CORB should block CSV, PDF and other MimeHandlerView types w/o sniffing. #16850

Merged
merged 1 commit into from May 23, 2019


chromium-wpt-export-bot commented May 15, 2019

This CL extends CORB to also cover CSV, PDF and other types handled by
MimeHandlerView. This protection is only turned on when the
kMimeHandlerViewInCrossProcessFrame feature is enabled, because
otherwise the resource body may need to go through a cross-origin
renderer process (see https://crbug.com/929300).

Manually tested by launching
    $ out/rel/chrome --user-data-dir=$HOME/.corb-for-pdf     \
        --enable-features=MimeHandlerViewInCrossProcessFrame \
        http://anforowicz.github.io/xsdb-demo/index.html
and verifying that DevTools console shows CORB warning for
<img src="https://www.w3.org/.../dummy.pdf">

Bug: 802836
Change-Id: Ia13a693d76f50aca52d6241af317d75c07e20b59
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1606589
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#662651}
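
A simplified model of the behavior the commit message above describes, as an added example that is not part of this pull request or of Chromium's code: HTML, XML and JSON are blocked only when sniffing confirms the type, while PDF and CSV are blocked on `Content-Type` alone once the feature is on. The function names, the `featureEnabled` parameter, the sniffing regexes and the sample responses are assumptions constructed for illustration.

```javascript
// Added example, not Chromium code: a simplified CORB decision for a
// cross-origin, no-cors response such as <img src="https://other.example/x">.

// Types confirmed by sniffing. These regexes are crude stand-ins (assumption).
const SNIFFED = new Map([
  ['text/html', /^\s*<(!doctype html|html|head|body|script)\b/i],
  ['text/xml', /^\s*<\?xml\b/i],
  ['application/xml', /^\s*<\?xml\b/i],
  ['application/json', /^\s*\{\s*"/],
]);

// The two types named in the PR title; blocked on Content-Type alone.
const NEVER_SNIFFED = new Set(['application/pdf', 'text/csv']);

// featureEnabled is a hypothetical parameter standing in for
// MimeHandlerViewInCrossProcessFrame.
function corbDecision({ contentType, bodyPrefix = '', nosniff = false, featureEnabled = false }) {
  const mime = contentType.split(';')[0].trim().toLowerCase();
  if (NEVER_SNIFFED.has(mime)) {
    return featureEnabled
      ? { blocked: true, reason: 'never-sniffed type' }
      : { blocked: false, reason: 'feature disabled' };
  }
  const sniffer = SNIFFED.get(mime);
  if (!sniffer) return { blocked: false, reason: 'type not covered' };
  if (nosniff) return { blocked: true, reason: 'nosniff, type trusted' };
  return sniffer.test(bodyPrefix)
    ? { blocked: true, reason: 'sniffing confirmed type' }
    : { blocked: false, reason: 'sniffing did not confirm type' };
}

// Constructed sample responses (not real traffic).
const SAMPLES = [
  { name: 'report.pdf', contentType: 'application/pdf', bodyPrefix: '%PDF-1.7' },
  { name: 'export.csv', contentType: 'text/csv; charset=utf-8', bodyPrefix: 'id,email\n1,a@example.test' },
  { name: 'mislabeled.pdf', contentType: 'application/pdf', bodyPrefix: 'GIF89a' },
  { name: 'page.html', contentType: 'text/html', bodyPrefix: '<!doctype html><p>hi</p>' },
  { name: 'mislabeled.js', contentType: 'text/html', bodyPrefix: 'var x = 1;' },
];

function audit(featureEnabled) {
  return SAMPLES.map((s) => ({ name: s.name, ...corbDecision({ ...s, featureEnabled }) }));
}

console.table(audit(true));
```

In this model a response labeled `application/pdf` is blocked even when its body is something else, so the protection depends on servers labeling sensitive documents with the correct `Content-Type`.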


wpt-pr-bot left a comment

Already reviewed downstream.

chromium-wpt-export-bot changed the title from "CORB should block CSV, PDF and other MimHandlerView types w/o sniffing." to "CORB should block CSV, PDF and other MimeHandlerView types w/o sniffing." on May 16, 2019

chromium-wpt-export-bot force-pushed the chromium-export-cl-1606589 branch 5 times, most recently from 99d9ff5 to 7ae77d4, on May 16, 2019

chromium-wpt-export-bot force-pushed the chromium-export-cl-1606589 branch from 7ae77d4 to 866a79a on May 23, 2019

chromium-wpt-export-bot merged commit 5b362a5 into master on May 23, 2019

13 checks passed

chromium-wpt-export-bot deleted the chromium-export-cl-1606589 branch on May 23, 2019