Fix how file:-based opaque origins are validated in a prefetch IPC.

This CL changes how PrefetchURLLoaderService::IsValidCrossOriginPrefetch compares network::ResourceRequest::request_initiator argument with content::RenderFrameHostImpl::GetLastCommittedOrigin. The comparison needs to take into account differences with how Blink and //content layer compute origins of file: URLs. Fixed: 1140947 Change-Id: I261959bd1df346e9d1a7144892ce06d62a453e43 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2493283 Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#820801}

Fix how file:-based opaque origins are validated in a prefetch IPC.
This CL changes how PrefetchURLLoaderService::IsValidCrossOriginPrefetch compares network::ResourceRequest::request_initiator argument with content::RenderFrameHostImpl::GetLastCommittedOrigin. The comparison needs to take into account differences with how Blink and //content layer compute origins of file: URLs. Fixed: 1140947 Change-Id: I261959bd1df346e9d1a7144892ce06d62a453e43 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2493283 Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#820801}
a2ab8688 · Lukasz Anforowicz · Commit Bot · fc6a6f88 · a2ab8688 · a2ab8688
Commit a2ab8688 authored Oct 26, 2020 by Lukasz Anforowicz Committed by Commit Bot Oct 26, 2020
Showing with 52 additions and 2 deletions

content/browser/loader/prefetch_browsertest.cc content/browser/loader/prefetch_browsertest.cc +49 -0

content/browser/loader/prefetch_url_loader_service.cc content/browser/loader/prefetch_url_loader_service.cc +3 -2

No files found.
--- a/content/browser/loader/prefetch_browsertest.cc
+++ b/content/browser/loader/prefetch_browsertest.cc
@@ -5,8 +5,13 @@
 #include <string>
 #include <vector>

+#include "base/files/file_path.h"
+#include "base/files/file_util.h"
+#include "base/files/scoped_temp_dir.h"
+#include "base/run_loop.h"
 #include "base/strings/stringprintf.h"
 #include "base/test/scoped_feature_list.h"
+#include "base/threading/thread_restrictions.h"
 #include "content/browser/loader/prefetch_browsertest_base.h"
 #include "content/browser/web_package/mock_signed_exchange_handler.h"
 #include "content/public/browser/browser_task_traits.h"
@@ -20,6 +25,7 @@
 #include "content/public/test/url_loader_monitor.h"
 #include "content/shell/browser/shell.h"
 #include "net/base/features.h"
+#include "net/base/filename_util.h"
 #include "net/base/isolation_info.h"
 #include "net/dns/mock_host_resolver.h"
 #include "services/network/public/cpp/features.h"
@@ -955,6 +961,49 @@ IN_PROC_BROWSER_TEST_P(PrefetchBrowserTest,
  NavigateToURLAndWaitTitle(target_sxg_url, "done");
 }

+IN_PROC_BROWSER_TEST_P(PrefetchBrowserTest, FileToHttp) {
+  const char* target_path = "/target.html";
+  RegisterResponse(
+      target_path,
+      ResponseEntry("<head><title>Prefetch Target</title></head>"));
+
+  base::RunLoop prefetch_waiter;
+  auto request_counter = RequestCounter::CreateAndMonitor(
+      embedded_test_server(), target_path, &prefetch_waiter);
+  RegisterRequestHandler(embedded_test_server());
+  ASSERT_TRUE(embedded_test_server()->Start());
+  EXPECT_EQ(0, request_counter->GetRequestCount());
+  EXPECT_EQ(0, GetPrefetchURLLoaderCallCount());
+
+  const GURL target_url = embedded_test_server()->GetURL(target_path);
+
+  {
+    base::ScopedAllowBlockingForTesting allow_blocking;
+    base::ScopedTempDir temp_dir;
+    ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+    base::FilePath file_path = temp_dir.GetPath().AppendASCII("test.html");
+    std::string file_content = base::StringPrintf(
+        "<body><link rel='prefetch' as='document' href='%s'></body>",
+        target_url.spec().c_str());
+    ASSERT_TRUE(base::WriteFile(file_path, file_content));
+
+    // Loading a page that prefetches the target URL would increment the
+    // |request_counter|.
+    GURL file_url = net::FilePathToFileURL(file_path);
+    EXPECT_TRUE(NavigateToURL(shell(), file_url));
+    prefetch_waiter.Run();
+    EXPECT_EQ(1, request_counter->GetRequestCount());
+    EXPECT_EQ(1, GetPrefetchURLLoaderCallCount());
+  }
+
+  // Shutdown the server.
+  EXPECT_TRUE(embedded_test_server()->ShutdownAndWaitUntilComplete());
+
+  // Subsequent navigation to the target URL wouldn't hit the network for
+  // the target URL. The target content should still be read correctly.
+  NavigateToURLAndWaitTitle(target_url, "Prefetch Target");
+}
+
 INSTANTIATE_TEST_SUITE_P(PrefetchBrowserTest,
                         PrefetchBrowserTest,
                         testing::Combine(testing::Bool(), testing::Bool()));

--- a/content/browser/loader/prefetch_url_loader_service.cc
+++ b/content/browser/loader/prefetch_url_loader_service.cc
@@ -272,8 +272,9 @@ bool PrefetchURLLoaderService::IsValidCrossOriginPrefetch(
  // Presence of |render_frame_host| is guaranteed by the caller - the caller
  // calls earlier EnsureCrossOriginFactory which has the same DCHECK.
  DCHECK(current_context.render_frame_host);
-  if (resource_request.request_initiator.value() !=
-      current_context.render_frame_host->GetLastCommittedOrigin()) {
+  if (!resource_request.request_initiator->opaque() &&
+      resource_request.request_initiator.value() !=
+          current_context.render_frame_host->GetLastCommittedOrigin()) {
    mojo::ReportBadMessage(
        "Prefetch/IsValidCrossOrigin: frame origin mismatch");
    return false;