Trust Tokens: Remove an overzealous bad-renderer check in RFHI

Document.hasTrustToken is a JS method only available in secure contexts.
Its implementation involves getting a Mojo interface from the browser
and sending an IPC. In the browser-side code, in RenderFrameHostImpl,
where we handle requests from the renderer for this Mojo interface, we
perform a security check to make sure we aren't receiving requests for
the interface from unexpected places, which could indicate a bad
renderer. The current check makes sure that the request is coming from a
frame with a potentially trustworthy origin. However, this is not
exactly the same thing as a secure context: in particular, allow-scripts
sandboxed iframes can be secure but not have potentially trustworthy
frame origins. This leads to false positives in the check and unwanted
renderer kills.

This CL removes the check.

R=dcheng

Bug: 1144057
Change-Id: I0e57669606effb15c672586297ef7dcf2711bc91
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2511882
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Auto-Submit: David Van Cleve <davidvc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#823819}

content/browser/renderer_host/render_frame_host_impl.cc

@@ -7935,14 +7935,6 @@ void RenderFrameHostImpl::BindHasTrustTokensAnswerer(
     return;
   }
 
-  // This is enforced in benign renderers by the [SecureContext] IDL
-  // attribute on Document::hasTrustToken.
-  if (!network::IsOriginPotentiallyTrustworthy(GetLastCommittedOrigin())) {
-    mojo::ReportBadMessage(
-        "Attempted to get a HasTrustTokensAnswerer from an insecure context.");
-    return;
-  }
-
   // This is enforced in benign renderers by the RuntimeEnabled=TrustTokens IDL
   // attribute (the base::Feature's value is tied to the
   // RuntimeEnabledFeature's).
@@ -7953,6 +7945,11 @@ void RenderFrameHostImpl::BindHasTrustTokensAnswerer(
     return;
   }
 
+  // TODO(crbug.com/1145346): Document.hasTrustToken is restricted to secure
+  // contexts, so we could additionally add a check verifying that the bind
+  // request "is coming from a secure context"---but there's currently no
+  // direct way to perform such a check in the browser.
+
   GetProcess()->GetStoragePartition()->CreateHasTrustTokensAnswerer(
       std::move(receiver), ComputeTopFrameOrigin(GetLastCommittedOrigin()));
 }

content/test/trust_token_browsertest.cc

@@ -887,6 +887,23 @@ IN_PROC_BROWSER_TEST_F(TrustTokenBrowsertest,
                               .catch(error => error.name);)"));
 }
 
+// A hasTrustToken call initiated from a secure context should succeed even if
+// the initiating frame's origin is opaque (e.g. from a sandboxed iframe).
+IN_PROC_BROWSER_TEST_F(TrustTokenBrowsertest,
+                       HasTrustTokenFromSecureSubframeWithOpaqueOrigin) {
+  ASSERT_TRUE(NavigateToURL(
+      shell(), server_.GetURL("a.test", "/page_with_sandboxed_iframe.html")));
+
+  FrameTreeNode* root = static_cast<WebContentsImpl*>(shell()->web_contents())
+                            ->GetFrameTree()
+                            ->root();
+
+  EXPECT_EQ("Success",
+            EvalJs(root->child_at(0)->current_frame_host(),
+                   R"(document.hasTrustToken('https://davids.website')
+                              .then(()=>'Success');)"));
+}
+
 // An operation initiated from a secure context should succeed even if the
 // operation's associated request's initiator is opaque (e.g. from a sandboxed
 // iframe).