third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-get-expected.txt - Issue 2225383003: Origin header should be preserved in http requests made via OpenURL code path.

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-get-expected.txt

Issue 2225383003: Origin header should be preserved in http requests made via OpenURL code path. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-get.html ('k') | third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post.html » ('j') | third_party/WebKit/LayoutTests/http/tests/navigation/form-targets-cross-site-frame-post.html » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 Test field:	1 Test field:

2	2

3	3

4 --------	4 --------

5 Frame: 'cross-site-frame'	5 Frame: 'cross-site-frame'

6 --------	6 --------

7 This page was requested with the HTTP method GET.	7 This page was requested with the HTTP method GET.

8	8

9 Parameters:	9 Parameters:

10	10

11 test-field = test-value	11 test-field = test-value

	12 Http headers:

	13

	14 HTTP_CONNECTION = keep-alive

	15 HTTP_HOST = localhost:8000

	16 HTTP_REFERER = http://127.0.0.1:8000/navigation/form-targets-cross-site-frame-ge t.html

	17 HTTP_UPGRADE_INSECURE_REQUESTS = 1
	Łukasz Anforowicz 2016/08/09 17:55:51 Interestingly, there is no HTTP_ORIGIN header here Interestingly, there is no HTTP_ORIGIN header here. This is surprising, because AFAICT the CORS spec doesn't call for a different behavior between POST and GET (and this testcase is the same as form-targets-cross-site-frame-post.html, except that this testcase uses GET method). See also https://crbug.com/635400#c13. jww 2016/08/09 22:38:22 The Origin header is defined by the Web Origin Con Show quoted text On 2016/08/09 17:55:51, Łukasz (OOO until Aug the 8th) wrote: > Interestingly, there is no HTTP_ORIGIN header here. This is surprising, because > AFAICT the CORS spec doesn't call for a different behavior between POST and GET > (and this testcase is the same as form-targets-cross-site-frame-post.html, > except that this testcase uses GET method). See also > https://crbug.com/635400#c13. The Origin header is defined by the Web Origin Concept spec, and it is pretty specific that the Origin header is optional for all HTTP requests: https://tools.ietf.org/html/rfc6454#page-13 This, I believe, is because the origin idea of the Origin header was that it was for CSRF, which means it's only technically a concern on POST request, and the CORS bits are a later addition. I'll look into what the actually CORS requirements are separately. Łukasz Anforowicz 2016/08/10 00:03:19 Thanks for the explanation. I feel much better ab Show quoted text On 2016/08/09 22:38:22, jww wrote: > On 2016/08/09 17:55:51, Łukasz (OOO until Aug the 8th) wrote: > > Interestingly, there is no HTTP_ORIGIN header here. This is surprising, > because > > AFAICT the CORS spec doesn't call for a different behavior between POST and > GET > > (and this testcase is the same as form-targets-cross-site-frame-post.html, > > except that this testcase uses GET method). See also > > https://crbug.com/635400#c13. > > The Origin header is defined by the Web Origin Concept spec, and it is pretty > specific that the Origin header is optional for all HTTP requests: > https://tools.ietf.org/html/rfc6454#page-13 This, I believe, is because the > origin idea of the Origin header was that it was for CSRF, which means it's only > technically a concern on POST request, and the CORS bits are a later addition. > I'll look into what the actually CORS requirements are separately. Thanks for the explanation. I feel much better about the GET-vs-POST difference knowing now that 1) Origin header is not necessarily/always tied with CORS protocol and 2) that (as pointed out by mmenke@ in https://crbug.com/635400#c18) the Fetch spec asks for Origin header in POST but not in GET requests (https://fetch.spec.whatwg.org/#origin-header). jww 2016/08/10 00:44:52 As mentioned on the bug, the Fetch spec is the def Show quoted text On 2016/08/10 00:03:19, Łukasz Anforowicz wrote: > On 2016/08/09 22:38:22, jww wrote: > > On 2016/08/09 17:55:51, Łukasz (OOO until Aug the 8th) wrote: > > > Interestingly, there is no HTTP_ORIGIN header here. This is surprising, > > because > > > AFAICT the CORS spec doesn't call for a different behavior between POST and > > GET > > > (and this testcase is the same as form-targets-cross-site-frame-post.html, > > > except that this testcase uses GET method). See also > > > https://crbug.com/635400#c13. > > > > The Origin header is defined by the Web Origin Concept spec, and it is pretty > > specific that the Origin header is optional for all HTTP requests: > > https://tools.ietf.org/html/rfc6454#page-13 This, I believe, is because the > > origin idea of the Origin header was that it was for CSRF, which means it's > only > > technically a concern on POST request, and the CORS bits are a later addition. > > I'll look into what the actually CORS requirements are separately. > > Thanks for the explanation. I feel much better about the GET-vs-POST difference > knowing now that 1) Origin header is not necessarily/always tied with CORS > protocol and 2) that (as pointed out by mmenke@ in https://crbug.com/635400#c18) > the Fetch spec asks for Origin header in POST but not in GET requests > (https://fetch.spec.whatwg.org/#origin-header). As mentioned on the bug, the Fetch spec is the definitive guide to the Origin header these days, but I wanted to point out that old RFC to give context for why it originally was created.
OLD	NEW