[SpeechRecognition] Stop using origin sent from renderer

Changes browser side implementation to use last committed origin instead of receiving and checking an origin sent from the renderer. Bug: 1030892 Change-Id: I5a2c007b80bd1a0a71ac041efc046eb7b8a2317e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1978998 Commit-Queue: Adithya Srinivasan <adithyas@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#728002}

[SpeechRecognition] Stop using origin sent from renderer
Changes browser side implementation to use last committed origin instead of receiving and checking an origin sent from the renderer. Bug: 1030892 Change-Id: I5a2c007b80bd1a0a71ac041efc046eb7b8a2317e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1978998 Commit-Queue: Adithya Srinivasan <adithyas@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#728002}
ba6b634e · Adithya Srinivasan · Commit Bot · 95b03fa9 · ba6b634e · ba6b634e
Commit ba6b634e authored Jan 02, 2020 by Adithya Srinivasan Committed by Commit Bot Jan 02, 2020
4 changed files
--- a/content/browser/speech/speech_recognition_dispatcher_host.cc
+++ b/content/browser/speech/speech_recognition_dispatcher_host.cc
@@ -11,7 +11,6 @@
 #include "base/lazy_instance.h"
 #include "base/task/post_task.h"
 #include "content/browser/browser_plugin/browser_plugin_guest.h"
-#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/frame_host/frame_tree_node.h"
 #include "content/browser/frame_host/render_frame_host_manager.h"
 #include "content/browser/speech/speech_recognition_manager_impl.h"
@@ -63,16 +62,6 @@ void SpeechRecognitionDispatcherHost::Start(
    blink::mojom::StartSpeechRecognitionRequestParamsPtr params) {
  DCHECK_CURRENTLY_ON(BrowserThread::IO);

-  // Check that the origin specified by the renderer process is one
-  // that it is allowed to access.
-  if (!params->origin.opaque() &&
-      !ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(
-          render_process_id_, params->origin.GetURL())) {
-    LOG(ERROR) << "SRDH::OnStartRequest, disallowed origin: "
-               << params->origin.Serialize();
-    return;
-  }
-
  base::PostTask(
      FROM_HERE, {BrowserThread::UI},
      base::BindOnce(&SpeechRecognitionDispatcherHost::StartRequestOnUI,
@@ -91,14 +80,14 @@ void SpeechRecognitionDispatcherHost::StartRequestOnUI(
  int embedder_render_process_id = 0;
  int embedder_render_frame_id = MSG_ROUTING_NONE;

-  WebContentsImpl* web_contents =
-      static_cast<WebContentsImpl*>(WebContentsImpl::FromRenderFrameHostID(
-          render_process_id, render_frame_id));
-  if (!web_contents) {
-    // The render frame id is renderer-provided. If it's invalid, don't crash.
+  RenderFrameHostImpl* rfh =
+      RenderFrameHostImpl::FromID(render_process_id, render_frame_id);
+  if (!rfh) {
    DLOG(ERROR) << "SRDH::OnStartRequest, invalid frame";
    return;
  }
+  WebContentsImpl* web_contents =
+      static_cast<WebContentsImpl*>(WebContents::FromRenderFrameHost(rfh));

  // If the speech API request was from an inner WebContents or a guest, save
  // the context of the outer WebContents or the embedder since we will use it
@@ -143,7 +132,7 @@ void SpeechRecognitionDispatcherHost::StartRequestOnUI(
          &SpeechRecognitionDispatcherHost::StartSessionOnIO,
          speech_recognition_dispatcher_host, std::move(params),
          embedder_render_process_id, embedder_render_frame_id,
-          filter_profanities,
+          rfh->GetLastCommittedOrigin(), filter_profanities,
          storage_partition->GetURLLoaderFactoryForBrowserProcessIOThread(),
          GetContentClient()->browser()->GetAcceptLangs(browser_context)));
 }
@@ -152,6 +141,7 @@ void SpeechRecognitionDispatcherHost::StartSessionOnIO(
    blink::mojom::StartSpeechRecognitionRequestParamsPtr params,
    int embedder_render_process_id,
    int embedder_render_frame_id,
+    const url::Origin& origin,
    bool filter_profanities,
    std::unique_ptr<network::PendingSharedURLLoaderFactory>
        pending_shared_url_loader_factory,
@@ -159,7 +149,7 @@ void SpeechRecognitionDispatcherHost::StartSessionOnIO(
  DCHECK_CURRENTLY_ON(BrowserThread::IO);

  SpeechRecognitionSessionContext context;
-  context.security_origin = params->origin;
+  context.security_origin = origin;
  context.render_process_id = render_process_id_;
  context.render_frame_id = render_frame_id_;
  context.embedder_render_process_id = embedder_render_process_id;
@@ -172,7 +162,7 @@ void SpeechRecognitionDispatcherHost::StartSessionOnIO(
  config.language = params->language;
  config.accept_language = accept_language;
  config.max_hypotheses = params->max_hypotheses;
-  config.origin = params->origin;
+  config.origin = origin;
  config.initial_context = context;
  config.shared_url_loader_factory = network::SharedURLLoaderFactory::Create(
      std::move(pending_shared_url_loader_factory));

--- a/content/browser/speech/speech_recognition_dispatcher_host.h
+++ b/content/browser/speech/speech_recognition_dispatcher_host.h
@@ -23,6 +23,10 @@ namespace network {
 class PendingSharedURLLoaderFactory;
 }

+namespace url {
+class Origin;
+}
+
 namespace content {

 class SpeechRecognitionSession;
@@ -57,6 +61,7 @@ class CONTENT_EXPORT SpeechRecognitionDispatcherHost
      blink::mojom::StartSpeechRecognitionRequestParamsPtr params,
      int embedder_render_process_id,
      int embedder_render_frame_id,
+      const url::Origin& origin,
      bool filter_profanities,
      std::unique_ptr<network::PendingSharedURLLoaderFactory>
          pending_shared_url_loader_factory,

--- a/third_party/blink/public/mojom/speech/speech_recognizer.mojom
+++ b/third_party/blink/public/mojom/speech/speech_recognizer.mojom
@@ -7,7 +7,6 @@ module blink.mojom;
 import "third_party/blink/public/mojom/speech/speech_recognition_grammar.mojom";
 import "third_party/blink/public/mojom/speech/speech_recognition_result.mojom";
 import "third_party/blink/public/mojom/speech/speech_recognition_error.mojom";
-import "url/mojom/origin.mojom";

 // Created by the renderer and sent to the browser to start a speech recognition
 // session.
@@ -26,9 +25,6 @@ struct StartSpeechRecognitionRequestParams {
  // Speech grammars to use.
  array<SpeechRecognitionGrammar> grammars;

-  // URL of the page (or iframe if applicable).
-  url.mojom.Origin origin;
-
  // Maximum number of hypotheses allowed for each results.
  uint32 max_hypotheses;


--- a/third_party/blink/renderer/modules/speech/speech_recognition_controller.cc
+++ b/third_party/blink/renderer/modules/speech/speech_recognition_controller.cc
@@ -66,7 +66,6 @@ void SpeechRecognitionController::Start(
  msg_params->max_hypotheses = max_alternatives;
  msg_params->continuous = continuous;
  msg_params->interim_results = interim_results;
-  msg_params->origin = GetSupplementable()->GetDocument()->GetSecurityOrigin();
  msg_params->client = std::move(session_client);
  msg_params->session_receiver = std::move(session_receiver);