NEW 204375
Fix Timing-Allow-Origin check in ResourceTiming
https://bugs.webkit.org/show_bug.cgi?id=204375
Nicolas
Reported 2019-11-19 14:09:53 PST
In https://github.com/web-platform-tests/wpt/pull/20320 I added a test to check the behavior landing in https://github.com/whatwg/fetch/pull/955. Essentially there are two changes:

- Same-origin check is replaced with 'response tainting' from Fetch.
- When Fetch's 'tainted origin flag' is set, having a TAO header equal to the request origin is not a valid way to pass the TAO check (instead, requires '*' or 'null').

Use https://wpt.fyi/results/resource-timing/crossorigin-sandwich-TAO.sub.html?label=master&label=experimental to know whether this passes on Safari (probably doesn't but hasn't loaded the test yet).
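The two changes in the report above, sketched as a simplified model of the TAO check. This is an added example, not part of the original report and not WebKit or Fetch code; the function names, the request object shape, and the example origins are assumptions made for illustration.

```javascript
// Simplified model of the Timing-Allow-Origin (TAO) check described in the
// report. All names and the request shape are hypothetical.

// Split a Timing-Allow-Origin header value into its comma-separated entries.
function parseTaoHeader(headerValue) {
  if (typeof headerValue !== "string") return [];
  return headerValue.split(",").map((v) => v.trim()).filter((v) => v !== "");
}

// Origin string the TAO entries are compared against. Once the tainted
// origin flag is set, the request origin serializes as "null".
function serializeRequestOrigin(request) {
  return request.taintedOrigin ? "null" : request.origin;
}

function passesTaoCheck(request, taoHeaderValue) {
  // Change 1: decide on response tainting, not on a same-origin comparison.
  if (request.responseTainting === "basic") return true;
  const values = parseTaoHeader(taoHeaderValue);
  if (values.includes("*")) return true;
  // Change 2: with the tainted origin flag set, only "null" can match here,
  // so echoing the request origin in the header no longer passes.
  return values.includes(serializeRequestOrigin(request));
}

// Constructed sample requests (origins are placeholders).
const sameOrigin = { origin: "https://a.example", responseTainting: "basic", taintedOrigin: false };
const crossOrigin = { origin: "https://a.example", responseTainting: "cors", taintedOrigin: false };
const tainted = { origin: "https://a.example", responseTainting: "cors", taintedOrigin: true };

function runSamples() {
  return {
    sameOriginNoHeader: passesTaoCheck(sameOrigin, undefined),
    crossOriginEchoed: passesTaoCheck(crossOrigin, "https://a.example"),
    crossOriginOther: passesTaoCheck(crossOrigin, "https://b.example"),
    taintedEchoed: passesTaoCheck(tainted, "https://a.example"),
    taintedStar: passesTaoCheck(tainted, "*"),
    taintedNull: passesTaoCheck(tainted, "https://b.example, null"),
  };
}

console.log(runSamples());
```

The `taintedEchoed` case is the one the new behavior changes: a header equal to the request origin is rejected once the tainted origin flag is set.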
Radar WebKit Bug Importer
Comment 1 2019-11-22 16:05:12 PST