Fetch is not setting origin correctly.

[asajeffrey]

In https://github.com/servo/servo/blob/master/components/script/fetch.rs#L60 we have:

fn request_init_from_request(request: NetTraitsRequest) -> NetTraitsRequestInit {
    NetTraitsRequestInit {
        ...
        // TODO: NetTraitsRequestInit and NetTraitsRequest have different "origin"
        // ... NetTraitsRequestInit.origin: Url
        // ... NetTraitsRequest.origin: RefCell<Origin>
        origin: request.url(),
        ...
    }
}

which sets the origin of the request to be the origin of the request url (that is, the resource being fetched) rather than the origin of the requester. This means that when we come to do the same-origin test https://github.com/servo/servo/blob/master/components/net/fetch/methods.rs#L211:

/// [Main fetch](https://fetch.spec.whatwg.org/#concept-main-fetch)
pub fn main_fetch(request: Rc<Request>,
                  cache: &mut CorsCache,
                  cors_flag: bool,
                  recursive_flag: bool,
                  target: Target,
                  done_chan: &mut DoneChannel,
                  context: &FetchContext)
                  -> Response {
    ...
    // Step 11
    let response = match response {
        Some(response) => response,
        None => {
            let current_url = request.current_url();
            let same_origin = if let Origin::Origin(ref origin) = *request.origin.borrow() {
                *origin == current_url.origin()
            } else {
                false
            };
    ...

all fetches are considered to be same-origin. This is not a good security feature!

IRC chat with @Manishearth and @KiChjang: http://logs.glob.uno/?c=mozilla%23servo&s=26+Jan+2017&e=26+Jan+2017#c600706

[asajeffrey]

This is probably the root cause of the test failure at #15232 (comment)

[fnune]

I would like to work on this.

[asajeffrey]

@brainlessdeveloper cool, thanks! (I was on vacation, sorry about the delay.) Let me know if there's any help you need.

[fnune]

Oh, I'd forgotten about this one haha. Would you mind adding the assigned label to it?

[asajeffrey]

@cbrewster beat me to it :)

[KiChjang]

@brainlessdeveloper The following conversation snippet would light your path forward:

19:36	jdm	KiChjang: "Set request's client to the element's node document's Window object's environment settings object and type to "image"."
19:36	jdm	(for example)
19:36	jdm	the environment settings object is derived from the request's client
19:37	jdm	although new Request(...) uses the current global
19:37	jdm	(ie. GlobalScope::current())
19:37	KiChjang	"element's node document's window object's"
19:38	KiChjang	too many apostrophes
19:42	KiChjang	okay, looks like the request origin should come from GlobalScope::curent().get_url()
19:43	KiChjang	though ideally we should also have a origin() method on GlobalScope

[fnune]

@KiChjang Awesome! I read the whole chat but on a first read I didn't figure out much. Thanks!

[fnune]

So in short I should fix origin in fn request_init_from_request here and also figure out if we need an origin method on GlobalScope. If so, implement it, and it should return the origin url. Did I get it all right?

[KiChjang]

The origin method on GlobalScope would just be a shorthand for GlobalScope::current().get_url(), so that method would just be there to save some typing, but it's not strictly necessary. You may also want to grep places where we instantiate a new RequestInit struct and read the relevant section of the spec to see whether it is initializing the origin correctly.