third_party/WebKit/Source/core/loader/FrameFetchContext.cpp - Issue 2474943002: doc.write intervention warning message changed to replace cross-origin with cross site (etdl+1)

Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 2474943002: doc.write intervention warning message changed to replace cross-origin with cross site (etdl+1) (Closed)

Patch Set: Bot failures fixed. Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« chrome/browser/page_load_metrics/observers/document_write_page_load_metrics_observer.cc ('K') | « third_party/WebKit/LayoutTests/http/tests/loading/doc-write-sync-third-party-script-reload-expected.txt ('k') | third_party/WebKit/public/platform/WebLoadingBehaviorFlag.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

index 6afd6a6cf5f21aeaf0b98b106cd58071c051c9f8..a20bf9178938901164dfeb3cc0dee2365f3f49ff 100644

--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

@@ -89,11 +89,12 @@ namespace blink {

namespace {

void emitWarningForDocWriteScripts(const String& url, Document& document) {

- String message = "A Parser-blocking, cross-origin script, " + url +

- ", is invoked via document.write. This may be blocked by "

- "the browser if the device has poor network connectivity. "

- "See https://www.chromestatus.com/feature/5718547946799104 "

- "for more details.";

+ String message =

+ "A Parser-blocking, cross site (i.e. different eTLD+1) script, " + url +

+ ", is invoked via document.write. This may be blocked by "

+ "the browser if the device has poor network connectivity. "

+ "See https://www.chromestatus.com/feature/5718547946799104 "

+ "for more details.";

document.addConsoleMessage(

ConsoleMessage::create(JSMessageSource, WarningMessageLevel, message));

WTFLogAlways("%s", message.utf8().data());

@@ -142,8 +143,10 @@ bool shouldDisallowFetchForMainFrameScript(ResourceRequest& request,

// are likely to be third party content.

String requestHost = request.url().host();

String documentHost = document.getSecurityOrigin()->domain();

+ bool sameSite = false;

if (requestHost == documentHost)

- return false;

+ sameSite = true;

// If the hosts didn't match, then see if the domains match. For example, if

// a script is served from static.example.com for a document served from

@@ -157,7 +160,20 @@ bool shouldDisallowFetchForMainFrameScript(ResourceRequest& request,

// get non-empty results back from getDomainAndRegistry.

if (!requestDomain.isEmpty() && !documentDomain.isEmpty() &&

requestDomain == documentDomain)

+ sameSite = true;

+ if (sameSite) {

+ // This histogram is introduced to help decide whether we should also check

+ // same scheme while deciding whether or not to block the script as is done

+ // in other cases of "same site" usage. On the other hand we do not want to

+ // block more scripts than necessary.

+ if (request.url().protocol() != document.getSecurityOrigin()->protocol()) {

+ document.loader()->didObserveLoadingBehavior(

+ WebLoadingBehaviorFlag::

+ WebLoadingBehaviorDocumentWriteBlockDifferentScheme);

+ }

return false;

+ }

emitWarningForDocWriteScripts(request.url().getString(), document);

request.setHTTPHeaderField("Intervention",