Prerender: Stop using initiator origin passed from renderer

PrerenderProcessorImpl etc should not trust an initiator origin passed
from a renderer process that can be compromised. Instead of the passed
origin, this CL makes the prerender components use the origin given by
RenderFrameHostImpl::GetLastCommittedOrigin().

Bug: 1133185
Change-Id: I47b8ea93f9e73099fc1c1ef82eb19d8f9b71d86b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2437713Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Robert Ogden <robertogden@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#812049}

chrome/browser/prerender/prerender_unittest.cc

@@ -392,7 +392,6 @@ class PrerenderTest : public testing::Test {
     attributes->rel_type = blink::mojom::PrerenderRelType::kPrerender;
     attributes->referrer = blink::mojom::Referrer::New(
         initiator_url, network::mojom::ReferrerPolicy::kDefault);
-    attributes->initiator_origin = url::Origin::Create(initiator_url);
     attributes->view_size = kDefaultViewSize;
 
     mojo::PendingRemote<blink::mojom::PrerenderProcessorClient>
@@ -404,7 +403,7 @@ class PrerenderTest : public testing::Test {
     base::Optional<int> prerender_id =
         prerender_link_manager()->OnStartPrerender(
             render_process_id, render_view_id, std::move(attributes),
-            std::move(processor_client));
+            url::Origin::Create(initiator_url), std::move(processor_client));
 
     // Check if the new prerender request was added and running.
     return prerender_id && LastPrerenderIsRunning();

components/prerender/browser/prerender_link_manager.cc

@@ -52,6 +52,7 @@ PrerenderLinkManager::LinkPrerender::LinkPrerender(
     int launcher_render_process_id,
     int launcher_render_view_id,
     blink::mojom::PrerenderAttributesPtr attributes,
+    const url::Origin& initiator_origin,
     mojo::PendingRemote<blink::mojom::PrerenderProcessorClient>
         processor_client,
     base::TimeTicks creation_time,
@@ -61,7 +62,7 @@ PrerenderLinkManager::LinkPrerender::LinkPrerender(
       url(attributes->url),
       rel_type(attributes->rel_type),
       referrer(content::Referrer(*attributes->referrer)),
-      initiator_origin(attributes->initiator_origin),
+      initiator_origin(initiator_origin),
       size(attributes->view_size),
       remote_processor_client(std::move(processor_client)),
       creation_time(creation_time),
@@ -92,6 +93,7 @@ base::Optional<int> PrerenderLinkManager::OnStartPrerender(
     int launcher_render_process_id,
     int launcher_render_view_id,
     blink::mojom::PrerenderAttributesPtr attributes,
+    const url::Origin& initiator_origin,
     mojo::PendingRemote<blink::mojom::PrerenderProcessorClient>
         processor_client) {
 // TODO(crbug.com/722453): Use a dedicated build flag for GuestView.
@@ -120,7 +122,7 @@ base::Optional<int> PrerenderLinkManager::OnStartPrerender(
 
   auto prerender = std::make_unique<LinkPrerender>(
       launcher_render_process_id, launcher_render_view_id,
-      std::move(attributes), std::move(processor_client),
+      std::move(attributes), initiator_origin, std::move(processor_client),
       manager_->GetCurrentTimeTicks(), prerender_contents);
 
   // Observe disconnect of the client and treat as equivalent to explicit

components/prerender/browser/prerender_link_manager.h

@@ -44,6 +44,7 @@ class PrerenderLinkManager : public KeyedService,
       int launcher_render_process_id,
       int launcher_render_view_id,
       blink::mojom::PrerenderAttributesPtr attributes,
+      const url::Origin& initiator_origin,
       mojo::PendingRemote<blink::mojom::PrerenderProcessorClient>
           processor_client);
 
@@ -70,6 +71,7 @@ class PrerenderLinkManager : public KeyedService,
     LinkPrerender(int launcher_render_process_id,
                   int launcher_render_view_id,
                   blink::mojom::PrerenderAttributesPtr attributes,
+                  const url::Origin& initiator_origin,
                   mojo::PendingRemote<blink::mojom::PrerenderProcessorClient>
                       processor_client,
                   base::TimeTicks creation_time,

components/prerender/browser/prerender_processor_impl.cc

@@ -17,9 +17,11 @@ namespace prerender {
 PrerenderProcessorImpl::PrerenderProcessorImpl(
     int render_process_id,
     int render_frame_id,
+    const url::Origin& initiator_origin,
     std::unique_ptr<PrerenderProcessorImplDelegate> delegate)
     : render_process_id_(render_process_id),
       render_frame_id_(render_frame_id),
+      initiator_origin_(initiator_origin),
       delegate_(std::move(delegate)) {}
 
