Bug 204375
| Summary: | Fix Timing-Allow-Origin check in ResourceTiming | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Nicolas <npm> |
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | achristensen, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Nicolas
In https://github.com/web-platform-tests/wpt/pull/20320 I added a test to check the behavior landing in https://github.com/whatwg/fetch/pull/955. Essentially there are two changes:
- Same-origin check is replaced with 'response tainting' from Fetch.
- When Fetch's 'tainted origin flag' is set, having a TAO header equal to the request origin is not a valid way to pass the TAO check (instead, requires '*' or 'null').
Use https://wpt.fyi/results/resource-timing/crossorigin-sandwich-TAO.sub.html?label=master&label=experimental to know whether this passes on Safari (probably doesn't but hasn't loaded the test yet).
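The two changes listed in the report above, modelled as an added example that is not part of the original report and is not WebKit code. The object shapes, field names and sample origin are hypothetical, and the header is assumed to be a comma-separated list.

```javascript
// Added illustration of the check described in this report. The object shapes
// and field names are hypothetical; they are not WebKit's or the Fetch spec's.

// Split a Timing-Allow-Origin header value (assumed comma-separated) into tokens.
function parseTimingAllowOrigin(headerValue) {
  if (headerValue == null) return [];
  return headerValue.split(",").map((v) => v.trim()).filter((v) => v !== "");
}

// Assumption drawn from the report: once the tainted origin flag is set, the
// request origin is treated as "null" for the comparison.
function serializeRequestOrigin(request) {
  return request.taintedOrigin ? "null" : request.origin;
}

// Returns true when the response passes the TAO check.
function taoCheck(request, response) {
  // Change 1: rely on response tainting, not a same-origin URL comparison.
  if (request.responseTainting === "basic") return true;
  const values = parseTimingAllowOrigin(response.timingAllowOrigin);
  if (values.includes("*")) return true;
  // Change 2: a tainted request can only match the literal "null".
  return values.includes(serializeRequestOrigin(request));
}

// Constructed sample requests (the origin is a placeholder).
const ORIGIN = "https://site.example";
const untainted = { origin: ORIGIN, responseTainting: "cors", taintedOrigin: false };
const tainted = { origin: ORIGIN, responseTainting: "cors", taintedOrigin: true };

function demo() {
  return {
    untaintedOwnOrigin: taoCheck(untainted, { timingAllowOrigin: ORIGIN }),
    taintedOwnOrigin: taoCheck(tainted, { timingAllowOrigin: ORIGIN }),
    taintedStar: taoCheck(tainted, { timingAllowOrigin: "*" }),
    taintedNull: taoCheck(tainted, { timingAllowOrigin: "null" }),
    taintedNoHeader: taoCheck(tainted, { timingAllowOrigin: null }),
  };
}

console.log(demo());
```

An implementation that still compares the header against the request origin when the tainted origin flag is set would return true for the `taintedOwnOrigin` case and expose timing data the server did not allow.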
Radar WebKit Bug Importer
<rdar://problem/57444359>