third_party/WebKit/Source/core/timing/PerformanceBase.cpp - Issue 2178973002: Add use counter for multiple origins in Timing-Allow-Origin

Unified Diff: third_party/WebKit/Source/core/timing/PerformanceBase.cpp

Issue 2178973002: Add use counter for multiple origins in Timing-Allow-Origin (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Added counters Created 4 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« third_party/WebKit/Source/core/frame/UseCounter.h ('K') | « third_party/WebKit/Source/core/frame/UseCounter.h ('k') | tools/metrics/histograms/histograms.xml » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/timing/PerformanceBase.cpp

diff --git a/third_party/WebKit/Source/core/timing/PerformanceBase.cpp b/third_party/WebKit/Source/core/timing/PerformanceBase.cpp

index 517acfe9e793aa08b8f2f81a4f4814dbbc55bb5e..4bae9d3980a0ac10dc906a38c43e5055984f6ff6 100644

--- a/third_party/WebKit/Source/core/timing/PerformanceBase.cpp

+++ b/third_party/WebKit/Source/core/timing/PerformanceBase.cpp

@@ -33,6 +33,7 @@

#include "core/dom/Document.h"

#include "core/events/Event.h"

+#include "core/frame/UseCounter.h"

#include "core/timing/PerformanceCompositeTiming.h"

#include "core/timing/PerformanceObserver.h"

#include "core/timing/PerformanceRenderTiming.h"

@@ -185,7 +186,7 @@ void PerformanceBase::setFrameTimingBufferSize(unsigned size)

dispatchEvent(Event::create(EventTypeNames::frametimingbufferfull));

}

-static bool passesTimingAllowCheck(const ResourceResponse& response, const SecurityOrigin& initiatorSecurityOrigin, const AtomicString& originalTimingAllowOrigin)

+static bool passesTimingAllowCheck(const ResourceResponse& response, const SecurityOrigin& initiatorSecurityOrigin, const AtomicString& originalTimingAllowOrigin, ExecutionContext* context)

{

RefPtr<SecurityOrigin> resourceOrigin = SecurityOrigin::create(response.url());

if (resourceOrigin->isSameSchemeHostPort(&initiatorSecurityOrigin))

@@ -195,12 +196,18 @@ static bool passesTimingAllowCheck(const ResourceResponse& response, const Secur

if (timingAllowOriginString.isEmpty() || equalIgnoringCase(timingAllowOriginString, "null"))

return false;

- if (timingAllowOriginString == "*")

+ if (timingAllowOriginString == "*") {

+ UseCounter::count(context, UseCounter::StarInTimingAllowOrigin);

return true;

+ }

const String& securityOrigin = initiatorSecurityOrigin.toString();

Vector<String> timingAllowOrigins;

timingAllowOriginString.getString().split(' ', timingAllowOrigins);

+ if (timingAllowOrigins.size() > 1)

+ UseCounter::count(context, UseCounter::MultipleOriginsInTimingAllowOrigin);

+ else if (timingAllowOrigins.size() == 1)

+ UseCounter::count(context, UseCounter::SingleOriginInTimingAllowOrigin);

for (const String& allowOrigin : timingAllowOrigins) {

if (allowOrigin == securityOrigin)

return true;

@@ -209,13 +216,13 @@ static bool passesTimingAllowCheck(const ResourceResponse& response, const Secur

return false;

}

-static bool allowsTimingRedirect(const Vector<ResourceResponse>& redirectChain, const ResourceResponse& finalResponse, const SecurityOrigin& initiatorSecurityOrigin)

+static bool allowsTimingRedirect(const Vector<ResourceResponse>& redirectChain, const ResourceResponse& finalResponse, const SecurityOrigin& initiatorSecurityOrigin, ExecutionContext* context)

{

- if (!passesTimingAllowCheck(finalResponse, initiatorSecurityOrigin, AtomicString()))

+ if (!passesTimingAllowCheck(finalResponse, initiatorSecurityOrigin, AtomicString(), context))

return false;

for (const ResourceResponse& response : redirectChain) {

- if (!passesTimingAllowCheck(response, initiatorSecurityOrigin, AtomicString()))

+ if (!passesTimingAllowCheck(response, initiatorSecurityOrigin, AtomicString(), context))

return false;

}

@@ -227,13 +234,14 @@ void PerformanceBase::addResourceTiming(const ResourceTimingInfo& info)

if (isResourceTimingBufferFull() && !hasObserverFor(PerformanceEntry::Resource))

return;

SecurityOrigin* securityOrigin = nullptr;

- if (ExecutionContext* context = getExecutionContext())

+ ExecutionContext* context = getExecutionContext();

+ if (context)

securityOrigin = context->getSecurityOrigin();

if (!securityOrigin)

return;

const ResourceResponse& finalResponse = info.finalResponse();

- bool allowTimingDetails = passesTimingAllowCheck(finalResponse, *securityOrigin, info.originalTimingAllowOrigin());

+ bool allowTimingDetails = passesTimingAllowCheck(finalResponse, *securityOrigin, info.originalTimingAllowOrigin(), getExecutionContext());

double startTime = info.initialTime();

if (info.redirectChain().isEmpty()) {

@@ -245,7 +253,7 @@ void PerformanceBase::addResourceTiming(const ResourceTimingInfo& info)

}

const Vector<ResourceResponse>& redirectChain = info.redirectChain();

- bool allowRedirectDetails = allowsTimingRedirect(redirectChain, finalResponse, *securityOrigin);

+ bool allowRedirectDetails = allowsTimingRedirect(redirectChain, finalResponse, *securityOrigin, context);

if (!allowRedirectDetails) {

ResourceLoadTiming* finalTiming = finalResponse.resourceLoadTiming();