Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2360753002:
Cross-origin https->https pings should omit Ping-From header (Closed)
|
Created:
4 years, 3 months ago by Nate Chapin Modified:
4 years, 2 months ago CC:
blink-reviews, chromium-reviews, gavinp+loader_chromium.org, Nate Chapin, loading-reviews_chromium.org, tyoshino+watch_chromium.org Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionCross-origin https->https pings should omit Ping-From header
https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing
part 4 states that a Ping-From header should only be sent
for same origin requests or if the document containing the
hyperlink is unencrypted.
I think this was regressed accidentally in https://trac.webkit.org/changeset/91306
BUG=637459
TEST=PingLoaderTest.HTTPSToHTTPS
Committed: https://crrev.com/4d0b173423eb7a234d237fad04829ed0dd660820
Cr-Commit-Position: refs/heads/master@{#421277}
Patch Set 1 #
Total comments: 5
Patch Set 2 : More tests #
Messages
Total messages: 24 (16 generated)
The CQ bit was checked by japhet@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Description was changed from ========== Cross-origin https->https pings should omit Ping-From header BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ========== to ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I haven't been able to hunt down exactly went the spec changed, but it was at least a year ago. BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ==========
Description was changed from ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I haven't been able to hunt down exactly went the spec changed, but it was at least a year ago. BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ========== to ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I haven't been able to hunt down exactly went the spec changed, but it was at least a year ago. BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ==========
japhet@chromium.org changed reviewers: + mkwst@chromium.org
https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/loader/PingLoader.cpp (right): https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/loader/PingLoader.cpp:448: if (!pingURL.protocolIsInHTTPFamily()) I don't think this is explicitly enforced anywhere else. Relevant spec change: https://github.com/whatwg/html/pull/1110/commits/66a87bf027d2055369381dbecd00...
Description was changed from ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I haven't been able to hunt down exactly went the spec changed, but it was at least a year ago. BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ========== to ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I think this was regressed accidentally in https://trac.webkit.org/changeset/91306 BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ==========
mkwst@chromium.org changed reviewers: + jochen@chromium.org
+Jochen for the referrer policy question. https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/loader/PingLoader.cpp (right): https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/loader/PingLoader.cpp:448: if (!pingURL.protocolIsInHTTPFamily()) On 2016/09/21 at 23:14:19, Nate Chapin wrote: > I don't think this is explicitly enforced anywhere else. Relevant spec change: https://github.com/whatwg/html/pull/1110/commits/66a87bf027d2055369381dbecd00... Can you add a test for this as well? https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/loader/PingLoaderTest.cpp (right): https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/loader/PingLoaderTest.cpp:56: EXPECT_EQ(String(), pingRequest.httpHeaderField("Ping-From")); 1. Can you copy/paste a HTTP->HTTPS test as well? 2. Does `ping-from` need to understand the page's referrer policy? /cc jochen@.
On 2016/09/26 at 07:50:30, mkwst wrote: > +Jochen for the referrer policy question. > > 2. Does `ping-from` need to understand the page's referrer policy? /cc jochen@. no
https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/loader/PingLoader.cpp (right): https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/loader/PingLoader.cpp:448: if (!pingURL.protocolIsInHTTPFamily()) On 2016/09/26 07:50:30, Mike West (OOO until 26th) wrote: > On 2016/09/21 at 23:14:19, Nate Chapin wrote: > > I don't think this is explicitly enforced anywhere else. Relevant spec change: > https://github.com/whatwg/html/pull/1110/commits/66a87bf027d2055369381dbecd00... > > Can you add a test for this as well? Done. https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/loader/PingLoaderTest.cpp (right): https://codereview.chromium.org/2360753002/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/loader/PingLoaderTest.cpp:56: EXPECT_EQ(String(), pingRequest.httpHeaderField("Ping-From")); On 2016/09/26 07:50:30, Mike West (OOO until 26th) wrote: > 1. Can you copy/paste a HTTP->HTTPS test as well? > > 2. Does `ping-from` need to understand the page's referrer policy? /cc jochen@. 1. Done. 2. What jochen said.
The CQ bit was checked by japhet@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
LGTM. I'll argue with Jochen in https://github.com/w3c/webappsec-referrer-policy/issues/70, but that's not something you need to address in this patch. :)
The CQ bit was checked by japhet@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Description was changed from ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I think this was regressed accidentally in https://trac.webkit.org/changeset/91306 BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ========== to ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I think this was regressed accidentally in https://trac.webkit.org/changeset/91306 BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ==========
Message was sent while issue was closed.
Committed patchset #2 (id:20001)
Message was sent while issue was closed.
Description was changed from ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I think this was regressed accidentally in https://trac.webkit.org/changeset/91306 BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS ========== to ========== Cross-origin https->https pings should omit Ping-From header https://html.spec.whatwg.org/multipage/semantics.html#hyperlink-auditing part 4 states that a Ping-From header should only be sent for same origin requests or if the document containing the hyperlink is unencrypted. I think this was regressed accidentally in https://trac.webkit.org/changeset/91306 BUG=637459 TEST=PingLoaderTest.HTTPSToHTTPS Committed: https://crrev.com/4d0b173423eb7a234d237fad04829ed0dd660820 Cr-Commit-Position: refs/heads/master@{#421277} ==========
Message was sent while issue was closed.
Patchset 2 (id:??) landed as https://crrev.com/4d0b173423eb7a234d237fad04829ed0dd660820 Cr-Commit-Position: refs/heads/master@{#421277} |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
