Chromium Code Reviews Chromium Code Reviews
Issue 2178973002:
Add use counter for multiple origins in Timing-Allow-Origin (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2010 Google Inc. All rights reserved. | 2 * Copyright (C) 2010 Google Inc. All rights reserved. |
| 3 * Copyright (C) 2012 Intel Inc. All rights reserved. | 3 * Copyright (C) 2012 Intel Inc. All rights reserved. |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions are | 6 * modification, are permitted provided that the following conditions are |
| 7 * met: | 7 * met: |
| 8 * | 8 * |
| 9 * * Redistributions of source code must retain the above copyright | 9 * * Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | 26 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | 27 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | 28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 29 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 30 */ | 30 */ |
| 31 | 31 |
| 32 #include "core/timing/PerformanceBase.h" | 32 #include "core/timing/PerformanceBase.h" |
| 33 | 33 |
| 34 #include "core/dom/Document.h" | 34 #include "core/dom/Document.h" |
| 35 #include "core/events/Event.h" | 35 #include "core/events/Event.h" |
| 36 #include "core/frame/UseCounter.h" | |
| 36 #include "core/timing/PerformanceCompositeTiming.h" | 37 #include "core/timing/PerformanceCompositeTiming.h" |
| 37 #include "core/timing/PerformanceObserver.h" | 38 #include "core/timing/PerformanceObserver.h" |
| 38 #include "core/timing/PerformanceRenderTiming.h" | 39 #include "core/timing/PerformanceRenderTiming.h" |
| 39 #include "core/timing/PerformanceResourceTiming.h" | 40 #include "core/timing/PerformanceResourceTiming.h" |
| 40 #include "core/timing/PerformanceUserTiming.h" | 41 #include "core/timing/PerformanceUserTiming.h" |
| 41 #include "platform/network/ResourceTimingInfo.h" | 42 #include "platform/network/ResourceTimingInfo.h" |
| 42 #include "platform/weborigin/SecurityOrigin.h" | 43 #include "platform/weborigin/SecurityOrigin.h" |
| 43 #include "wtf/CurrentTime.h" | 44 #include "wtf/CurrentTime.h" |
| 44 #include <algorithm> | 45 #include <algorithm> |
| 45 | 46 |
| (...skipping 132 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 178 m_frameTimingBuffer.clear(); | 179 m_frameTimingBuffer.clear(); |
| 179 } | 180 } |
| 180 | 181 |
| 181 void PerformanceBase::setFrameTimingBufferSize(unsigned size) | 182 void PerformanceBase::setFrameTimingBufferSize(unsigned size) |
| 182 { | 183 { |
| 183 m_frameTimingBufferSize = size; | 184 m_frameTimingBufferSize = size; |
| 184 if (isFrameTimingBufferFull()) | 185 if (isFrameTimingBufferFull()) |
| 185 dispatchEvent(Event::create(EventTypeNames::frametimingbufferfull)); | 186 dispatchEvent(Event::create(EventTypeNames::frametimingbufferfull)); |
| 186 } | 187 } |
| 187 | 188 |
| 188 static bool passesTimingAllowCheck(const ResourceResponse& response, const Secur ityOrigin& initiatorSecurityOrigin, const AtomicString& originalTimingAllowOrigi n) | 189 static bool passesTimingAllowCheck(const ResourceResponse& response, const Secur ityOrigin& initiatorSecurityOrigin, const AtomicString& originalTimingAllowOrigi n, ExecutionContext* context) |
| 189 { | 190 { |
| 190 RefPtr<SecurityOrigin> resourceOrigin = SecurityOrigin::create(response.url( )); | 191 RefPtr<SecurityOrigin> resourceOrigin = SecurityOrigin::create(response.url( )); |
| 191 if (resourceOrigin->isSameSchemeHostPort(&initiatorSecurityOrigin)) | 192 if (resourceOrigin->isSameSchemeHostPort(&initiatorSecurityOrigin)) |
| 192 return true; | 193 return true; |
| 193 | 194 |
| 194 const AtomicString& timingAllowOriginString = originalTimingAllowOrigin.isEm pty() ? response.httpHeaderField(HTTPNames::Timing_Allow_Origin) : originalTimin gAllowOrigin; | 195 const AtomicString& timingAllowOriginString = originalTimingAllowOrigin.isEm pty() ? response.httpHeaderField(HTTPNames::Timing_Allow_Origin) : originalTimin gAllowOrigin; |
