GitLab

This CL moves the inbound ("Finalize") half of Trust Tokens operation
execution before URLLoader opens its response pipe.

Requests configured for Trust Tokens operations execute outbound
("Begin") and inbound ("Finalize") halves of their Trust Tokens
operation against their request and response headers. The intended
behavior when either half fails is to fail the request altogether.
Currently, due to a bug, requests whose inbound ("Finalize") Trust
Tokens operation halves fail can still report a success to the renderer.
This is because URLLoader::OnResponseStarted opens a request's response
data pipe before executing the request's inbound Trust Tokens operation
half. Later, in URLLoader::NotifyCompleted, the loader sees that the
pipe is open and reports a completed response to the loader's client,
before seeing that there is a failure status and reporting the error.
This means that the client will always see a successful response before
sending the error; the effect of this is that fetch(..., trustToken)
will resolve with a success instead of rejecting with a DOMException in
cases where the request fails on the inbound half of its Trust Tokens
operation.

This CL fixes the issue by moving the inbound half of the Trust Tokens
operation before the data pipe is opened, so that the data pipe will not
open if the inbound half of the Trust Tokens operation fails.

Fixed: 1105696
Change-Id: Icf80e0f2d8d8231ec1c2854087c7afa023422c71
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2303677Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791396}