Commit c964dd7e authored by Lukasz Anforowicz's avatar Lukasz Anforowicz Committed by Commit Bot

Ignore browser-inititated requests in Cross-Origin-Resource-Policy.

Fixed: 1141158
Change-Id: Iae559652ee39fb2f63c8658e5cfdf8e199df149d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2521229
Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: default avatarNasko Oskov <nasko@chromium.org>
Reviewed-by: default avatarYutaka Hirano <yhirano@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#826445}
parent 4cce2b83
......@@ -23,10 +23,12 @@
#include "base/threading/thread_task_runner_handle.h"
#include "build/build_config.h"
#include "content/browser/site_instance_impl.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/browser_task_traits.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/navigation_entry.h"
#include "content/public/browser/render_view_host.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/browser/web_contents.h"
#include "content/public/common/content_features.h"
#include "content/public/common/content_switches.h"
......@@ -1617,4 +1619,17 @@ IN_PROC_BROWSER_TEST_F(CrossSiteDocumentBlockingIsolatedOriginTest,
EXPECT_TRUE(was_blocked);
}
IN_PROC_BROWSER_TEST_F(ContentBrowserTest, CorpVsBrowserInitiatedRequest) {
ASSERT_TRUE(embedded_test_server()->Start());
GURL test_url =
embedded_test_server()->GetURL("/site_isolation/png-corp.png");
BrowserContext* browser_context =
shell()->web_contents()->GetBrowserContext();
StoragePartition* partition =
BrowserContext::GetDefaultStoragePartition(browser_context);
ASSERT_EQ(net::OK,
LoadBasicRequest(partition->GetNetworkContext(), test_url));
}
} // namespace content
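Review bot: CorpVsBrowserInitiatedRequest asserts only `net::OK` and does not say what makes the request browser-initiated or why the PNG would otherwise be blocked, so it reads as a plain load test. A comment above the `LoadBasicRequest` call would help, for example `// png-corp.png is expected to carry a Cross-Origin-Resource-Policy header; the request below has no |request_initiator|.` (both facts are inferred from the file name and the commit title, not visible in the hunk). A companion assertion that a cross-origin request with an initiator for the same URL is still blocked would show that the exemption is limited to the no-initiator case, unless an existing test in this file already covers it.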
......@@ -1173,6 +1173,8 @@ TEST_F(NetworkServiceTestWithService, SetNetworkConditions) {
ResourceRequest request;
request.url = test_server()->GetURL("/nocache.html");
request.request_initiator =
url::Origin::Create(GURL("https://initiator.example.com"));
request.method = "GET";
StartLoadingURL(request, 0);
......
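Review bot: The added `request.request_initiator` assignment in SetNetworkConditions carries no explanation, so a later cleanup could remove it as unneeded test setup. A one-line comment such as `// Set an initiator so the request is not treated as browser-initiated.` would record the intent; that reason is inferred from the rest of this commit, not from the hunk. The test body starts before and ends after the visible lines.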
......@@ -145,6 +145,18 @@ base::Optional<mojom::BlockedByResponseReason> IsBlockedInternal(
mojom::RequestMode request_mode,
base::Optional<url::Origin> request_initiator_origin_lock,
mojom::CrossOriginEmbedderPolicyValue embedder_policy) {
// Browser-initiated requests are not subject to Cross-Origin-Resource-Policy.
if (!request_initiator.has_value()) {
// The DCHECK further confirm that this is a browser-initiated request.
// Note also CorsURLLoaderFactory::IsValidRequest which rejects
// renderer-initiated requests without a |request_initiator| and/or without
// a |request_initiator_origin_lock| via
// InitiatorLockCompatibility::kNoInitiator and
// InitiatorLockCompatibility::kNoLock cases.
DCHECK(!request_initiator_origin_lock.has_value());
return base::nullopt;
}
// COEP https://mikewest.github.io/corpp/#corp-check
bool upgrade_to_same_origin = false;
if ((policy == CrossOriginResourcePolicy::kNoHeader ||
......
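Review bot: The early `return base::nullopt` in IsBlockedInternal exempts a request from Cross-Origin-Resource-Policy whenever `request_initiator` is empty, and the only local guard is a `DCHECK`, which is compiled out of builds that do not enable DCHECKs. In those builds the exemption rests entirely on the `CorsURLLoaderFactory::IsValidRequest` rejection that the comment names, which is outside this hunk. The comment should say so directly, e.g. `// Without DCHECKs this relies on CorsURLLoaderFactory::IsValidRequest having rejected renderer requests that lack an initiator.`, and "The DCHECK further confirm" should read "confirms". The function starts before the hunk and continues after it.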
......@@ -134,10 +134,6 @@ struct URLRequest {
// |request_initiator| indicates the origin initiating the resource request.
//
// |request_initiator| can be null for browser-initiated requests (e.g.
// navigations initiated via omnibox or bookmarks, internal subresource
// requests like fetching the SafeBrowsing data, etc.).
//
// For all requests initiated via web (both subresource requests and
// navigations), |request_initiator| should always be set to the origin of
// the frame (or worker) that has initiated the request. This is true even
......@@ -147,6 +143,14 @@ struct URLRequest {
// process on behalf of a web origin (e.g. as is the case for PaymentRequest
// API).
//
// |request_initiator| should be omitted (i.e. set to base::nullopt) for
// browser-initiated requests (e.g. navigations initiated via omnibox or
// bookmarks, internal subresource requests like fetching the SafeBrowsing
// data, etc.). Various security features may treat browser-initiated
// requests in a special way - for example in such requests 1) the special
// `Sec-Fetch-Site: none` request header is sent, 2) http responses are not
// blocked based on their Cross-Origin-Resource-Policy header, etc.
//
// SECURITY NOTE: Factories with |process_id| set to |kBrowserProcessId| do
// not enforce |request_initiator_origin_lock| and instead rely on the
// factory user to ensure that a valid, non-nullopt |request_initiator| is
......
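Review bot: The new paragraph on `request_initiator` lists the special treatment of browser-initiated requests but not the consequence for callers: leaving the field empty on a request that is actually made for web content now also skips Cross-Origin-Resource-Policy blocking. A closing sentence such as `// Requests made on behalf of a web origin must therefore always set |request_initiator|.` would state that next to the list. The SECURITY NOTE that follows appears to address browser-process factories, but its text continues outside the hunk.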