| 195 if (timingAllowOriginString.isEmpty() || equalIgnoringCase(timingAllowOrigin String, "null")) | 196 if (timingAllowOriginString.isEmpty() || equalIgnoringCase(timingAllowOrigin String, "null")) |
| 196 return false; | 197 return false; |
| 197 | 198 |
| 198 if (timingAllowOriginString == "*") | 199 if (timingAllowOriginString == "*") |
| 199 return true; | 200 return true; |
| 200 | 201 |
| 201 const String& securityOrigin = initiatorSecurityOrigin.toString(); | 202 const String& securityOrigin = initiatorSecurityOrigin.toString(); |
| 202 Vector<String> timingAllowOrigins; | 203 Vector<String> timingAllowOrigins; |
| 203 timingAllowOriginString.getString().split(' ', timingAllowOrigins); | 204 timingAllowOriginString.getString().split(' ', timingAllowOrigins); |
| 205 if (timingAllowOrigins.size() > 1) | |
| 206 UseCounter::count(context, UseCounter::MultipleOriginsInTimingAllowOrigi n); | |
|
Mike West
2016/07/27 08:46:09
It's probably worth adding a counter for single or
| |
| 204 for (const String& allowOrigin : timingAllowOrigins) { | 207 for (const String& allowOrigin : timingAllowOrigins) { |
| 205 if (allowOrigin == securityOrigin) | 208 if (allowOrigin == securityOrigin) |
| 206 return true; | 209 return true; |
| 207 } | 210 } |
| 208 | 211 |
| 209 return false; | 212 return false; |
| 210 } | 213 } |
| 211 | 214 |
| 212 static bool allowsTimingRedirect(const Vector<ResourceResponse>& redirectChain, const ResourceResponse& finalResponse, const SecurityOrigin& initiatorSecurityOr igin) | 215 static bool allowsTimingRedirect(const Vector<ResourceResponse>& redirectChain, const ResourceResponse& finalResponse, const SecurityOrigin& initiatorSecurityOr igin, ExecutionContext* context) |
| 213 { | 216 { |
| 214 if (!passesTimingAllowCheck(finalResponse, initiatorSecurityOrigin, AtomicSt ring())) | 217 if (!passesTimingAllowCheck(finalResponse, initiatorSecurityOrigin, AtomicSt ring(), context)) |
| 215 return false; | 218 return false; |
| 216 | 219 |
| 217 for (const ResourceResponse& response : redirectChain) { | 220 for (const ResourceResponse& response : redirectChain) { |
| 218 if (!passesTimingAllowCheck(response, initiatorSecurityOrigin, AtomicStr ing())) | 221 if (!passesTimingAllowCheck(response, initiatorSecurityOrigin, AtomicStr ing(), context)) |
| 219 return false; | 222 return false; |
| 220 } | 223 } |
| 221 | 224 |
| 222 return true; | 225 return true; |
| 223 } | 226 } |
| 224 | 227 |
| 225 void PerformanceBase::addResourceTiming(const ResourceTimingInfo& info) | 228 void PerformanceBase::addResourceTiming(const ResourceTimingInfo& info) |
| 226 { | 229 { |
| 227 if (isResourceTimingBufferFull() && !hasObserverFor(PerformanceEntry::Resour ce)) | 230 if (isResourceTimingBufferFull() && !hasObserverFor(PerformanceEntry::Resour ce)) |
| 228 return; | 231 return; |
| 229 SecurityOrigin* securityOrigin = nullptr; | 232 SecurityOrigin* securityOrigin = nullptr; |
| 230 if (ExecutionContext* context = getExecutionContext()) | 233 ExecutionContext* context = getExecutionContext(); |
| 234 if (context) | |
| 231 securityOrigin = context->getSecurityOrigin(); | 235 securityOrigin = context->getSecurityOrigin(); |
| 232 if (!securityOrigin) | 236 if (!securityOrigin) |
| 233 return; | 237 return; |
| 234 | 238 |
| 235 const ResourceResponse& finalResponse = info.finalResponse(); | 239 const ResourceResponse& finalResponse = info.finalResponse(); |
| 236 bool allowTimingDetails = passesTimingAllowCheck(finalResponse, *securityOri gin, info.originalTimingAllowOrigin()); | 240 bool allowTimingDetails = passesTimingAllowCheck(finalResponse, *securityOri gin, info.originalTimingAllowOrigin(), getExecutionContext()); |
|
Mike West
2016/07/27 08:46:09
Nit: This is |context|, right?
