From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Shelley Vohr Date: Mon, 29 Aug 2022 11:44:57 +0200 Subject: fix: crash loading non-standard schemes in iframes This fixes a crash that occurs when loading non-standard schemes from iframes or webviews. This was happening because ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin contains explicit exceptions to allow built-in non-standard schemes, but does not check for non-standard schemes registered by the embedder. Upstream, https://bugs.chromium.org/p/chromium/issues/detail?id=1081397 contains several paths forward - here I chose to swap out the CHECK in navigation_request.cc from policy->CanAccessDataForOrigin to policy->CanCommitOriginAndUrl. Upstreamed at https://chromium-review.googlesource.com/c/chromium/src/+/3856266. diff --git a/content/browser/renderer_host/navigation_request.cc b/content/browser/renderer_host/navigation_request.cc index da87a4f823d6fa36589b6efc7e3b381fdd07b11c..c242e3ac8d62faf29f39a8d7bc46d08192e850f4 100644 --- a/content/browser/renderer_host/navigation_request.cc +++ b/content/browser/renderer_host/navigation_request.cc @@ -7454,10 +7454,11 @@ NavigationRequest::GetOriginForURLLoaderFactoryAfterResponseWithDebugInfo() { if (IsForMhtmlSubframe()) return origin_with_debug_info; - int process_id = GetRenderFrameHost()->GetProcess()->GetID(); - auto* policy = ChildProcessSecurityPolicyImpl::GetInstance(); - CHECK( - policy->CanAccessDataForOrigin(process_id, origin_with_debug_info.first)); + CanCommitStatus can_commit = GetRenderFrameHost()->CanCommitOriginAndUrl( + origin_with_debug_info.first, GetURL(), IsSameDocument(), IsPdf(), + GetUrlInfo().is_sandboxed); + CHECK_EQ(CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL, can_commit); + return origin_with_debug_info; } diff --git a/content/browser/renderer_host/render_frame_host_impl.h b/content/browser/renderer_host/render_frame_host_impl.h index 1e6cfb0e983bd432a6b21c08bb9b2855c0c3889c..57107b584b442d5b3c2d4c1e4c4653e3fddf862f 100644 --- a/content/browser/renderer_host/render_frame_host_impl.h +++ b/content/browser/renderer_host/render_frame_host_impl.h @@ -2953,6 +2953,17 @@ class CONTENT_EXPORT RenderFrameHostImpl // last committed document. CookieChangeListener::CookieChangeInfo GetCookieChangeInfo(); + // Returns whether the given origin and URL is allowed to commit in the + // current RenderFrameHost. The |url| is used to ensure it matches the origin + // in cases where it is applicable. This is a more conservative check than + // RenderProcessHost::FilterURL, since it will be used to kill processes that + // commit unauthorized origins. + CanCommitStatus CanCommitOriginAndUrl(const url::Origin& origin, + const GURL& url, + bool is_same_document_navigation, + bool is_pdf, + bool is_sandboxed); + // Sets a ResourceCache in the renderer. `this` must be active and there must // be no pending navigation. `remote` must have the same and process // isolation policy. @@ -3344,17 +3355,6 @@ class CONTENT_EXPORT RenderFrameHostImpl // relevant. void ResetWaitingState(); - // Returns whether the given origin and URL is allowed to commit in the - // current RenderFrameHost. The |url| is used to ensure it matches the origin - // in cases where it is applicable. This is a more conservative check than - // RenderProcessHost::FilterURL, since it will be used to kill processes that - // commit unauthorized origins. - CanCommitStatus CanCommitOriginAndUrl(const url::Origin& origin, - const GURL& url, - bool is_same_document_navigation, - bool is_pdf, - bool is_sandboxed); - // Returns whether a subframe navigation request should be allowed to commit // to the current RenderFrameHost. bool CanSubframeCommitOriginAndUrl(NavigationRequest* navigation_request);