Install |pending_loader_factories_| slightly earlier.

This CL tries to speculatively avoid 1) cases where a |direct_network_factory_| might be getting used with non-opaque origins (see https://crbug.com/1105794) and 2) cases where a |request_initiator_site_lock| doesn't match |request_initiator|. We speculate that one such case might occur when RenderFrameObserver::ReadyToCommitNavigation triggers a fetch in a new document *before* the new factories have been installed. After this CL, the new factories are installed earlier, before calling RenderFrameObserver::ReadyToCommitNavigation. Bug: 1105794, 1098938, 920634, 1056949 Change-Id: I1f06750d4211e12d196eba0f3a78edeaeaa98cdf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2303678 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#789714}

Install |pending_loader_factories_| slightly earlier.
This CL tries to speculatively avoid 1) cases where a |direct_network_factory_| might be getting used with non-opaque origins (see https://crbug.com/1105794) and 2) cases where a |request_initiator_site_lock| doesn't match |request_initiator|. We speculate that one such case might occur when RenderFrameObserver::ReadyToCommitNavigation triggers a fetch in a new document *before* the new factories have been installed. After this CL, the new factories are installed earlier, before calling RenderFrameObserver::ReadyToCommitNavigation. Bug: 1105794, 1098938, 920634, 1056949 Change-Id: I1f06750d4211e12d196eba0f3a78edeaeaa98cdf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2303678 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Auto-Submit: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#789714}
b5592721 · Lukasz Anforowicz · Commit Bot · 5e6dc3bc · b5592721
Commit b5592721 authored Jul 18, 2020 by Lukasz Anforowicz Committed by Commit Bot Jul 18, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 3 deletions

content/renderer/render_frame_impl.cc content/renderer/render_frame_impl.cc +12 -3

No files found.
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -4147,6 +4147,18 @@ void RenderFrameImpl::DidCommitNavigation(
               "RenderFrameImpl::didStartProvisionalLoad", "id", routing_id_,
               "url", document_loader->GetUrl().GetString().Utf8());

+  // Install factories as early as possible - it needs to happen before the
+  // newly committed document starts any subresource fetches.  In particular,
+  // this needs to happen before invoking
+  // RenderFrameObserver::ReadyToCommitNavigation below.
+  //
+  // Note that |pending_loader_factories_| might be missing in some cases - one
+  // example is when committing an empty document synchronously, without a
+  // roundtrip to the browser process - this is what happens as a result of
+  // `window.open('', '_blank').
+  if (pending_loader_factories_)
+    loader_factories_ = std::move(pending_loader_factories_);
+
  // TODO(dgozman): call DidStartNavigation in various places where we call
  // CommitNavigation() on the frame.
  if (!navigation_state->was_initiated_in_this_frame()) {
@@ -4159,9 +4171,6 @@ void RenderFrameImpl::DidCommitNavigation(
  for (auto& observer : observers_)
    observer.ReadyToCommitNavigation(document_loader);

-  if (pending_loader_factories_)
-    loader_factories_ = std::move(pending_loader_factories_);
-
  for (auto& observer : observers_)
    observer.DidCreateNewDocument();