Assert CanAccessDataForOrigin(process, request_initiator_site_lock).

Bug: 888079 Change-Id: Ic05a6d37c1457239330036149537f260a8c05bdc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1669879 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#671882}

Assert CanAccessDataForOrigin(process, request_initiator_site_lock).
Bug: 888079 Change-Id: Ic05a6d37c1457239330036149537f260a8c05bdc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1669879 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#671882}
b438c4ef · Lukasz Anforowicz · Commit Bot · 5b50b8fe · b438c4ef
Commit b438c4ef authored Jun 25, 2019 by Lukasz Anforowicz Committed by Commit Bot Jun 25, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 1 deletion

content/browser/frame_host/render_frame_host_impl.cc content/browser/frame_host/render_frame_host_impl.cc +25 -1

No files found.
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -429,7 +429,7 @@ void LogRendererKillCrashKeys(const GURL& site_url) {
  base::debug::SetCrashKeyString(site_url_key, site_url.spec());
 }

-base::Optional<url::Origin> GetOriginForURLLoaderFactory(
+base::Optional<url::Origin> GetOriginForURLLoaderFactoryUnchecked(
    NavigationRequest* navigation_request) {
  // Return a safe unique origin when there is no |navigation_request| (e.g.
  // when RFHI::CommitNavigation is called via RFHI::NavigateToInterstitialURL).
@@ -464,6 +464,13 @@ base::Optional<url::Origin> GetOriginForURLLoaderFactory(
    return url::Origin::Create(common_params.base_url_for_data_url);
  }

+  // MHTML frames should commit as unique origin (and should not be able to make
+  // network requests on behalf of the real origin).
+  //
+  // TODO(lukasza): Cover MHTML main frames here.
+  if (navigation_request->IsForMhtmlSubframe())
+    return url::Origin();
+
  // TODO(lukasza, nasko): https://crbug.com/888079: Use exact origin, instead
  // of falling back to site URL for about:blank and about:srcdoc.
  if (common_params.url.SchemeIs(url::kAboutScheme)) {
@@ -489,6 +496,23 @@ base::Optional<url::Origin> GetOriginForURLLoaderFactory(
  return url::Origin::Create(common_params.url);
 }

+base::Optional<url::Origin> GetOriginForURLLoaderFactory(
+    NavigationRequest* navigation_request) {
+  base::Optional<url::Origin> result =
+      GetOriginForURLLoaderFactoryUnchecked(navigation_request);
+
+  // Any non-opaque |result| must be an origin that is allowed to be accessed
+  // from the process that is the target of this navigation.
+  if (result.has_value() && !result->opaque()) {
+    auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
+    CHECK(policy->CanAccessDataForOrigin(
+        navigation_request->render_frame_host()->GetProcess()->GetID(),
+        *result));
+  }
+
+  return result;
+}
+
 std::unique_ptr<blink::URLLoaderFactoryBundleInfo> CloneFactoryBundle(
    scoped_refptr<blink::URLLoaderFactoryBundle> bundle) {
  return base::WrapUnique(static_cast<blink::URLLoaderFactoryBundleInfo*>(