > I'm a bit concerned about the case when DocumentThreadableLoader is a subclass > > of ResourceOwner<RawResource>. In that case ResourceOwner::setResource adds > the > > client to a Resource without notifying DocumentThreadableLoader (Currently no > > one outside of the class calls setResource but we will not be able to forbid > > it). > > > > Does that mean DocumentThreadableLoader will never be able to be a subclass of > > ResourceOwner? > > ResourceOwner::setResource() is |protected|. > Doesn't it prevent setResource() calls from outside DocumentThreadableLoader? I didn't notice that, thank you. But ResourceOwner may call removeClient(self) in the prefinalizer step, so can you remove the assertion from the destructor?
PTAL. https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/core/fetch/RawResource.h (right): https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/fetch/RawResource.h:147: class CORE_EXPORT RawResourceClientStateChecker { On 2016/06/03 07:25:13, yhirano wrote: > +final Done. https://codereview.chromium.org/2020313002/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/core/fetch/RawResource.h:153: void willAddClient(); On 2016/06/07 05:18:25, yhirano wrote: > On 2016/06/03 09:58:38, hiroshige (slow) wrote: > > On 2016/06/03 07:25:13, yhirano wrote: > > > I'm a bit concerned about the case when DocumentThreadableLoader is a > subclass > > > of ResourceOwner<RawResource>. In that case ResourceOwner::setResource adds > > the > > > client to a Resource without notifying DocumentThreadableLoader (Currently > no > > > one outside of the class calls setResource but we will not be able to forbid > > > it). > > > > > > Does that mean DocumentThreadableLoader will never be able to be a subclass > of > > > ResourceOwner? > > > > ResourceOwner::setResource() is |protected|. > > Doesn't it prevent setResource() calls from outside DocumentThreadableLoader? > > I didn't notice that, thank you. > But ResourceOwner may call removeClient(self) in the prefinalizer step, so can > you remove the assertion from the destructor? Done.
The CQ bit was checked by hiroshige@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
hiroshige@chromium.org changed reviewers: + japhet@chromium.org
+japhet@, could you also take a look as a core/fetch OWNER?
On 2016/08/04 15:34:10, hiroshige wrote:
> +japhet@, could you also take a look as a core/fetch OWNER?
I'm curious, why isn't this entirely in DocumentThreadableLoader? There aren't
actually any changes to RawResource here, and DocumentThreadableLoader is the
only RawResourceClient that is implementing the state checks, so it feels weird
to put the state machine in RawResource.{h,cpp}.
On 2016/08/04 16:46:16, Nate Chapin wrote:
> On 2016/08/04 15:34:10, hiroshige wrote:
> > +japhet@, could you also take a look as a core/fetch OWNER?
>
> I'm curious, why isn't this entirely in DocumentThreadableLoader? There aren't
> actually any changes to RawResource here, and DocumentThreadableLoader is the
> only RawResourceClient that is implementing the state checks, so it feels
weird
> to put the state machine in RawResource.{h,cpp}.
For generality, I'd like to apply RawResourceClientStateChecker (or similar
checker) to all RawResourceClient or ResourceOwner.
But because callback order errors in DocumentThreadableLoader are especially
critical because it directly results in CORS bypassing security bugs, I applied
it first to DocumentThreadableLoader only in this CL.
Description was changed from ========== Verify the order of RawResourceClient callbacks by RawResourceClientStateChecker BUG=612132 ========== to ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=612132 ==========
On 2016/08/05 05:11:37, hiroshige wrote:
> On 2016/08/04 16:46:16, Nate Chapin wrote:
> > On 2016/08/04 15:34:10, hiroshige wrote:
> > > +japhet@, could you also take a look as a core/fetch OWNER?
> >
> > I'm curious, why isn't this entirely in DocumentThreadableLoader? There
aren't
> > actually any changes to RawResource here, and DocumentThreadableLoader is
the
> > only RawResourceClient that is implementing the state checks, so it feels
> weird
> > to put the state machine in RawResource.{h,cpp}.
>
> For generality, I'd like to apply RawResourceClientStateChecker (or similar
> checker) to all RawResourceClient or ResourceOwner.
> But because callback order errors in DocumentThreadableLoader are especially
> critical because it directly results in CORS bypassing security bugs, I
applied
> it first to DocumentThreadableLoader only in this CL.
Updated the CL description.
> For generality, I'd like to apply RawResourceClientStateChecker (or similar > checker) to all RawResourceClient or ResourceOwner. > But because callback order errors in DocumentThreadableLoader are especially > critical because it directly results in CORS bypassing security bugs, I applied > it first to DocumentThreadableLoader only in this CL. Do you have a concrete plan? I'm planning to removing setClient and related functions from DocumentThreadableLoader by making DocumentThreadableLoader inherit ResourceOwner<RawResource>, but this change makes it impossible.
