Define report-to #62

domenic · 2019-12-11T21:24:11Z

Presumably it should be another top-level dictionary member. Draw inspiration from the spec at https://w3c.github.io/webappsec-csp/#report-violation .

Parsing failures or policy mismatches should presumably get reported here, which will require spec updates in those parts.

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway. In particular, this removes: * The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". Since the code currently always re-fetches the current policy anyway, we don't need to track the version, at least until we implement the caching semantics (crbug.com/1042040). * Redirect-handling logic for default policies. Redirects are now always an error. * Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036. * Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: WICG/origin-policy#51 * A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests. * A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable. * Reporting, for now. We need to first spec this and then add it back. See WICG/origin-policy#62. Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec. Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at #20773 and web-platform-tests/rfcs#44 which allows us to serve different origin policies per subdomain. Bug: 1042034 Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway. In particular, this removes: * The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040. * Redirect-handling logic for default policies. Redirects are now always an error. * Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036. * Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: WICG/origin-policy#51 * A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests. * A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable. * Reporting, for now. We need to first spec this and then add it back. See WICG/origin-policy#62. Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec. Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at #20773 and web-platform-tests/rfcs#44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036. Bug: 1042034

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway. In particular, this removes: * The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040. * Redirect-handling logic for default policies. Redirects are now always an error. * Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036. * Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: WICG/origin-policy#51 * A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests. * A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable. * Reporting, for now. We need to first spec this and then add it back. See WICG/origin-policy#62. Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec. Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at #20773 and web-platform-tests/rfcs#44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036. Bug: 1042034 Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway. In particular, this removes: * The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040. * Redirect-handling logic for default policies. Redirects are now always an error. * Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036. * Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: WICG/origin-policy#51 * A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests. * A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable. * Reporting, for now. We need to first spec this and then add it back. See WICG/origin-policy#62. Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec. Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at #20773 and web-platform-tests/rfcs#44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036. Bug: 1042034 Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2020488 Commit-Queue: Domenic Denicola <domenic@chromium.org> Reviewed-by: Martin Šrámek <msramek@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Dominic Battré <battre@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#745187}

This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway. In particular, this removes: * The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040. * Redirect-handling logic for default policies. Redirects are now always an error. * Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036. * Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: WICG/origin-policy#51 * A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests. * A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable. * Reporting, for now. We need to first spec this and then add it back. See WICG/origin-policy#62. Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec. Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at web-platform-tests/wpt#20773 and web-platform-tests/rfcs#44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036. Bug: 1042034 Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2020488 Commit-Queue: Domenic Denicola <domenic@chromium.org> Reviewed-by: Martin Šrámek <msramek@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Dominic Battré <battre@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#745187}

Sora2455 · 2020-02-29T08:48:04Z

Worth noting that calling the dictionary method "report-to" would probably cause people to confuse it with the "Report-To" header from the Reporting API. (Incidentally, the Report-To header and the NEL would both be great candidates for being included in Origin Policy.)

…-known/origin-policy, a=testonly Automatic update from web-platform-tests Always fetch origin policies from /.well-known/origin-policy This is the first step at implementing the new fetching semantics from the updated origin policy specification. It also deletes some parts that are no longer in the spec and would have needed updating anyway. In particular, this removes: * The distinction between default origin policies and versioned origin policies, and along with it, the "latest version map". This removes, for now, the application of origin policies to pages without an Origin-Policy header; that will be added back as part of the caching work in crbug.com/1042040. * Redirect-handling logic for default policies. Redirects are now always an error. * Parsing of the response header from the server. We currently just check for its presence, and will do parsing according to the new spec as part of crbug.com/1042036. * Sending Sec-Origin-Policy: 0 on the request. We may add this back later, but it is still under discussion: WICG/origin-policy#51 * A good amount of C++ "unit tests" that were rather integration test-ey, and would have had to be rewritten anyway. Instead they are replaced with web platform test integration tests. * A thorough web platform test of the origin policy installation/deletion cycle, which would have had to be rewritten, and then rewritten again once we tackle crbug.com/1042049. We'll want to refer to it in version history once those foundations are stable. * Reporting, for now. We need to first spec this and then add it back. See WICG/origin-policy#62. Additionally, although we removed all parsing of the response header, we changed the code to look for the presence of Origin-Policy instead of Sec-Origin-Policy per the latest spec. Apart from removals, this CL's biggest changes are to the web platform tests. This implements the plan discussed at web-platform-tests/wpt#20773 and web-platform-tests/rfcs#44 which allows us to serve different origin policies per subdomain. The test origin policies also now contain "id" members, but those are not used or tested for now; that will occur in https://crbug.com/1042036. Bug: 1042034 Change-Id: I4674fe2cfbc1f3e174c76415d86a487e750cdb0d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2020488 Commit-Queue: Domenic Denicola <domenic@chromium.org> Reviewed-by: Martin Šrámek <msramek@chromium.org> Reviewed-by: Matt Mueller <mattm@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Dominic Battré <battre@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#745187} -- wpt-commits: 496499a3188a8da571cbe59e182d555c2a6b8d69 wpt-pr: 21904

chromium-wpt-export-bot mentioned this issue Feb 11, 2020

[DISCARDED] Always fetch origin policies from /.well-known/origin-policy web-platform-tests/wpt#21739

Closed

domenic mentioned this issue Feb 12, 2020

Consolidating allowed/preferred? #61

Closed

KyleJu mentioned this issue Feb 13, 2020

[DISCARDED] web-platform-tests/wpt#21771

Closed

chromium-wpt-export-bot mentioned this issue Feb 20, 2020

Always fetch origin policies from /.well-known/origin-policy web-platform-tests/wpt#21904

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Define report-to #62

Define report-to #62

domenic commented Dec 11, 2019 •

edited

Sora2455 commented Feb 29, 2020

Define report-to #62

Define report-to #62

Comments

domenic commented Dec 11, 2019 • edited

Sora2455 commented Feb 29, 2020

domenic commented Dec 11, 2019 •

edited