How to apply OutOfBlinkCors for a custom URLLoader?

[Marshall Greenblatt]

Hi All,

I have a URLLoaderFactory proxy implementation [1] (originally based on AwProxyingURLLoaderFactory) where I intercept certain HTTP(S) requests via ContentBrowserClient::WillCreateURLLoaderFactory and handle them in the browser process using a custom URLLoader implementation [2]. In cases where I don't specify an "Access-Control-Allow-Origin" header, and when OutOfBlinkCors (OOR-CORS) is disabled, an XMLHttpRequest to the intercepted resource will be blocked as expected with a message like:

"Access to XMLHttpRequest at 'http://internal.com/api.json' from origin 'http://untrusted.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.", source: http://untrusted.com/iframe.html

When OutOfBlinkCors is enabled the CORS restrictions are not applied and the XMLHttpRequest succeeds, which is not the expected behavior. I've also noticed that no "Origin" header is sent with the XHR request in this case.

This lack of CORS enforcement with OutOfBlinkCors is a problem for applications that load both internal and external resources. For example, an application might expose sensitive business logic via an intercepted HTTP request and expect CORS restrictions to keep untrusted content (like a third-party ad loaded in an iframe) from accessing it.

What would be the recommended approach for enforcing CORS restrictions for intercepted requests when OutOfBlinkCors is enabled? It seems that OutOfBlinkCors is implemented via CorsURLLoader which lives in the NetworkService process -- is possible to somehow route a request through a CorsURLLoader while still intercepting/handling it in the browser process?

Thanks,

Marshall

[1] https://github.com/chromiumembedded/cef/blob/master/libcef/browser/net_service/proxy_url_loader_factory.h

[2] https://github.com/chromiumembedded/cef/blob/master/libcef/browser/net_service/stream_reader_url_loader.h

[Yutaka Hirano]

So, you are intercepting a request in a custom URLLoaderFactory. That URLLoaderFactory intercepts a request, and - where does the response come from? If it comes from the network (i.e., you are using a URLLoaderFactory coming from a network::mojom::NetworkContext), then CORS is already applied there. Otherwise, you get the response from other places (e.g., file), then CORS is not enforced. If you want to perform a CORS check, then you need to implement it by yourself.

Does this answer your question?

--
You received this message because you are subscribed to the Google Groups "network-service-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to network-service...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/network-service-dev/CAFW9UJ8vcP05wwffdEj%2BDznUATSGpd-0J%3Dv0OTRf8PWrEgBChA%40mail.gmail.com.