Worker: Stop passing creator's origin for starting a dedicated worker

This CL makes DedicatedWorkerHostFactoryImpl use its |parent_execution_origin_| (renamed to |creator_origin| by this CL) for starting a dedicated worker instead of an origin passed from a renderer process. This was not feasible before because |parent_execution_origin_| is provided from parent's |RenderFrameHostImpl::last_committed_origin_| that is set during navigation commit. Worker creation IPC from the renderer to browser could race with navigation commit, and could see the wrong last committed origin. Now this is feasible. This is because worker creation IPC is now tied with RenderFrameHostImpl's BrowserInterfaceBroker that is re-bound during navigation commit[*]. This ensures that worker creation requests issued before the navigation commit are discarded by the previous BrowserInterfaceBroker, and new requests via the new BrowserInterfaceBroker are scoped to the new last committed origin. [*] The call path between binding BrowserInterfaceBroker and updating the last committed origin is as follows. These are synchronously done. - RenderFrameHostImpl::DidCommitNavigation() re-binds the interface broker https://source.chromium.org/chromium/chromium/src/+/master:content/browser/frame_host/render_frame_host_impl.cc;l=7489;drc=d54ee0c3d25dfc644282b50c5f57e23b7ab4dda4?originalUrl=https:%2F%2Fcs.chromium.org%2F -> RenderFrameHostImpl::DidCommitNavigationInternal() -> NavigatorImpl::DidNavigate() -> RenderFrameHostImpl::DidNavigate() -> RenderFrameHostImpl::SetLastCommittedOrigin() Change-Id: Id69c3d66e50aa8cbb7fee520a1479b28970de1c6 Bug: 906991, 1030909 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1971660Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#748127}

Worker: Stop passing creator's origin for starting a dedicated worker
This CL makes DedicatedWorkerHostFactoryImpl use its |parent_execution_origin_| (renamed to |creator_origin| by this CL) for starting a dedicated worker instead of an origin passed from a renderer process. This was not feasible before because |parent_execution_origin_| is provided from parent's |RenderFrameHostImpl::last_committed_origin_| that is set during navigation commit. Worker creation IPC from the renderer to browser could race with navigation commit, and could see the wrong last committed origin. Now this is feasible. This is because worker creation IPC is now tied with RenderFrameHostImpl's BrowserInterfaceBroker that is re-bound during navigation commit[*]. This ensures that worker creation requests issued before the navigation commit are discarded by the previous BrowserInterfaceBroker, and new requests via the new BrowserInterfaceBroker are scoped to the new last committed origin. [*] The call path between binding BrowserInterfaceBroker and updating the last committed origin is as follows. These are synchronously done. - RenderFrameHostImpl::DidCommitNavigation() re-binds the interface broker https://source.chromium.org/chromium/chromium/src/+/master:content/browser/frame_host/render_frame_host_impl.cc;l=7489;drc=d54ee0c3d25dfc644282b50c5f57e23b7ab4dda4?originalUrl=https:%2F%2Fcs.chromium.org%2F -> RenderFrameHostImpl::DidCommitNavigationInternal() -> NavigatorImpl::DidNavigate() -> RenderFrameHostImpl::DidNavigate() -> RenderFrameHostImpl::SetLastCommittedOrigin() Change-Id: Id69c3d66e50aa8cbb7fee520a1479b28970de1c6 Bug: 906991, 1030909 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1971660Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#748127}
e2468717 · Hiroki Nakagawa · Commit Bot · 758d885f · e2468717 · e2468717
Commit e2468717 authored Mar 09, 2020 by Hiroki Nakagawa Committed by Commit Bot Mar 09, 2020
9 changed files
--- a/content/browser/browser_interface_binders.cc
+++ b/content/browser/browser_interface_binders.cc
@@ -748,7 +748,7 @@ RenderFrameHost* GetContextForHost(RenderFrameHostImpl* host) {

