s/request_initiator_site_lock/request_initiator_origin_lock/
After r797542 (which removed
SiteInstanceImpl::GetRequestInitiatorSiteLock) we always use an exact
origin (never an approximate site) as |request_initiator_site_lock|.
Because of that, this CL renames ..._site_lock to ..._origin_lock.
Bug: 918967
Tbr: [email protected] (//chrome/renderer/net)
Tbr: [email protected] (//extensions/browser)
Tbr: [email protected] (histograms.xml)
Change-Id: Ifbe801eafccd641d11cb14ecef83ab097d01eb0f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2274251
Reviewed-by: Kinuko Yasuda <[email protected]>
Commit-Queue: Łukasz Anforowicz <[email protected]>
Cr-Commit-Position: refs/heads/master@{#799354}
diff --git a/docs/security/compromised-renderers.md b/docs/security/compromised-renderers.md
index 61e52c4..7c6ec16 100644
--- a/docs/security/compromised-renderers.md
+++ b/docs/security/compromised-renderers.md
@@ -44,7 +44,7 @@
legitimately claim authority over a given origin (e.g. by checking via
`CanAccessDataForOrigin` if the process lock matches).
Another example is making sure that capabilities handed over to renderer
-processes are origin-bound (e.g. by setting `request_initiator_site_lock`
+processes are origin-bound (e.g. by setting `request_initiator_origin_lock`
on a `URLLoaderFactory` given to renderer processes).
Yet another example is making security decisions based on trustworthy knowledge,
calculated within the privileged browser process (e.g. using
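Review bot: The changed sentence ("processes are origin-bound (e.g. by setting `request_initiator_origin_lock`") still does not say that the lock is an exact origin and never a site, which is the reason the commit message gives for the rename. Consider adding a short clause after the parameter name, for example "(always an exact origin, never a site)", so that a reader of this document sees the guarantee without having to read the CL description.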
@@ -87,12 +87,12 @@
`network::mojom::URLLoaderFactory` objects that handle HTTP requests.
This lets the browser process carefully control security-sensitive
`network::mojom::URLLoaderFactoryParams` of such factories (such as
- `request_initiator_site_lock`, `is_corb_enabled`, `disable_web_security` or
+ `request_initiator_origin_lock`, `is_corb_enabled`, `disable_web_security` or
`isolation_info`).
This also lets the CORB implementation in the NetworkService process
prevent spoofing of `network::ResourceRequest::request_initiator`
by using `network::GetTrustworthyInitiator` for comparison with
- the trustworthy `request_initiator_site_lock`.
+ the trustworthy `request_initiator_origin_lock`.
**Known gaps in protection**:
- Content types for which CORB does not apply
@@ -263,7 +263,7 @@
(i.e. before the HTTP response is handed out to the renderer process).
- Preventing spoofing of `network::ResourceRequest::request_initiator`
by using `network::GetTrustworthyInitiator` which enforces
- browser-controlled `request_initiator_site_lock`.
+ browser-controlled `request_initiator_origin_lock`.
## Frame-ancestors CSP and X-Frame-Options response headers
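Review bot: The renamed bullet here says `network::GetTrustworthyInitiator` "enforces browser-controlled `request_initiator_origin_lock`", while the section touched at -87 describes the same mechanism as "for comparison with the trustworthy `request_initiator_origin_lock`". Since these lines are being edited anyway, consider using one wording for this bullet, the -87 paragraph and the `Sec-Fetch-Site` bullet at -297, so it is clear that all three refer to the same check and not to separate ones.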
@@ -297,7 +297,7 @@
- `Sec-Fetch-Site` is robust against spoofing of
`network::ResourceRequest::request_initiator` by using
`network::GetTrustworthyInitiator` which enforces browser-controlled
- `request_initiator_site_lock`.
+ `request_initiator_origin_lock`.
**Known gaps in protection**:
- `Origin` header. Tracked by