OOR-CORS: serialize local file initiators to 'null' for CORS check

The code, url::Origin, that new CORS implementation relies on serializes local file initiators to 'file://' rather than 'null'. This results in CORS check failures even if the server allows 'null' origin to access. Bug: 825567 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo Change-Id: Icb387b6df6e1e6574ff90cad61f53400092cbcb3 Reviewed-on: https://chromium-review.googlesource.com/983276 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#546777}

OOR-CORS: serialize local file initiators to 'null' for CORS check
The code, url::Origin, that new CORS implementation relies on serializes local file initiators to 'file://' rather than 'null'. This results in CORS check failures even if the server allows 'null' origin to access. Bug: 825567 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo Change-Id: Icb387b6df6e1e6574ff90cad61f53400092cbcb3 Reviewed-on: https://chromium-review.googlesource.com/983276 Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#546777}
d5e1f8bf · Takashi Toyoshima · Commit Bot · 2ad71d13 · d5e1f8bf · d5e1f8bf
Commit d5e1f8bf authored Mar 29, 2018 by Takashi Toyoshima Committed by Commit Bot Mar 29, 2018
4 changed files
--- a/services/network/public/cpp/cors/cors.cc
+++ b/services/network/public/cpp/cors/cors.cc
@@ -12,6 +12,7 @@
 #include "net/http/http_request_headers.h"
 #include "url/gurl.h"
 #include "url/origin.h"
+#include "url/url_constants.h"
 #include "url/url_util.h"

 namespace {
@@ -40,6 +41,18 @@ std::string ExtractMIMETypeFromMediaType(const std::string& media_type) {
  return std::string();
 }

+// url::Origin::Serialize() serializes all Origins with a 'file' scheme to
+// 'file://', but it isn't desirable for CORS check. Returns 'null' instead to
+// be aligned with HTTP Origin header calculation in Blink SecurityOrigin.
+// |allow_file_origin| is used to realize a behavior change that
+// the --allow-file-access-from-files command-line flag needs.
+// TODO(mkwst): Generalize and move to url/Origin.
+std::string Serialize(const url::Origin& origin, bool allow_file_origin) {
+  if (!allow_file_origin && origin.scheme() == url::kFileScheme)
+    return "null";
+  return origin.Serialize();
+}
+
 }  // namespace

 namespace network {
@@ -64,7 +77,8 @@ base::Optional<mojom::CORSError> CheckAccess(
    const base::Optional<std::string>& allow_origin_header,
    const base::Optional<std::string>& allow_credentials_header,
    mojom::FetchCredentialsMode credentials_mode,
-    const url::Origin& origin) {
+    const url::Origin& origin,
+    bool allow_file_origin) {
  if (!response_status_code)
    return mojom::CORSError::kInvalidResponse;

@@ -84,7 +98,7 @@ base::Optional<mojom::CORSError> CheckAccess(
      return mojom::CORSError::kWildcardOriginNotAllowed;
  } else if (!allow_origin_header) {
    return mojom::CORSError::kMissingAllowOriginHeader;
-  } else if (*allow_origin_header != origin.Serialize()) {
+  } else if (*allow_origin_header != Serialize(origin, allow_file_origin)) {
    // We do not use url::Origin::IsSameOriginWith() here for two reasons below.
    //  1. Allow "null" to match here. The latest spec does not have a clear
    //     information about this (https://fetch.spec.whatwg.org/#cors-check),

--- a/services/network/public/cpp/cors/cors.h
+++ b/services/network/public/cpp/cors/cors.h
@@ -44,7 +44,8 @@ base::Optional<mojom::CORSError> CheckAccess(
    const base::Optional<std::string>& allow_origin_header,
    const base::Optional<std::string>& allow_credentials_header,
    network::mojom::FetchCredentialsMode credentials_mode,
-    const url::Origin& origin);
+    const url::Origin& origin,
+    bool allow_file_origin = false);

 // Given a redirected-to URL, checks if the location is allowed
 // according to CORS. That is:

--- a/services/network/public/cpp/cors/cors_url_loader.cc
+++ b/services/network/public/cpp/cors/cors_url_loader.cc
@@ -132,6 +132,7 @@ void CORSURLLoader::OnReceiveResponse(
  DCHECK(forwarding_client_);
  DCHECK(!is_waiting_follow_redirect_call_);
  if (fetch_cors_flag_ && cors::IsCORSEnabledRequestMode(fetch_request_mode_)) {
+    // TODO(toyoshim): Reflect --allow-file-access-from-files flag.
    base::Optional<mojom::CORSError> cors_error = cors::CheckAccess(
        last_response_url_, response_head.headers->response_code(),
        GetHeaderString(response_head.headers,

--- a/third_party/WebKit/Source/platform/loader/cors/CORS.cpp
+++ b/third_party/WebKit/Source/platform/loader/cors/CORS.cpp
@@ -74,12 +74,15 @@ WTF::Optional<network::mojom::CORSError> CheckAccess(
    const HTTPHeaderMap& response_header,
    network::mojom::FetchCredentialsMode credentials_mode,
    const SecurityOrigin& origin) {
+  std::unique_ptr<SecurityOrigin::PrivilegeData> privilege =
+      origin.CreatePrivilegeData();
  return network::cors::CheckAccess(
      response_url, response_status_code,
      GetHeaderValue(response_header, HTTPNames::Access_Control_Allow_Origin),
      GetHeaderValue(response_header,
                     HTTPNames::Access_Control_Allow_Credentials),
-      credentials_mode, origin.ToUrlOrigin());
+      credentials_mode, origin.ToUrlOrigin(),
+      !privilege->block_local_access_from_local_origin_);
 }

 WTF::Optional<network::mojom::CORSError> CheckRedirectLocation(