Async Cookies: Add security checks to CookieStoreManager.

Bug: 729800
Change-Id: I17a1adba1fd3f29c8f0cd6e2798048402f9d3a99
Reviewed-on: https://chromium-review.googlesource.com/1070782Reviewed-by: Joshua Bell <jsbell@chromium.org>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561702}

content/browser/cookie_store/cookie_store_host.cc

@@ -13,7 +13,7 @@ namespace content {
 
 CookieStoreHost::CookieStoreHost(CookieStoreManager* manager,
                                  const url::Origin& origin)
-    : manager_(manager), origin_(origin.GetURL()) {}
+    : manager_(manager), origin_(origin) {}
 
 CookieStoreHost::~CookieStoreHost() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

content/browser/cookie_store/cookie_store_host.h

@@ -10,13 +10,7 @@
 #include "base/macros.h"
 #include "base/sequence_checker.h"
 #include "third_party/blink/public/mojom/cookie_store/cookie_store.mojom.h"
-#include "url/gurl.h"
-
-namespace url {
-
-class Origin;
-
-}  // namespace url
+#include "url/origin.h"
 
 namespace content {
 
@@ -49,7 +43,7 @@ class CookieStoreHost : public blink::mojom::CookieStore {
   // mojo::BindingSet.
   CookieStoreManager* const manager_;
 
-  const GURL origin_;
+  const url::Origin origin_;
 
   // Instances of this class are currently bound to the IO thread, because they
   // call ServiceWorkerContextWrapper methods that are restricted to the IO

content/browser/cookie_store/cookie_store_manager.cc

@@ -146,7 +146,7 @@ void CookieStoreManager::DidLoadAllSubscriptions(
 
 void CookieStoreManager::AppendSubscriptions(
     int64_t service_worker_registration_id,
-    const GURL& origin,
+    const url::Origin& origin,
     std::vector<blink::mojom::CookieChangeSubscriptionPtr> mojo_subscriptions,
     blink::mojom::CookieStore::AppendSubscriptionsCallback callback) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -179,7 +179,9 @@ void CookieStoreManager::AppendSubscriptions(
   ServiceWorkerRegistration* service_worker_registration =
       service_worker_context_->GetLiveRegistration(
           service_worker_registration_id);
-  if (!service_worker_registration) {
+  if (!service_worker_registration ||
+      !origin.IsSameOriginWith(
+          url::Origin::Create(service_worker_registration->pattern()))) {
     // This error case is a good fit for mojo::ReportBadMessage(), because the
     // renderer has passed an invalid registration ID. However, the code here
     // might run without a mojo call context, if the original call was delayed
@@ -239,7 +241,7 @@ void CookieStoreManager::AppendSubscriptions(
 
 void CookieStoreManager::GetSubscriptions(
     int64_t service_worker_registration_id,
-    const GURL& origin,
+    const url::Origin& origin,
     blink::mojom::CookieStore::GetSubscriptionsCallback callback) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
@@ -257,12 +259,35 @@ void CookieStoreManager::GetSubscriptions(
   }
 
   auto it = subscriptions_by_registration_.find(service_worker_registration_id);
-  if (it == subscriptions_by_registration_.end()) {
+  if (it == subscriptions_by_registration_.end() || it->second.empty()) {
     std::move(callback).Run(
         std::vector<blink::mojom::CookieChangeSubscriptionPtr>(), true);
     return;
   }
 
+  const url::Origin& first_origin = url::Origin::Create(it->second[0].url());
+#if DCHECK_IS_ON()
+  for (const auto& subscription : it->second) {
+    DCHECK(
+        first_origin.IsSameOriginWith(url::Origin::Create(subscription.url())))
+        << "Service worker's change subscriptions don't have the same origin";
+  }
+#endif  // DCHECK_IS_ON()
+
+  if (!origin.IsSameOriginWith(first_origin)) {
+    // This error case is a good fit for mojo::ReportBadMessage(), because the
+    // renderer has passed an invalid registration ID. However, the code here
+    // might run without a mojo call context, if the original call was delayed
+    // while loading on-disk subscription data.
+    //
+    // While it would be possible to have two code paths for the two situations,
+    // the extra complexity doesn't seem warranted for the limited debuggig
+    // benefits provided by mojo::ReportBadMessage.
+    std::move(callback).Run(
+        std::vector<blink::mojom::CookieChangeSubscriptionPtr>(), false);
+    return;
+  }
+
   std::move(callback).Run(CookieChangeSubscription::ToMojoVector(it->second),
                           true);
 }

content/browser/cookie_store/cookie_store_manager.h

@@ -77,12 +77,12 @@ class CookieStoreManager : public ServiceWorkerContextCoreObserver,
   // content::mojom::CookieStore implementation
   void AppendSubscriptions(
       int64_t service_worker_registration_id,
-      const GURL& origin,
+      const url::Origin& origin,
       std::vector<blink::mojom::CookieChangeSubscriptionPtr> mojo_subscriptions,
       blink::mojom::CookieStore::AppendSubscriptionsCallback callback);
   void GetSubscriptions(
       int64_t service_worker_registration_id,
-      const GURL& origin,
+      const url::Origin& origin,
       blink::mojom::CookieStore::GetSubscriptionsCallback callback);
 
   // ServiceWorkerContextCoreObserver