 // Dedicated workers
 const url::Origin& GetContextForHost(DedicatedWorkerHost* host) {
-  return host->GetOrigin();
+  return host->GetWorkerOrigin();
 }

 void PopulateDedicatedWorkerBinders(DedicatedWorkerHost* host,

--- a/content/browser/worker_host/dedicated_worker_host.cc
+++ b/content/browser/worker_host/dedicated_worker_host.cc
--- a/content/browser/worker_host/dedicated_worker_host.h
+++ b/content/browser/worker_host/dedicated_worker_host.h
@@ -54,7 +54,7 @@ CONTENT_EXPORT void CreateDedicatedWorkerHostFactory(
    int worker_process_id,
    base::Optional<GlobalFrameRoutingId> creator_render_frame_host_id,
    GlobalFrameRoutingId ancestor_render_frame_host_id,
-    const url::Origin& origin,
+    const url::Origin& creator_origin,
    const network::CrossOriginEmbedderPolicy& cross_origin_embedder_policy,
    mojo::PendingReceiver<blink::mojom::DedicatedWorkerHostFactory> receiver);

@@ -70,7 +70,7 @@ class DedicatedWorkerHost final : public blink::mojom::DedicatedWorkerHost,
      RenderProcessHost* worker_process_host,
      base::Optional<GlobalFrameRoutingId> creator_render_frame_host_id,
      GlobalFrameRoutingId ancestor_render_frame_host_id,
-      const url::Origin& origin,
+      const url::Origin& creator_origin,
      const network::CrossOriginEmbedderPolicy& cross_origin_embedder_policy,
      mojo::PendingReceiver<blink::mojom::DedicatedWorkerHost> host);
  ~DedicatedWorkerHost() final;
@@ -79,7 +79,7 @@ class DedicatedWorkerHost final : public blink::mojom::DedicatedWorkerHost,
      mojo::PendingReceiver<blink::mojom::BrowserInterfaceBroker> receiver);

  RenderProcessHost* GetProcessHost() { return worker_process_host_; }
-  const url::Origin& GetOrigin() { return origin_; }
+  const url::Origin& GetWorkerOrigin() { return worker_origin_; }
  const network::CrossOriginEmbedderPolicy& cross_origin_embedder_policy()
      const {
    return cross_origin_embedder_policy_;
@@ -114,7 +114,6 @@ class DedicatedWorkerHost final : public blink::mojom::DedicatedWorkerHost,
  // PlzDedicatedWorker:
  void StartScriptLoad(
      const GURL& script_url,
-      const url::Origin& request_initiator_origin,
      network::mojom::CredentialsMode credentials_mode,
      blink::mojom::FetchClientSettingsObjectPtr
          outside_fetch_client_settings_object,
@@ -195,7 +194,12 @@ class DedicatedWorkerHost final : public blink::mojom::DedicatedWorkerHost,
  // of nested workers) indirectly via a tree of dedicated workers.
  const GlobalFrameRoutingId ancestor_render_frame_host_id_;

-  const url::Origin origin_;
+  // The origin of the frame or dedicated worker that starts this worker.
+  const url::Origin creator_origin_;
+
+  // The origin of this worker.
+  // https://html.spec.whatwg.org/C/#concept-settings-object-origin
+  const url::Origin worker_origin_;

  // The network isolation key to be used for both the worker script and the
  // worker's subresources.

--- a/content/browser/worker_host/dedicated_worker_service_impl_unittest.cc
+++ b/content/browser/worker_host/dedicated_worker_service_impl_unittest.cc
@@ -36,14 +36,14 @@ class MockDedicatedWorker

    if (base::FeatureList::IsEnabled(blink::features::kPlzDedicatedWorker)) {
      factory_->CreateWorkerHostAndStartScriptLoad(
-          GURL(), url::Origin(), network::mojom::CredentialsMode::kSameOrigin,
+          /*script_url=*/GURL(), network::mojom::CredentialsMode::kSameOrigin,
          blink::mojom::FetchClientSettingsObject::New(),
          mojo::PendingRemote<blink::mojom::BlobURLToken>(),
          receiver_.BindNewPipeAndPassRemote(),
          remote_host_.BindNewPipeAndPassReceiver());
    } else {
      factory_->CreateWorkerHost(
-          url::Origin(), browser_interface_broker_.BindNewPipeAndPassReceiver(),
+          browser_interface_broker_.BindNewPipeAndPassReceiver(),
          remote_host_.BindNewPipeAndPassReceiver());
    }
  }

