From 0e55886d7bf05195a9e238537a67d6cbb456d4c9 Mon Sep 17 00:00:00 2001 
From: Ben Kelly Date: Thu, 28 Oct 2021 08:29:04 -0700 Subject: [PATCH] Fetch: Plumb request initiator through passthrough service workers. This CL contains essentially two changes: 1. The request initiator origin is plumbed through service workers that do `fetch(evt.request)`. In addition to plumbing, this requires changes to how we validate navigation requests in the CorsURLLoaderFactory. 2. Tracks the original destination of a request passed through a service worker. This is then used in the network service to force SameSite=Lax cookies to treat the request as a main frame navigation where appropriate. For more detailed information about these changes please see the internal design doc at: https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing In addition, there is some discussion of these features in the following spec issues: https://github.com/whatwg/fetch/issues/1321 https://github.com/whatwg/fetch/issues/1327 The test includes WPT tests that verify navigation headers and SameSite cookies. Note, chrome has a couple expected failures in the SameSite cookie tests because of the "lax-allowing-unsafe" intervention that is currently enabled. 
See: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76 Bug: 1115847,1241188 Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c --- .../navigation-headers.https.html | 558 ++++++++++++++++++ .../resources/fetch-rewrite-worker.js | 6 +- .../resources/fetch-rewrite-worker.js.headers | 2 + .../service-worker/resources/form-poster.html | 12 + .../resources/location-setter.html | 10 + .../resources/navigation-headers-server.py | 19 + .../resources/same-site-cookies-register.html | 22 + .../same-site-cookies-unregister.html | 11 + .../same-site-cookies.https.html | 215 +++++++ 9 files changed, 854 insertions(+), 1 deletion(-) create mode 100644 service-workers/service-worker/navigation-headers.https.html create mode 100644 service-workers/service-worker/resources/fetch-rewrite-worker.js.headers create mode 100644 service-workers/service-worker/resources/form-poster.html create mode 100644 service-workers/service-worker/resources/location-setter.html create mode 100644 service-workers/service-worker/resources/navigation-headers-server.py create mode 100644 service-workers/service-worker/resources/same-site-cookies-register.html create mode 100644 service-workers/service-worker/resources/same-site-cookies-unregister.html create mode 100644 service-workers/service-worker/same-site-cookies.https.html diff --git a/service-workers/service-worker/navigation-headers.https.html b/service-workers/service-worker/navigation-headers.https.html new file mode 100644 index 000000000000000..b829a59ac1327d8 --- /dev/null +++ b/service-workers/service-worker/navigation-headers.https.html @@ -0,0 +1,558 @@ + + +Service Worker: Navigation Post Request Origin Header + + + + + + + diff --git a/service-workers/service-worker/resources/fetch-rewrite-worker.js b/service-workers/service-worker/resources/fetch-rewrite-worker.js index 4631e83e0ceaab5..20a80665270ddb7 100644 
--- a/service-workers/service-worker/resources/fetch-rewrite-worker.js
+++ b/service-workers/service-worker/resources/fetch-rewrite-worker.js
@@ -90,8 +90,12 @@ self.addEventListener('fetch', function(event) {
 var request = event.request;
 if (url) {
 request = new Request(url, init);
+ } else if (params['change-request']) {
+ request = new Request(request, init);
 }
- fetch(request).then(function(response) {
+ const response_promise = params['navpreload'] ? event.preloadResponse
+ : fetch(request);
+ response_promise.then(function(response) {
 var expectedType = params['expected_type'];
 if (expectedType && response.type !== expectedType) {
 // Resolve a JSON object with a failure instead of rejecting
diff --git a/service-workers/service-worker/resources/fetch-rewrite-worker.js.headers b/service-workers/service-worker/resources/fetch-rewrite-worker.js.headers
new file mode 100644
index 000000000000000..123053b38c66a06
--- /dev/null
+++ b/service-workers/service-worker/resources/fetch-rewrite-worker.js.headers
@@ -0,0 +1,2 @@
+Content-Type: text/javascript
+Service-Worker-Allowed: /
diff --git a/service-workers/service-worker/resources/form-poster.html b/service-workers/service-worker/resources/form-poster.html
new file mode 100644
index 000000000000000..5d56fde19a8e4f0
--- /dev/null
+++ b/service-workers/service-worker/resources/form-poster.html
@@ -0,0 +1,12 @@
+
+
+
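Review bot: With `navpreload` set, `event.preloadResponse` resolves to `undefined` whenever navigation preload is not enabled for the registration or the request is not a navigation, so the `response.type` read in the callback on the following context line throws a TypeError instead of producing the diagnosable JSON failure that the existing `expected_type` branch resolves. If the worker is meant to fall back, `const responsePromise = params['navpreload'] ? event.preloadResponse.then((r) => r ?? fetch(request)) : fetch(request);` keeps the chain resolving; if an absent preload response is itself the failure, resolving that same failure object would be clearer than an uncaught rejection. The new `change-request` branch carries no comment, and a one-liner such as `// 'change-request': rebuild the request with init so the test observes how a re-created (non-original) request is handled` — assuming that is its purpose — would save readers a trip to the tests. `response_promise` also departs from the file's camelCase (`expectedType`) and mixes `const` into a `var`-style handler. The enclosing fetch listener starts and ends outside the hunk.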
+
diff --git a/service-workers/service-worker/resources/location-setter.html b/service-workers/service-worker/resources/location-setter.html
new file mode 100644
index 000000000000000..fae18e8066550ad
--- /dev/null
+++ b/service-workers/service-worker/resources/location-setter.html
@@ -0,0 +1,10 @@
+
+
+
diff --git a/service-workers/service-worker/resources/navigation-headers-server.py b/service-workers/service-worker/resources/navigation-headers-server.py
new file mode 100644
index 000000000000000..5b2e044f8b52a15
--- /dev/null
+++ b/service-workers/service-worker/resources/navigation-headers-server.py
@@ -0,0 +1,19 @@
+def main(request, response):
+ response.status = (200, b"OK")
+ response.headers.set(b"Content-Type", b"text/html")
+ return b"""
+ """ % (request.headers.get(
+ b"origin", b"not set"), request.headers.get(b"referer", b"not set"),
+ request.headers.get(b"sec-fetch-site", b"not set"),
+ request.headers.get(b"sec-fetch-mode", b"not set"),
+ request.headers.get(b"sec-fetch-dest", b"not set"))
diff --git a/service-workers/service-worker/resources/same-site-cookies-register.html b/service-workers/service-worker/resources/same-site-cookies-register.html
new file mode 100644
index 000000000000000..084f0a08a8e64c4
--- /dev/null
+++ b/service-workers/service-worker/resources/same-site-cookies-register.html
@@ -0,0 +1,22 @@
+
+
+
diff --git a/service-workers/service-worker/resources/same-site-cookies-unregister.html b/service-workers/service-worker/resources/same-site-cookies-unregister.html
new file mode 100644
index 000000000000000..cca3620b61e73c1
--- /dev/null
+++ b/service-workers/service-worker/resources/same-site-cookies-unregister.html
@@ -0,0 +1,11 @@
+
+
+
diff --git a/service-workers/service-worker/same-site-cookies.https.html b/service-workers/service-worker/same-site-cookies.https.html
new file mode 100644
index 000000000000000..54c42c84d80231c
--- /dev/null
+++ b/service-workers/service-worker/same-site-cookies.https.html
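Review bot: `main` in navigation-headers-server.py builds the HTML body by `%`-formatting five raw request header values into the response with no escaping, so whatever the client sent in Origin, Referer or the Sec-Fetch-* headers lands in the markup verbatim; the template text between `b"""` and `"""` is not visible in this rendering, so whether the values end up in text, an attribute or a script block cannot be confirmed here. Browsers set these particular headers themselves, which limits the exposure for a test fixture, but decoding each value and passing it through `html.escape()` (or emitting the five values as a JSON object the page parses) would keep the fixture safe however the template evolves. The function also lacks a docstring; `"""Reflect the navigation-related request headers (origin, referer, sec-fetch-*) back into an HTML page so the test can assert on them."""` states the contract. The fallback `b"not set"` is repeated five times and could be a single module-level constant.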
@@ -0,0 +1,215 @@
+
+
+Service Worker: Same-site cookie behavior
+
+
+
+
+
+
+
+