Move FrameMsg_DidUpdateOrigin to mojo

Move FrameMsg_DidUpdateOrigin to a RemoteFrame mojo
interface.

Addded DecodeURLEscapeSequences to the mojo deserialization
of a url.mojom.Origin when converting to a blink::SecurityOrigin.
Change https://crrev.com/5f709c23e66 added a change to the legacy
IPC path but the relevant change wasn't in the mojo path. So adjusting
this message to go through mojo causes the test case to fail so fix
the decoding appropriately to match the legacy path.

BUG=1008432

Change-Id: I63b4a47e37e5740a4712f921c87292dcb15ca8a4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1874197Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/master@{#711004}

content/browser/frame_host/render_frame_host_manager.cc

@@ -1006,9 +1006,8 @@ void RenderFrameHostManager::OnDidUpdateOrigin(
     const url::Origin& origin,
     bool is_potentially_trustworthy_unique_origin) {
   for (const auto& pair : proxy_hosts_) {
-    pair.second->Send(
-        new FrameMsg_DidUpdateOrigin(pair.second->GetRoutingID(), origin,
-                                     is_potentially_trustworthy_unique_origin));
+    pair.second->GetAssociatedRemoteFrame()->SetReplicatedOrigin(
+        origin, is_potentially_trustworthy_unique_origin);
   }
 }
 

content/common/frame_messages.h

@@ -770,12 +770,6 @@ IPC_MESSAGE_ROUTED1(FrameMsg_AddContentSecurityPolicies,
 IPC_MESSAGE_ROUTED1(FrameMsg_EnforceInsecureRequestPolicy,
                     blink::WebInsecureRequestPolicy)
 
-// Update a proxy's replicated origin.  Used when the frame is navigated to a
-// new origin.
-IPC_MESSAGE_ROUTED2(FrameMsg_DidUpdateOrigin,
-                    url::Origin /* origin */,
-                    bool /* is potentially trustworthy unique origin */)
-
 // Notifies RenderFrameProxy that its associated RenderWidgetHostView has
 // changed.
 IPC_MESSAGE_ROUTED1(FrameMsg_ViewChanged,

content/renderer/render_frame_proxy.cc

@@ -416,7 +416,6 @@ bool RenderFrameProxy::OnMessageReceived(const IPC::Message& msg) {
                         OnEnforceInsecureRequestPolicy)
     IPC_MESSAGE_HANDLER(FrameMsg_SetFrameOwnerProperties,
                         OnSetFrameOwnerProperties)
-    IPC_MESSAGE_HANDLER(FrameMsg_DidUpdateOrigin, OnDidUpdateOrigin)
     IPC_MESSAGE_HANDLER(InputMsg_SetFocus, OnSetPageFocus)
     IPC_MESSAGE_HANDLER(FrameMsg_DidUpdateVisualProperties,
                         OnDidUpdateVisualProperties)
@@ -539,13 +538,6 @@ void RenderFrameProxy::OnSetFrameOwnerProperties(
       ConvertFrameOwnerPropertiesToWebFrameOwnerProperties(properties));
 }
 
-void RenderFrameProxy::OnDidUpdateOrigin(
-    const url::Origin& origin,
-    bool is_potentially_trustworthy_unique_origin) {
-  web_frame_->SetReplicatedOrigin(origin,
-                                  is_potentially_trustworthy_unique_origin);
-}
-
 void RenderFrameProxy::OnSetPageFocus(bool is_focused) {
   render_view_->SetFocus(is_focused);
 }

content/renderer/render_frame_proxy.h

@@ -250,8 +250,6 @@ class CONTENT_EXPORT RenderFrameProxy : public IPC::Listener,
       const std::vector<ContentSecurityPolicyHeader>& header);
   void OnEnforceInsecureRequestPolicy(blink::WebInsecureRequestPolicy policy);
   void OnSetFrameOwnerProperties(const FrameOwnerProperties& properties);
-  void OnDidUpdateOrigin(const url::Origin& origin,
-                         bool is_potentially_trustworthy_unique_origin);
   void OnSetPageFocus(bool is_focused);
   void OnSetFocusedFrame();
   void OnWillEnterFullscreen();