--- a/content/renderer/worker/dedicated_worker_host_factory_client.cc
+++ b/content/renderer/worker/dedicated_worker_host_factory_client.cc
@@ -18,7 +18,6 @@
 #include "third_party/blink/public/mojom/service_worker/service_worker_provider.mojom.h"
 #include "third_party/blink/public/mojom/worker/worker_main_script_load_params.mojom.h"
 #include "third_party/blink/public/platform/web_dedicated_worker.h"
-#include "third_party/blink/public/platform/web_security_origin.h"
 #include "third_party/blink/public/platform/web_url.h"

 namespace content {
@@ -32,28 +31,25 @@ DedicatedWorkerHostFactoryClient::DedicatedWorkerHostFactoryClient(

 DedicatedWorkerHostFactoryClient::~DedicatedWorkerHostFactoryClient() = default;

-void DedicatedWorkerHostFactoryClient::CreateWorkerHostDeprecated(
-    const blink::WebSecurityOrigin& script_origin) {
+void DedicatedWorkerHostFactoryClient::CreateWorkerHostDeprecated() {
  DCHECK(!base::FeatureList::IsEnabled(blink::features::kPlzDedicatedWorker));
  mojo::PendingRemote<blink::mojom::BrowserInterfaceBroker>
      browser_interface_broker;
  factory_->CreateWorkerHost(
-      script_origin, browser_interface_broker.InitWithNewPipeAndPassReceiver(),
+      browser_interface_broker.InitWithNewPipeAndPassReceiver(),
      remote_host_.BindNewPipeAndPassReceiver());
  OnWorkerHostCreated(std::move(browser_interface_broker));
 }

 void DedicatedWorkerHostFactoryClient::CreateWorkerHost(
    const blink::WebURL& script_url,
-    const blink::WebSecurityOrigin& script_origin,
    network::mojom::CredentialsMode credentials_mode,
-    const blink::WebSecurityOrigin& fetch_client_security_origin,
    const blink::WebFetchClientSettingsObject& fetch_client_settings_object,
    mojo::ScopedMessagePipeHandle blob_url_token) {
  DCHECK(base::FeatureList::IsEnabled(blink::features::kPlzDedicatedWorker));

  factory_->CreateWorkerHostAndStartScriptLoad(
-      script_url, script_origin, credentials_mode,
+      script_url, credentials_mode,
      FetchClientSettingsObjectFromWebToMojom(fetch_client_settings_object),
      mojo::PendingRemote<blink::mojom::BlobURLToken>(
          std::move(blob_url_token), blink::mojom::BlobURLToken::Version_),

--- a/content/renderer/worker/dedicated_worker_host_factory_client.h
+++ b/content/renderer/worker/dedicated_worker_host_factory_client.h
@@ -43,13 +43,10 @@ class DedicatedWorkerHostFactoryClient final
  ~DedicatedWorkerHostFactoryClient() override;

  // Implements blink::WebDedicatedWorkerHostFactoryClient.
-  void CreateWorkerHostDeprecated(
-      const blink::WebSecurityOrigin& script_origin) override;
+  void CreateWorkerHostDeprecated() override;
  void CreateWorkerHost(
      const blink::WebURL& script_url,
-      const blink::WebSecurityOrigin& script_origin,
      network::mojom::CredentialsMode credentials_mode,
-      const blink::WebSecurityOrigin& fetch_client_security_origin,
      const blink::WebFetchClientSettingsObject& fetch_client_settings_object,
      mojo::ScopedMessagePipeHandle blob_url_token) override;
  scoped_refptr<blink::WebWorkerFetchContext> CloneWorkerFetchContext(

--- a/third_party/blink/public/mojom/worker/dedicated_worker_host_factory.mojom
+++ b/third_party/blink/public/mojom/worker/dedicated_worker_host_factory.mojom
@@ -14,7 +14,6 @@ import "third_party/blink/public/mojom/worker/dedicated_worker_host.mojom";
 import "third_party/blink/public/mojom/worker/worker_main_script_load_params.mojom";
 import "third_party/blink/public/mojom/service_worker/controller_service_worker.mojom";
 import "third_party/blink/public/mojom/service_worker/service_worker_provider.mojom";
-import "url/mojom/origin.mojom";
 import "url/mojom/url.mojom";

