Skip self-referential frame checks for POST requests.

Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

Note that this only checks whether the current request is a POST, not
whether the ancestor frames were also loaded via POSTs.  The only case
where the latter would matter is if we've got two ancestors frames at
a same URL, with one or both of them loaded via POST, and the current
frame is loading that same URL via GET, which seems very unlikely to
happen in practice.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2814413003
Cr-Commit-Position: refs/heads/master@{#464556}
Committed: https://chromium.googlesource.com/chromium/src/+/e49d7dfd68361fcdd6b83bb696fc475276afae8f

[alexmos, 2017-04-13 17:27:35]

Description was changed from

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

BUG=710008
==========

to

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

[alexmos, 2017-04-13 17:27:38]

The CQ bit was checked by alexmos@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-04-13 17:28:41]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[alexmos, 2017-04-13 18:04:11]

Description was changed from

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

Note that this only checks whether the current request is a POST, not
whether the ancestor frames were also loaded via POSTs.  The only case
where the latter would matter is if we've got two ancestors frames at
a same URL, with one or both of them loaded via POST, and the current
frame is loading that same URL via GET, which seems very unlikely to
happen in practice.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

[alexmos, 2017-04-13 18:33:17]

alexmos@chromium.org changed reviewers:
+ dcheng@chromium.org

[alexmos, 2017-04-13 18:33:17]

Daniel, can you please take a look?

[commit-bot: I haz the power, 2017-04-13 18:37:48]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-04-13 18:37:49]

Dry run: This issue passed the CQ dry run.

[alexmos, 2017-04-13 21:18:05]

Description was changed from

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

Note that this only checks whether the current request is a POST, not
whether the ancestor frames were also loaded via POSTs.  The only case
where the latter would matter is if we've got two ancestors frames at
a same URL, with one or both of them loaded via POST, and the current
frame is loading that same URL via GET, which seems very unlikely to
happen in practice.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Relax self-referential frame checks for non-initial navigations.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, and potentially other
breakage from the tightened check, only enforce self-referential URL
checks for the initial load in a frame.  There's no way for a frame's
first committed URL to be a POST, so this fix handles POST requests
automatically.  It also more closely matches the old Blink check (that
was moved to browser process in r450728), which was only enforced on
initial navigation during frame creation and on changes to an iframe's
"src" attribute (the latter bit is lost with this more conservative
check).

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

[alexmos, 2017-04-13 21:20:49]

Description was changed from

==========
Relax self-referential frame checks for non-initial navigations.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, and potentially other
breakage from the tightened check, only enforce self-referential URL
checks for the initial load in a frame.  There's no way for a frame's
first committed URL to be a POST, so this fix handles POST requests
automatically.  It also more closely matches the old Blink check (that
was moved to browser process in r450728), which was only enforced on
initial navigation during frame creation and on changes to an iframe's
"src" attribute (the latter bit is lost with this more conservative
check).

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

Note that this only checks whether the current request is a POST, not
whether the ancestor frames were also loaded via POSTs.  The only case
where the latter would matter is if we've got two ancestors frames at
a same URL, with one or both of them loaded via POST, and the current
frame is loading that same URL via GET, which seems very unlikely to
happen in practice.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

[dcheng, 2017-04-13 21:29:07]

LGTM

[alexmos, 2017-04-13 21:32:14]

Thanks!  For reference, Daniel and I discussed another approach of only
enforcing the self-referential checks for initial navigations in frames, and I
implemented it in https://codereview.chromium.org/2815413002.  We decided to go
with this approach for now, but the other CL might be something to consider if
there is more fallout from the tightened self-ref checks.

[alexmos, 2017-04-13 21:32:20]

The CQ bit was checked by alexmos@chromium.org

[commit-bot: I haz the power, 2017-04-13 21:33:59]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-04-13 21:46:41]

CQ is committing da patch.

Bot data: {"patchset_id": 1, "attempt_start_ts": 1492119140765760, "parent_rev":
"09670a9d1f03c414f8b7bb67c4bd27ccf46a84e1", "commit_rev":
"e49d7dfd68361fcdd6b83bb696fc475276afae8f"}

[commit-bot: I haz the power, 2017-04-13 21:47:37]

Description was changed from

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

Note that this only checks whether the current request is a POST, not
whether the ancestor frames were also loaded via POSTs.  The only case
where the latter would matter is if we've got two ancestors frames at
a same URL, with one or both of them loaded via POST, and the current
frame is loading that same URL via GET, which seems very unlikely to
happen in practice.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
==========

to

==========
Skip self-referential frame checks for POST requests.

The improved self-referential frame blocking in r450728 broke sites
that rely on constructing frame hierarchies where frames are loaded
via POSTs with the same URLs.  To fix this, skip POST requests in
self-referential URL checks.

Note that this only checks whether the current request is a POST, not
whether the ancestor frames were also loaded via POSTs.  The only case
where the latter would matter is if we've got two ancestors frames at
a same URL, with one or both of them loaded via POST, and the current
frame is loading that same URL via GET, which seems very unlikely to
happen in practice.

BUG=710008
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2814413003
Cr-Commit-Position: refs/heads/master@{#464556}
Committed:
https://chromium.googlesource.com/chromium/src/+/e49d7dfd68361fcdd6b83bb696fc...
==========

[commit-bot: I haz the power, 2017-04-13 21:47:39]

Committed patchset #1 (id:1) as
https://chromium.googlesource.com/chromium/src/+/e49d7dfd68361fcdd6b83bb696fc...