Fetch is not setting origin correctly. #15247
Description
fn request_init_from_request(request: NetTraitsRequest) -> NetTraitsRequestInit {
NetTraitsRequestInit {
...
// TODO: NetTraitsRequestInit and NetTraitsRequest have different "origin"
// ... NetTraitsRequestInit.origin: Url
// ... NetTraitsRequest.origin: RefCell<Origin>
origin: request.url(),
...
}
}which sets the origin of the request to be the origin of the request url (that is, the resource being fetched) rather than the origin of the requester. This means that when we come to do the same-origin test https://github.com/servo/servo/blob/master/components/net/fetch/methods.rs#L211:
/// [Main fetch](https://fetch.spec.whatwg.org/#concept-main-fetch)
pub fn main_fetch(request: Rc<Request>,
cache: &mut CorsCache,
cors_flag: bool,
recursive_flag: bool,
target: Target,
done_chan: &mut DoneChannel,
context: &FetchContext)
-> Response {
...
// Step 11
let response = match response {
Some(response) => response,
None => {
let current_url = request.current_url();
let same_origin = if let Origin::Origin(ref origin) = *request.origin.borrow() {
*origin == current_url.origin()
} else {
false
};
...all fetches are considered to be same-origin. This is not a good security feature!
IRC chat with @Manishearth and @KiChjang: http://logs.glob.uno/?c=mozilla%23servo&s=26+Jan+2017&e=26+Jan+2017#c600706