OOR-CORS: Add kWebViewOriginCheckForStreamReader as a kill-switch

This patch adds a new WebView specific base::Feature to control newly introduced origin checks to reduce unexpected compatibility breakages. Bug: 1096677 Change-Id: I28c9fadc6ee5ce0f06017c4977358a3566d6c159 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2265709 Commit-Queue: Richard Coles <torne@chromium.org> Reviewed-by: Richard Coles <torne@chromium.org> Auto-Submit: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#784021}

OOR-CORS: Add kWebViewOriginCheckForStreamReader as a kill-switch
This patch adds a new WebView specific base::Feature to control newly introduced origin checks to reduce unexpected compatibility breakages. Bug: 1096677 Change-Id: I28c9fadc6ee5ce0f06017c4977358a3566d6c159 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2265709 Commit-Queue: Richard Coles <torne@chromium.org> Reviewed-by: Richard Coles <torne@chromium.org> Auto-Submit: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#784021}
e21eb00e · Takashi Toyoshima · Commit Bot · 4592c8fb · e21eb00e · e21eb00e
Commit e21eb00e authored Jun 30, 2020 by Takashi Toyoshima Committed by Commit Bot Jun 30, 2020
4 changed files
--- a/android_webview/browser/network_service/android_stream_reader_url_loader.cc
+++ b/android_webview/browser/network_service/android_stream_reader_url_loader.cc
@@ -153,8 +153,11 @@ void AndroidStreamReaderURLLoader::ResumeReadingBodyFromNet() {}
 void AndroidStreamReaderURLLoader::Start() {
  DCHECK(thread_checker_.CalledOnValidThread());

-  if (reject_cors_request_ && response_head_->response_type ==
-                                  network::mojom::FetchResponseType::kCors) {
+  if (base::FeatureList::IsEnabled(
+          features::kWebViewOriginCheckForStreamReader) &&
+      reject_cors_request_ &&
+      response_head_->response_type ==
+          network::mojom::FetchResponseType::kCors) {
    RequestCompleteWithStatus(
        network::URLLoaderCompletionStatus(network::CorsErrorStatus(
            network::mojom::CorsError::kCorsDisabledScheme)));

--- a/android_webview/common/aw_features.cc
+++ b/android_webview/common/aw_features.cc
@@ -23,6 +23,10 @@ const base::Feature kWebViewConnectionlessSafeBrowsing{
 const base::Feature kWebViewExtraHeadersSameOriginOnly{
    "WebViewExtraHeadersSameOriginOnly", base::FEATURE_DISABLED_BY_DEFAULT};

+// Activate compatible origin checks for AndroidStreamReaderURLLoader.
+const base::Feature kWebViewOriginCheckForStreamReader{
+    "WebViewOriginCheckForStreamReader", base::FEATURE_DISABLED_BY_DEFAULT};
+
 // Sniff the content stream to guess the MIME type when the application doesn't
 // tell us the MIME type explicitly.
 //

--- a/android_webview/common/aw_features.h
+++ b/android_webview/common/aw_features.h
@@ -17,6 +17,7 @@ namespace features {
 extern const base::Feature kWebViewBrotliSupport;
 extern const base::Feature kWebViewConnectionlessSafeBrowsing;
 extern const base::Feature kWebViewExtraHeadersSameOriginOnly;
+extern const base::Feature kWebViewOriginCheckForStreamReader;
 extern const base::Feature kWebViewSniffMimeType;
 extern const base::Feature kWebViewTestFeature;
 extern const base::Feature kWebViewWideColorGamutSupport;

--- a/android_webview/javatests/src/org/chromium/android_webview/test/AwSettingsTest.java
+++ b/android_webview/javatests/src/org/chromium/android_webview/test/AwSettingsTest.java
@@ -70,7 +70,8 @@ import java.util.regex.Pattern;
 * application
 */
 @RunWith(AwJUnit4ClassRunner.class)
-@CommandLineFlags.Add({ContentSwitches.HOST_RESOLVER_RULES + "=MAP * 127.0.0.1"})
+@CommandLineFlags.Add({ContentSwitches.HOST_RESOLVER_RULES + "=MAP * 127.0.0.1",
+        "enable-features=WebViewOriginCheckForStreamReader"})
 public class AwSettingsTest {
    @Rule
    public AwActivityTestRule mActivityTestRule =