Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(236)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 2918653004: Remove dup'ed code for RequestorOrigin and FirstPartyCookie (Closed)
Patch Set: . Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/renderer/fetchers/resource_fetcher_impl.cc ('K') | « content/renderer/render_frame_impl.cc ('k') | third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp » ('j') | third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index 328a07253fcd822ca3df82a0655cc305f40f15b8..cfdee68040d257ee5c4d741c89daae4f7705f177 100644
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -296,6 +296,8 @@ void FrameFetchContext::DispatchDidChangeResourcePriority(
void FrameFetchContext::PrepareRequest(ResourceRequest& request,
RedirectType redirect_type) {
+ SetFirstPartyCookieAndRequestorOrigin(request);
kinuko 2017/06/07 02:00:49 Moved here so this is also called in redirects (so
+
GetFrame()->Loader().ApplyUserAgent(request);
GetLocalFrameClient()->DispatchWillSendRequest(request);
@@ -687,8 +689,6 @@ void FrameFetchContext::PopulateResourceRequest(
const ResourceLoaderOptions& options,
SecurityViolationReportingPolicy reporting_policy,
ResourceRequest& request) {
- SetFirstPartyCookieAndRequestorOrigin(request);
-
// Before modifying the request for CSP, evaluate report-only headers. This
// allows site owners to learn about requests that are being modified
// (e.g. mixed content that is being upgraded by upgrade-insecure-requests).
@@ -703,27 +703,37 @@ void FrameFetchContext::PopulateResourceRequest(
void FrameFetchContext::SetFirstPartyCookieAndRequestorOrigin(
kinuko 2017/06/07 02:00:49 Now this does mostly same as what RenderFrameImpl:
ResourceRequest& request) {
- if (!GetDocument())
- return;
-
+ // Set the first party for cookies url if it has not been set yet (new
+ // requests). This value will be updated during redirects, consistent with
+ // https://tools.ietf.org/html/draft-west-first-party-cookies-04#section-2.1.1
Mike West 2017/06/07 06:48:44 Would you mind updating this to https://tools.ietf
kinuko 2017/06/07 06:57:49 Done.
if (request.FirstPartyForCookies().IsNull()) {
- request.SetFirstPartyForCookies(
- GetDocument() ? GetDocument()->FirstPartyForCookies()
- : SecurityOrigin::UrlWithUniqueSecurityOrigin());
+ if (request.GetFrameType() == WebURLRequest::kFrameTypeTopLevel) {
+ request.SetFirstPartyForCookies(request.Url());
+ } else {
+ // Use GetDocument() for subresource or nested frame cases,
+ // GetFrame()->GetDocument() otherwise.
+ Document* document =
+ GetDocument() ? GetDocument() : GetFrame()->GetDocument();
+ request.SetFirstPartyForCookies(document->FirstPartyForCookies());
+ }
}
- // Subresource requests inherit their requestor origin from |m_document|
- // directly. Top-level and nested frame types are taken care of in
- // 'FrameLoadRequest()'. Auxiliary frame types in 'createWindow()' and
- // 'FrameLoader::load'.
- // TODO(mkwst): It would be cleaner to adjust blink::ResourceRequest to
- // initialize itself with a `nullptr` initiator so that this can be a simple
- // `isNull()` check. https://crbug.com/625969
- if (request.GetFrameType() == WebURLRequest::kFrameTypeNone &&
- request.RequestorOrigin()->IsUnique()) {
- request.SetRequestorOrigin(GetDocument()->IsSandboxed(kSandboxOrigin)
- ? SecurityOrigin::Create(document_->Url())
- : document_->GetSecurityOrigin());
+ // Subresource requests inherit their requestor origin from |document_|
+ // directly. Top-level frame types are taken care of in 'FrameLoadRequest()'.
+ // Auxiliary frame types in 'CreateWindow()' and 'FrameLoader::Load'.
+ if (!request.RequestorOrigin()) {
+ if (request.GetFrameType() == WebURLRequest::kFrameTypeNone) {
+ Document* document = GetDocument();
+ request.SetRequestorOrigin(document->IsSandboxed(kSandboxOrigin)
+ ? SecurityOrigin::Create(document->Url())
+ : document->GetSecurityOrigin());
+ } else {
+ // Set the requestor origin to the same origin as the frame's document
+ // if it hasn't yet been set. (We may hit here for nested frames and
+ // redirect cases)
+ request.SetRequestorOrigin(
+ GetFrame()->GetDocument()->GetSecurityOrigin());
kinuko 2017/06/07 02:00:49 Wasn't bit sure if we should also check IsSandboxe
+ }
}
}
« content/renderer/fetchers/resource_fetcher_impl.cc ('K') | « content/renderer/render_frame_impl.cc ('k') | third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp » ('j') | third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698