[Webkit-unassigned] [Bug 84886] [Resource Timing] Implement cross-origin restrictions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 30 13:55:45 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=84886





--- Comment #3 from James Simonsen <simonjam at chromium.org>  2012-11-30 13:58:04 PST ---
(From update of attachment 170155)
View in context: https://bugs.webkit.org/attachment.cgi?id=170155&action=review

> Source/WebCore/page/Performance.cpp:189
> +static bool passesTimingAllowCheck(const ResourceResponse& response, SecurityOrigin* securityOrigin)

I think this should happen in the PerformanceResourceTiming constructor. It's really only applicable to that class.

> Source/WebCore/page/Performance.cpp:201
> +    if (timingAllowOriginString != securityOrigin->toString())

The string may be a space separated list. We should check each item in it.

> Source/WebCore/page/Performance.cpp:207
> +void Performance::addResourceTiming(const ResourceRequest& request, const ResourceResponse& response, double finishTime, Document* requestingDocument, SecurityOrigin* initiatorOrigin)

We don't need to pass in the origin. You can get it from requestingDocument->securityOrigin().

> Source/WebCore/page/Performance.cpp:213
> +    bool allowTiming = WebCore::SecurityOrigin::create(response.url())->equal(initiatorOrigin) || passesTimingAllowCheck(response, initiatorOrigin);

allowTiming -> shouldReportDetails

> Source/WebCore/page/PerformanceResourceTiming.h:52
> +    static PassRefPtr<PerformanceResourceTiming> create(const ResourceRequest& request, const ResourceResponse& response, double finishTime, Document* requestingDocument, bool isAllowTiming)

isAllowTiming -> shouldReportDetails

> Source/WebCore/page/PerformanceResourceTiming.h:74
> +    PerformanceResourceTiming(const ResourceRequest&, const ResourceResponse&, double finishTime, Document*, bool);

This needs a name. You can only omit the name if it's clear what it is.

> LayoutTests/http/tests/w3c/webperf/submission/Intel/resource-timing/test_resource_timing_timing_allow_cross_origin_resource_request.html:51
> +            requestUrl += '?origin=http://' + pageOrigin;

We should have a test where it's allowed by this parameter.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list