Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(298)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 2474943002: doc.write intervention warning message changed to replace cross-origin with cross site (etdl+1) (Closed)
Patch Set: Added a helper function Created 3 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/loading/doc-write-sync-third-party-script-reload-expected.txt ('k') | third_party/WebKit/public/platform/WebLoadingBehaviorFlag.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index 6afd6a6cf5f21aeaf0b98b106cd58071c051c9f8..a20bf9178938901164dfeb3cc0dee2365f3f49ff 100644
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -89,11 +89,12 @@ namespace blink {
namespace {
void emitWarningForDocWriteScripts(const String& url, Document& document) {
- String message = "A Parser-blocking, cross-origin script, " + url +
- ", is invoked via document.write. This may be blocked by "
- "the browser if the device has poor network connectivity. "
- "See https://www.chromestatus.com/feature/5718547946799104 "
- "for more details.";
+ String message =
+ "A Parser-blocking, cross site (i.e. different eTLD+1) script, " + url +
+ ", is invoked via document.write. This may be blocked by "
+ "the browser if the device has poor network connectivity. "
+ "See https://www.chromestatus.com/feature/5718547946799104 "
+ "for more details.";
document.addConsoleMessage(
ConsoleMessage::create(JSMessageSource, WarningMessageLevel, message));
WTFLogAlways("%s", message.utf8().data());
@@ -142,8 +143,10 @@ bool shouldDisallowFetchForMainFrameScript(ResourceRequest& request,
// are likely to be third party content.
String requestHost = request.url().host();
String documentHost = document.getSecurityOrigin()->domain();
+
+ bool sameSite = false;
if (requestHost == documentHost)
- return false;
+ sameSite = true;
// If the hosts didn't match, then see if the domains match. For example, if
// a script is served from static.example.com for a document served from
@@ -157,7 +160,20 @@ bool shouldDisallowFetchForMainFrameScript(ResourceRequest& request,
// get non-empty results back from getDomainAndRegistry.
if (!requestDomain.isEmpty() && !documentDomain.isEmpty() &&
requestDomain == documentDomain)
+ sameSite = true;
+
+ if (sameSite) {
+ // This histogram is introduced to help decide whether we should also check
+ // same scheme while deciding whether or not to block the script as is done
+ // in other cases of "same site" usage. On the other hand we do not want to
+ // block more scripts than necessary.
+ if (request.url().protocol() != document.getSecurityOrigin()->protocol()) {
+ document.loader()->didObserveLoadingBehavior(
+ WebLoadingBehaviorFlag::
+ WebLoadingBehaviorDocumentWriteBlockDifferentScheme);
+ }
return false;
+ }
emitWarningForDocWriteScripts(request.url().getString(), document);
request.setHTTPHeaderField("Intervention",
« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/loading/doc-write-sync-third-party-script-reload-expected.txt ('k') | third_party/WebKit/public/platform/WebLoadingBehaviorFlag.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698