third_party/blink/public/mojom/frame/frame.mojom

@@ -118,4 +118,9 @@ interface RemoteFrame {
   // is a hashed set of host/port pairs. See
   // SecurityContext::SetInsecureNavigationsSet.
   EnforceInsecureNavigationsSet(array<uint32> set);
+
+  // Update the replicated origin. Used when the frame is navigated to a
+  // new origin.
+  SetReplicatedOrigin(url.mojom.Origin origin,
+    bool is_potentially_trustworthy_unique_origin);
 };
\ No newline at end of file

third_party/blink/renderer/core/exported/web_remote_frame_impl.cc

@@ -256,25 +256,8 @@ void WebRemoteFrameImpl::SetReplicatedOrigin(
     const WebSecurityOrigin& origin,
     bool is_potentially_trustworthy_opaque_origin) {
   DCHECK(GetFrame());
-  scoped_refptr<SecurityOrigin> security_origin = origin.Get()->IsolatedCopy();
-  security_origin->SetOpaqueOriginIsPotentiallyTrustworthy(
-      is_potentially_trustworthy_opaque_origin);
-  GetFrame()->GetSecurityContext()->SetReplicatedOrigin(security_origin);
-  ApplyReplicatedFeaturePolicyHeader();
-
-  // If the origin of a remote frame changed, the accessibility object for the
-  // owner element now points to a different child.
-  //
-  // TODO(dmazzoni, dcheng): there's probably a better way to solve this.
-  // Run SitePerProcessAccessibilityBrowserTest.TwoCrossSiteNavigations to
-  // ensure an alternate fix works.  http://crbug.com/566222
-  FrameOwner* owner = GetFrame()->Owner();
-  HTMLElement* owner_element = DynamicTo<HTMLFrameOwnerElement>(owner);
-  if (owner_element) {
-    AXObjectCache* cache = owner_element->GetDocument().ExistingAXObjectCache();
-    if (cache)
-      cache->ChildrenChanged(owner_element);
-  }
+  GetFrame()->SetReplicatedOrigin(origin,
+                                  is_potentially_trustworthy_opaque_origin);
 }
 
 void WebRemoteFrameImpl::SetReplicatedSandboxFlags(WebSandboxFlags flags) {
@@ -291,31 +274,9 @@ void WebRemoteFrameImpl::SetReplicatedName(const WebString& name) {
 void WebRemoteFrameImpl::SetReplicatedFeaturePolicyHeaderAndOpenerPolicies(
     const ParsedFeaturePolicy& parsed_header,
     const FeaturePolicy::FeatureState& opener_feature_state) {
-  feature_policy_header_ = parsed_header;
-  if (RuntimeEnabledFeatures::FeaturePolicyForSandboxEnabled()) {
-    DCHECK(opener_feature_state.empty() || frame_->IsMainFrame());
-    if (frame_->OpenerFeatureState().empty()) {
-      frame_->SetOpenerFeatureState(opener_feature_state);
-    }
-  }
-  ApplyReplicatedFeaturePolicyHeader();
-}
-
-void WebRemoteFrameImpl::ApplyReplicatedFeaturePolicyHeader() {
-  const FeaturePolicy* parent_feature_policy = nullptr;
-  if (Parent()) {
-    Frame* parent_frame = GetFrame()->Client()->Parent();
-    parent_feature_policy =
-        parent_frame->GetSecurityContext()->GetFeaturePolicy();
-  }
-  ParsedFeaturePolicy container_policy;
-  if (GetFrame()->Owner())
-    container_policy = GetFrame()->Owner()->GetFramePolicy().container_policy;
-  const FeaturePolicy::FeatureState& opener_feature_state =
-      frame_->OpenerFeatureState();
-  GetFrame()->GetSecurityContext()->InitializeFeaturePolicy(
-      feature_policy_header_, container_policy, parent_feature_policy,
-      opener_feature_state.empty() ? nullptr : &opener_feature_state);
+  DCHECK(GetFrame());
+  GetFrame()->SetReplicatedFeaturePolicyHeaderAndOpenerPolicies(
+      parsed_header, opener_feature_state);
 }
 
 void WebRemoteFrameImpl::AddReplicatedContentSecurityPolicyHeader(

third_party/blink/renderer/core/exported/web_remote_frame_impl.h

@@ -123,7 +123,6 @@ class CORE_EXPORT WebRemoteFrameImpl final
   friend class RemoteFrameClientImpl;
 
   void SetCoreFrame(RemoteFrame*);
-  void ApplyReplicatedFeaturePolicyHeader();
 
