Add PerformanceResourceTiming: TimingAllowCheck

The purpose of this commit is to implement https://w3c.github.io/resource-timing/#dfn-timing-allow-check
2025-08-06 06:00:15 +01:00 · 2019-09-17 17:58:06 -04:00 · 2019-09-17 17:58:06 -04:00 · bb8166bb97
commit bb8166bb97
parent 4159f01feb
2 changed files with 50 additions and 3 deletions
--- a/components/net/http_loader.rs
+++ b/components/net/http_loader.rs
@ -37,6 +37,7 @@ use hyper::{Body, Client, Method, Response as HyperResponse, StatusCode};
 use hyper_serde::Serde;
 use msg::constellation_msg::{HistoryStateId, PipelineId};
 use net_traits::quality::{quality_to_value, Quality, QualityItem};
+use net_traits::request::Origin::Origin as SpecificOrigin;
 use net_traits::request::{CacheMode, CredentialsMode, Destination, Origin};
 use net_traits::request::{RedirectMode, Referrer, Request, RequestMode};
 use net_traits::request::{ResponseTainting, ServiceWorkersMode};
@ -44,6 +45,7 @@ use net_traits::response::{HttpsState, Response, ResponseBody, ResponseType};
 use net_traits::{CookieSource, FetchMetadata, NetworkError, ReferrerPolicy};
 use net_traits::{RedirectEndValue, RedirectStartValue, ResourceAttribute, ResourceFetchTiming};
 use openssl::ssl::SslConnectorBuilder;
+use servo_arc::Arc;
 use servo_url::{ImmutableOrigin, ServoUrl};
 use std::collections::{HashMap, HashSet};
 use std::error::Error;
@ -51,7 +53,7 @@ use std::iter::FromIterator;
 use std::mem;
 use std::ops::Deref;
 use std::str::FromStr;
-use std::sync::{Arc, Mutex, RwLock};
+use std::sync::{Mutex, RwLock};
 use std::time::{Duration, SystemTime};
 use time::{self, Tm};
 use tokio::prelude::{future, Future, Stream};
@ -631,7 +633,7 @@ pub fn http_fetch(
            request.redirect_count as u16,
        ));

-    response.resource_timing = context.timing.lock().unwrap().clone();
+    response.resource_timing = Arc::clone(&context.timing);

    // Step 6
    response
@ -828,7 +830,6 @@ fn http_network_or_cache_fetch(
 ) -> Response {
    // Step 2
    let mut response: Option<Response> = None;
-
    // Step 4
    let mut revalidating_flag = false;

@ -1302,8 +1303,32 @@ fn http_network_fetch(
        }
    }

+    let header_strings: Vec<&str> = res
+        .headers()
+        .get_all("Timing-Allow-Origin")
+        .iter()
+        .map(|header_value| header_value.to_str().unwrap_or(""))
+        .collect();
+    let wildcard_present = header_strings.iter().any(|header_str| *header_str == "*");
+    // The spec: https://www.w3.org/TR/resource-timing-2/#sec-timing-allow-origin
+    // says that a header string is either an origin or a wildcard so we can just do a straight
+    // check against the document origin
+    let req_origin_in_timing_allow = header_strings
+        .iter()
+        .any(|header_str| match request.origin {
+            SpecificOrigin(ref immutable_request_origin) => {
+                *header_str == immutable_request_origin.ascii_serialization()
+            },
+            _ => false,
+        });
+
+    if !req_origin_in_timing_allow && !wildcard_present {
+        context.timing.lock().unwrap().mark_timing_check_failed();
+    }
+
    let timing = context.timing.lock().unwrap().clone();
    let mut response = Response::new(url.clone(), timing);
+
    response.status = Some((
        res.status(),
        res.status().canonical_reason().unwrap_or("").into(),