Fuzzer: Check ancestors for web url loader factory override.

We might create child frames, and those frames will need to create a URL loader factory. Since we override the factory before we actually parse and create child frames, we can't set it directly on all possible children. Instead, when asked to create a factory and we don't have an override, navigate the ancestor chain and check if any of the ancestors have an override. This also adds a Clone function, since we need to be able to retain multiple copies of the override (one for each of the child frames, and one for self). R=yhirano@chromium.org Bug: 986050 Change-Id: I5d1023379eb4b7c305e3b07640ee6a4d31a2d9d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1717677Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Stefan Zager <szager@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Reviewed-by: Chris Harrelson <chrishtr@chromium.org> Commit-Queue: vmpstr <vmpstr@chromium.org> Cr-Commit-Position: refs/heads/master@{#682384}

Fuzzer: Check ancestors for web url loader factory override.
We might create child frames, and those frames will need to create a URL loader factory. Since we override the factory before we actually parse and create child frames, we can't set it directly on all possible children. Instead, when asked to create a factory and we don't have an override, navigate the ancestor chain and check if any of the ancestors have an override. This also adds a Clone function, since we need to be able to retain multiple copies of the override (one for each of the child frames, and one for self). R=yhirano@chromium.org Bug: 986050 Change-Id: I5d1023379eb4b7c305e3b07640ee6a4d31a2d9d4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1717677Reviewed-by: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Stefan Zager <szager@chromium.org> Reviewed-by: Scott Violet <sky@chromium.org> Reviewed-by: Chris Harrelson <chrishtr@chromium.org> Commit-Queue: vmpstr <vmpstr@chromium.org> Cr-Commit-Position: refs/heads/master@{#682384}
cfca852b · Vladimir Levin · Commit Bot · f6f4d1d7 · cfca852b · cfca852b
Commit cfca852b authored Jul 30, 2019 by Vladimir Levin Committed by Commit Bot Jul 30, 2019
4 changed files
--- a/content/public/test/render_view_test.cc
+++ b/content/public/test/render_view_test.cc
@@ -159,7 +159,7 @@ class FakeWebURLLoader : public blink::WebURLLoader {
  base::WeakPtrFactory<FakeWebURLLoader> weak_factory_{this};
 };
-class FakeWebURLLoaderFactory : public blink::WebURLLoaderFactory {
+class FakeWebURLLoaderFactory : public blink::WebURLLoaderFactoryForTest {
 public:
  std::unique_ptr<blink::WebURLLoader> CreateURLLoader(
      const WebURLRequest&,
@@ -167,6 +167,10 @@ class FakeWebURLLoaderFactory : public blink::WebURLLoaderFactory {
          task_runner_handle) override {
    return std::make_unique<FakeWebURLLoader>(std::move(task_runner_handle));
  }
+  std::unique_ptr<WebURLLoaderFactoryForTest> Clone() override {
+    return std::make_unique<FakeWebURLLoaderFactory>();
+  }
 };
 // Converts |ascii_character| into |key_code| and returns true on success.

--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -7461,8 +7461,24 @@ RenderFrameImpl::CreateURLLoaderFactory() {
  if (!RenderThreadImpl::current()) {
    // Some tests (e.g. RenderViewTests) do not have RenderThreadImpl,
    // and must create a factory override instead.
-    DCHECK(web_url_loader_factory_override_for_test_);
+    if (web_url_loader_factory_override_for_test_)
-    return std::move(web_url_loader_factory_override_for_test_);
+      return web_url_loader_factory_override_for_test_->Clone();
+    // If the override does not exist, try looking in the ancestor chain since
+    // we might have created child frames and asked them to create a URL loader
+    // factory.
+    for (auto* ancestor = GetWebFrame()->Parent(); ancestor;
+         ancestor = ancestor->Parent()) {
+      RenderFrameImpl* ancestor_frame = RenderFrameImpl::FromWebFrame(ancestor);
+      if (ancestor_frame &&
+          ancestor_frame->web_url_loader_factory_override_for_test_) {
+        return ancestor_frame->web_url_loader_factory_override_for_test_
+            ->Clone();
+      }
+    }
+    // At this point we can't create anything.
+    NOTREACHED();
+    return nullptr;
  }
  return std::make_unique<FrameURLLoaderFactory>(weak_factory_.GetWeakPtr());
 }
@@ -7763,7 +7779,7 @@ void RenderFrameImpl::AddMessageToConsoleImpl(
 }
 void RenderFrameImpl::SetWebURLLoaderFactoryOverrideForTest(
-    std::unique_ptr<blink::WebURLLoaderFactory> factory) {
+    std::unique_ptr<blink::WebURLLoaderFactoryForTest> factory) {
  web_url_loader_factory_override_for_test_ = std::move(factory);
 }

--- a/content/renderer/render_frame_impl.h
+++ b/content/renderer/render_frame_impl.h
@@ -1009,7 +1009,7 @@ class CONTENT_EXPORT RenderFrameImpl
  // Used in tests to install a fake WebURLLoaderFactory via
  // RenderViewTest::CreateFakeWebURLLoaderFactory().
  void SetWebURLLoaderFactoryOverrideForTest(
-      std::unique_ptr<blink::WebURLLoaderFactory> factory);
+      std::unique_ptr<blink::WebURLLoaderFactoryForTest> factory);
 protected:
  explicit RenderFrameImpl(CreateParams params);
@@ -1790,7 +1790,7 @@ class CONTENT_EXPORT RenderFrameImpl
  class MHTMLBodyLoaderClient;
  std::unique_ptr<MHTMLBodyLoaderClient> mhtml_body_loader_client_;
-  std::unique_ptr<blink::WebURLLoaderFactory>
+  std::unique_ptr<blink::WebURLLoaderFactoryForTest>
      web_url_loader_factory_override_for_test_;
  base::WeakPtrFactory<RenderFrameImpl> weak_factory_{this};

--- a/third_party/blink/public/platform/web_url_loader_factory.h
+++ b/third_party/blink/public/platform/web_url_loader_factory.h
@@ -28,6 +28,14 @@ class WebURLLoaderFactory {
      std::unique_ptr<scheduler::WebResourceLoadingTaskRunnerHandle>) = 0;
 };
+// A test version of the above factory interface, which supports cloning the
+// factory.
+class WebURLLoaderFactoryForTest : public WebURLLoaderFactory {
+ public:
+  // Clones this factory.
+  virtual std::unique_ptr<WebURLLoaderFactoryForTest> Clone() = 0;
+};
 }  // namespace blink
 #endif  // THIRD_PARTY_BLINK_PUBLIC_PLATFORM_WEB_URL_LOADER_FACTORY_H_