Closed Bug 1360973 Opened 7 years ago Closed 7 years ago

Don't do the work needed for same origin referrer policies unless if we have one set

Categories

(Core :: Networking: HTTP, enhancement)

Product:
Core
Component:
Networking: HTTP
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

Details

Attachments

(1 file, 5 obsolete files)

Don't do the work needed for same origin referrer policies unless if we need to
6.65 KB, patch
tnguyen
: review+
Details | Diff | Splinter Review 
CheckSameOriginURI() can be expensive and shows up under profiles, so we should
try to avoid calling it unless if we have the same origin referrer policy.
Don't do the work needed for same origin referrer policies unless if we have one set
Attachment #8863296 - Flags: review?(mcmanus)
Assignee: nobody → ehsan
Blocks: 1347376
Attached patch git show -w (obsolete) — Splinter Review 

    
    

    
  
Comment on attachment 8863296 [details] [diff] [review]
t push -f my work# Attachment to Bug 1360973 - Don't do the work needed for same origin referrer policies unless if we have one set

Sorry this isn't quite right, I was building in the wrong ssh window :-(

I will fix up the patch tomorrow.

        Attachment #8863296 -
        Attachment is obsolete: true
Flags: needinfo?(ehsan)

        Attachment #8863296 -
        Flags: review?(mcmanus)

    
    

    
  
I'll delegate the review to :tnguyen when you get there..

    
    

    
  


  
CheckSameOriginURI() can be expensive and shows up under profiles, so we
should try to avoid calling it unless if we are going to use
isCrossOrigin.

        Attachment #8863440 -
        Flags: review?(tnguyen)

    
  

        Attachment #8863297 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        git show -w (obsolete)
        — Splinter Review
      

    


  

    
    

    
  
Comment on attachment 8863440 [details] [diff] [review]
Don't do the work needed for same origin referrer policies unless if we need to

Review of attachment 8863440 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks Ehsan

::: netwerk/protocol/http/HttpBaseChannel.cpp
@@ +1650,5 @@
> +  Maybe<bool> isCrossOrigin;
> +  if (mReferrerPolicy == REFERRER_POLICY_SAME_ORIGIN ||
> +      mReferrerPolicy == REFERRER_POLICY_ORIGIN_WHEN_XORIGIN ||
> +      mReferrerPolicy == REFERRER_POLICY_STRICT_ORIGIN_WHEN_XORIGIN ||
> +      gHttpHandler->ReferrerXOriginTrimmingPolicy() != 0) {

Should we check userReferrerTrimmingPolicy != 2?
Because 2 is the strictest policy (origin) and we may not have to compute isCrossOrigin

@@ +1744,5 @@
>    rv = clone->SetUserPass(EmptyCString());
>    if (NS_FAILED(rv)) return rv;
>  
>    nsAutoCString spec;
>  

I think we should move the computing part to here, because other condition checks may bail out early.

@@ +1763,5 @@
>    // "Strict" request from https->http case was bailed out, so here:
>    // "strict-origin" behaves the same as "origin".
>    // "strict-origin-when-cross-origin" behaves the same as "origin-when-cross-origin"
>    if (mReferrerPolicy == REFERRER_POLICY_ORIGIN ||
>        mReferrerPolicy == REFERRER_POLICY_STRICT_ORIGIN ||

These 2 values we also don't have to compute isCrossOrigin. That means if we had the strictest policy userReferrerTrimmingPolicy == 2, we may not have to compute isCrossOrigin

        Attachment #8863440 -
        Flags: review?(tnguyen)

    
    

    
  
(In reply to Thomas Nguyen[:tnguyen] ni plz from comment #8)
> ::: netwerk/protocol/http/HttpBaseChannel.cpp
> @@ +1650,5 @@
> > +  Maybe<bool> isCrossOrigin;
> > +  if (mReferrerPolicy == REFERRER_POLICY_SAME_ORIGIN ||
> > +      mReferrerPolicy == REFERRER_POLICY_ORIGIN_WHEN_XORIGIN ||
> > +      mReferrerPolicy == REFERRER_POLICY_STRICT_ORIGIN_WHEN_XORIGIN ||
> > +      gHttpHandler->ReferrerXOriginTrimmingPolicy() != 0) {
> 
> Should we check userReferrerTrimmingPolicy != 2?
> Because 2 is the strictest policy (origin) and we may not have to compute
> isCrossOrigin

I checked against 0 because of userReferrerXOriginTrimmingPolicy being passed to std::max here.  IOW if userReferrerXOriginTrimmingPolicy is 0, std::max(foo, 0) would be foo, so there would be no side effect to running this branch.  Does that make sense?

