[wpt-sync] Sync PR 14722 - Allow same-origin responses in CORB (even initiated by content scripts).

RESOLVED FIXED in Firefox 67

Status

enhancement
P4
normal
RESOLVED FIXED
7 months ago
4 months ago

People

(Reporter: wptsync, Unassigned)

Tracking

unspecified
mozilla67
Points: ---

Firefox Tracking Flags

(firefox67 fixed)

Details

(Whiteboard: [wptsync downstream])

Sync web-platform-tests PR 14722 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/14722
Details from upstream follow.

Lukasz Anforowicz <lukasza@chromium.org> wrote:
>  Allow same-origin responses in CORB (even initiated by content scripts).
>  
>  Consider the following scenario: A content script from
>  chrome-extension://example-extension injected into
>  https://example.com/page.html performs an XHR/fetch of
>  https://example.com/resource.json.
>  
>  The scenario above has been problematic for CORB, because
>  CrossOriginReadBlocking::ResponseAnalyzer::ShouldBlockBasedOnHeaders
>  sees that |initiator| (chrome-extension://example-extension) is
>  different from |target_origin| (https://example.com).  Before this
>  CL, such case would be considered cross-origin and blocked (this didn't
>  happen in practice only because URLLoaderFactories for extensions had
>  CORB turned off).  After this CL, such case would be considered
>  same-origin based on a matching |request_initiator_site_lock| (this
>  change enables turning CORB on for extensions in a separate, later CL).
>  
>  Change-Id: I367a5452f7aa080d590ff46bf4a57d1403ae80dd
>  Bug: 918660
>  Reviewed-on: https://chromium-review.googlesource.com/1394432
>  WPT-Export-Revision: cbe9e6597682ec0369bf96fd67403305d0f02ea8
Component: web-platform-tests → DOM
Product: Testing → Core
Pushed by james@hoppipolla.co.uk:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fae2c3eae0f2
[wpt PR 14722] - Allow same-origin responses in CORB (even initiated by content scripts)., a=testonly
Pushed by james@hoppipolla.co.uk:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8c9722a9c976
[wpt PR 14722] - Allow same-origin responses in CORB (even initiated by content scripts)., a=testonly
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Component: DOM → DOM: Core & HTML