New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Origin isolation: add basic header-based WPTs #22406
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The review process for this patch is being conducted in the Chromium project.
a2240b9
to
3604bab
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JavaScript modules! I like it. And sorry for the delay, this was easier to review than anticipated.
|
||
// Must not throw | ||
frameWindow.document; | ||
}, "setting document.domain must give sync access"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting, how does this work? If the parent sets it, it will succeed, its origin will have a domain component, and it can no longer be same origin-domain with something where setting did not succeed. I would expect it to not succeed in the frame.
(I guess you might not actually want this behavior as it's less compatible, but then it would necessitate adding complexity to same origin-domain. Might warrant some investigation to see if that's really needed.)
|
||
// Must not throw | ||
frameWindow.document; | ||
}, "setting document.domain must give sync access"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above.
@@ -0,0 +1,29 @@ | |||
<!DOCTYPE html> | |||
<meta charset="utf-8"> | |||
<title>Parent is isolated, child is not isolated, child is same-origin to the parent</title> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This title mismatches with the URL.
@@ -0,0 +1,30 @@ | |||
<!DOCTYPE html> | |||
<meta charset="utf-8"> | |||
<title>Parent is isolated, child is not isolated, child is a subdomain of the parent</title> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above.
// This function is coupled to ./send-origin-isolation-header.py, which ensures | ||
// that sending such a message will result in a message back. | ||
export async function setBothDocumentDomains(frameWindow) { | ||
document.domain = document.domain; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be nice if a future test ensures relevant exceptions are still thrown. I.e., I expect we want this to align with the cross-origin isolated check which returns near the very end of the setter.
f36aa6e
to
0b0ea51
Compare
Bug: 1042415 Change-Id: I771434df7a4dbcf8b26ea0bceded1f3e7b136ada Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2116833 Commit-Queue: Domenic Denicola <domenic@chromium.org> Reviewed-by: James MacLean <wjmaclean@chromium.org> Cr-Commit-Position: refs/heads/master@{#758044}
0b0ea51
to
2a6575b
Compare
Bug: 1042415
Change-Id: I771434df7a4dbcf8b26ea0bceded1f3e7b136ada
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2116833
Commit-Queue: Domenic Denicola <domenic@chromium.org>
Reviewed-by: James MacLean <wjmaclean@chromium.org>
Cr-Commit-Position: refs/heads/master@{#758044}