PlzWorker: Add the Sec-Metadata header to browser-initiated requests for shared worker scripts

This CL adss the Sec-Metadata header to browser-initiated requests for shared worker's main script. Note that the browser-initiated request (a.k.a PlzWorker) is enabled only when the NetworkService is enabled. Design doc of the PlzWorker: https://docs.google.com/document/d/1Jtn33bvqkqWxq6K7HIA4uU6HLWPTmOD7vFviacfTmhM/edit?usp=sharing Bug: 715632 Cq-Include-Trybots: luci.chromium.try:linux_mojo Change-Id: I6ecc10122bdcf36aa4a0b8d7daddb0b3475e1dff Reviewed-on: https://chromium-review.googlesource.com/1212247 Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#593832}

PlzWorker: Add the Sec-Metadata header to browser-initiated requests for shared worker scripts
This CL adss the Sec-Metadata header to browser-initiated requests for shared worker's main script. Note that the browser-initiated request (a.k.a PlzWorker) is enabled only when the NetworkService is enabled. Design doc of the PlzWorker: https://docs.google.com/document/d/1Jtn33bvqkqWxq6K7HIA4uU6HLWPTmOD7vFviacfTmhM/edit?usp=sharing Bug: 715632 Cq-Include-Trybots: luci.chromium.try:linux_mojo Change-Id: I6ecc10122bdcf36aa4a0b8d7daddb0b3475e1dff Reviewed-on: https://chromium-review.googlesource.com/1212247 Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Cr-Commit-Position: refs/heads/master@{#593832}
50eb41e9 · Hiroki Nakagawa · Commit Bot · 6a4948b1 · 50eb41e9 · 50eb41e9
Commit 50eb41e9 authored Sep 25, 2018 by Hiroki Nakagawa Committed by Commit Bot Sep 25, 2018
4 changed files
--- a/content/browser/shared_worker/shared_worker_service_impl.cc
+++ b/content/browser/shared_worker/shared_worker_service_impl.cc
@@ -41,6 +41,7 @@
 #include "content/public/browser/render_view_host.h"
 #include "content/public/common/bind_interface_helpers.h"
 #include "content/public/common/content_features.h"
+#include "content/public/common/content_switches.h"
 #include "content/public/common/renderer_preferences.h"
 #include "mojo/public/cpp/bindings/strong_associated_binding.h"
 #include "mojo/public/cpp/bindings/strong_binding.h"
@@ -363,29 +364,50 @@ void SharedWorkerServiceImpl::DestroyHost(SharedWorkerHost* host) {
 // TODO(nhiroki): Align this function with AddAdditionalRequestHeaders() in
 // navigation_request.cc, FrameFetchContext, and WorkerFetchContext.
 void SharedWorkerServiceImpl::AddAdditionalRequestHeaders(
-    net::HttpRequestHeaders* headers,
+    network::ResourceRequest* resource_request,
    BrowserContext* browser_context) {
  DCHECK(base::FeatureList::IsEnabled(network::features::kNetworkService));

+  // TODO(nhiroki): Return early when the request is neither HTTP nor HTTPS
+  // (i.e., Blob URL or Data URL). This should be checked by
+  // SchemeIsHTTPOrHTTPS(), but currently cross-origin workers on extensions
+  // are allowed and the check doesn't work well. See https://crbug.com/867302.
+
  // Set the "Accept" header.
-  headers->SetHeaderIfMissing(network::kAcceptHeader,
-                              network::kDefaultAcceptHeader);
+  resource_request->headers.SetHeaderIfMissing(network::kAcceptHeader,
+                                               network::kDefaultAcceptHeader);

  // Set the "DNT" header if necessary.
  RendererPreferences renderer_preferences;
  GetContentClient()->browser()->UpdateRendererPreferencesForWorker(
      browser_context, &renderer_preferences);
  if (renderer_preferences.enable_do_not_track)
-    headers->SetHeaderIfMissing(kDoNotTrackHeader, "1");
+    resource_request->headers.SetHeaderIfMissing(kDoNotTrackHeader, "1");