| |
| 237 double startTime = info.initialTime(); | 241 double startTime = info.initialTime(); |
| 238 | 242 |
| 239 if (info.redirectChain().isEmpty()) { | 243 if (info.redirectChain().isEmpty()) { |
| 240 PerformanceEntry* entry = PerformanceResourceTiming::create(info, timeOr igin(), startTime, allowTimingDetails); | 244 PerformanceEntry* entry = PerformanceResourceTiming::create(info, timeOr igin(), startTime, allowTimingDetails); |
| 241 notifyObserversOfEntry(*entry); | 245 notifyObserversOfEntry(*entry); |
| 242 if (!isResourceTimingBufferFull()) | 246 if (!isResourceTimingBufferFull()) |
| 243 addResourceTimingBuffer(*entry); | 247 addResourceTimingBuffer(*entry); |
| 244 return; | 248 return; |
| 245 } | 249 } |
| 246 | 250 |
| 247 const Vector<ResourceResponse>& redirectChain = info.redirectChain(); | 251 const Vector<ResourceResponse>& redirectChain = info.redirectChain(); |
| 248 bool allowRedirectDetails = allowsTimingRedirect(redirectChain, finalRespons e, *securityOrigin); | 252 bool allowRedirectDetails = allowsTimingRedirect(redirectChain, finalRespons e, *securityOrigin, context); |
| 249 | 253 |
| 250 if (!allowRedirectDetails) { | 254 if (!allowRedirectDetails) { |
| 251 ResourceLoadTiming* finalTiming = finalResponse.resourceLoadTiming(); | 255 ResourceLoadTiming* finalTiming = finalResponse.resourceLoadTiming(); |
| 252 ASSERT(finalTiming); | 256 ASSERT(finalTiming); |
| 253 if (finalTiming) | 257 if (finalTiming) |
| 254 startTime = finalTiming->requestTime(); | 258 startTime = finalTiming->requestTime(); |
| 255 } | 259 } |
| 256 | 260 |
| 257 ResourceLoadTiming* lastRedirectTiming = redirectChain.last().resourceLoadTi ming(); | 261 ResourceLoadTiming* lastRedirectTiming = redirectChain.last().resourceLoadTi ming(); |
| 258 ASSERT(lastRedirectTiming); | 262 ASSERT(lastRedirectTiming); |
| (...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 447 visitor->trace(m_frameTimingBuffer); | 451 visitor->trace(m_frameTimingBuffer); |
| 448 visitor->trace(m_resourceTimingBuffer); | 452 visitor->trace(m_resourceTimingBuffer); |
| 449 visitor->trace(m_userTiming); | 453 visitor->trace(m_userTiming); |
| 450 visitor->trace(m_observers); | 454 visitor->trace(m_observers); |
| 451 visitor->trace(m_activeObservers); | 455 visitor->trace(m_activeObservers); |
| 452 visitor->trace(m_suspendedObservers); | 456 visitor->trace(m_suspendedObservers); |
| 453 EventTargetWithInlineData::trace(visitor); | 457 EventTargetWithInlineData::trace(visitor); |
| 454 } | 458 } |
| 455 | 459 |
| 456 } // namespace blink | 460 } // namespace blink |
| OLD | NEW |