> @@ +1744,5 @@
> >    rv = clone->SetUserPass(EmptyCString());
> >    if (NS_FAILED(rv)) return rv;
> >  
> >    nsAutoCString spec;
> >  
> 
> I think we should move the computing part to here, because other condition
> checks may bail out early.

Sure.  I guess technically that changes the behavior if some of the reordered code fails and returns an error code but hopefully nothing will depend on that.

I'll attach another version of my patch although I suspect it will need to change based on the rest of this comment, but that's OK.  :-)

> @@ +1763,5 @@
> >    // "Strict" request from https->http case was bailed out, so here:
> >    // "strict-origin" behaves the same as "origin".
> >    // "strict-origin-when-cross-origin" behaves the same as "origin-when-cross-origin"
> >    if (mReferrerPolicy == REFERRER_POLICY_ORIGIN ||
> >        mReferrerPolicy == REFERRER_POLICY_STRICT_ORIGIN ||
> 
> These 2 values we also don't have to compute isCrossOrigin. That means if we
> had the strictest policy userReferrerTrimmingPolicy == 2, we may not have to
> compute isCrossOrigin

Are you sure?  If we don't check isCrossOrigin for these two values, then if content specifies "origin-when-cross-origin" it will effectively be treated as "origin", and if content specifies "strict-origin-when-cross-origin" it will effectively be treated as "strict-origin".  That seems wrong to me...  What am I missing?
Flags: needinfo?(tnguyen)

    
    

    
  


  
CheckSameOriginURI() can be expensive and shows up under profiles, so we
should try to avoid calling it unless if we are going to use
isCrossOrigin.

    
  

        Attachment #8863440 -
        Attachment is obsolete: true

    
  

        Attachment #8863441 -
        Attachment is obsolete: true

    
    

    
  
(In reply to :Ehsan Akhgari (super long backlog, slow to respond) from comment #9)
> (In reply to Thomas Nguyen[:tnguyen] ni plz from comment #8)
> 
> Are you sure?  If we don't check isCrossOrigin for these two values, then if
> content specifies "origin-when-cross-origin" it will effectively be treated
> as "origin", and if content specifies "strict-origin-when-cross-origin" it
> will effectively be treated as "strict-origin".  That seems wrong to me... 
> What am I missing?
Sorry for confusing you. I meant REFERRER_POLICY_ORIGIN and REFERRER_POLICY_STRICT_ORIGIN, we do not have to compute isCrossOrigin though CheckSameOriginURI() (even gHttpHandler->ReferrerXOriginTrimmingPolicy() != 0). Because we expect to send origin no matter the site is cross origin.
Flags: needinfo?(tnguyen)

    
    

    
  
(In reply to :Ehsan Akhgari (super long backlog, slow to respond) from comment #9)
> (In reply to Thomas Nguyen[:tnguyen] ni plz from comment #8)
> > ::: netwerk/protocol/http/HttpBaseChannel.cpp
> > @@ +1650,5 @@
> > > +  Maybe<bool> isCrossOrigin;
> > > +  if (mReferrerPolicy == REFERRER_POLICY_SAME_ORIGIN ||
> > > +      mReferrerPolicy == REFERRER_POLICY_ORIGIN_WHEN_XORIGIN ||
> > > +      mReferrerPolicy == REFERRER_POLICY_STRICT_ORIGIN_WHEN_XORIGIN ||
> > > +      gHttpHandler->ReferrerXOriginTrimmingPolicy() != 0) {
> > 
> > Should we check userReferrerTrimmingPolicy != 2?
> > Because 2 is the strictest policy (origin) and we may not have to compute
> > isCrossOrigin
> 
> I checked against 0 because of userReferrerXOriginTrimmingPolicy being
> passed to std::max here.  IOW if userReferrerXOriginTrimmingPolicy is 0,
> std::max(foo, 0) would be foo, so there would be no side effect to running
> this branch.  Does that make sense?
The same here, I meant userReferrerTrimmingPolicy
We have userReferrerXOriginTrimmingPolicy = max(userReferrerTrimmingPolicy, userReferrerXOriginTrimmingPolicy)
So if userReferrerTrimmingPolicy == 2, then max(2, userReferrerXOriginTrimmingPolicy) == 2 no matter if cross origin

    
    

    
  