 PrerenderProcessorImpl::~PrerenderProcessorImpl() = default;
@@ -32,17 +34,17 @@ void PrerenderProcessorImpl::Create(
   mojo::MakeSelfOwnedReceiver(
       std::make_unique<PrerenderProcessorImpl>(
           frame_host->GetProcess()->GetID(), frame_host->GetRoutingID(),
-          std::move(delegate)),
+          frame_host->GetLastCommittedOrigin(), std::move(delegate)),
       std::move(receiver));
 }
 
 void PrerenderProcessorImpl::Start(
     blink::mojom::PrerenderAttributesPtr attributes,
     mojo::PendingRemote<blink::mojom::PrerenderProcessorClient> client) {
-  if (!attributes->initiator_origin.opaque() &&
+  if (!initiator_origin_.opaque() &&
       !content::ChildProcessSecurityPolicy::GetInstance()
            ->CanAccessDataForOrigin(render_process_id_,
-                                    attributes->initiator_origin.GetURL())) {
+                                    initiator_origin_.GetURL())) {
     mojo::ReportBadMessage("PPI_INVALID_INITIATOR_ORIGIN");
     return;
   }
@@ -66,7 +68,7 @@ void PrerenderProcessorImpl::Start(
   prerender_id_ = link_manager->OnStartPrerender(
       render_process_id_,
       render_frame_host->GetRenderViewHost()->GetRoutingID(),
-      std::move(attributes), std::move(client));
+      std::move(attributes), initiator_origin_, std::move(client));
 }
 
 void PrerenderProcessorImpl::Cancel() {

components/prerender/browser/prerender_processor_impl.h

@@ -7,6 +7,7 @@
 
 #include "components/prerender/browser/prerender_processor_impl_delegate.h"
 #include "third_party/blink/public/mojom/prerender/prerender.mojom.h"
+#include "url/origin.h"
 
 namespace content {
 class RenderFrameHost;
@@ -19,6 +20,7 @@ class PrerenderProcessorImpl : public blink::mojom::PrerenderProcessor {
   PrerenderProcessorImpl(
       int render_process_id,
       int render_frame_id,
+      const url::Origin& initiator_origin,
       std::unique_ptr<PrerenderProcessorImplDelegate> delegate);
   ~PrerenderProcessorImpl() override;
 
@@ -39,6 +41,7 @@ class PrerenderProcessorImpl : public blink::mojom::PrerenderProcessor {
 
   const int render_process_id_;
   const int render_frame_id_;
+  const url::Origin initiator_origin_;
   const std::unique_ptr<PrerenderProcessorImplDelegate> delegate_;
 
   // The ID of PrerenderLinkManager::LinkPrerender. Used for canceling or

third_party/blink/public/mojom/prerender/prerender.mojom

@@ -6,7 +6,6 @@ module blink.mojom;
 
 import "third_party/blink/public/mojom/loader/referrer.mojom";
 import "ui/gfx/geometry/mojom/geometry.mojom";
-import "url/mojom/origin.mojom";
 import "url/mojom/url.mojom";
 
 // This interface is used to notify of events about prerendering from the
@@ -39,7 +38,6 @@ struct PrerenderAttributes {
   url.mojom.Url url;
   PrerenderRelType rel_type;
   blink.mojom.Referrer referrer;
-  url.mojom.Origin initiator_origin;
   gfx.mojom.Size view_size;
 };
 

third_party/blink/renderer/core/loader/private/prerender_handle.cc

@@ -62,7 +62,6 @@ PrerenderHandle* PrerenderHandle::Create(
   attributes->rel_type = prerender_rel_type;
   attributes->referrer = mojom::blink::Referrer::New(
       KURL(NullURL(), referrer.referrer), referrer.referrer_policy);
-  attributes->initiator_origin = context->GetSecurityOrigin();
   attributes->view_size =
       gfx::Size(document.GetFrame()->GetMainFrameViewportSize());