css: Use document (not base) URL for inline style preloads' referrers #29940
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wpt-pr-bot
approved these changes
Aug 7, 2021
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-3078937
branch
from
98f4660
to
1665ca8
Compare
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-3078937
branch
2 times, most recently
from
6f3c39a
to
f3326ef
Compare
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-3078937
branch
3 times, most recently
from
c2bbae1
to
3594e68
Compare
crrev.com/c/2592447 fixed one code path where setting a document's base URL (via the HTML <base> tag) led to requests from inline CSS using the base URL as their referrer, rather than the document URL. This goes against the recommendation in the Referrer Policy spec that requests from inline CSS use their documents' referrers. [1] In general, we try to avoid letting pages override outgoing requests' referrers to different-origin URLs, even though this is not a hard security boundary. It turns out a separate code path can also trigger requests from inline style sheets: in particular, '@import' statements in inline stylesheets get prefetched by the HTML parser, which currently has separate logic that explicitly sets those requests' referrers to the document's base URL. This change removes that logic. After this change, preload requests from inline style in the HTML parser will use the document's URL, not its base URL, when generating their referrers. This CL also adds two new WPTs: * "stylesheet-with-differentorigin-base-url.html" verifies the referrer for an inline stylesheet requesting another stylesheet via an @import statement. There are other tests inspecting the referrers for SVG and image fetches from inline stylesheets, but not for child stylesheet fetches. This test passes even without this CL applied (because of crrev.com/c/2592447). * "stylesheet-with-differentorigin-base-url-from-preload.html" does the same thing, except from a srcdoc iframe. Using a srcdoc iframe triggers the preload code path since the inline stylesheet is hardcoded in a <style> HTML tag. (In contrast, the test above uses JS to add the style element to the DOM.) Because this second test exercises the preload codepath, it fails without this patch's functional changes applied. With this patch applied, the repro in the linked bug no longer succeeds. [1] https://www.w3.org/TR/referrer-policy/#integration-with-css Test: New WPT covers the preload path. Manually tested the bug's repro. Change-Id: I6bd797978b207a4bc0bb1b35565eb93c7162729f Fixed: 1233375 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3078937 Commit-Queue: David Van Cleve <davidvc@chromium.org> Reviewed-by: Jochen Eisinger <jochen@chromium.org> Reviewed-by: Emily Stark <estark@chromium.org> Reviewed-by: Yoav Weiss <yoavweiss@chromium.org> Cr-Commit-Position: refs/heads/main@{#924146}
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-3078937
branch
from
3594e68
to
9c11cf7
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
crrev.com/c/2592447 fixed one code path where setting a document's base
URL (via the HTML <base> tag) led to requests from inline CSS using the
base URL as their referrer, rather than the document URL. This goes
against the recommendation in the Referrer Policy spec that requests
from inline CSS use their documents' referrers. [1] In general, we try
to avoid letting pages override outgoing requests' referrers to
different-origin URLs, even though this is not a hard security boundary.
It turns out a separate code path can also trigger requests from inline
style sheets: in particular, '@import' statements in inline stylesheets
get prefetched by the HTML parser, which currently has separate logic
that explicitly sets those requests' referrers to the document's base
URL.
This change removes that logic. After this change, preload requests from
inline style in the HTML parser will use the document's URL, not its
base URL, when generating their referrers. This CL also adds two new WPTs:
for an inline stylesheet requesting another stylesheet via an @import
statement. There are other tests inspecting the referrers for SVG and
image fetches from inline stylesheets, but not for child stylesheet
fetches. This test passes even without this CL applied (because of
crrev.com/c/2592447).
same thing, except from a srcdoc iframe. Using a srcdoc iframe triggers
the preload code path since the inline stylesheet is hardcoded in a
<style> HTML tag. (In contrast, the test above uses JS to add the style
element to the DOM.) Because this second test exercises the preload
codepath, it fails without this patch's functional changes applied.
With this patch applied, the repro in the linked bug no longer succeeds.
[1] https://www.w3.org/TR/referrer-policy/#integration-with-css
Test: New WPT covers the preload path. Manually tested the bug's repro.
Change-Id: I6bd797978b207a4bc0bb1b35565eb93c7162729f
Fixed: 1233375
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3078937
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: Yoav Weiss <yoavweiss@chromium.org>
Cr-Commit-Position: refs/heads/main@{#924146}