On 2016/08/08 08:59:08, yhirano wrote: > > For generality, I'd like to apply RawResourceClientStateChecker (or similar > > checker) to all RawResourceClient or ResourceOwner. > > But because callback order errors in DocumentThreadableLoader are especially > > critical because it directly results in CORS bypassing security bugs, I > applied > > it first to DocumentThreadableLoader only in this CL. > > Do you have a concrete plan? Not yet. > I'm planning to removing setClient and related > functions from DocumentThreadableLoader by making DocumentThreadableLoader > inherit ResourceOwner<RawResource>, but this change makes it impossible. Then, how about applying this kind of check to ResourceOwner<RawResource>? I found your change is already landed so I'll rebase.
On 2016/08/08 09:12:55, hiroshige wrote: > On 2016/08/08 08:59:08, yhirano wrote: > > > For generality, I'd like to apply RawResourceClientStateChecker (or similar > > > checker) to all RawResourceClient or ResourceOwner. > > > But because callback order errors in DocumentThreadableLoader are especially > > > critical because it directly results in CORS bypassing security bugs, I > > applied > > > it first to DocumentThreadableLoader only in this CL. > > > > Do you have a concrete plan? > Not yet. > > > I'm planning to removing setClient and related > > functions from DocumentThreadableLoader by making DocumentThreadableLoader > > inherit ResourceOwner<RawResource>, but this change makes it impossible. > Then, how about applying this kind of check to ResourceOwner<RawResource>? I hope that ResourceOwner<T> is defined uniformally (it's not now). > I found your change is already landed so I'll rebase. I've reverted the CL for some reason. It's OK to cancel the plan to make DocumentThreadableLoader inherit ResourceOwner<RawResource>, but in that case please update the TODO comment.
On 2016/08/08 09:22:36, yhirano wrote: > On 2016/08/08 09:12:55, hiroshige wrote: > > On 2016/08/08 08:59:08, yhirano wrote: > > > > For generality, I'd like to apply RawResourceClientStateChecker (or > similar > > > > checker) to all RawResourceClient or ResourceOwner. > > > > But because callback order errors in DocumentThreadableLoader are > especially > > > > critical because it directly results in CORS bypassing security bugs, I > > > applied > > > > it first to DocumentThreadableLoader only in this CL. > > > > > > Do you have a concrete plan? > > Not yet. > > > > > I'm planning to removing setClient and related > > > functions from DocumentThreadableLoader by making DocumentThreadableLoader > > > inherit ResourceOwner<RawResource>, but this change makes it impossible. > > Then, how about applying this kind of check to ResourceOwner<RawResource>? > I hope that ResourceOwner<T> is defined uniformally (it's not now). > > > I found your change is already landed so I'll rebase. > I've reverted the CL for some reason. > > It's OK to cancel the plan to make DocumentThreadableLoader inherit > ResourceOwner<RawResource>, but in that case please update the TODO comment. Hmm. How about 1. landing this CL on canary as-is (i.e. while it is blocking making DocumentThreadableLoader to be a ResourceOwner subclass) 2. landing [1] and merging it to stable 3. reverting this CL or refactoring it so that DocumentThreadableLoader can be a ResourceOwner. 4. relanding your CLs. because I'd like to check [1] is not violating the assertions in this CL before merging [1] to stable. [1] https://codereview.chromium.org/2210473002/
lgtm
japhet@, could you take a look?
japhet@, friendly ping.
Patchset #4 (id:60001) has been deleted
lgtm
Description was changed from ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=612132 ========== to ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=612132, 633696 ==========
Description was changed from ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=612132, 633696 ========== to ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=612132, 633696, 640291 ==========
Description was changed from ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=612132, 633696, 640291 ========== to ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=633696, 640291 ==========
The CQ bit was checked by hiroshige@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from yhirano@chromium.org, japhet@chromium.org Link to the patchset: https://codereview.chromium.org/2020313002/#ps100001 (title: "Fix rebase error and update TODO comment")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: win_chromium_rel_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)
The CQ bit was checked by hiroshige@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Description was changed from ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=633696, 640291 ========== to ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=633696, 640291 ==========
Message was sent while issue was closed.
Committed patchset #5 (id:100001)
Message was sent while issue was closed.
Description was changed from ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=633696, 640291 ========== to ========== Verify the order of RawResourceClient callbacks in DocumentThreadableLoader The errors in the order of RawResourceClient callbacks potentially leads to CORS bypassing, especially in DocumentThreadableLoader. This CL introduces RawResourceClientStateChecker to check the order of RawResourceClient callbacks, assuming that the RawResourceClient is added to at most one RawResource, and applies it to DocumentThreadableLoader. BUG=633696, 640291 Committed: https://crrev.com/48136fcd4b053686ce2f1f98e64b00a064907ec4 Cr-Commit-Position: refs/heads/master@{#413990} ==========
Message was sent while issue was closed.
Patchset 5 (id:??) landed as https://crrev.com/48136fcd4b053686ce2f1f98e64b00a064907ec4 Cr-Commit-Position: refs/heads/master@{#413990} |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
