Explicit Handling for PrefetchProxy Mixed Content

By default, Chrome should not be requesting mixed content on secure pages so this is not really changing any behavior, but is more of a safety guardrail. Change-Id: If48c05889bcde94d63ad06ea5cc79df5076eb645 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2551677Reviewed-by: Ryan Sturm <ryansturm@chromium.org> Commit-Queue: Robert Ogden <robertogden@chromium.org> Cr-Commit-Position: refs/heads/master@{#829471}

Explicit Handling for PrefetchProxy Mixed Content
By default, Chrome should not be requesting mixed content on secure pages so this is not really changing any behavior, but is more of a safety guardrail. Change-Id: If48c05889bcde94d63ad06ea5cc79df5076eb645 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2551677Reviewed-by: Ryan Sturm <ryansturm@chromium.org> Commit-Queue: Robert Ogden <robertogden@chromium.org> Cr-Commit-Position: refs/heads/master@{#829471}
9d6dc821 · Robert Ogden · Commit Bot · 52cb762e · 9d6dc821 · 9d6dc821
Commit 9d6dc821 authored Nov 20, 2020 by Robert Ogden Committed by Commit Bot Nov 20, 2020
2 changed files
--- a/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_browsertest.cc
+++ b/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_browsertest.cc
@@ -2881,6 +2881,33 @@ std::unique_ptr<net::test_server::HttpResponse> HandleNonEligibleOrigin(
  return nullptr;
 }
+std::unique_ptr<net::test_server::HttpResponse>
+HandleOriginWithIneligibleSubresources(
+    net::EmbeddedTestServer* non_eligible_server,
+    const net::test_server::HttpRequest& request) {
+  GURL url = request.GetURL();
+  if (url.path() == "/page.html") {
+    GURL same_origin_resource =
+        non_eligible_server->GetURL("a.test", "/script.js");
+    std::unique_ptr<net::test_server::BasicHttpResponse> resp =
+        std::make_unique<net::test_server::BasicHttpResponse>();
+    resp->set_code(net::HTTP_OK);
+    resp->set_content_type("text/html");
+    resp->set_content(base::StringPrintf(R"(
+        <html>
+          <head>
+            <script src="%s">
+          </head>
+          <body>Test</body>
+        </html>)",
+                                         same_origin_resource.spec().c_str()));
+    return resp;
+  }
+  return nullptr;
+}
 std::unique_ptr<net::test_server::HttpResponse> HandleEligibleOrigin(
    net::EmbeddedTestServer* eligible_server,
    net::EmbeddedTestServer* non_eligible_server,
@@ -2993,6 +3020,63 @@ IN_PROC_BROWSER_TEST_F(
  EXPECT_EQ(expected_subresources, manager->successfully_loaded_subresources());
 }
+IN_PROC_BROWSER_TEST_F(
+    PrefetchProxyWithNSPBrowserTest,
+    DISABLE_ON_WIN_MAC_CHROMEOS(NSPWithIneligibleSubresources)) {
+  TestServerConnectionCounter http_counter;
+  net::EmbeddedTestServer non_eligible_origin(
+      net::EmbeddedTestServer::TYPE_HTTP);
+  non_eligible_origin.SetConnectionListener(&http_counter);
+  ASSERT_TRUE(non_eligible_origin.Start());
+  net::EmbeddedTestServer eligible_origin(net::EmbeddedTestServer::TYPE_HTTPS);
+  eligible_origin.SetSSLConfig(net::EmbeddedTestServer::CERT_TEST_NAMES);
+  eligible_origin.RegisterRequestHandler(base::BindRepeating(
+      &HandleOriginWithIneligibleSubresources, &non_eligible_origin));
+  ASSERT_TRUE(eligible_origin.Start());
+  SetDataSaverEnabled(true);
+  WaitForUpdatedCustomProxyConfig();
+  PrefetchProxyTabHelper* tab_helper =
+      PrefetchProxyTabHelper::FromWebContents(GetWebContents());
+  GURL eligible_link = eligible_origin.GetURL("a.test", "/page.html");
+  TestTabHelperObserver tab_helper_observer(tab_helper);
+  tab_helper_observer.SetExpectedSuccessfulURLs({eligible_link});
+  base::RunLoop prefetch_run_loop;
+  base::RunLoop nsp_run_loop;
+  tab_helper_observer.SetOnPrefetchSuccessfulClosure(
+      prefetch_run_loop.QuitClosure());
+  tab_helper_observer.SetOnNSPFinishedClosure(nsp_run_loop.QuitClosure());
+  GURL doc_url("https://www.google.com/search?q=test");
+  MakeNavigationPrediction(doc_url, {eligible_link});
+  // This run loop will quit when all the prefetch responses have been
+  // successfully done and processed.
+  prefetch_run_loop.Run();
+  // This run loop will quit when a NSP finishes.
+  nsp_run_loop.Run();
+  EXPECT_EQ(0U, http_counter.count());
+  // Verify the resource load was reported to the subresource manager.
+  PrefetchProxyService* service =
+      PrefetchProxyServiceFactory::GetForProfile(browser()->profile());
+  PrefetchProxySubresourceManager* manager =
+      service->GetSubresourceManagerForURL(eligible_link);
+  ASSERT_TRUE(manager);
+  base::RunLoop().RunUntilIdle();
+  EXPECT_TRUE(manager->successfully_loaded_subresources().empty());
+}
 IN_PROC_BROWSER_TEST_F(PrefetchProxyWithNSPBrowserTest,
                       DISABLE_ON_WIN_MAC_CHROMEOS(PrefetchButNSPDenied)) {
  // NSP is disabled on low-end devices.

--- a/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_proxying_url_loader_factory.cc
+++ b/chrome/browser/prefetch/prefetch_proxy/prefetch_proxy_proxying_url_loader_factory.cc
@@ -365,6 +365,16 @@ void PrefetchProxyProxyingURLLoaderFactory::CreateLoaderAndStart(
  // If this request is happening during a prerender then check if it is
  // eligible for caching before putting it on the network.
  if (ShouldHandleRequestForPrerender()) {
+    // Do not allow insecure resources to be fetched due to risk of privacy
+    // leaks in an HSTS setting.
+    if (!request.url.SchemeIs(url::kHttpsScheme)) {
+      std::unique_ptr<AbortRequest> request = std::make_unique<AbortRequest>(
+          std::move(loader_receiver), std::move(client));
+      // The request will manage its own lifecycle based on the mojo pipes.
+      request.release();
+      return;
+    }
    // Check if this prerender has exceeded its max number of subresources.
    request_count_++;
    if (request_count_ > PrefetchProxyMaxSubresourcesPerPrerender()) {