Add support for OutOfBlinkCors with request handling

Issue #2716 resolved
Marshall Greenblatt created an issue

OutOfBlinkCors (OOR-CORS) moves CORS restriction handling from Blink (in the renderer process) to the NetworkService. This functionality is enabled by default in Chromium starting with version 76.0.3809.0 (PR #240). It will be disabled in CEF because it currently breaks the application of CORS restrictions for requests that are handled by the client (for example, via a registered scheme handler).

Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=736308

Design document: https://docs.google.com/document/d/1JNmUcvbw2UcjfdI2uyUpveHXCbae-DQ1n8d_sVs5fLg/edit#

Comments (7)

  1. Marshall Greenblatt reporter

    The following tests currently fail when OutOfBlinkCors is enabled:

    [  FAILED  ] SchemeHandlerTest.CustomNonStandardXHRSameOriginSync
    [  FAILED  ] SchemeHandlerTest.CustomNonStandardXHRSameOriginAsync
    [  FAILED  ] SchemeHandlerTest.CustomStandardXHRDifferentOriginSync
    [  FAILED  ] SchemeHandlerTest.CustomStandardXHRDifferentOriginAsync
    [  FAILED  ] SchemeHandlerTest.CustomStandardFetchDifferentOrigin
    [  FAILED  ] SchemeHandlerTest.HttpXHRDifferentOriginSync
    [  FAILED  ] SchemeHandlerTest.HttpXHRDifferentOriginAsync
    [  FAILED  ] SchemeHandlerTest.HttpFetchDifferentOriginAsync
    [  FAILED  ] SchemeHandlerTest.CustomStandardXHRDifferentOriginRedirectSync
    [  FAILED  ] SchemeHandlerTest.CustomStandardXHRDifferentOriginRedirectAsync
    [  FAILED  ] SchemeHandlerTest.CustomStandardFetchDifferentOriginRedirect
    

    Comparing to the previous behavior:

    ceftests.exe --gtest_filter=SchemeHandlerTest.HttpXHRDifferentOriginAsync --disable-features=OutOfBlinkCors
    Note: Google Test filter = SchemeHandlerTest.HttpXHRDifferentOriginAsync
    [==========] Running 1 test from 1 test suite.
    [----------] Global test environment set-up.
    [----------] 1 test from SchemeHandlerTest
    [ RUN      ] SchemeHandlerTest.HttpXHRDifferentOriginAsync
    [0710/094905.917:INFO:CONSOLE(0)] "Access to XMLHttpRequest at 'http://test2/xhr.html' from origin 'http://test1' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: http://test1/run.html (0)
    [0710/094905.919:INFO:CONSOLE(1)] "XMLHttpRequest failed with error [object ProgressEvent]", source: http://test1/run.html (1)
    [       OK ] SchemeHandlerTest.HttpXHRDifferentOriginAsync (583 ms)
    [----------] 1 test from SchemeHandlerTest (584 ms total)
    
    ceftests.exe --gtest_filter=SchemeHandlerTest.HttpXHRDifferentOriginAsync
    Note: Google Test filter = SchemeHandlerTest.HttpXHRDifferentOriginAsync
    [==========] Running 1 test from 1 test suite.
    [----------] Global test environment set-up.
    [----------] 1 test from SchemeHandlerTest
    [ RUN      ] SchemeHandlerTest.HttpXHRDifferentOriginAsync
    ../../cef/tests/ceftests/scheme_handler_unittest.cc(1248): error: Value of: g_TestResults.got_sub_success
      Actual: true
    Expected: false
    Stack trace:
    Backtrace:
            base::debug::StackTrace::StackTrace [0x6F131472+34] (C:\code\chromium_git\chromium\src\base\debug\stack_trace.cc:203)
            StackTraceGetter::CurrentStackTrace [0x007A014A+90] (C:\code\chromium_git\chromium\src\third_party\googletest\custom\gtest\internal\custom\stack_trace_getter.cc:24)
            testing::internal::UnitTestImpl::CurrentOsStackTraceExceptTop [0x007B71CA+74] (C:\code\chromium_git\chromium\src\third_party\googletest\src\googletest\src\gtest.cc:827)
            testing::internal::AssertHelper::operator= [0x007B6D3B+75] (C:\code\chromium_git\chromium\src\third_party\googletest\src\googletest\src\gtest.cc:404)
    
    [  FAILED  ] SchemeHandlerTest.HttpXHRDifferentOriginAsync (727 ms)
    [----------] 1 test from SchemeHandlerTest (735 ms total)
    

    When OutOfBlinkCors is enabled, no Origin: http://test1 header is sent with the XHR request. CORS restrictions are now implemented by CorsURLLoaderFactory::CreateLoaderAndStart, which is not being called for handled requests. Some changes in the handling of Origin headers during redirect may also be required as shown here.
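
The failing tests above expect a cross-origin response without an `Access-Control-Allow-Origin` header to be blocked even when the client handles the request. As an added example (not part of the original comment and not CEF or Chromium code), here is a simplified model of the response-side CORS check from the Fetch standard. `CheckCorsResponse`, `Headers` and `CorsResult` are hypothetical names, and preflight handling is left out.

```cpp
#include <iostream>
#include <map>
#include <string>

// Response headers keyed by lower-cased name (constructed model, not a CEF type).
using Headers = std::map<std::string, std::string>;

enum class CorsResult {
  kAllowed,
  kMissingAllowOrigin,
  kOriginMismatch,
  kCredentialsNotAllowed,
};

// Simplified response-side CORS check following the Fetch standard's
// "CORS check". Origins are compared as serialized strings.
CorsResult CheckCorsResponse(const std::string& request_origin,
                             const std::string& target_origin,
                             bool include_credentials,
                             const Headers& response_headers) {
  // Same-origin requests are not subject to the check.
  if (request_origin == target_origin) return CorsResult::kAllowed;

  auto acao = response_headers.find("access-control-allow-origin");
  if (acao == response_headers.end()) return CorsResult::kMissingAllowOrigin;

  // The wildcard is only honoured for requests without credentials.
  if (!include_credentials && acao->second == "*") return CorsResult::kAllowed;
  if (acao->second != request_origin) return CorsResult::kOriginMismatch;
  if (!include_credentials) return CorsResult::kAllowed;

  auto acac = response_headers.find("access-control-allow-credentials");
  if (acac != response_headers.end() && acac->second == "true")
    return CorsResult::kAllowed;
  return CorsResult::kCredentialsNotAllowed;
}

int main() {
  // The case from the log above: http://test1 requests http://test2/xhr.html
  // and the handler's response carries no Access-Control-Allow-Origin header.
  bool blocked = CheckCorsResponse("http://test1", "http://test2", false, {}) !=
                 CorsResult::kAllowed;
  std::cout << "cross-origin XHR blocked: " << std::boolalpha << blocked << "\n";
  return blocked ? 0 : 1;
}
```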

  2. Marshall Greenblatt reporter

    Add support and enable out-of-Blink CORS (fixes issue #2716)

    It can still be disabled for a short time by passing --disable-features=OutOfBlinkCors on the command-line.

    → <<cset 6b1e5335bc61>>

  3. Marshall Greenblatt reporter

    Add support and enable out-of-Blink CORS (fixes issue #2716)

    It can still be disabled for a short time by passing --disable-features=OutOfBlinkCors on the command-line.

    → <<cset 1119d2723c7c>>
