Async Cookies: Add security checks to CookieStoreManager.

Bug: 729800 Change-Id: I17a1adba1fd3f29c8f0cd6e2798048402f9d3a99 Reviewed-on: https://chromium-review.googlesource.com/1070782Reviewed-by: Joshua Bell <jsbell@chromium.org> Commit-Queue: Victor Costan <pwnall@chromium.org> Cr-Commit-Position: refs/heads/master@{#561702}

Async Cookies: Add security checks to CookieStoreManager.
Bug: 729800 Change-Id: I17a1adba1fd3f29c8f0cd6e2798048402f9d3a99 Reviewed-on: https://chromium-review.googlesource.com/1070782Reviewed-by: Joshua Bell <jsbell@chromium.org> Commit-Queue: Victor Costan <pwnall@chromium.org> Cr-Commit-Position: refs/heads/master@{#561702}
89403a1f · Victor Costan · Commit Bot · 1caf60ef · 89403a1f · 89403a1f
Commit 89403a1f authored May 25, 2018 by Victor Costan Committed by Commit Bot May 25, 2018
5 changed files
--- a/content/browser/cookie_store/cookie_store_host.cc
+++ b/content/browser/cookie_store/cookie_store_host.cc
@@ -13,7 +13,7 @@ namespace content {
 CookieStoreHost::CookieStoreHost(CookieStoreManager* manager,
                                 const url::Origin& origin)
-    : manager_(manager), origin_(origin.GetURL()) {}
+    : manager_(manager), origin_(origin) {}
 CookieStoreHost::~CookieStoreHost() {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);

--- a/content/browser/cookie_store/cookie_store_host.h
+++ b/content/browser/cookie_store/cookie_store_host.h
@@ -10,13 +10,7 @@
 #include "base/macros.h"
 #include "base/sequence_checker.h"
 #include "third_party/blink/public/mojom/cookie_store/cookie_store.mojom.h"
-#include "url/gurl.h"
+#include "url/origin.h"
-namespace url {
-class Origin;
-}  // namespace url
 namespace content {
@@ -49,7 +43,7 @@ class CookieStoreHost : public blink::mojom::CookieStore {
  // mojo::BindingSet.
  CookieStoreManager* const manager_;
-  const GURL origin_;
+  const url::Origin origin_;
  // Instances of this class are currently bound to the IO thread, because they
  // call ServiceWorkerContextWrapper methods that are restricted to the IO

--- a/content/browser/cookie_store/cookie_store_manager.cc
+++ b/content/browser/cookie_store/cookie_store_manager.cc
@@ -146,7 +146,7 @@ void CookieStoreManager::DidLoadAllSubscriptions(
 void CookieStoreManager::AppendSubscriptions(
    int64_t service_worker_registration_id,
-    const GURL& origin,
+    const url::Origin& origin,
    std::vector<blink::mojom::CookieChangeSubscriptionPtr> mojo_subscriptions,
    blink::mojom::CookieStore::AppendSubscriptionsCallback callback) {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -179,7 +179,9 @@ void CookieStoreManager::AppendSubscriptions(
  ServiceWorkerRegistration* service_worker_registration =
      service_worker_context_->GetLiveRegistration(
          service_worker_registration_id);
-  if (!service_worker_registration) {
+  if (!service_worker_registration ||
+      !origin.IsSameOriginWith(
+          url::Origin::Create(service_worker_registration->pattern()))) {
    // This error case is a good fit for mojo::ReportBadMessage(), because the
    // renderer has passed an invalid registration ID. However, the code here
    // might run without a mojo call context, if the original call was delayed
@@ -239,7 +241,7 @@ void CookieStoreManager::AppendSubscriptions(
 void CookieStoreManager::GetSubscriptions(
    int64_t service_worker_registration_id,
-    const GURL& origin,
+    const url::Origin& origin,
    blink::mojom::CookieStore::GetSubscriptionsCallback callback) {
  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
@@ -257,12 +259,35 @@ void CookieStoreManager::GetSubscriptions(
  }
  auto it = subscriptions_by_registration_.find(service_worker_registration_id);
-  if (it == subscriptions_by_registration_.end()) {
+  if (it == subscriptions_by_registration_.end() || it->second.empty()) {
    std::move(callback).Run(
        std::vector<blink::mojom::CookieChangeSubscriptionPtr>(), true);
    return;
  }
+  const url::Origin& first_origin = url::Origin::Create(it->second[0].url());
+#if DCHECK_IS_ON()
+  for (const auto& subscription : it->second) {
+    DCHECK(
+        first_origin.IsSameOriginWith(url::Origin::Create(subscription.url())))
+        << "Service worker's change subscriptions don't have the same origin";
+  }
+#endif  // DCHECK_IS_ON()
+  if (!origin.IsSameOriginWith(first_origin)) {
+    // This error case is a good fit for mojo::ReportBadMessage(), because the
+    // renderer has passed an invalid registration ID. However, the code here
+    // might run without a mojo call context, if the original call was delayed
+    // while loading on-disk subscription data.
+    //
+    // While it would be possible to have two code paths for the two situations,
+    // the extra complexity doesn't seem warranted for the limited debuggig
+    // benefits provided by mojo::ReportBadMessage.
+    std::move(callback).Run(
+        std::vector<blink::mojom::CookieChangeSubscriptionPtr>(), false);
+    return;
+  }
  std::move(callback).Run(CookieChangeSubscription::ToMojoVector(it->second),
                          true);
 }

--- a/content/browser/cookie_store/cookie_store_manager.h
+++ b/content/browser/cookie_store/cookie_store_manager.h
@@ -77,12 +77,12 @@ class CookieStoreManager : public ServiceWorkerContextCoreObserver,
  // content::mojom::CookieStore implementation
  void AppendSubscriptions(
      int64_t service_worker_registration_id,
-      const GURL& origin,
+      const url::Origin& origin,
      std::vector<blink::mojom::CookieChangeSubscriptionPtr> mojo_subscriptions,
      blink::mojom::CookieStore::AppendSubscriptionsCallback callback);
  void GetSubscriptions(
      int64_t service_worker_registration_id,
-      const GURL& origin,
+      const url::Origin& origin,
      blink::mojom::CookieStore::GetSubscriptionsCallback callback);
  // ServiceWorkerContextCoreObserver

--- a/content/browser/cookie_store/cookie_store_manager_unittest.cc
+++ b/content/browser/cookie_store/cookie_store_manager_unittest.cc