  // Set the "Save-Data" header if necessary.
  if (GetContentClient()->browser()->IsDataSaverEnabled(browser_context) &&
      !base::GetFieldTrialParamByFeatureAsBool(features::kDataSaverHoldback,
                                               "holdback_web", false)) {
-    headers->SetHeaderIfMissing("Save-Data", "on");
+    resource_request->headers.SetHeaderIfMissing("Save-Data", "on");
  }

-  // TODO(nhiroki): Set the "Sec-Metadata" header (https://crbug.com/715632).
+  // Set the "Sec-Metadata" header if necessary.
+  if (base::FeatureList::IsEnabled(features::kSecMetadata) ||
+      base::CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kEnableExperimentalWebPlatformFeatures)) {
+    // The worker's origin can be different from the constructor's origin, for
+    // example, when the worker created from the extension.
+    // TODO(hiroshige): Add DCHECK to make sure the same-originness once the
+    // cross-origin workers are deprecated (https://crbug.com/867302).
+    std::string site_value = "cross-site";
+    if (resource_request->request_initiator->IsSameOriginWith(
+            url::Origin::Create(resource_request->url))) {
+      site_value = "same-origin";
+    }
+    std::string value = base::StringPrintf(
+        "destination=\"sharedworker\", site=\"%s\"", site_value.c_str());
+    resource_request->headers.SetHeaderIfMissing("Sec-Metadata", value);
+  }
 }

 void SharedWorkerServiceImpl::CreateWorker(
@@ -439,7 +461,7 @@ void SharedWorkerServiceImpl::CreateWorker(

      auto* render_process_host = RenderProcessHost::FromID(process_id);
      DCHECK(!IsShuttingDown(render_process_host));
-      AddAdditionalRequestHeaders(&resource_request->headers,
+      AddAdditionalRequestHeaders(resource_request.get(),
                                  render_process_host->GetBrowserContext());
    }


--- a/content/browser/shared_worker/shared_worker_service_impl.h
+++ b/content/browser/shared_worker/shared_worker_service_impl.h
@@ -73,8 +73,9 @@ class CONTENT_EXPORT SharedWorkerServiceImpl : public SharedWorkerService {
  friend class SharedWorkerServiceImplTest;
  friend class SharedWorkerHostTest;

-  static void AddAdditionalRequestHeaders(net::HttpRequestHeaders* headers,
-                                          BrowserContext* browser_context);
+  static void AddAdditionalRequestHeaders(
+      network::ResourceRequest* resource_request,
+      BrowserContext* browser_context);

  void CreateWorker(
      std::unique_ptr<SharedWorkerInstance> instance,

--- a/third_party/WebKit/LayoutTests/FlagExpectations/enable-features=NetworkService
+++ b/third_party/WebKit/LayoutTests/FlagExpectations/enable-features=NetworkService
@@ -26,6 +26,3 @@ crbug.com/850689 http/tests/inspector-protocol/network/interception-set-cookie.j
 # because content_shell does not add the about: handler. With network service
 # enabled this fails in both content_shell and chrome.
 Bug(none) http/tests/misc/redirect-to-about-blank.html [ Timeout ]
-
-# PlzWorker: This is tentatively failing because of unimplemented code.
-crbug.com/715632 external/wpt/fetch/sec-metadata/sharedworker.tentative.https.sub.html [ Failure ]
--- a/third_party/WebKit/LayoutTests/virtual/outofblink-cors-ns/external/wpt/fetch/sec-metadata/sharedworker.tentative.https.sub-expected.txt
+++ b/third_party/WebKit/LayoutTests/virtual/outofblink-cors-ns/external/wpt/fetch/sec-metadata/sharedworker.tentative.https.sub-expected.txt
-This is a testharness.js-based test.
-FAIL Same-Origin sharedworker assert_not_equals: Empty Sec-Metadata header. got disallowed value ""
-Harness: the test ran to completion.
-