CREDENTIAL: Credentials should be submitted within a registrable domain.

The current code checks for an exact origin match when creating a Request. That doesn't match the specification; see step 3.1 of https://w3c.github.io/webappsec-credential-management/#body-extraction. BUG=606788 Review URL: https://codereview.chromium.org/1918253002 Cr-Commit-Position: refs/heads/master@{#389858}

CREDENTIAL: Credentials should be submitted within a registrable domain.
The current code checks for an exact origin match when creating a Request. That doesn't match the specification; see step 3.1 of https://w3c.github.io/webappsec-credential-management/#body-extraction. BUG=606788 Review URL: https://codereview.chromium.org/1918253002 Cr-Commit-Position: refs/heads/master@{#389858}
6036e62a · mkwst · Commit bot · 8fc656b6 · 6036e62a · 6036e62a
Commit 6036e62a authored Apr 26, 2016 by mkwst Committed by Commit bot Apr 26, 2016
3 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-fetch-registrabledomain.html
+++ b/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-fetch-registrabledomain.html
+<!DOCTYPE html>
+<title>Credential Manager: PasswordCredential same-registrable-domain fetching.</title>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<script>
+// Move to a subdomain of `example.test` for testing:
+if (document.location.hostname == "127.0.0.1") {
+    document.location.hostname = "subdomain.example.test";
+} else {
+    var c = new PasswordCredential({
+        id: 'id',
+        password: 'pencil',
+        name: 'name',
+        iconURL: 'https://example.com/icon.png'
+    });
+
+    promise_test(function() {
+        var r1 = new Request('./resources/echo-post.php', { credentials: c, method: "POST" });
+        return fetch(r1)
+            .then(resp => resp.json())
+            .then(j => {
+                assert_equals(j.username, 'id');
+                assert_equals(j.password, 'pencil');
+            });
+    }, "Same-origin fetch.");
+
+    promise_test(function() {
+        var r1 = new Request('http://example.test:8000/credentialmanager/resources/echo-post.php', { credentials: c, method: "POST" });
+        return fetch(r1)
+            .then(resp => resp.json())
+            .then(j => {
+                assert_equals(j.username, 'id');
+                assert_equals(j.password, 'pencil');
+            });
+    }, "Fetch from `subdomain.example.test` => `example.test`.");
+
+    promise_test(function() {
+        var r1 = new Request('http://other.example.test:8000/credentialmanager/resources/echo-post.php', { credentials: c, method: "POST" });
+        return fetch(r1)
+            .then(resp => resp.json())
+            .then(j => {
+                assert_equals(j.username, 'id');
+                assert_equals(j.password, 'pencil');
+            });
+    }, "Fetch from `subdomain.example.test` => `other.example.test`.");
+
+    promise_test(function() {
+        var r1 = new Request('http://other.subdomain.example.test:8000/credentialmanager/resources/echo-post.php', { credentials: c, method: "POST" });
+        return fetch(r1)
+            .then(resp => resp.json())
+            .then(j => {
+                assert_equals(j.username, 'id');
+                assert_equals(j.password, 'pencil');
+            });
+    }, "Fetch from `subdomain.example.test` => `other.subdomain.example.test`.");
+}
+</script>
+
+
--- a/third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/echo-post.php
+++ b/third_party/WebKit/LayoutTests/http/tests/credentialmanager/resources/echo-post.php
 <?php
+    $request_origin_value = $_SERVER["HTTP_ORIGIN"];
+    if (!is_null($request_origin_value)) {
+        header("Access-Control-Allow-Origin: $request_origin_value");
+        header("Access-Control-Allow-Credentials: true");
+        header("Access-Control-Allow-Methods: GET,POST,OPTIONS");
+    }
    echo json_encode($_POST);
 ?>
--- a/third_party/WebKit/Source/modules/fetch/Request.cpp
+++ b/third_party/WebKit/Source/modules/fetch/Request.cpp
@@ -19,6 +19,7 @@
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/network/HTTPParsers.h"
 #include "platform/network/ResourceRequest.h"
+#include "platform/weborigin/OriginAccessEntry.h"
 #include "platform/weborigin/Referrer.h"
 #include "public/platform/WebURLRequest.h"
 #include "public/platform/modules/serviceworker/WebServiceWorkerRequest.h"
@@ -326,9 +327,9 @@ Request* Request::createRequestWithRequestOrString(ScriptState* scriptState, Req
    if (request->credentials() == WebURLRequest::FetchCredentialsModePassword) {
        r->getHeaders()->append(HTTPNames::Content_Type, init.contentType, exceptionState);

-        // TODO(mkwst): This should be a registrable-domain match.
-        if (!origin->canRequest(r->url())) {
-            exceptionState.throwTypeError("Credentials may only be submitted to same-origin endpoints.");
+        const OriginAccessEntry accessEntry = OriginAccessEntry(r->url().protocol(), r->url().host(), OriginAccessEntry::AllowRegisterableDomains);
+        if (accessEntry.matchesDomain(*origin) == OriginAccessEntry::DoesNotMatchOrigin) {
+            exceptionState.throwTypeError("Credentials may only be submitted to endpoints on the same registrable domain.");
            return nullptr;
        }
    }