css: Use document (not base) URL for inline style preloads' referrers #29940
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
crrev.com/c/2592447 fixed one code path where setting a document's base
URL (via the HTML <base> tag) led to requests from inline CSS using the
base URL as their referrer, rather than the document URL. This goes
against the recommendation in the Referrer Policy spec that requests
from inline CSS use their documents' referrers. [1] In general, we try
to avoid letting pages override outgoing requests' referrers to
different-origin URLs, even though this is not a hard security boundary.
It turns out a separate code path can also trigger requests from inline
style sheets: in particular, '@import' statements in inline stylesheets
get prefetched by the HTML parser, which currently has separate logic
that explicitly sets those requests' referrers to the document's base
URL.
This change removes that logic. After this change, preload requests from
inline style in the HTML parser will use the document's URL, not its
base URL, when generating their referrers. This CL also adds two new WPTs:
for an inline stylesheet requesting another stylesheet via an @import
statement. There are other tests inspecting the referrers for SVG and
image fetches from inline stylesheets, but not for child stylesheet
fetches. This test passes even without this CL applied (because of
crrev.com/c/2592447).
same thing, except from a srcdoc iframe. Using a srcdoc iframe triggers
the preload code path since the inline stylesheet is hardcoded in a
<style> HTML tag. (In contrast, the test above uses JS to add the style
element to the DOM.) Because this second test exercises the preload
codepath, it fails without this patch's functional changes applied.
With this patch applied, the repro in the linked bug no longer succeeds.
[1] https://www.w3.org/TR/referrer-policy/#integration-with-css
Test: New WPT covers the preload path. Manually tested the bug's repro.
Change-Id: I6bd797978b207a4bc0bb1b35565eb93c7162729f
Fixed: 1233375
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3078937
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/main@{#924146}