[Prefetch] Handle incorrectly set recursive prefetch token.

The recursive prefetch token is generated from the browser process,
passed to the renderer process and then back to the browser process.

This crashes the renderer in response to a request with an incorrectly
set recursive prefetch token.

Bug: 1123715
Change-Id: Ia6e627de66566a506b44d31b93e65d4acf07e27b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2421597Reviewed-by: Dominic Farolino <dom@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Mugdha Lakhani <nator@chromium.org>
Cr-Commit-Position: refs/heads/master@{#810729}

content/browser/loader/prefetch_url_loader_service.cc

@@ -5,6 +5,7 @@
 #include "content/browser/loader/prefetch_url_loader_service.h"
 
 #include "base/bind.h"
+#include "base/debug/dump_without_crashing.h"
 #include "base/feature_list.h"
 #include "base/time/default_tick_clock.h"
 #include "content/browser/loader/prefetch_url_loader.h"
@@ -27,6 +28,14 @@
 #include "third_party/blink/public/mojom/loader/resource_load_info.mojom-shared.h"
 #include "third_party/blink/public/mojom/renderer_preferences.mojom.h"
 
+namespace {
+void DumpWithoutCrashing(const network::ResourceRequest& request) {
+  DEBUG_ALIAS_FOR_GURL(prefetch_buf, request.url);
+  DEBUG_ALIAS_FOR_GURL(initiator_buf, request.request_initiator->GetURL());
+  base::debug::DumpWithoutCrashing();
+}
+}  // namespace
+
 namespace content {
 
 struct PrefetchURLLoaderService::BindContext {
@@ -164,7 +173,17 @@ void PrefetchURLLoaderService::CreateLoaderAndStart(
     // A request's |recursive_prefetch_token| is only provided if the request is
     // a recursive prefetch. This means it is expected that the current
     // context's |cross_origin_factory| was already created.
-    DCHECK(current_context.cross_origin_factory);
+    if (!current_context.cross_origin_factory) {
+      // This could happen due to a compromised renderer passing in a recursive
+      // prefetch token for a request that's not a recursive prefetch. Cancel
+      // the request.
+      DVLOG(1) << "Recursive prefetch token unexpectedly set.";
+      DumpWithoutCrashing(resource_request);
+      mojo::Remote<network::mojom::URLLoaderClient>(std::move(client))
+          ->OnComplete(
+              network::URLLoaderCompletionStatus(net::ERR_INVALID_ARGUMENT));
+      return;
+    }
 
     // Resurrect the request's IsolationInfo from the current context's map, and
     // use it for this request.
@@ -176,6 +195,8 @@ void PrefetchURLLoaderService::CreateLoaderAndStart(
     // a request in a special way. We'll cancel the request.
     if (isolation_info_iterator ==
         current_context.prefetch_isolation_infos.end()) {
+      DVLOG(1) << "Recursive prefetch request is missing prefetch isolation";
+      DumpWithoutCrashing(resource_request);
       mojo::Remote<network::mojom::URLLoaderClient>(std::move(client))
           ->OnComplete(
               network::URLLoaderCompletionStatus(net::ERR_INVALID_ARGUMENT));