Add use counter for multiple origins in Timing-Allow-Origin

third_party/WebKit/Source/core/timing/PerformanceBase.cpp

Index: third_party/WebKit/Source/core/timing/PerformanceBase.cpp
diff --git a/third_party/WebKit/Source/core/timing/PerformanceBase.cpp b/third_party/WebKit/Source/core/timing/PerformanceBase.cpp
index 517acfe9e793aa08b8f2f81a4f4814dbbc55bb5e..8c9b1c5eba5af37b5f81cc1998bdcda06910fb8a 100644
--- a/third_party/WebKit/Source/core/timing/PerformanceBase.cpp
+++ b/third_party/WebKit/Source/core/timing/PerformanceBase.cpp
@@ -33,6 +33,7 @@
 
 #include "core/dom/Document.h"
 #include "core/events/Event.h"
+#include "core/frame/UseCounter.h"
 #include "core/timing/PerformanceCompositeTiming.h"
 #include "core/timing/PerformanceObserver.h"
 #include "core/timing/PerformanceRenderTiming.h"
@@ -185,7 +186,7 @@ void PerformanceBase::setFrameTimingBufferSize(unsigned size)
         dispatchEvent(Event::create(EventTypeNames::frametimingbufferfull));
 }
 
-static bool passesTimingAllowCheck(const ResourceResponse& response, const SecurityOrigin& initiatorSecurityOrigin, const AtomicString& originalTimingAllowOrigin)
+static bool passesTimingAllowCheck(const ResourceResponse& response, const SecurityOrigin& initiatorSecurityOrigin, const AtomicString& originalTimingAllowOrigin, ExecutionContext* context)
 {
     RefPtr<SecurityOrigin> resourceOrigin = SecurityOrigin::create(response.url());
     if (resourceOrigin->isSameSchemeHostPort(&initiatorSecurityOrigin))
@@ -201,6 +202,8 @@ static bool passesTimingAllowCheck(const ResourceResponse& response, const Secur
     const String& securityOrigin = initiatorSecurityOrigin.toString();
     Vector<String> timingAllowOrigins;
     timingAllowOriginString.getString().split(' ', timingAllowOrigins);
+    if (timingAllowOrigins.size() > 1)
+        UseCounter::count(context, UseCounter::MultipleOriginsInTimingAllowOrigin);

[Mike West, 2016/07/27 08:46:09]

It's probably worth adding a counter for single origins as well so that we have
a feel for how often this occurs in the context of the entirety of TAO usage.

     for (const String& allowOrigin : timingAllowOrigins) {
         if (allowOrigin == securityOrigin)
             return true;
@@ -209,13 +212,13 @@ static bool passesTimingAllowCheck(const ResourceResponse& response, const Secur
     return false;
 }
 
-static bool allowsTimingRedirect(const Vector<ResourceResponse>& redirectChain, const ResourceResponse& finalResponse, const SecurityOrigin& initiatorSecurityOrigin)
+static bool allowsTimingRedirect(const Vector<ResourceResponse>& redirectChain, const ResourceResponse& finalResponse, const SecurityOrigin& initiatorSecurityOrigin, ExecutionContext* context)
 {
-    if (!passesTimingAllowCheck(finalResponse, initiatorSecurityOrigin, AtomicString()))
+    if (!passesTimingAllowCheck(finalResponse, initiatorSecurityOrigin, AtomicString(), context))
         return false;
 
     for (const ResourceResponse& response : redirectChain) {
-        if (!passesTimingAllowCheck(response, initiatorSecurityOrigin, AtomicString()))
+        if (!passesTimingAllowCheck(response, initiatorSecurityOrigin, AtomicString(), context))
             return false;
     }
 
@@ -227,13 +230,14 @@ void PerformanceBase::addResourceTiming(const ResourceTimingInfo& info)
     if (isResourceTimingBufferFull() && !hasObserverFor(PerformanceEntry::Resource))
         return;
     SecurityOrigin* securityOrigin = nullptr;
-    if (ExecutionContext* context = getExecutionContext())
+    ExecutionContext* context = getExecutionContext();
+    if (context)
         securityOrigin = context->getSecurityOrigin();
     if (!securityOrigin)
         return;
 
     const ResourceResponse& finalResponse = info.finalResponse();
-    bool allowTimingDetails = passesTimingAllowCheck(finalResponse, *securityOrigin, info.originalTimingAllowOrigin());
+    bool allowTimingDetails = passesTimingAllowCheck(finalResponse, *securityOrigin, info.originalTimingAllowOrigin(), getExecutionContext());

[Mike West, 2016/07/27 08:46:09]

Nit: This is |context|, right?

     double startTime = info.initialTime();
 
     if (info.redirectChain().isEmpty()) {
@@ -245,7 +249,7 @@ void PerformanceBase::addResourceTiming(const ResourceTimingInfo& info)
     }
 
     const Vector<ResourceResponse>& redirectChain = info.redirectChain();
-    bool allowRedirectDetails = allowsTimingRedirect(redirectChain, finalResponse, *securityOrigin);
+    bool allowRedirectDetails = allowsTimingRedirect(redirectChain, finalResponse, *securityOrigin, context);
 
     if (!allowRedirectDetails) {
         ResourceLoadTiming* finalTiming = finalResponse.resourceLoadTiming();