From 89ae1b2331bdc668aa804e63cf0560aeeea04f65 Mon Sep 17 00:00:00 2001
From: Noam Rosenthal
Date: Tue, 7 Feb 2023 10:13:12 -0800
Subject: [PATCH] Consolidate iframe & object resource timing code paths

So far some of the logic in resource timing for subframe navigations
(iframe/object/embed) was duplicated, e.g. both in blink and in content.
This has led to race conditions, inconsistencies and sometimes XSS leaks.

This patch attempts to improve the situation by consolidating the code paths:

- CorsUrlLoader registers redirect end time, and whether subframe
  navigations should be considered as "cross-origin" for resource timing
  (both defined in the fetch spec).

- NavigationRequest saves is_container_initiated, which ensures only
  container-initiated navigations are reported to the parent, as specified
  in the HTML spec
  (https://html.spec.whatwg.org/#create-navigation-params-by-fetching, #8)

- Both object fallbacks and cancelled navigations (204/205) report to the
  parent via RenderFrameImpl, and blink converts that to a
  ResourceTimingInfo object. This allows us to remove the duplicated
  resource timing creation code in //content.

- We report fallback resource timing also for plugin error events and not
  only for load events.

Bug: 1399862
Bug: 1410705
Change-Id: Id37d23cd02eee9e38f812e6f3da99caedafdee3d
---
 ...entries-for-object-frame-options-deny.html | 35 +++++++++++++++++++
 .../resources/object-frame-options-200.asis | 6 ++++
 .../resources/object-frame-options-403.asis | 6 ++++
 3 files changed, 47 insertions(+)
 create mode 100644 resource-timing/entries-for-object-frame-options-deny.html
 create mode 100644 resource-timing/resources/object-frame-options-200.asis
 create mode 100644 resource-timing/resources/object-frame-options-403.asis

diff --git a/resource-timing/entries-for-object-frame-options-deny.html b/resource-timing/entries-for-object-frame-options-deny.html new file mode 100644 index 00000000000000..a69b642971ba6a --- /dev/null 
+++ b/resource-timing/entries-for-object-frame-options-deny.html @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + diff --git a/resource-timing/resources/object-frame-options-200.asis b/resource-timing/resources/object-frame-options-200.asis new file mode 100644 index 00000000000000..122445326bdef6 --- /dev/null +++ b/resource-timing/resources/object-frame-options-200.asis @@ -0,0 +1,6 @@ +HTTP/1.0 200 OK +Content-Type: text/html +X-Frame-Options: DENY +Content-Security-Policy: frame-ancestors 'none' + +Hello diff --git a/resource-timing/resources/object-frame-options-403.asis b/resource-timing/resources/object-frame-options-403.asis new file mode 100644 index 00000000000000..fd64f0bcdbb7c1 --- /dev/null +++ b/resource-timing/resources/object-frame-options-403.asis @@ -0,0 +1,6 @@ +HTTP/1.0 403 OK +Content-Type: text/html +X-Frame-Options: DENY +Content-Security-Policy: frame-ancestors 'none' + +Hello
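Review bot: resource-timing/resources/object-frame-options-200.asis sends both `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`, so a test built on this fixture cannot tell which of the two headers caused the embedding to be blocked, while the fixture and test names mention only frame options. If the resource timing entry is meant to be verified for each blocking mechanism, split this into one fixture per header; if the combination is intentional, a file name that covers both headers would make that clear.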
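Review bot: the status line in resource-timing/resources/object-frame-options-403.asis reads `HTTP/1.0 403 OK`, which pairs a 403 status code with the reason phrase of a 200 response. The numeric code is what the client acts on, so the fixture still exercises the 403 case, but `HTTP/1.0 403 Forbidden` would keep anyone reading the fixture from wondering which of the two was intended.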