Set SiteForCookies for SharedWorkers

To correctly block access to shared workers in nested iframes, they
should consider a SiteForCookies and not just the origin of the
top-level frame when checking cookie access.

RenderFrameHost changes were originally written by
morlovich@chromium.org

Bug: 989926
Change-Id: Ifac24a89717ea782d15bf3479f54e5cd50e41917
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1816545
Commit-Queue: Christian Dullweber <dullweber@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Maks Orlovich <morlovich@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#700157}

content/browser/frame_host/render_frame_host_impl.cc

@@ -2162,19 +2162,30 @@ GURL RenderFrameHostImpl::ComputeSiteForCookiesForNavigation(
   if (frame_tree_node_->IsMainFrame())
     return destination;
 
-  GURL base_url;
+  // Check if everything above the frame being navigated is consistent. It's OK
+  // to skip checking the frame itself since it will be validated against
+  // |site_for_cookies| anyway.
+  return ComputeSiteForCookiesInternal(parent_);
+}
+
+GURL RenderFrameHostImpl::ComputeSiteForCookies() const {
+  return ComputeSiteForCookiesInternal(this);
+}
+
+GURL RenderFrameHostImpl::ComputeSiteForCookiesInternal(
+    const RenderFrameHostImpl* render_frame_host) const {
 #if defined(OS_ANDROID)
   // On Android, a base URL can be set for the frame. If this the case, it is
   // the URL to use for cookies.
   NavigationEntry* last_committed_entry =
       frame_tree_node_->navigator()->GetController()->GetLastCommittedEntry();
-  if (last_committed_entry)
-    base_url = last_committed_entry->GetBaseURLForDataURL();
+  if (last_committed_entry &&
+      !last_committed_entry->GetBaseURLForDataURL().is_empty()) {
+    return last_committed_entry->GetBaseURLForDataURL();
+  }
 #endif
-  // This is pre-navigation, but since at this point the frame being navigated
-  // is known to not be the main frame, it's correct post-navigation as well.
-  const GURL& top_document_url =
-      !base_url.is_empty() ? base_url : frame_tree_->root()->current_url();
+
+  const GURL& top_document_url = frame_tree_->root()->current_url();
 
   if (GetContentClient()
           ->browser()
@@ -2183,23 +2194,18 @@ GURL RenderFrameHostImpl::ComputeSiteForCookiesForNavigation(
     return top_document_url;
   }
 
-  // Check if everything above the frame being navigated is consistent. It's OK
-  // to skip checking the frame itself since it will be validated against
-  // |site_for_cookies| anyway.
-  const FrameTreeNode* current = frame_tree_node_->parent();
-  bool ancestors_are_same_site = true;
-  while (current && ancestors_are_same_site) {
+  // Make sure every ancestors are same-domain with the main document. Otherwise
+  // this will be a 3rd party cookie.
+  for (const RenderFrameHostImpl* rfh = render_frame_host; rfh;
+       rfh = rfh->parent_) {
     if (!net::registry_controlled_domains::SameDomainOrHost(
-            top_document_url,
-            current->current_frame_host()->GetLastCommittedOrigin(),
+            top_document_url, rfh->last_committed_origin_,
             net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
-      ancestors_are_same_site = false;
+      return GURL::EmptyGURL();
     }
-    current = current->parent();
   }
 
-  return (ancestors_are_same_site || !base_url.is_empty()) ? top_document_url
-                                                           : GURL::EmptyGURL();
+  return top_document_url;
 }
 
 void RenderFrameHostImpl::SetOriginOfNewFrame(

content/browser/frame_host/render_frame_host_impl.h

@@ -465,6 +465,11 @@ class CONTENT_EXPORT RenderFrameHostImpl
   // |destination|.
   GURL ComputeSiteForCookiesForNavigation(const GURL& destination) const;
 
+  // Computes site_for_cookies for this frame. It can be used to check
+  // if cookies (including storage APIs and shared/service workers) are
+  // accessible.
+  GURL ComputeSiteForCookies() const;
+
   // Allows overriding the last committed origin in tests.
   void SetLastCommittedOriginForTesting(const url::Origin& origin);
 
@@ -1360,6 +1365,12 @@ class CONTENT_EXPORT RenderFrameHostImpl
   void OnFrameDidCallFocus();
   void OnRenderFallbackContentInParentProcess();
 
+  // To be called by ComputeSiteForCookiesForNavigation() and
+  // ComputeSiteForCookies().
+  // Starts traversing the tree from |render_frame_host|.
+  GURL ComputeSiteForCookiesInternal(
+      const RenderFrameHostImpl* render_frame_host) const;
+
 #if BUILDFLAG(USE_EXTERNAL_POPUP_MENU)
   void OnShowPopup(const FrameHostMsg_ShowPopup_Params& params);
   void OnHidePopup();

content/browser/worker_host/shared_worker_service_impl.cc

@@ -132,9 +132,7 @@ void SharedWorkerServiceImpl::ConnectToWorker(
   RenderFrameHost* main_frame =
       render_frame_host->frame_tree_node()->frame_tree()->GetMainFrame();
   if (!GetContentClient()->browser()->AllowSharedWorker(
-          info->url,
-          // TODO(crbug.com/989926): Get an actual site_for_cookies.
-          main_frame->GetLastCommittedURL(),
+          info->url, render_frame_host->ComputeSiteForCookies(),
           main_frame->GetLastCommittedOrigin(), info->name, constructor_origin,
           WebContentsImpl::FromRenderFrameHostID(client_process_id, frame_id)
               ->GetBrowserContext(),