[Webkit-unassigned] [Bug 84886] [Resource Timing] Implement cross-origin restrictions
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Nov 30 13:55:45 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=84886
--- Comment #3 from James Simonsen <simonjam at chromium.org> 2012-11-30 13:58:04 PST ---
(From update of attachment 170155)
View in context: https://bugs.webkit.org/attachment.cgi?id=170155&action=review
> Source/WebCore/page/Performance.cpp:189
> +static bool passesTimingAllowCheck(const ResourceResponse& response, SecurityOrigin* securityOrigin)
I think this should happen in the PerformanceResourceTiming constructor. It's really only applicable to that class.
> Source/WebCore/page/Performance.cpp:201
> + if (timingAllowOriginString != securityOrigin->toString())
The string may be a space separated list. We should check each item in it.
> Source/WebCore/page/Performance.cpp:207
> +void Performance::addResourceTiming(const ResourceRequest& request, const ResourceResponse& response, double finishTime, Document* requestingDocument, SecurityOrigin* initiatorOrigin)
We don't need to pass in the origin. You can get it from requestingDocument->securityOrigin().
> Source/WebCore/page/Performance.cpp:213
> + bool allowTiming = WebCore::SecurityOrigin::create(response.url())->equal(initiatorOrigin) || passesTimingAllowCheck(response, initiatorOrigin);
allowTiming -> shouldReportDetails
> Source/WebCore/page/PerformanceResourceTiming.h:52
> + static PassRefPtr<PerformanceResourceTiming> create(const ResourceRequest& request, const ResourceResponse& response, double finishTime, Document* requestingDocument, bool isAllowTiming)
isAllowTiming -> shouldReportDetails
> Source/WebCore/page/PerformanceResourceTiming.h:74
> + PerformanceResourceTiming(const ResourceRequest&, const ResourceResponse&, double finishTime, Document*, bool);
This needs a name. You can only omit the name if it's clear what it is.
> LayoutTests/http/tests/w3c/webperf/submission/Intel/resource-timing/test_resource_timing_timing_allow_cross_origin_resource_request.html:51
> + requestUrl += '?origin=http://' + pageOrigin;
We should have a test where it's allowed by this parameter.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list