 // The name of the InterfaceProviderSpec in service manifests used by the
@@ -74,11 +73,7 @@ interface DedicatedWorkerHostFactory {
  //
  // Creates a new DedicatedWorkerHost, and requests |browser_interface_broker|
  // to provide the worker access to mojo interfaces.
-  // |origin| must either be
-  // unique or match the origin of the creating context (Document or
-  // DedicatedWorkerGlobalScope).
  CreateWorkerHost(
-      url.mojom.Origin origin,
      pending_receiver<blink.mojom.BrowserInterfaceBroker>
          browser_interface_broker,
      pending_receiver<DedicatedWorkerHost> host);
@@ -90,14 +85,11 @@ interface DedicatedWorkerHostFactory {
  // Creates a new DedicatedWorkerHost, and requests to start top-level worker
  // script loading for |script_url| using |credentials_mode| and
  // |outside_fetch_client_settings_object|.
-  // |origin| must either be unique or match the origin of the creating context
-  // (Document or DedicatedWorkerGlobalScope).
  // |blob_url_token| should be non-null when |script_url| is a blob URL.
  // |client| is used for notifying the renderer process of results of worker
  // host creation and script loading.
  CreateWorkerHostAndStartScriptLoad(
      url.mojom.Url script_url,
-      url.mojom.Origin origin,
      network.mojom.CredentialsMode credentials_mode,
      blink.mojom.FetchClientSettingsObject
          outside_fetch_client_settings_object,

--- a/third_party/blink/public/platform/web_dedicated_worker_host_factory_client.h
+++ b/third_party/blink/public/platform/web_dedicated_worker_host_factory_client.h
@@ -18,7 +18,6 @@ class SingleThreadTaskRunner;

 namespace blink {

-class WebSecurityOrigin;
 class WebURL;
 class WebWorkerFetchContext;

@@ -31,17 +30,11 @@ class WebDedicatedWorkerHostFactoryClient {
  // Requests the creation of DedicatedWorkerHost in the browser process.
  // For non-PlzDedicatedWorker. This will be removed once PlzDedicatedWorker is
  // enabled by default.
-  virtual void CreateWorkerHostDeprecated(
-      const blink::WebSecurityOrigin& script_origin) = 0;
+  virtual void CreateWorkerHostDeprecated() = 0;
  // For PlzDedicatedWorker.
-  // |fetch_client_security_origin| is intentionally separated from
-  // |fetch_client_settings_object| as it shouldn't be passed from renderer
-  // process from the security perspective.
  virtual void CreateWorkerHost(
      const blink::WebURL& script_url,
-      const blink::WebSecurityOrigin& script_origin,
      network::mojom::CredentialsMode credentials_mode,
-      const blink::WebSecurityOrigin& fetch_client_security_origin,
      const blink::WebFetchClientSettingsObject& fetch_client_settings_object,
      mojo::ScopedMessagePipeHandle blob_url_token) = 0;


--- a/third_party/blink/renderer/core/workers/dedicated_worker.cc
+++ b/third_party/blink/renderer/core/workers/dedicated_worker.cc
@@ -194,18 +194,14 @@ void DedicatedWorker::Start() {

    factory_client_->CreateWorkerHost(
        script_request_url_,
-        WebSecurityOrigin(GetExecutionContext()->GetSecurityOrigin()),
        credentials_mode,
-        WebSecurityOrigin(
-            outside_fetch_client_settings_object_->GetSecurityOrigin()),
        WebFetchClientSettingsObject(*outside_fetch_client_settings_object_),
        blob_url_token.PassPipe());
    // Continue in OnScriptLoadStarted() or OnScriptLoadStartFailed().
    return;
  }

-  factory_client_->CreateWorkerHostDeprecated(
-      WebSecurityOrigin(GetExecutionContext()->GetSecurityOrigin()));
+  factory_client_->CreateWorkerHostDeprecated();

  if (options_->type() == "classic") {
    // Legacy code path (to be deprecated, see https://crbug.com/835717):