Fix crashes from bindings checks that the agent clusters are the same

If a Webview app delays setting the allowUniversalAccessFromFileURLs it is possible that further accesses will fail because they are different agent clusters. Grant corss agent cluster access. BUG=1006684 Change-Id: Ic19b5ae26ffc03747f5d352f824a00e2deda776a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1857301Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Cr-Commit-Position: refs/heads/master@{#706096}

Fix crashes from bindings checks that the agent clusters are the same
If a Webview app delays setting the allowUniversalAccessFromFileURLs it is possible that further accesses will fail because they are different agent clusters. Grant corss agent cluster access. BUG=1006684 Change-Id: Ic19b5ae26ffc03747f5d352f824a00e2deda776a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1857301Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Dave Tapuska <dtapuska@chromium.org> Cr-Commit-Position: refs/heads/master@{#706096}
ecfcd3c3 · Dave Tapuska · Commit Bot · 8094a9ff · ecfcd3c3 · ecfcd3c3
Commit ecfcd3c3 authored Oct 15, 2019 by Dave Tapuska Committed by Commit Bot Oct 15, 2019
7 changed files
--- a/third_party/blink/renderer/core/frame/settings.json5
+++ b/third_party/blink/renderer/core/frame/settings.json5
@@ -103,6 +103,7 @@
    {
      name: "allowUniversalAccessFromFileURLs",
      initial: true,
+      invalidate: "UniversalAccess",
    },
    {
      name: "allowFileAccessFromFileURLs",

--- a/third_party/blink/renderer/core/frame/settings_delegate.h
+++ b/third_party/blink/renderer/core/frame/settings_delegate.h
@@ -71,6 +71,7 @@ class CORE_EXPORT SettingsDelegate {
    kScrollbarLayoutChange,
    kColorSchemeChange,
    kSpatialNavigationChange,
+    kUniversalAccessChange,
  };
  virtual void SettingsChanged(ChangeType) = 0;

--- a/third_party/blink/renderer/core/page/page.cc
+++ b/third_party/blink/renderer/core/page/page.cc
@@ -743,6 +743,22 @@ void Page::SettingsChanged(SettingsDelegate::ChangeType change_type) {
        GetSpatialNavigationController().OnSpatialNavigationSettingChanged();
      }
      break;
+    case SettingsDelegate::kUniversalAccessChange: {
+      if (!GetSettings().GetAllowUniversalAccessFromFileURLs())
+        break;
+      for (Frame* frame = MainFrame(); frame;
+           frame = frame->Tree().TraverseNext()) {
+        // If we got granted universal access from file urls we need to grant
+        // any outstanding security origin cross agent cluster access since
+        // newly allocated agent clusters will be the universal agent.
+        if (auto* local_frame = DynamicTo<LocalFrame>(frame)) {
+          local_frame->GetDocument()
+              ->GetMutableSecurityOrigin()
+              ->GrantCrossAgentClusterAccess();
+        }
+      }
+      break;
+    }
  }
 }

--- a/third_party/blink/renderer/core/testing/internal_settings.cc
+++ b/third_party/blink/renderer/core/testing/internal_settings.cc
@@ -549,6 +549,13 @@ void InternalSettings::setAutoplayPolicy(const String& policy_str,
  GetSettings()->SetAutoplayPolicy(policy);
 }
+void InternalSettings::setUniversalAccessFromFileURLs(
+    bool enabled,
+    ExceptionState& exception_state) {
+  InternalSettingsGuardForSettings();
+  GetSettings()->SetAllowUniversalAccessFromFileURLs(enabled);
+}
 void InternalSettings::PrepareForLeakDetection() {
  // Prepares for leak detection by removing all InternalSetting objects from
  // Pages.

--- a/third_party/blink/renderer/core/testing/internal_settings.h
+++ b/third_party/blink/renderer/core/testing/internal_settings.h
@@ -127,6 +127,7 @@ class InternalSettings final : public InternalSettingsGenerated,
  void setViewportStyle(const String& preference, ExceptionState&);
  void setPresentationReceiver(bool, ExceptionState&);
  void setAutoplayPolicy(const String&, ExceptionState&);
+  void setUniversalAccessFromFileURLs(bool, ExceptionState&);
  // FIXME: The following are RuntimeEnabledFeatures and likely
  // cannot be changed after process start. These setters should

--- a/third_party/blink/renderer/core/testing/internal_settings.idl
+++ b/third_party/blink/renderer/core/testing/internal_settings.idl
@@ -55,6 +55,7 @@ interface InternalSettings : InternalSettingsGenerated {
    [RaisesException] void setImageAnimationPolicy(DOMString policy);
    [RaisesException] void setPresentationReceiver(boolean enabled);
    [RaisesException] void setAutoplayPolicy(DOMString policy);
+    [RaisesException] void setUniversalAccessFromFileURLs(boolean enabled);
    // FIXME: The following are RuntimeEnabledFeatures and likely
    // cannot be changed after process start.  These setters should

--- a/third_party/blink/web_tests/http/tests/security/agent-universal-access.html
+++ b/third_party/blink/web_tests/http/tests/security/agent-universal-access.html
+<!DOCTYPE html>
+<html>
+<head>
+<title>Agent Universal Access Test</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+// Load an iframe after the universal access setting (normally set by
+// Android webview) has been set. The agents on the two iframes will
+// be different but access should still be allowed.
+async_test(t => {
+  internals.settings.setUniversalAccessFromFileURLs(true);
+  // create same origin iframe
+  let iframe = document.createElement('iframe');
+  iframe.addEventListener(
+    'load',
+    t.step_func(evt => {
+      iframe.contentDocument.body.style.backgroundColor = 'blue';
+      t.done();
+    }));
+  document.body.appendChild(iframe);
+  iframe.src =
+    'http://127.0.0.1:8000/security/resources/blank.html';
+  t.add_cleanup(() => {
+    document.body.removeChild(iframe);
+    internals.settings.setUniversalAccessFromFileURLs(false);
+  });
+}, 'Same-origin documents must share the same agent.');
+</script>
+</body>
+</html>