authorMichael BrĂ¼ning <michael.bruning@qt.io>2018-10-31 18:26:29 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2018-11-01 12:54:56 +0000
commit39ae61b30ab321d324ca520a1c2a7ef8e86b74e3 (patch)
treeacf8970ca16d8eee7de8deca7e7f4f896524fe08
parent567960cec4db9b3cad82090ba0cf06b631e91e95 (diff)
[Backport] Fix for CVE-2018-17468
Do not forward resource timing to parent frame after back-forward navigation LocalFrame has a |should_send_resource_timing_info_to_parent_| flag so that timing info is not sent to the parent except for the first navigation. This flag is cleared when the first timing is sent to the parent; however, this does not happen if the iframe's first navigation was a back-forward navigation. For such iframes, we shouldn't send timings to the parent at all. Bug: 876822 Reviewed-on: https://chromium-review.googlesource.com/1186215 Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Kunihiko Sakamoto <ksakamoto@chromium.org> Cr-Commit-Position: refs/heads/master@{#585736} Change-Id: Iceb050ba3314de64e87f99f64d705a7e9c62d653 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/frame/LocalFrame.h4
-rw-r--r--chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp2
-rw-r--r--chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp10
3 files changed, 9 insertions, 7 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
index 72018c71f8a..52d9f9ab413 100644
--- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
+++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
@@ -300,8 +300,8 @@ class CORE_EXPORT LocalFrame final : public Frame,
bool should_send_resource_timing_info_to_parent() const {
return should_send_resource_timing_info_to_parent_;
}
- void DidSendResourceTimingInfoToParent() {
- should_send_resource_timing_info_to_parent_ = false;
+ void SetShouldSendResourceTimingInfoToParent(bool value) {
+ should_send_resource_timing_info_to_parent_ = value;
}
void SetIsProvisional(bool is_provisional) {
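Review bot: SetShouldSendResourceTimingInfoToParent(bool) widens the contract the removed DidSendResourceTimingInfoToParent() had: the flag could previously only be cleared, and now any caller can set it back to true, which would re-arm the forwarding that the should_send_resource_timing_info_to_parent() gate exists to stop. Every call site in this commit passes false, so the true path is unused. Consider keeping the one-way clear, or document the intended use on the setter: `// Only ever cleared, once the first timing has been forwarded to the parent or after a back-forward navigation; setting it back to true could expose a later navigation's timing to the parent.` The accessor pair sits inside class LocalFrame, whose definition continues outside the hunk.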
diff --git a/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp b/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
index a25fc1f45a1..d1a25df5153 100644
--- a/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
@@ -2186,7 +2186,7 @@ void WebLocalFrameImpl::SetCommittedFirstRealLoad() {
DCHECK(GetFrame());
GetFrame()->Loader().StateMachine()->AdvanceTo(
FrameLoaderStateMachine::kCommittedMultipleRealLoads);
- GetFrame()->DidSendResourceTimingInfoToParent();
+ GetFrame()->SetShouldSendResourceTimingInfoToParent(false);
}
void WebLocalFrameImpl::SetHasReceivedUserGesture() {
diff --git a/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index 5b25946840a..4e48c2d504c 100644
--- a/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -729,7 +729,7 @@ void FrameFetchContext::AddResourceTiming(const ResourceTimingInfo& info) {
// Main resource timing information is reported through the owner to be
// passed to the parent frame, if appropriate.
frame->Owner()->AddResourceTiming(info);
- frame->DidSendResourceTimingInfoToParent();
+ frame->SetShouldSendResourceTimingInfoToParent(false);
return;
}
@@ -817,10 +817,12 @@ bool FrameFetchContext::UpdateTimingInfoForIFrameNavigation(
// when crossing process boundaries.
if (!GetFrame()->should_send_resource_timing_info_to_parent())
return false;
- // Do not report iframe navigation that restored from history, since its
- // location may have been changed after initial navigation.
- if (MasterDocumentLoader()->LoadType() == kFrameLoadTypeInitialHistoryLoad)
+ // location may have been changed after initial navigation,
+ if (MasterDocumentLoader()->LoadType() == WebFrameLoadType::kBackForward) {
+ // ...and do not report subsequent navigations in the iframe too.
+ GetFrame()->SetShouldSendResourceTimingInfoToParent(false);
return false;
+ }
return true;
}
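Review bot: The comment above the kBackForward check is left as a sentence fragment: as rendered here, `// Do not report iframe navigation that restored from history, since its` is marked removed while its continuation `// location may have been changed after initial navigation,` survives, so the text now starts mid-sentence; either restore the first line as context or rewrite the surviving line into a full sentence. The new condition also broadens the old kFrameLoadTypeInitialHistoryLoad check to every WebFrameLoadType::kBackForward navigation, which is the point of the fix but deserves to be stated where the flag is cleared, e.g. `// Any back-forward navigation, not just the initial history load, disqualifies this iframe: its location may differ from what the parent requested, so stop forwarding timing for good.` UpdateTimingInfoForIFrameNavigation's signature and the comment ending at `when crossing process boundaries.` lie before the hunk.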