   // Inherited from WebFrame, but intentionally hidden: it never makes sense
   // to call these on a WebRemoteFrameImpl.
@@ -137,8 +136,6 @@ class CORE_EXPORT WebRemoteFrameImpl final
   Member<RemoteFrameClientImpl> frame_client_;
   Member<RemoteFrame> frame_;
 
-  ParsedFeaturePolicy feature_policy_header_;
-
   InterfaceRegistry* const interface_registry_;
 
   // Oilpan: WebRemoteFrameImpl must remain alive until close() is called.

third_party/blink/renderer/core/frame/remote_frame.cc

@@ -231,6 +231,19 @@ void RemoteFrame::DidChangeVisibleToHitTesting() {
       IsIgnoredForHitTest());
 }
 
+void RemoteFrame::SetReplicatedFeaturePolicyHeaderAndOpenerPolicies(
+    const ParsedFeaturePolicy& parsed_header,
+    const FeaturePolicy::FeatureState& opener_feature_state) {
+  feature_policy_header_ = parsed_header;
+  if (RuntimeEnabledFeatures::FeaturePolicyForSandboxEnabled()) {
+    DCHECK(opener_feature_state.empty() || IsMainFrame());
+    if (OpenerFeatureState().empty()) {
+      SetOpenerFeatureState(opener_feature_state);
+    }
+  }
+  ApplyReplicatedFeaturePolicyHeader();
+}
+
 void RemoteFrame::WillEnterFullscreen() {
   // This should only ever be called when the FrameOwner is local.
   HTMLFrameOwnerElement* owner_element = To<HTMLFrameOwnerElement>(Owner());
@@ -261,6 +274,30 @@ void RemoteFrame::EnforceInsecureNavigationsSet(
   GetSecurityContext()->SetInsecureNavigationsSet(set);
 }
 
+void RemoteFrame::SetReplicatedOrigin(
+    const scoped_refptr<const SecurityOrigin>& origin,
+    bool is_potentially_trustworthy_unique_origin) {
+  scoped_refptr<SecurityOrigin> security_origin = origin->IsolatedCopy();
+  security_origin->SetOpaqueOriginIsPotentiallyTrustworthy(
+      is_potentially_trustworthy_unique_origin);
+  GetSecurityContext()->SetReplicatedOrigin(security_origin);
+  ApplyReplicatedFeaturePolicyHeader();
+
+  // If the origin of a remote frame changed, the accessibility object for the
+  // owner element now points to a different child.
+  //
+  // TODO(dmazzoni, dcheng): there's probably a better way to solve this.
+  // Run SitePerProcessAccessibilityBrowserTest.TwoCrossSiteNavigations to
+  // ensure an alternate fix works.  http://crbug.com/566222
+  FrameOwner* owner = Owner();
+  HTMLElement* owner_element = DynamicTo<HTMLFrameOwnerElement>(owner);
+  if (owner_element) {
+    AXObjectCache* cache = owner_element->GetDocument().ExistingAXObjectCache();
+    if (cache)
+      cache->ChildrenChanged(owner_element);
+  }
+}
+
 bool RemoteFrame::IsIgnoredForHitTest() const {
   HTMLFrameOwnerElement* owner = DeprecatedLocalOwner();
   if (!owner || !owner->GetLayoutObject())
@@ -306,6 +343,22 @@ void RemoteFrame::DetachChildren() {
     child->Detach(FrameDetachType::kRemove);
 }
 
