Request constructor should propagate origin internal field #1321
Comments
So given #1327 (comment) do we want to propagate "origin" or "site for cookies"? Because it seems that otherwise the service worker might still select the wrong cookies.
Well, I'm not sure if "site for cookies" is adequate to populate I guess what you are saying is if we have A frames B1 and then B1 navigates to B2, then SameSite=strict cookies should not be sent for the B2 request. I guess we would need to propagate "site for cookies" as well. I'm not sure how hard that would be implementation-wise, though.
Right, if we care enough about the CSRF angle to propagate origin (and top-level?), we also need ancestor information.
Well, at least for my example I don't think it would matter. If A frames B1 and B1 navigates to B2, then B2 has the same ancestor chain. So once service workers are partitioned and set its site for cookies based on the partition key the effect would be the same. I guess propagating site for cookies would still be relevant for cases where B1 does window.open() to B2. Do we allow frames to create popups like that?
Ah right, we discussed that. Though it would mean that "site for cookies" would be a mix between the request authority and the service worker authority, which is somewhat weird. Frames can create such popups, yes. So that indicates that the weird thing is probably bad.
I don't see any information on request representing "site for cookies" right now. Does that exist? Are SameSite cookies not integrated in fetch spec yet? Maybe we should fork "site for cookies" propagation out into a separate issue. |
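
The cases raised in the comments above (a popup opened cross-site, and A framing B1 which navigates to B2), worked through a simplified model of SameSite cookie selection when a service worker does `fetch(evt.request)`. This is an added example, not code from the thread participants, the Fetch spec or Chromium; the hosts `a.example` and `b.example`, the function names, the `propagateInitiator` / `trackOriginalDestination` options and the "site = scheme + hostname" shortcut are all assumptions made for illustration.

```javascript
// Simplified model of SameSite cookie selection (illustrative only).
// Assumption: a "site" is scheme + hostname; real browsers use the registrable domain.
const site = (url) => {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
};
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Returns "strict", "lax" or "cross-site" for a modelled request.
function sameSiteContext(req) {
  const target = site(req.url);
  // A main-frame navigation makes the target its own site for cookies.
  const sfc = req.isMainFrameNavigation ? target : site(req.siteForCookies);
  if (sfc !== target) return "cross-site";
  if (req.initiator === null || site(req.initiator) === target) return "strict";
  // Cross-site initiator: only a safe main-frame navigation keeps Lax cookies.
  const method = req.method || "GET";
  return req.isMainFrameNavigation && SAFE_METHODS.has(method) ? "lax" : "cross-site";
}

function cookiesSent(req, jar) {
  const ctx = sameSiteContext(req);
  return jar
    .filter((c) =>
      c.sameSite === "None" ||
      (c.sameSite === "Lax" && ctx !== "cross-site") ||
      (c.sameSite === "Strict" && ctx === "strict"))
    .map((c) => c.name);
}

// Models a service worker re-issuing the request with fetch(evt.request).
// Without propagation the worker itself becomes the initiator, and the
// request is no longer seen as a navigation.
function passthrough(original, sw, opts) {
  return {
    url: original.url,
    method: original.method,
    siteForCookies: sw.siteForCookies,
    initiator: opts.propagateInitiator ? original.initiator : sw.origin,
    isMainFrameNavigation: opts.trackOriginalDestination
      ? original.isMainFrameNavigation
      : false,
  };
}

// Constructed sample data.
const JAR = [
  { name: "strict_sid", sameSite: "Strict" },
  { name: "lax_sid", sameSite: "Lax" },
];
// a.example opens a popup to b.example (top-level navigation, cross-site initiator).
const POPUP = {
  url: "https://b.example/account", method: "GET",
  initiator: "https://a.example", siteForCookies: null, isMainFrameNavigation: true,
};
// a.example frames B1; B1 navigates its own frame to B2.
const NESTED = {
  url: "https://b.example/b2", method: "GET",
  initiator: "https://b.example", siteForCookies: "https://a.example",
  isMainFrameNavigation: false,
};
const SW_UNPARTITIONED = { origin: "https://b.example", siteForCookies: "https://b.example" };
const SW_PARTITIONED = { origin: "https://b.example", siteForCookies: "https://a.example" };

function runScenarios() {
  const sent = (req) => cookiesSent(req, JAR).join(",");
  const both = { propagateInitiator: true, trackOriginalDestination: true };
  return {
    popupDirect: sent(POPUP),
    popupNoPropagation: sent(passthrough(POPUP, SW_UNPARTITIONED,
      { propagateInitiator: false, trackOriginalDestination: false })),
    popupInitiatorOnly: sent(passthrough(POPUP, SW_UNPARTITIONED,
      { propagateInitiator: true, trackOriginalDestination: false })),
    popupBoth: sent(passthrough(POPUP, SW_UNPARTITIONED, both)),
    nestedDirect: sent(NESTED),
    nestedUnpartitioned: sent(passthrough(NESTED, SW_UNPARTITIONED, both)),
    nestedPartitioned: sent(passthrough(NESTED, SW_PARTITIONED, both)),
  };
}

console.log(runScenarios());
```

In this model, propagating only the initiator fixes the Strict leak for the popup but drops the Lax cookie, and the nested-frame case still gets both cookies until the worker's site for cookies reflects the top-level site.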
This CL contains essentially two changes:

1. The request initiator origin is plumbed through service workers that do `fetch(evt.request)`. In addition to plumbing, this requires changes to how we validate navigation requests in the CorsURLLoaderFactory.
2. Introduces an internal flag to indicate that a request should be treated as a main-frame navigation for SameSite cookie computation. This is necessary to override the service worker's IsolationInfo when a navigation request is passed through.

For more detailed information about these changes please see the internal design doc at:

https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing

In addition, there is some discussion of these features in the following spec issues:

whatwg/fetch#1321
whatwg/fetch#1327

Bug: 1115847,1241188
Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
This CL contains essentially two changes:

1. The request initiator origin is plumbed through service workers that do `fetch(evt.request)`. In addition to plumbing, this requires changes to how we validate navigation requests in the CorsURLLoaderFactory.
2. Tracks the original destination of a request passed through a service worker. This is then used in the network service to force SameSite=Lax cookies to treat the request as a main frame navigation where appropriate.

For more detailed information about these changes please see the internal design doc at:

https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing

In addition, there is some discussion of these features in the following spec issues:

whatwg/fetch#1321
whatwg/fetch#1327

Bug: 1115847,1241188
Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
This CL contains essentially two changes:

1. The request initiator origin is plumbed through service workers that do `fetch(evt.request)`. In addition to plumbing, this requires changes to how we validate navigation requests in the CorsURLLoaderFactory.
2. Tracks the original destination of a request passed through a service worker. This is then used in the network service to force SameSite=Lax cookies to treat the request as a main frame navigation where appropriate.

For more detailed information about these changes please see the internal design doc at:

https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing

In addition, there is some discussion of these features in the following spec issues:

whatwg/fetch#1321
whatwg/fetch#1327

The test includes WPT tests that verify navigation headers and SameSite cookies. Note, chrome has a couple expected failures in the SameSite cookie tests because of the "lax-allowing-unsafe" intervention that is currently enabled. See:

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76

Bug: 1115847,1241188
Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
This CL contains essentially two changes:

1. The request initiator origin is plumbed through service workers that do `fetch(evt.request)`. In addition to plumbing, this requires changes to how we validate navigation requests in the CorsURLLoaderFactory.
2. Tracks the original destination of a request passed through a service worker. This is then used in the network service to force SameSite=Lax cookies to treat the request as a main frame navigation where appropriate.

For more detailed information about these changes please see the internal design doc at:

https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing

In addition, there is some discussion of these features in the following spec issues:

whatwg/fetch#1321
whatwg/fetch#1327

The test includes WPT tests that verify navigation headers and SameSite cookies. Note, chrome has a couple expected failures in the SameSite cookie tests because of the "lax-allowing-unsafe" intervention that is currently enabled. See:

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76

Bug: 1115847,1241188
Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936029}
…rkers." This reverts commit da0a6501cf321579bd46a27ff9fba1bb8ea910bb. Reason for revert: Failure on many bots with the following error message: The service worker navigation preload request was cancelled before 'preloadResponse' settled. If you intend to use 'preloadResponse', use waitUntil() or respondWith() to wait for the promise to settle.", source: (0) Original change's description: > Fetch: Plumb request initiator through passthrough service workers. > > This CL contains essentially two changes: > > 1. The request initiator origin is plumbed through service workers > that do `fetch(evt.request)`. In addition to plumbing, this > requires changes to how we validate navigation requests in the > CorsURLLoaderFactory. > 2. Tracks the original destination of a request passed through a > service worker. This is then used in the network service to force > SameSite=Lax cookies to treat the request as a main frame navigation > where appropriate. > > For more detailed information about these changes please see the > internal design doc at: > > https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing > > In addition, there is some discussion of these features in the following > spec issues: > > whatwg/fetch#1321 > whatwg/fetch#1327 > > The test includes WPT tests that verify navigation headers and SameSite > cookies. Note, chrome has a couple expected failures in the SameSite > cookie tests because of the "lax-allowing-unsafe" intervention that is > currently enabled. 
See: > > https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76 > > Bug: 1115847,1241188 > Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917 > Reviewed-by: Matt Menke <mmenke@chromium.org> > Reviewed-by: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> > Commit-Queue: Ben Kelly <wanderview@chromium.org> > Cr-Commit-Position: refs/heads/main@{#936029} Bug: 1115847,1241188 Change-Id: I3044a6d20de172b4a8ab7e39a9f26191580003fa No-Presubmit: true No-Tree-Checks: true No-Try: true
…rkers." This reverts commit da0a6501cf321579bd46a27ff9fba1bb8ea910bb. Reason for revert: Failure on many bots with the following error message: The service worker navigation preload request was cancelled before 'preloadResponse' settled. If you intend to use 'preloadResponse', use waitUntil() or respondWith() to wait for the promise to settle.", source: (0) Original change's description: > Fetch: Plumb request initiator through passthrough service workers. > > This CL contains essentially two changes: > > 1. The request initiator origin is plumbed through service workers > that do `fetch(evt.request)`. In addition to plumbing, this > requires changes to how we validate navigation requests in the > CorsURLLoaderFactory. > 2. Tracks the original destination of a request passed through a > service worker. This is then used in the network service to force > SameSite=Lax cookies to treat the request as a main frame navigation > where appropriate. > > For more detailed information about these changes please see the > internal design doc at: > > https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing > > In addition, there is some discussion of these features in the following > spec issues: > > whatwg/fetch#1321 > whatwg/fetch#1327 > > The test includes WPT tests that verify navigation headers and SameSite > cookies. Note, chrome has a couple expected failures in the SameSite > cookie tests because of the "lax-allowing-unsafe" intervention that is > currently enabled. 
See: > > https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76 > > Bug: 1115847,1241188 > Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917 > Reviewed-by: Matt Menke <mmenke@chromium.org> > Reviewed-by: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> > Commit-Queue: Ben Kelly <wanderview@chromium.org> > Cr-Commit-Position: refs/heads/main@{#936029} Bug: 1115847,1241188 Change-Id: I3044a6d20de172b4a8ab7e39a9f26191580003fa No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251692 Auto-Submit: Alan Screen <awscreen@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Alan Screen <awscreen@chromium.org> Owners-Override: Alan Screen <awscreen@chromium.org> Cr-Commit-Position: refs/heads/main@{#936125}
…rkers." This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb Original change's description: > Fetch: Plumb request initiator through passthrough service workers. > > This CL contains essentially two changes: > > 1. The request initiator origin is plumbed through service workers > that do `fetch(evt.request)`. In addition to plumbing, this > requires changes to how we validate navigation requests in the > CorsURLLoaderFactory. > 2. Tracks the original destination of a request passed through a > service worker. This is then used in the network service to force > SameSite=Lax cookies to treat the request as a main frame navigation > where appropriate. > > For more detailed information about these changes please see the > internal design doc at: > > https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing > > In addition, there is some discussion of these features in the following > spec issues: > > whatwg/fetch#1321 > whatwg/fetch#1327 > > The test includes WPT tests that verify navigation headers and SameSite > cookies. Note, chrome has a couple expected failures in the SameSite > cookie tests because of the "lax-allowing-unsafe" intervention that is > currently enabled. See: > > https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76 > > Bug: 1115847,1241188 > Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917 > Reviewed-by: Matt Menke <mmenke@chromium.org> > Reviewed-by: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> > Commit-Queue: Ben Kelly <wanderview@chromium.org> > Cr-Commit-Position: refs/heads/main@{#936029} Bug: 1115847,1241188 Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
…rkers."

This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
…rkers." This reverts commit da0a650. Reason for revert: Failure on many bots with the following error message: The service worker navigation preload request was cancelled before 'preloadResponse' settled. If you intend to use 'preloadResponse', use waitUntil() or respondWith() to wait for the promise to settle.", source: (0) Original change's description: > Fetch: Plumb request initiator through passthrough service workers. > > This CL contains essentially two changes: > > 1. The request initiator origin is plumbed through service workers > that do `fetch(evt.request)`. In addition to plumbing, this > requires changes to how we validate navigation requests in the > CorsURLLoaderFactory. > 2. Tracks the original destination of a request passed through a > service worker. This is then used in the network service to force > SameSite=Lax cookies to treat the request as a main frame navigation > where appropriate. > > For more detailed information about these changes please see the > internal design doc at: > > https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing > > In addition, there is some discussion of these features in the following > spec issues: > > whatwg/fetch#1321 > whatwg/fetch#1327 > > The test includes WPT tests that verify navigation headers and SameSite > cookies. Note, chrome has a couple expected failures in the SameSite > cookie tests because of the "lax-allowing-unsafe" intervention that is > currently enabled. 
See: > > https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76 > > Bug: 1115847,1241188 > Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917 > Reviewed-by: Matt Menke <mmenke@chromium.org> > Reviewed-by: Yutaka Hirano <yhirano@chromium.org> > Reviewed-by: Nasko Oskov <nasko@chromium.org> > Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> > Commit-Queue: Ben Kelly <wanderview@chromium.org> > Cr-Commit-Position: refs/heads/main@{#936029} Bug: 1115847,1241188 Change-Id: I3044a6d20de172b4a8ab7e39a9f26191580003fa No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251692 Auto-Submit: Alan Screen <awscreen@chromium.org> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Commit-Queue: Alan Screen <awscreen@chromium.org> Owners-Override: Alan Screen <awscreen@chromium.org> Cr-Commit-Position: refs/heads/main@{#936125}
…rkers."

This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251368
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Auto-Submit: Ben Kelly <wanderview@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936560}

…rkers."

This is a reland of da0a650

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251368
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Auto-Submit: Ben Kelly <wanderview@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936560}

…assthrough service workers., a=testonly

Automatic update from web-platform-tests
Fetch: Plumb request initiator through passthrough service workers.

This CL contains essentially two changes:

1. The request initiator origin is plumbed through service workers
   that do `fetch(evt.request)`. In addition to plumbing, this
   requires changes to how we validate navigation requests in the
   CorsURLLoaderFactory.
2. Tracks the original destination of a request passed through a
   service worker. This is then used in the network service to force
   SameSite=Lax cookies to treat the request as a main frame navigation
   where appropriate.

For more detailed information about these changes please see the
internal design doc at:

https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing

In addition, there is some discussion of these features in the following
spec issues:

whatwg/fetch#1321
whatwg/fetch#1327

The test includes WPT tests that verify navigation headers and SameSite
cookies. Note, chrome has a couple expected failures in the SameSite
cookie tests because of the "lax-allowing-unsafe" intervention that is
currently enabled. See:

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76

Bug: 1115847,1241188
Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936029}

--

wpt-commits: cd0951f4268af579e9e26913fbefea1684c67f2d
wpt-pr: 31378

…hrough passthrough service workers.", a=testonly

Automatic update from web-platform-tests
Revert "Fetch: Plumb request initiator through passthrough service workers."

This reverts commit da0a6501cf321579bd46a27ff9fba1bb8ea910bb.

Reason for revert: Failure on many bots with the following error message:

The service worker navigation preload request was cancelled before 'preloadResponse' settled. If you intend to use 'preloadResponse', use waitUntil() or respondWith() to wait for the promise to settle.", source: (0)

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: I3044a6d20de172b4a8ab7e39a9f26191580003fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251692
Auto-Submit: Alan Screen <awscreen@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Alan Screen <awscreen@chromium.org>
Owners-Override: Alan Screen <awscreen@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936125}

--

wpt-commits: 85ebe754c6a2f8a706d582c71433301ed7901a18
wpt-pr: 31425

…hrough passthrough service workers.", a=testonly

Automatic update from web-platform-tests
Reland "Fetch: Plumb request initiator through passthrough service workers."

This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251368
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Auto-Submit: Ben Kelly <wanderview@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936560}

--

wpt-commits: ef9899c9503c50c675ba1c374a04a82600d23aaf
wpt-pr: 31430

…st constructor. (Fixes whatwg#1321)
…st constructor. (Fixes whatwg#1321, whatwg#1335)
This CL contains essentially two changes:

1. The request initiator origin is plumbed through service workers
   that do `fetch(evt.request)`. In addition to plumbing, this
   requires changes to how we validate navigation requests in the
   CorsURLLoaderFactory.
2. Tracks the original destination of a request passed through a
   service worker. This is then used in the network service to force
   SameSite=Lax cookies to treat the request as a main frame navigation
   where appropriate.

For more detailed information about these changes please see the
internal design doc at:

https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing

In addition, there is some discussion of these features in the following
spec issues:

whatwg/fetch#1321
whatwg/fetch#1327

The test includes WPT tests that verify navigation headers and SameSite
cookies. Note, chrome has a couple expected failures in the SameSite
cookie tests because of the "lax-allowing-unsafe" intervention that is
currently enabled. See:

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76

Bug: 1115847,1241188
Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936029}

…rkers."

This reverts commit da0a6501cf321579bd46a27ff9fba1bb8ea910bb.

Reason for revert: Failure on many bots with the following error message:

The service worker navigation preload request was cancelled before 'preloadResponse' settled. If you intend to use 'preloadResponse', use waitUntil() or respondWith() to wait for the promise to settle.", source: (0)

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: I3044a6d20de172b4a8ab7e39a9f26191580003fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251692
Auto-Submit: Alan Screen <awscreen@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Alan Screen <awscreen@chromium.org>
Owners-Override: Alan Screen <awscreen@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936125}

Manual backport of patch for "CVE-2022-0111: Inappropriate implementation in Navigation." and "CVE-2022-0117: Policy bypass in Service Workers", originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3251368:

Reland "Fetch: Plumb request initiator through passthrough service workers."

This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Auto-Submit: Ben Kelly <wanderview@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936560}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

Manual cherry-pick of patch for "CVE-2022-0111: Inappropriate implementation in Navigation." and "CVE-2022-0117: Policy bypass in Service Workers", originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3251368:

Reland "Fetch: Plumb request initiator through passthrough service workers."

This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Auto-Submit: Ben Kelly <wanderview@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936560}
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Tests: WPT service-workers/service-worker/navigation-headers.https.html and service-workers/service-worker/same-site-cookies.https.html. Fixes whatwg#1321 and fixes whatwg#1335. Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Manual backport of patch for "CVE-2022-0111: Inappropriate implementation in Navigation." and "CVE-2022-0117: Policy bypass in Service Workers", originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3251368:

Reland "Fetch: Plumb request initiator through passthrough service workers."

This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
This CL contains essentially two changes:

1. The request initiator origin is plumbed through service workers
   that do `fetch(evt.request)`. In addition to plumbing, this
   requires changes to how we validate navigation requests in the
   CorsURLLoaderFactory.
2. Tracks the original destination of a request passed through a
   service worker. This is then used in the network service to force
   SameSite=Lax cookies to treat the request as a main frame navigation
   where appropriate.

For more detailed information about these changes please see the internal design doc at:

https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing

In addition, there is some discussion of these features in the following spec issues:

whatwg/fetch#1321
whatwg/fetch#1327

The test includes WPT tests that verify navigation headers and SameSite cookies. Note, chrome has a couple expected failures in the SameSite cookie tests because of the "lax-allowing-unsafe" intervention that is currently enabled. See:

https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76

Bug: 1115847,1241188
Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936029}
NOKEYCHECK=True
GitOrigin-RevId: da0a6501cf321579bd46a27ff9fba1bb8ea910bb
…rkers."

This reverts commit da0a6501cf321579bd46a27ff9fba1bb8ea910bb.

Reason for revert: Failure on many bots with the following error message:

The service worker navigation preload request was cancelled before 'preloadResponse' settled. If you intend to use 'preloadResponse', use waitUntil() or respondWith() to wait for the promise to settle.", source: (0)

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: I3044a6d20de172b4a8ab7e39a9f26191580003fa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251692
Auto-Submit: Alan Screen <awscreen@chromium.org>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Commit-Queue: Alan Screen <awscreen@chromium.org>
Owners-Override: Alan Screen <awscreen@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936125}
NOKEYCHECK=True
GitOrigin-RevId: a6601b2cf2bb7c0a0ffa3c795a0dbc730ef81d1a
…rkers."

This is a reland of da0a6501cf321579bd46a27ff9fba1bb8ea910bb

This CL also includes a change to mark the two WPT tests as requiring long timeout durations. On my fast build machine with an opt build they take ~5 seconds each to complete and the default timeout is 10 seconds. On slower bots with debug builds it's highly likely that these tests would be marked as timing out. This change gives them a 60 second timeout instead.

Original change's description:
> Fetch: Plumb request initiator through passthrough service workers.
>
> This CL contains essentially two changes:
>
> 1. The request initiator origin is plumbed through service workers
>    that do `fetch(evt.request)`. In addition to plumbing, this
>    requires changes to how we validate navigation requests in the
>    CorsURLLoaderFactory.
> 2. Tracks the original destination of a request passed through a
>    service worker. This is then used in the network service to force
>    SameSite=Lax cookies to treat the request as a main frame navigation
>    where appropriate.
>
> For more detailed information about these changes please see the
> internal design doc at:
>
> https://docs.google.com/document/d/1KZscujuV7bCFEnzJW-0DaCPU-I40RJimQKoCcI0umTQ/edit?usp=sharing
>
> In addition, there is some discussion of these features in the following
> spec issues:
>
> whatwg/fetch#1321
> whatwg/fetch#1327
>
> The test includes WPT tests that verify navigation headers and SameSite
> cookies. Note, chrome has a couple expected failures in the SameSite
> cookie tests because of the "lax-allowing-unsafe" intervention that is
> currently enabled. See:
>
> https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/TestExpectations;l=4635;drc=e8133cbf2469adb99c6610483ab78bcfb8cc4c76
>
> Bug: 1115847,1241188
> Change-Id: I7e236fa20aeabb705aef40fcf8d5c36da6d2798c
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3115917
> Reviewed-by: Matt Menke <mmenke@chromium.org>
> Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
> Reviewed-by: Nasko Oskov <nasko@chromium.org>
> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
> Commit-Queue: Ben Kelly <wanderview@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#936029}

Bug: 1115847,1241188
Change-Id: Ia26acbdd0d7ce6583d9a44f83ed086708657b8bd
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3251368
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
Auto-Submit: Ben Kelly <wanderview@chromium.org>
Commit-Queue: Ben Kelly <wanderview@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936560}
NOKEYCHECK=True
GitOrigin-RevId: 2d916566085e4f09bca93021f2b1650ea6237077
Currently, the Request constructor always resets the request origin internal field to "client". See step 12 in: https://fetch.spec.whatwg.org/#dom-request
This is problematic because a pass-through FetchEvent SW handler will end up using the service worker's origin for things like:
It would be safer for sites if we propagated the internal origin field from the original request. We also need to propagate the tainted origin flag as well in order to properly handle redirects.
This was discussed at the virtual F2F (w3c/ServiceWorker#1604). Notes are available.
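The effect described in the issue, and the reason the Chromium change above has two parts, shown as an added example (not code from the issue, the Fetch spec or Chromium). It is a simplified model of SameSite cookie selection; `cookiesSent`, `passThrough`, `originalDestination`, the cookie jar and both example origins are assumptions made for illustration.

```javascript
// Simplified model, constructed for illustration. "Site" is approximated as
// scheme + host; browsers compare schemeful registrable domains.
const siteOf = (origin) => {
  const u = new URL(origin);
  return `${u.protocol}//${u.hostname}`;
};

// Constructed cookie jar for https://bank.example.
const JAR = [
  { name: "session", sameSite: "Strict" },
  { name: "prefs", sameSite: "Lax" },
  { name: "embed", sameSite: "None" },
];

// Cookies the network layer attaches, judged only from request metadata.
function cookiesSent(req) {
  const sameSite = siteOf(req.initiator) === siteOf(req.url);
  const safeMethod = req.method === "GET" || req.method === "HEAD";
  // originalDestination is a hypothetical field standing in for the
  // "original destination" the Chromium change tracks.
  const treatedAsNavigation =
    req.mainFrameNavigation || req.originalDestination === "document";
  return JAR.filter((c) =>
    c.sameSite === "None" || sameSite ||
    (c.sameSite === "Lax" && treatedAsNavigation && safeMethod)
  ).map((c) => c.name);
}

// What reaches the network after a handler runs
// event.respondWith(fetch(event.request)). The worker's fetch is not itself
// a main-frame navigation (assumption of this model).
function passThrough(req, swOrigin, { keepOrigin, keepDestination }) {
  return {
    url: req.url,
    method: req.method,
    initiator: keepOrigin ? req.initiator : swOrigin, // reset to "client"
    mainFrameNavigation: false,
    originalDestination:
      keepDestination && req.mainFrameNavigation ? "document" : undefined,
  };
}

// Constructed scenario: a page on other.example navigates the top-level
// frame to bank.example, which has a pass-through service worker.
const nav = { url: "https://bank.example/account", method: "GET",
              initiator: "https://other.example", mainFrameNavigation: true };
const SW = "https://bank.example";

const scenarios = () => ({
  noWorker: cookiesSent(nav),
  originReset: cookiesSent(passThrough(nav, SW, { keepOrigin: false, keepDestination: false })),
  originOnly: cookiesSent(passThrough(nav, SW, { keepOrigin: true, keepDestination: false })),
  bothChanges: cookiesSent(passThrough(nav, SW, { keepOrigin: true, keepDestination: true })),
});
```

In this model, resetting the origin makes the cross-site navigation look same-site, so the Strict cookie is attached; propagating the origin alone drops the Lax cookie as well, and only with both pieces does the pass-through case match the no-worker case.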