Closed Bug 1724548 Opened 3 years ago Closed 3 years ago

[wpt-sync] Sync PR 29940 - css: Use document (not base) URL for inline style preloads' referrers

Categories

(Core :: DOM: Security, task, P4)

task

Tracking

RESOLVED FIXED
95 Branch
Tracking Status
firefox95 --- fixed

People

(Reporter: mozilla.org, Unassigned)


Details

(Whiteboard: [wptsync downstream][domsecurity-backlog])

Sync web-platform-tests PR 29940 into mozilla-central (this bug is closed when the sync is complete).

PR: https://github.com/web-platform-tests/wpt/pull/29940
Details from upstream follow.

David Van Cleve <davidvc@chromium.org> wrote:

css: Use document (not base) URL for inline style preloads' referrers

crrev.com/c/2592447 fixed one code path where setting a document's base
URL (via the HTML <base> tag) led to requests from inline CSS using the
base URL as their referrer, rather than the document URL. While this
behavior isn't specified, it seems like the document URL is the intended
behavior: we generally try to avoid letting pages override outgoing
requests' referrers to different-origin URLs---even though this is not a
hard security boundary.

It turns out a separate code path can also trigger requests from inline
style sheets: in particular, '@import' statements in inline stylesheets
get prefetched by the HTML parser, which currently has separate logic
that explicitly sets those requests' referrers to the document's base
URL.

This change removes that logic. After this change, preload requests from
inline style in the HTML parser will use the document's URL, not its
base URL, when generating their referrers. This CL also adds two new WPTs:

  • "stylesheet-with-differentorigin-base-url.html" verifies the referrer
    for an inline stylesheet requesting another stylesheet via an @import
    statement. There are other tests inspecting the referrers for SVG and
    image fetches from inline stylesheets, but not for child stylesheet
    fetches. This test passes even without this CL applied (because of
    crrev.com/c/2592447).
  • "stylesheet-with-differentorigin-base-url-from-preload.html" does the
    same thing, except from a srcdoc iframe: using a srcdoc iframe triggers
    the preload code path since the inline stylesheet is hardcoded in a
    <style> HTML tag, in contrast to the former test, which uses JS to add
    the style element to the DOM. This test fails without the remainder of
    this patch applied. (Previously, there was no coverage for the referrer
    generation via this code path.)

With this patch applied, the repro in the linked bug no longer succeeds.

Test: New WPT covers the preload path. Manually tested the bug's repro.
Change-Id: I6bd797978b207a4bc0bb1b35565eb93c7162729f
Fixed: 1233375
Reviewed-on: https://chromium-review.googlesource.com/3078937
WPT-Export-Revision: bc320f8a2fa06aea0ee9ba68a03d193b63a8892a
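
Added illustration (not code from the Chromium change or from the WPT tests): a small Node.js model of the referrer an inline-stylesheet `@import` would carry when the referrer source is the base URL versus the document URL. It assumes the default `strict-origin-when-cross-origin` policy; the function names and sample URLs are hypothetical and constructed for this example.

```javascript
// Model of referrer generation for an @import inside an inline <style>.
// Assumption: referrer policy is strict-origin-when-cross-origin.

// A referrer never carries credentials or a fragment.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return originOnly ? u.origin + "/" : u.origin + u.pathname + u.search;
}

// Apply strict-origin-when-cross-origin to a referrer source URL.
function computeReferrer(sourceUrl, requestUrl) {
  const src = new URL(sourceUrl);
  const req = new URL(requestUrl);
  if (src.origin === req.origin) return stripForReferrer(sourceUrl, false);
  if (src.protocol === "https:" && req.protocol !== "https:") return null; // downgrade
  return stripForReferrer(sourceUrl, true);
}

// mode "base": referrer source is the <base> URL (behaviour the change removes).
// mode "document": referrer source is the document URL (behaviour after the change).
function inlineImportReferrer(doc, mode) {
  const base = doc.baseHref ? new URL(doc.baseHref, doc.url).href : doc.url;
  // The base URL still resolves the relative @import target in both modes.
  const requestUrl = new URL(doc.importHref, base).href;
  const source = mode === "base" ? base : doc.url;
  return { requestUrl, referrer: computeReferrer(source, requestUrl) };
}

// Constructed sample: a page that sets a different-origin <base>.
const SAMPLE_DOC = {
  url: "https://page.example/article?id=7#top",
  baseHref: "https://other.example/assets/",
  importHref: "theme.css",
};

for (const mode of ["base", "document"]) {
  const r = inlineImportReferrer(SAMPLE_DOC, mode);
  console.log(mode.padEnd(8), r.requestUrl, "Referer:", r.referrer);
}
```

With the base URL as the source, the request looks same-origin to its target and carries a full different-origin URL chosen by the page; with the document URL as the source, the target only sees the real page's origin.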

Component: web-platform-tests → DOM: Security
Product: Testing → Core
Whiteboard: [wptsync downstream] → [wptsync downstream][domsecurity-backlog]
Whiteboard: [wptsync downstream][domsecurity-backlog] → [wptsync downstream error][domsecurity-backlog]
Whiteboard: [wptsync downstream error][domsecurity-backlog] → [wptsync downstream][domsecurity-backlog]

CI Results

Ran 11 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI

Total 11 tests and 1 subtests

Status Summary

Firefox

OK : 11
PASS: 11

Chrome

OK : 11
PASS: 10
FAIL: 1

Safari

OK : 11
PASS: 2
FAIL: 9

Links

Gecko CI (Treeherder)
GitHub PR Head
GitHub PR Base

Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7739ab6bad61
[wpt PR 29940] - css: Use document (not base) URL for inline style preloads' referrers, a=testonly
Pushed by wptsync@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3496e4ca24ae
[wpt PR 29940] - css: Use document (not base) URL for inline style preloads' referrers, a=testonly
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch