doc.write intervention warning message changed to replace cross-origin with cross site (etdl+1)

third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

 /*
  * Copyright (C) 2013 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 71 matching lines @@
 #include "public/platform/WebViewScheduler.h"
 #include "wtf/Vector.h"
 #include <algorithm>
 #include <memory>
 
 namespace blink {
 
 namespace {
 
 void emitWarningForDocWriteScripts(const String& url, Document& document) {
-  String message = "A Parser-blocking, cross-origin script, " + url +
-                   ", is invoked via document.write. This may be blocked by "
-                   "the browser if the device has poor network connectivity. "
-                   "See https://www.chromestatus.com/feature/5718547946799104 "
-                   "for more details.";
+  String message =
+      "A Parser-blocking, cross site (i.e. different eTLD+1) script, " + url +
+      ", is invoked via document.write. This may be blocked by "
+      "the browser if the device has poor network connectivity. "
+      "See https://www.chromestatus.com/feature/5718547946799104 "
+      "for more details.";
   document.addConsoleMessage(
       ConsoleMessage::create(JSMessageSource, WarningMessageLevel, message));
   WTFLogAlways("%s", message.utf8().data());
 }
 
 bool isConnectionEffectively2G(WebEffectiveConnectionType effectiveType) {
   switch (effectiveType) {
     case WebEffectiveConnectionType::TypeSlow2G:
     case WebEffectiveConnectionType::Type2G:
       return true;
@@ skipping 28 matching lines @@
   PerformanceMonitor::documentWriteFetchScript(&document);
 
   if (!request.url().protocolIsInHTTPFamily())
     return false;
 
   // Avoid blocking same origin scripts, as they may be used to render main
   // page content, whereas cross-origin scripts inserted via document.write
   // are likely to be third party content.
   String requestHost = request.url().host();
   String documentHost = document.getSecurityOrigin()->domain();
+
+  bool sameSite = false;
   if (requestHost == documentHost)
-    return false;
+    sameSite = true;
 
   // If the hosts didn't match, then see if the domains match. For example, if
   // a script is served from static.example.com for a document served from
   // www.example.com, we consider that a first party script and allow it.
   String requestDomain = NetworkUtils::getDomainAndRegistry(
       requestHost, NetworkUtils::IncludePrivateRegistries);
   String documentDomain = NetworkUtils::getDomainAndRegistry(
       documentHost, NetworkUtils::IncludePrivateRegistries);
   // getDomainAndRegistry will return the empty string for domains that are
   // already top-level, such as localhost. Thus we only compare domains if we
   // get non-empty results back from getDomainAndRegistry.
   if (!requestDomain.isEmpty() && !documentDomain.isEmpty() &&
       requestDomain == documentDomain)
+    sameSite = true;
+
+  if (sameSite) {
+    // This histogram is introduced to help decide whether we should also check
+    // same scheme while deciding whether or not to block the script as is done
+    // in other cases of "same site" usage. On the other hand we do not want to
+    // block more scripts than necessary.
+    if (request.url().protocol() != document.getSecurityOrigin()->protocol()) {
+      document.loader()->didObserveLoadingBehavior(
+          WebLoadingBehaviorFlag::
+              WebLoadingBehaviorDocumentWriteBlockDifferentScheme);
+    }
     return false;
+  }
 
   emitWarningForDocWriteScripts(request.url().getString(), document);
   request.setHTTPHeaderField("Intervention",
                              "<https://www.chromestatus.com/feature/"
                              "5718547946799104>; level=\"warning\"");
 
   // Do not block scripts if it is a page reload. This is to enable pages to
   // recover if blocking of a script is leading to a page break and the user
   // reloads the page.
   const FrameLoadType loadType = document.frame()->loader().loadType();
@@ skipping 887 matching lines @@
                                                     response);
 }
 
 DEFINE_TRACE(FrameFetchContext) {
   visitor->trace(m_document);
   visitor->trace(m_documentLoader);
   FetchContext::trace(visitor);
 }
 
 }  // namespace blink