Fix WebView crashes related to data: URLs.

This fixes WebView crashes introduced by http://crrev.com/c/1837093 . This change introduces an exception for the origin consistency check because WebView doesn't generate opaque origins for data: URLs. This is a temporary workaround to avoid crashing while we figure out how to make data: origin behavior more consistent with other platforms. Bug: 1013171, 991607 Change-Id: I304fef3d5eda5bd0d31495e62e4292641392575f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1852421 Commit-Queue: Aaron Colwell <acolwell@chromium.org> Commit-Queue: Bo <boliu@chromium.org> Auto-Submit: Aaron Colwell <acolwell@chromium.org> Reviewed-by: Bo <boliu@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#705120}

Fix WebView crashes related to data: URLs.
This fixes WebView crashes introduced by http://crrev.com/c/1837093 . This change introduces an exception for the origin consistency check because WebView doesn't generate opaque origins for data: URLs. This is a temporary workaround to avoid crashing while we figure out how to make data: origin behavior more consistent with other platforms. Bug: 1013171, 991607 Change-Id: I304fef3d5eda5bd0d31495e62e4292641392575f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1852421 Commit-Queue: Aaron Colwell <acolwell@chromium.org> Commit-Queue: Bo <boliu@chromium.org> Auto-Submit: Aaron Colwell <acolwell@chromium.org> Reviewed-by: Bo <boliu@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#705120}
bb9cfb87 · Aaron Colwell · Commit Bot · cba1e996 · bb9cfb87 · bb9cfb87
Commit bb9cfb87 authored Oct 11, 2019 by Aaron Colwell Committed by Commit Bot Oct 11, 2019
2 changed files
--- a/android_webview/javatests/src/org/chromium/android_webview/test/LoadUrlTest.java
+++ b/android_webview/javatests/src/org/chromium/android_webview/test/LoadUrlTest.java
@@ -462,4 +462,89 @@ public class LoadUrlTest {
            webServer.shutdown();
        }
    }
+
+    // Test loadDataSync() with a page containing an iframe that has a data:
+    // URL for its source. WebView handles conversion from data: URLs to origins
+    // in  a different way than normal desktop and Android builds so we want to
+    // make sure commit time checks properly pass on WebView.
+    // See http://crbug.com/1013171 for details.
+    @Test
+    @SmallTest
+    @Feature({"AndroidWebView"})
+    public void testLoadDataWithDataUrlIframe() throws Throwable {
+        final TestAwContentsClient contentsClient = new TestAwContentsClient();
+        final AwTestContainerView testContainerView =
+                mActivityTestRule.createAwTestContainerViewOnMainSync(contentsClient);
+        final AwContents awContents = testContainerView.getAwContents();
+        AwActivityTestRule.enableJavaScriptOnUiThread(awContents);
+
+        final String iframeLoadedMessage = "iframe loaded";
+        final String iframeHtml = "<html><body><script>"
+                + "console.log('" + iframeLoadedMessage + "')"
+                + ";</script></body></html>";
+        final String pageHtml = "<html><body>"
+                + "<iframe src=\"data:text/html," + iframeHtml + "\"></iframe>"
+                + "</body></html>";
+
+        CallbackHelper onPageFinishedHelper = contentsClient.getOnPageFinishedHelper();
+        int onPageFinishedCallCount = onPageFinishedHelper.getCallCount();
+
+        TestAwContentsClient.AddMessageToConsoleHelper addMessageToConsoleHelper =
+                contentsClient.getAddMessageToConsoleHelper();
+        int logCallCount = addMessageToConsoleHelper.getCallCount();
+
+        // Test load with an anonymous opaque origin.
+        mActivityTestRule.loadDataSync(
+                awContents, contentsClient.getOnPageFinishedHelper(), pageHtml, "text/html", false);
+        onPageFinishedHelper.waitForCallback(onPageFinishedCallCount);
+
+        addMessageToConsoleHelper.waitForCallback(logCallCount);
+        Assert.assertEquals(iframeLoadedMessage, addMessageToConsoleHelper.getMessage());
+    }
+
+    // Test loadUrlSync() with a page containing an iframe that has a data: URL
+    // for its source. WebView handles conversion from data: URLs to origins in
+    // a different way than normal desktop and Android builds so we want to make
+    // sure commit time checks properly pass on WebView.
+    // See http://crbug.com/1013171 for details.
+    @Test
+    @SmallTest
+    @Feature({"AndroidWebView"})
+    public void testLoadUrlWithDataUrlIframe() throws Throwable {
+        final TestAwContentsClient contentsClient = new TestAwContentsClient();
+        final AwTestContainerView testContainerView =
+                mActivityTestRule.createAwTestContainerViewOnMainSync(contentsClient);
+        final AwContents awContents = testContainerView.getAwContents();
+        AwActivityTestRule.enableJavaScriptOnUiThread(awContents);
+
+        final String iframeLoadedMessage = "iframe loaded";
+        final String iframeHtml = "<html><body><script>"
+                + "console.log('" + iframeLoadedMessage + "')"
+                + ";</script></body></html>";
+        final String pageHtml = "<html><body>"
+                + "<iframe src=\"data:text/html," + iframeHtml + "\"></iframe>"
+                + "</body></html>";
+
+        CallbackHelper onPageFinishedHelper = contentsClient.getOnPageFinishedHelper();
+        int onPageFinishedCallCount = onPageFinishedHelper.getCallCount();
+
+        TestAwContentsClient.AddMessageToConsoleHelper addMessageToConsoleHelper =
+                contentsClient.getAddMessageToConsoleHelper();
+        int logCallCount = addMessageToConsoleHelper.getCallCount();
+
+        // Test load with an opaque origin that contains precursor info.
+        TestWebServer webServer = TestWebServer.start();
+        try {
+            final String url = webServer.setResponse("/page.html", pageHtml, null);
+
+            mActivityTestRule.loadUrlSync(
+                    awContents, contentsClient.getOnPageFinishedHelper(), url);
+            onPageFinishedHelper.waitForCallback(onPageFinishedCallCount);
+
+            addMessageToConsoleHelper.waitForCallback(logCallCount);
+            Assert.assertEquals(iframeLoadedMessage, addMessageToConsoleHelper.getMessage());
+        } finally {
+            webServer.shutdown();
+        }
+    }
 }
--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -1285,6 +1285,16 @@ CanCommitStatus ChildProcessSecurityPolicyImpl::CanCommitOriginAndUrl(
  if (!url_tuple_or_precursor_tuple.IsInvalid() &&
      !origin_tuple_or_precursor_tuple.IsInvalid() &&
      origin_tuple_or_precursor_tuple != url_tuple_or_precursor_tuple) {
+    // Allow a WebView specific exception for origins that have a data scheme.
+    // WebView converts data: URLs into non-opaque data:// origins which is
+    // different than what all other builds do. This causes the consistency
+    // check to fail because we try to compare a data:// origin with an opaque
+    // origin that contains precursor info.
+    if (url_tuple_or_precursor_tuple.scheme() == url::kDataScheme &&
+        url::AllowNonStandardSchemesForAndroidWebView()) {
+      return CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL;
+    }
+
    return CanCommitStatus::CANNOT_COMMIT_ORIGIN;
  }