Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge to M115 of "Fenced frames: Local network access."
This CL is to merge the Fenced frames local network access support (crrev.com/c/4595521) back to M115. Original CL description: This is a reland of commit c02af16 Previous submit caused test timeout for the two new tests: 1. fenced-frame-subresource-fetch.tentative.https.window.js 2. fenced-frame.tentative.https.window.js For fenced frames, we obtain messages by writing value to/reading value from a server. This is significantly slower than similar tests using iframes, because iframes can simply use `window.postMessage()`. I've specified long timeout for both tests by `// META: timeout=long`. Otherwise this CL is the same as the original one. Original change's description: > Fenced frames: Local network access. > > Fenced frames are only allowed in secure context. So the tests are > all in secure contexts. > > 1. Subresource fetch: > > Fenced frame's IP address space is set to `kPublic` in order to make > it subject to local network access check. > > web_tests/external/wpt/fetch/local-network-access/ > fetch.https.window.js is replicated and replaced iframes with fenced > frames. All test cases are passing with the same behaviors as iframes. > > 2. Document fetch: > > Fenced frame's document fetch initiator can only be the parent. > Fenced frames can only be navigated in two ways: > > 1. Directly by their parent, and never by another frame at a distance > via `window.location` or `window.open`; in this case the `ClientSecurityState` needs to come from the parent. > 2. By themselves; in this case the `ClientSecurityState` also needs to > come from its embedder/parent. > > The ClientSecurityState of its parent is supplied to the > NavigationURLLoader. > > web_tests/external/wpt/fetch/local-network-access/ > iframe.tentative.https.window.js is replicated and replaced iframes > with fenced frames. All test cases have the same results as the > iframe test expectations, except one: > > treat-as-public-address to local (same-origin): no preflight > required > > - Iframe: the request is made without preflight. The nested iframe is > loaded successfully. > > - Fenced frame: a preflight is made, and gets blocked. See a. below. > > I changed the test expectation for this test only. (PASS for iframe, > but FAIL for fenced frame) > > Here are some noteworthy things we observed for document fetch. The > following only applies to embedder-initiated navigations (i.e., the > initial navigation of the frame): > a. Fenced frame's document fetch's preflight request is always sent > with `Origin: null`. This applies to embedder-initiated navigations > (i.e., the initial navigation of the frame). I think this affects the > outcome of Local Network Access check algorithm. > https://source.chromium.org/chromium/chromium/src/+/main:content/browser/fenced_frame/fenced_frame.cc;l=119-126?q=fencedframe::n&ss=chromium%2Fchromium%2Fsrc > > A `null` origin implies > LocalNetworkAccessChecker::is_potentially_trustworthy_same_origin_ > will always be false. > > b. For testing purposes, we tried manually overriding the initiator > origin with a real origin and found that the preflight request still > failed. This is because the credentials mode of the navigation is > `'include'`, which prevents `Access-Control-Allow-Origin: '*'` from > working, which iframes equivalently suffer from: https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/external/wpt/fetch/local-network-access/iframe.tentative.https.window-expected.txt?q=%22FAIL%20%22%20f:third_party%2Fblink%2Fweb_tests%2Fexternal%2Fwpt%2Ffetch%2Flocal-network-access%2Fiframe.tentative.https.window-expected.txt. > > Bug: 1420626 > Change-Id(Omit): I74c97369d235e1725c650bfe87f29372992cb56b > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4532557 > Reviewed-by: Titouan Rigoudy <titouan@chromium.org> > Reviewed-by: Alex Moshchuk <alexmos@chromium.org> > Reviewed-by: Weizhong Xia <weizhong@google.com> > Commit-Queue: Xiaochen Zhou <xiaochenzh@chromium.org> > Cr-Commit-Position: refs/heads/main@{#1154027} Change-Id(Omit): I5c1f326e991f14125f5c3991046553d6e3200784 (cherry picked from commit 7fbb078) Bug: 1420626, 1451954 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4595521 Reviewed-by: Titouan Rigoudy <titouan@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Reviewed-by: Weizhong Xia <weizhong@google.com> Commit-Queue: Xiaochen Zhou <xiaochenzh@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1155231} Change-Id: I5c1f326e991f14125f5c3991046553d6e3200784 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4606102 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/5790@{#659} Cr-Branched-From: 1d71a33-refs/heads/main@{#1148114}
- Loading branch information