[Resource Timing] Test XO redirection sandwich with and without TAO #13518

Merged
merged 5 commits into from Apr 17, 2019

6 participants
@yoavweiss
Contributor

commented Oct 15, 2018

Add a test to make sure that a Same-Origin=>Cross-Origin=>Same-origin redirection chain is not exposing timing information unless Timing-Allow-Origin is set.

Partially fixes w3c/resource-timing#152

@annevk

Member

commented Oct 15, 2018

Going from the description, do you require Timing-Allow-Origin on each response in the chain?

@wpt-pr-bot

Collaborator

commented Oct 15, 2018

There are no reviewers for this pull request besides its author. Please reach out on W3C's irc server (irc.w3.org, port 6665) on channel #testing (web client) to get help with this. Thank you!

@yoavweiss

Contributor Author

commented Nov 2, 2018

> Going from the description, do you require Timing-Allow-Origin on each response in the chain?

The "with TAO" test does indeed have TAO on each response other than the last one (which is same origin). Is there value in making sure that only cross-origin responses have TAO?

@annevk

Member

commented Nov 2, 2018

The last one also needs to have it, if you ever went cross-origin. Otherwise you have a different design from CORS which seems bad for security (as I tried to explain in the corresponding issue and maybe also some other PR in that repo).

@npm1

Contributor

commented Apr 3, 2019

Test looks good to me, we should have tests for these sandwiches now instead of waiting on the integration with fetch which will make it consistent with CORS. Do you mind adding a comment in multi_redirect.py to be precise about what it is doing?

@yoavweiss

Contributor Author

commented Apr 12, 2019

@annevk - PTAL. This tests the current behavior that's specified and implemented for TAO, which is to not require TAO on same-origin after a cross-origin redirect. I plan to try and align the behavior with CORS as part of L3, but want to first document and test what's implemented today.
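
An added sketch, not part of this thread or of the merged test, contrasting the two policies discussed above on the same-origin => cross-origin => same-origin chain: a per-response check that passes same-origin responses without TAO, and a CORS-style check that requires TAO on every response once the chain has gone cross-origin. The origins, chain data and function names are constructed for illustration, and the model ignores how the origin is serialized after tainting.

```javascript
// Added illustration: simplified model, not the spec algorithm or the WPT test.
// A hop is { origin, tao }: the responding origin and its Timing-Allow-Origin
// header value (null when the header is absent).

function taoAllows(tao, requester) {
  if (tao === null) return false;
  return tao.split(",").map((v) => v.trim())
    .some((v) => v === "*" || v === requester);
}

// Policy described in the thread as specified and implemented at the time:
// each response is checked on its own, and a same-origin response passes
// without TAO even when an earlier hop was cross-origin.
function exposedPerResponse(chain, requester) {
  return chain.every((hop) =>
    hop.origin === requester || taoAllows(hop.tao, requester));
}

// CORS-style policy: once any hop is cross-origin the chain is tainted, and
// every response from that hop onward needs TAO, same-origin ones included.
function exposedCorsStyle(chain, requester) {
  let tainted = false;
  for (const hop of chain) {
    if (hop.origin !== requester) tainted = true;
    if (tainted && !taoAllows(hop.tao, requester)) return false;
  }
  return true;
}

// Constructed sample chains (hypothetical origins).
const A = "https://a.example";
const B = "https://b.example";
const chains = {
  noTao: [{ origin: A, tao: null }, { origin: B, tao: null }, { origin: A, tao: null }],
  taoExceptLast: [{ origin: A, tao: "*" }, { origin: B, tao: "*" }, { origin: A, tao: null }],
  taoEverywhere: [{ origin: A, tao: "*" }, { origin: B, tao: A }, { origin: A, tao: "*" }],
};

for (const [name, chain] of Object.entries(chains)) {
  console.log(name, exposedPerResponse(chain, A), exposedCorsStyle(chain, A));
}
```

The `taoExceptLast` chain is the case where the two policies disagree: the per-response check exposes timing, the CORS-style check does not.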

@npm1

npm1 approved these changes Apr 16, 2019

Contributor

left a comment

LGTM

@yoavweiss yoavweiss force-pushed the yoavweiss:XO_sandwich branch from e6d882e to 4700573 Apr 16, 2019

@Hexcles Hexcles merged commit dbc26ae into web-platform-tests:master Apr 17, 2019

6 of 10 checks passed

Taskcluster (pull_request) TaskGroup: failure
wpt.fyi - chrome[experimental] Chrome results
wpt.fyi - firefox[experimental] Firefox results
wpt.fyi - safari[experimental] Safari results
Azure Pipelines Build #20190416.40 succeeded
Azure Pipelines (./wpt test-jobs) ./wpt test-jobs succeeded
Azure Pipelines (affected tests (Safari Technology Preview)) affected tests (Safari Technology Preview) succeeded
Azure Pipelines (affected tests without changes (Safari Technology Preview)) affected tests without changes (Safari Technology Preview) succeeded
Azure Pipelines (wpt.fyi hook: safari-preview-affected-tests) wpt.fyi hook: safari-preview-affected-tests succeeded
Azure Pipelines (wpt.fyi hook: safari-preview-affected-tests-without-changes) wpt.fyi hook: safari-preview-affected-tests-without-changes succeeded

@Hexcles

Member

commented Apr 17, 2019

Force-merging because a file in common/ was modified, affecting too many tests and causing stability checks to time out.

mattto pushed a commit to mattto/web-platform-tests that referenced this pull request Apr 18, 2019

Matt Falkenhagen
Fix get-host-info.sub.js so workers can use it.
Access self.location instead of window.location. Fixes web-platform-tests#13518.

gsnedders added a commit that referenced this pull request Apr 18, 2019

Fix get-host-info.sub.js so workers can use it. (#16405)
Access self.location instead of window.location. Fixes #13518.