Skip to content

Commit

Permalink
Consolidate iframe & object resource timing code paths
Browse files Browse the repository at this point in the history
So far some of the logic  in resource timing for subframe navigations
iframe/object/embed) was duplicated, e.g. both in blink and in content.

This has led to race conditions, inconsistencies and sometimes
XSS leaks.

This patch attempts to improve the situation by consolidating the code
paths:

- NavigationRequest receives is_container_initiated, which ensures only
  container-initiated navigations are reported to the parent. This
  is a clarification of something that was ambiguous in the spec
  previously (whatwg/html#8846).
  It later uses ParentResourceTimingAccess to decide if a navigation
  should report to its parent with/without response details
  (status code and mime-type), or not report at all (TAO-fail, not
  an iframe, not container-initiated).

- Both object fallbacks and cancelled navigations (204/205) report
  to the parent via RenderFrameImpl, and blink converts that to a
  ResourceTimingInfo object. This allows us to remove the duplicated
  resource timing creation code in //content.

- We report fallback resource timing also for plugin error events and
  not only for load events.

Bug: 1399862
Bug: 1410705
Change-Id: Id37d23cd02eee9e38f812e6f3da99caedafdee3d
  • Loading branch information
noamr authored and chromium-wpt-export-bot committed Feb 8, 2023
1 parent 3e863c1 commit 6822cb3
Show file tree
Hide file tree
Showing 3 changed files with 47 additions and 0 deletions.
35 changes: 35 additions & 0 deletions resource-timing/entries-for-object-frame-options-deny.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8" />
<meta name="timeout" content="long">
<link rel="author" title="Noam Rosenthal" href="noam@chromium.org">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="resources/entry-invariants.js"></script>
</head>
<body>
<script>
const {REMOTE_ORIGIN} = get_host_info();

promise_test(async t => {
const success_url = new URL("/resource-timing/resources/object-frame-options-200.asis", REMOTE_ORIGIN).href;
const fail_url = new URL("/resource-timing/resources/object-frame-options-403.asis", REMOTE_ORIGIN).href;
const load_object = async url => {
const object = document.createElement("object");
object.data = url;
document.body.appendChild(object);
t.add_cleanup(() => object.remove());
await new Promise(resolve => {
object.onload = object.onerror = resolve;
});
};

await Promise.all([success_url, fail_url].map(load_object));
assert_equals(performance.getEntriesByName(success_url).length, 1);
assert_equals(performance.getEntriesByName(fail_url).length, 1);
}, "Test that object elements with X-Frame-Options: Deny produce resource timing entries");
</script>
</body>
</html>
6 changes: 6 additions & 0 deletions resource-timing/resources/object-frame-options-200.asis
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
HTTP/1.0 200 OK
Content-Type: text/html
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'

Hello
6 changes: 6 additions & 0 deletions resource-timing/resources/object-frame-options-403.asis
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
HTTP/1.0 403 OK
Content-Type: text/html
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'

Hello

0 comments on commit 6822cb3

Please sign in to comment.