+void RemoteFrame::ApplyReplicatedFeaturePolicyHeader() {
+  const FeaturePolicy* parent_feature_policy = nullptr;
+  if (Frame* parent_frame = Client()->Parent()) {
+    parent_feature_policy =
+        parent_frame->GetSecurityContext()->GetFeaturePolicy();
+  }
+  ParsedFeaturePolicy container_policy;
+  if (Owner())
+    container_policy = Owner()->GetFramePolicy().container_policy;
+  const FeaturePolicy::FeatureState& opener_feature_state =
+      OpenerFeatureState();
+  GetSecurityContext()->InitializeFeaturePolicy(
+      feature_policy_header_, container_policy, parent_feature_policy,
+      opener_feature_state.empty() ? nullptr : &opener_feature_state);
+}
+
 void RemoteFrame::BindToReceiver(
     blink::RemoteFrame* frame,
     mojo::PendingAssociatedReceiver<mojom::blink::RemoteFrame> receiver) {

third_party/blink/renderer/core/frame/remote_frame.h

@@ -73,10 +73,17 @@ class CORE_EXPORT RemoteFrame final : public Frame,
 
   void DidChangeVisibleToHitTesting() override;
 
+  void SetReplicatedFeaturePolicyHeaderAndOpenerPolicies(
+      const ParsedFeaturePolicy& parsed_header,
+      const FeaturePolicy::FeatureState&);
+
   // blink::mojom::LocalFrame overrides:
   void WillEnterFullscreen() override;
   void ResetReplicatedContentSecurityPolicy() override;
   void EnforceInsecureNavigationsSet(const WTF::Vector<uint32_t>& set) override;
+  void SetReplicatedOrigin(
+      const scoped_refptr<const SecurityOrigin>& origin,
+      bool is_potentially_trustworthy_unique_origin) override;
 
  private:
   // Frame protected overrides:
@@ -88,6 +95,7 @@ class CORE_EXPORT RemoteFrame final : public Frame,
   bool IsRemoteFrame() const override { return true; }
 
   void DetachChildren();
+  void ApplyReplicatedFeaturePolicyHeader();
 
   static void BindToReceiver(
       blink::RemoteFrame* frame,
@@ -98,6 +106,7 @@ class CORE_EXPORT RemoteFrame final : public Frame,
   cc::Layer* cc_layer_ = nullptr;
   bool prevent_contents_opaque_changes_ = false;
   bool is_surface_layer_ = false;
+  ParsedFeaturePolicy feature_policy_header_;
 
   mojo::AssociatedReceiver<mojom::blink::RemoteFrame> receiver_{this};
 };

third_party/blink/renderer/platform/mojo/security_origin_mojom_traits.h

@@ -5,6 +5,7 @@
 #ifndef THIRD_PARTY_BLINK_RENDERER_PLATFORM_MOJO_SECURITY_ORIGIN_MOJOM_TRAITS_H_
 #define THIRD_PARTY_BLINK_RENDERER_PLATFORM_MOJO_SECURITY_ORIGIN_MOJOM_TRAITS_H_
 
+#include "third_party/blink/renderer/platform/weborigin/kurl.h"
 #include "third_party/blink/renderer/platform/weborigin/security_origin.h"
 #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
 #include "url/mojom/origin.mojom-blink-forward.h"
@@ -22,9 +23,13 @@ struct UrlOriginAdapter {
       const base::Optional<base::UnguessableToken>& nonce_if_opaque) {
     scoped_refptr<blink::SecurityOrigin> tuple_origin;
     if (!tuple.IsInvalid()) {
+      // url::SchemeHostPort is percent encoded and SecurityOrigin is percent
+      // decoded.
+      String host = blink::DecodeURLEscapeSequences(
+          String::FromUTF8(tuple.host()),
+          url::DecodeURLMode::kUTF8OrIsomorphic);
       tuple_origin = blink::SecurityOrigin::Create(
-          String::FromUTF8(tuple.scheme()), String::FromUTF8(tuple.host()),
-          tuple.port());
+          String::FromUTF8(tuple.scheme()), host, tuple.port());
     }
 
     if (nonce_if_opaque) {