(In reply to Thomas Nguyen[:tnguyen] ni plz from comment #12)
> (In reply to :Ehsan Akhgari (super long backlog, slow to respond) from
> comment #9)
> > I checked against 0 because of userReferrerXOriginTrimmingPolicy being
> > passed to std::max here.  IOW if userReferrerXOriginTrimmingPolicy is 0,
> > std::max(foo, 0) would be foo, so there would be no side effect to running
> > this branch.  Does that make sense?
> The same here, I meant userReferrerTrimmingPolicy
> We have userReferrerXOriginTrimmingPolicy = max(userReferrerTrimmingPolicy,
> userReferrerXOriginTrimmingPolicy)
> So if userReferrerTrimmingPolicy == 2, then max(2,
> userReferrerXOriginTrimmingPolicy) == 2 no matter if cross origin
Typo
    userReferrerTrimmingPolicy =
      std::max(userReferrerTrimmingPolicy, userReferrerXOriginTrimmingPolicy);

    
    

    
  
(In reply to Thomas Nguyen[:tnguyen] ni plz from comment #11)
> (In reply to :Ehsan Akhgari (super long backlog, slow to respond) from
> comment #9)
> > (In reply to Thomas Nguyen[:tnguyen] ni plz from comment #8)
> > 
> > Are you sure?  If we don't check isCrossOrigin for these two values, then if
> > content specifies "origin-when-cross-origin" it will effectively be treated
> > as "origin", and if content specifies "strict-origin-when-cross-origin" it
> > will effectively be treated as "strict-origin".  That seems wrong to me... 
> > What am I missing?
> Sorry for confusing you. I meant REFERRER_POLICY_ORIGIN and
> REFERRER_POLICY_STRICT_ORIGIN, we do not have to compute isCrossOrigin
> though CheckSameOriginURI() (even
> gHttpHandler->ReferrerXOriginTrimmingPolicy() != 0). Because we expect to
> send origin no matter the site is cross origin. 

Oh, great point, I understand now.  Thanks!

    
    

    
  


  
CheckSameOriginURI() can be expensive and shows up under profiles, so we
should try to avoid calling it unless if we are going to use
isCrossOrigin.

        Attachment #8864392 -
        Flags: review?(tnguyen)

    
  

        Attachment #8863597 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 8864392 [details] [diff] [review]
Don't do the work needed for same origin referrer policies unless if we need to

Review of attachment 8864392 [details] [diff] [review]:
-----------------------------------------------------------------

Lgtm with the bellow comment

::: netwerk/protocol/http/HttpBaseChannel.cpp
@@ +1720,5 @@
> +        mReferrerPolicy != REFERRER_POLICY_STRICT_ORIGIN)) &&
> +      // 2 (origin-only) is already the strictest policy which we'd adopt if we
> +      // were cross-origin, so there is no point to compute whether we are or
> +      // not.
> +      gHttpHandler->ReferrerXOriginTrimmingPolicy() != 2) {

And plz check && gHttpHandler->ReferrerTrimmingPolicy() != 2 (because ReferrerTrimmingPolicy is applied in both cases cross/same origin. If we have the strictest ReferrerTrimmingPolicy, we also don't have to compute)

        Attachment #8864392 -
        Flags: review?(tnguyen) → review+

    
    

    
  
(In reply to Thomas Nguyen[:tnguyen] ni plz from comment #16)
> ::: netwerk/protocol/http/HttpBaseChannel.cpp
> @@ +1720,5 @@
> > +        mReferrerPolicy != REFERRER_POLICY_STRICT_ORIGIN)) &&
> > +      // 2 (origin-only) is already the strictest policy which we'd adopt if we
> > +      // were cross-origin, so there is no point to compute whether we are or
> > +      // not.
> > +      gHttpHandler->ReferrerXOriginTrimmingPolicy() != 2) {
> 
> And plz check && gHttpHandler->ReferrerTrimmingPolicy() != 2 (because
> ReferrerTrimmingPolicy is applied in both cases cross/same origin. If we
> have the strictest ReferrerTrimmingPolicy, we also don't have to compute)

D'oh, I think I should do this instead, and not additionally in fact, since the cross origin trimming policy doesn't matter here, it is the non-cross-origin policy that overrides the cross-origin policy.  Thankfully a test failure on the try server caught this mistake.  :-)  Thanks for spotting it!

    
    

    
  
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e07dcfd3c4a5
Don't do the work needed for same origin referrer policies unless if we need to; r=tnguyen

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/e07dcfd3c4a5
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox55:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Depends on: 1416344

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: