Pchen0/electron @ d8baceb08caae374d3931d5747152e3971a1a379

Tree: d8baceb08c

1-3-x

1-4-x

1-5-x

1-6-x

1-7-x

1-8-x

10-x-y

11-x-y

12-x-y

13-x-y

14-x-y

15-x-y

16-x-y

17-x-y

18-x-y

19-x-y

2-0-x

2-1-x

20-x-y

21-x-y

22-x-y

23-x-y

24-x-y

25-x-y

26-x-y

27-x-y

28-x-y

29-x-y

3-0-x

3-1-x

30-x-y

31-x-y

32-x-y

33-x-y

34-x-y

35-x-y

36-x-y

4-0-x

4-1-x

4-2-x

5-0-x

6-0-x

6-1-x

7-0-x

7-1-x

7-2-x

7-3-x

8-x-y

9-x-y

actions-mac-test

alice-fix-open-external-bug

alice-prototype-same-site

alice-remove-import

appveyor-node2017-bake

better-console-message

build/preserve-patch-line-endings

build/remove-fs-extra-devdep--31-x-y

bump-appveyor-image

bump-appveyor-image-node-18

check-mnt

cherry-pick/33-x-y/chromium/df77f100c3c2

cherry-pick/33-x-y/v8/20d9a7f760c0

cherry-pick/33-x-y/v8/3fdedec45691

cherry-pick/main/chromium/013961609785

cherry-pick/security/29-x-y/release-1-m121

cherry-pick/security/30-x-y/2-m127-to-2-m129

cherry-pick/security/30-x-y/2-m129

cherry-pick/security/32-x-y/3-m126

cherry-pick/security/33-x-y/3-m129

chore/add-domain-is-check

chore/comment-out-unused-arg-names

chore/eslint-code-blocks

chore/prefer-as-const

chromium-lts-31-x-y

circle-windows

clavin/remove-unused-spellcheck-srcs

clavin/smooth-corner-rounding

close-windows-harder

codesign-fix

confirm-bg-color-corruption

custom-error-pages

dd-tests

delete-src-artifacts-when-done

dependabot/github_actions/main/actions/setup-node-4.3.0

dependabot/npm_and_yarn/main/eslint-plugin-unicorn-56.0.1

dependabot/npm_and_yarn/main/markdownlint-cli2-0.17.2

dip-screen-rect-linux

display_id-to-displayId

docs/deprecate-null-session

docs/win-asar

dsanders11/test-mdx-docs

enable-read-write-svg

enable-report-specs

eslint-code-blocks-test

esm-loading-pkg-json

feat/enable-extension

feat/frame-copy-image

feat/gamescope-overlay

feat/resync-default-font-list

feat/toggle-extensions

fix-browser-view-drag-remove

fix-drag-drop-crash

fix-ensure-win-close

fix-frameless-frame

fix-ipc-race-2

fix-lint

fix-message-port-crash

fix-message-port-serialize-issue

fix-same-party-cookie-patch

fix-service-worker-registration-24

fix-setbg-wcv

fix-user-agent

fix-util-proc-crash

fix-visibilitystate-webview

fix/Wunsafe-buffer-usage-warning

fix/actionable-submenu-accels

fix/capture-window-on-top

fix/ipc-callback-crash

fix/webrequest-checks

fixup-win-release-checkout

flake-fix

fps-patch

get-recent-documents

get-resource-usage

gh-actions-fixup-publish

gh-actions-mac-publish

gh-actions-publish-both-question-mark

gh-actions-publish-linux

gh-actions-split-publish-jobs

gh-macos-publish

gha

gha-lin-test

gxu-add-handlers

gxu-frame-eviction-patch

hardfalcon-26-x-y_simdutf-3.2.9

legacymainresolvefix

lf-patch-test

line-numbers-wildcard

m1-tests-x64

m1-x64

main

miniak/browser-view-apis

miniak/deprecate-event-sender

miniak/document-idle

miniak/drop-macos-10.13-10.14-support

miniak/frozen-intrinsics

miniak/get-user-default-from-suite

miniak/gpu-info-update

miniak/ipc-renderer-internal

miniak/listen-url-slash

miniak/prefer-switch

miniak/set-window-open-handler-features

miniak/unicorn-prefer

mp-33-x-y-appveyor-node-20-17

net-no-response-error

no-onwindowshow

node-20.17-appveyor

pdf-tests

perf/avoid-double-map-lookup-in-ElectronComponentExtensionResourceManager

perf/avoid-double-map-lookup-in-WebContents.DevToolsIndexPath()

perf/avoid-double-map-lookup-in-WebFrameMain-ctor

perf/avoid-map-temporaries-in-IsDevToolsFileSystemAdded

perf/avoid-redundant-map-lookup-when-creating-ElectronBrowserContext

perf/avoid-redundant-map-lookups-in-GlobalShortcut

perf/use-NewFromUtf8Literal-for-literals

perf/use-v8-eternal-for-immortal-globals

permission-v2

ppontes/restore-force-lf-for-patches

ppontes/restore-force-lf-for-patches-split

pr/31571

printing-rework

qpt

re-add-occluded

re-enable-thin-lto

re-enable-thin-lto-node-22

refactor/UvTaskRunner

refactor/aggregate-RootView-main_view_

refactor/avoid-deprecated-WIDGET_OWNS_NATIVE_WIDGET

refactor/extension-registrar

refactor/gin-span

refactor/migrate-to-crypto-hash

refactor/prefer-span-over-node-buffer-api

refactor/put-empty-virtual-function-definitions-in-header

refactor/reduce-use-of-AdaptCallbackForRepeating

refactor/remove-unnecessary-template-type-in-EmitEvent()

replace-browserview-merge-check

replace-browserview-update

req-origin-ses

resource-allowlist

restore-window-state

revert-44516-doc/fix-apostrophe-typos

revert-destroy-url-loader-wrapper

revert-domainis-refactor

revert-dxDiagNodeData

revert-wayland-generic-capturer

robo/add_wpt_testing

robo/enable_spare_renderer

robo/support_url_property_fetch_response

roll-mantle

roller/chromium/36-x-y

roller/chromium/main

roller/node/34-x-y

roller/orb/continuousauth/npm/main

roller/orb/electronjs/node/main

same-party-patch

sckp

sckp-chrome-upstream

sckp-k

sckp-macos15

security/29-x-y/0-m126

security/29-x-y/2-m124

single-check

slow-same-party-revert

spike-storage-access-api

split-ipc-renderer

support-dip-screen-conversion-linux

support-system-context-menu-linux

switch-check

tabs-onupdated

test-bake-image

test-macos

test-menu-accelerators

test-mksnapshot-compile

test-patch-lf

test-patch-roll

test/native-click

test/osr-colors

testing-nan-patch

thumb-cap

timeout-never-click-fix

trop/29-x-y-bp-fix-wco-maximize-button-visibility-when-non-maximizable-1712824186798

trop/30-x-y-bp-fix-wco-maximize-button-visibility-when-non-maximizable-1712824180841

trop/31-x-y-bp-build-remove-appveyor-bake-1739909097137

trop/32-x-y-bp-build-remove-appveyor-bake-1739909098763

trop/32-x-y-bp-chore-add-process-memory-limit-details-in-parition_alloc-oom-handler-1730720959588

trop/33-x-y-bp-build-remove-appveyor-bake-1739909100722

trop/33-x-y-bp-fix-destroy-url-loader-wrapper-when-js-env-exits-1732033976533

trop/34-x-y-bp-build-remove-appveyor-bake-1739909097719

trop/34-x-y-bp-fix-webcontents-printtopdf-with-cross-process-subframes-1742908615986

trop/34-x-y-bp-perf-don-t-wait-for-thumbnails-if-they-were-not-requested-on-macos-1742901653464

trop/35-x-y-bp-build-fixup-release-builds-1742842528613

trop/35-x-y-bp-fix-oob-string-read-when-parsing-node_options-1742898799929

trop/35-x-y-bp-fix-webcontents-printtopdf-with-cross-process-subframes-1742908615377

trop/35-x-y-bp-refactor-add-electronbrowsercontext-getdefaultbrowsercontext--1742219011551

trop/36-x-y-bp-fix-webcontents-printtopdf-with-cross-process-subframes-1742908616946

trop/36-x-y-bp-perf-don-t-wait-for-thumbnails-if-they-were-not-requested-on-macos-1742901658374

try-fix-applescript

try-remove-embedder-exception-patch--34-x-y

try-remove-timeout

use-custom-upterm-server

utility-process-wrapper-check

wayland-roll-tests

wfm-cross-origin

win-cross

windows-runner-2

windows-runner-big

writing-tools

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shelley Vohr <[email protected]>
Date: Mon, 29 Aug 2022 11:44:57 +0200
Subject: fix: crash loading non-standard schemes in iframes

This fixes a crash that occurs when loading non-standard schemes from
iframes or webviews. This was happening because
ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin contains explicit
exceptions to allow built-in non-standard schemes, but does not check
for non-standard schemes registered by the embedder.

This patch adjusts the origin calculation for subframe non-standard schemes in
 - browser process at `NavigationRequest::GetOriginForURLLoaderFactoryUncheckedWithDebugInfo`
 - render process at `DocumentLoader::CalculateOrigin`

When top level frame navigates to non-standard scheme url, the origin is calculated
as `null` without any derivation. It is only in cases where there is a `initiator_origin`
then the origin is derived from it, which is usually the case for renderer initiated
navigations and iframes are no exceptions from this rule.

The patch should be removed in favor of either:
  - Remove support for non-standard custom schemes
  - Register non-standard custom schemes as websafe schemes and update
  CPSPI::CanAccessDataForOrigin to allow them for any navigation.
  - Update the callsite to use RFHI::CanCommitOriginAndUrl in upstream, previous
  effort to do this can be found at https://chromium-review.googlesource.com/c/chromium/src/+/3856266.

Upstream bug https://bugs.chromium.org/p/chromium/issues/detail?id=1081397.

diff --git a/content/browser/renderer_host/navigation_request.cc b/content/browser/renderer_host/navigation_request.cc
index 0c67607fd99b2fceba176308a041c8f08643506a..6b38139e1b58db7c7a0c4d553ed2cdaa11a63d2d 100644
--- a/content/browser/renderer_host/navigation_request.cc
+++ b/content/browser/renderer_host/navigation_request.cc
@@ -10980,6 +10980,12 @@ NavigationRequest::GetOriginForURLLoaderFactoryUncheckedWithDebugInfo() {
         "blob");
   }
 
+  if (!common_params().url.IsStandard() && !common_params().url.IsAboutBlank()) {
+    return std::make_pair(url::Origin::Resolve(common_params().url,
+                                url::Origin()),
+          "url_non_standard");
+  }
+
   // In cases not covered above, URLLoaderFactory should be associated with the
   // origin of |common_params.url| and/or |common_params.initiator_origin|.
   url::Origin resolved_origin = url::Origin::Resolve(
diff --git a/third_party/blink/renderer/core/loader/document_loader.cc b/third_party/blink/renderer/core/loader/document_loader.cc
index cbf8b2ed5ce03a3b4524f4e7f97bbb7750e5c583..b84bdff826390234f470025edba02abddefff045 100644
--- a/third_party/blink/renderer/core/loader/document_loader.cc
+++ b/third_party/blink/renderer/core/loader/document_loader.cc
@@ -2325,6 +2325,10 @@ Frame* DocumentLoader::CalculateOwnerFrame() {
 scoped_refptr<SecurityOrigin> DocumentLoader::CalculateOrigin(
     Document* owner_document) {
   scoped_refptr<SecurityOrigin> origin;
+  bool is_standard = false;
+  std::string protocol = url_.Protocol().Ascii();
+  is_standard = url::IsStandard(
+      protocol.data(), url::Component(0, static_cast<int>(protocol.size())));
   StringBuilder debug_info_builder;
   // Whether the origin is newly created within this call, instead of copied
   // from an existing document's origin or from `origin_to_commit_`. If this is
@@ -2378,6 +2382,10 @@ scoped_refptr<SecurityOrigin> DocumentLoader::CalculateOrigin(
     // the end of this function.
     origin = origin_to_commit_;
     debug_info_builder.Append("use_origin_to_commit");
+  } else if (!SecurityOrigin::ShouldUseInnerURL(url_) &&
+             !is_standard) {
+    debug_info_builder.Append("use_url_with_non_standard_scheme");
+    origin = SecurityOrigin::Create(url_);
   } else {
     debug_info_builder.Append("use_url_with_precursor");
     // Otherwise, create an origin that propagates precursor information

fix_crash_loading_non-standard_schemes_in_iframes.patch 3.9 KB History Raw

fix_crash_loading_non-standard_schemes_in_iframes.patch 3.9 KB

History Raw