content/browser/android/content_url_loader_factory.cc · c6e232163d52e4334f7227ef30634b707e44a903 · eriksson monteiro / tangled

OOR-CORS: each content:// should be assumed as an opaque origin · c6e23216

Takashi Toyoshima authored Jun 18, 2020

On Android Chrome, each content:// should be assumed as an opaque
origin, and should not allow CORS-enabled requests among content://
URLs. Also content:// can not load legacy worker scripts from
content:// URLs as the mode "same-origin" is not permitted too.

TEST=./out/a/bin/run_chrome_public_test_apk -A Feature=CORS

Bug: 1092449
Change-Id: I83d15f4c1e2f2d88e219032952a7da78f470c16a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2247920
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Tommy Nyquist <nyquist@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#779596}

c6e23216

content_url_loader_factory.cc 12.9 KB

Replace content_url_loader_factory.cc