author | Hiroshige Hayashizaki <hiroshige@chromium.org> | 2021-02-08 21:38:43 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2021-04-19 22:46:02 +0000 |
commit | ecc53407b84a64a6a8039978e5c7dc2831d68755 (patch) | |
tree | c82c21152b6291be671b6286328908473bd4a66e | |
parent | 6189ff47fe004effa1d83ab549f4d662f4e50ca4 (diff) |
[Backport] Security bug 1175503
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2681148
Set mode for top-level module worker scripts to kSameOrigin
Bug: 1175503
Change-Id: I9a744da07beea87564b9563656c8ba81325d9a13
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Dominic Farolino <dom@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#851900}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
index 7bff037bb47..72826a360cd 100644
--- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
+++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
@@ -122,12 +122,6 @@ void ModuleScriptLoader::FetchInternal(
 
 ResourceLoaderOptions options(&modulator_->GetScriptState()->World());
 
- // <spec step="6">If destination is "worker" or "sharedworker" and the
- // top-level module fetch flag is set, then set request's mode to
- // "same-origin".</spec>
- // Cross-origin workers are not supported due to security checks in
- // AbstractWorker::ResolveURL, so no action needs to be taken here.
-
 // <spec step="7">Set up the module script request given request and
 // options.</spec>
 //
@@ -178,6 +172,26 @@ void ModuleScriptLoader::FetchInternal(
 fetch_client_settings_object.GetSecurityOrigin(),
 options_.CredentialsMode());
 
+ // <spec step="6">If destination is "worker" or "sharedworker" and the
+ // top-level module fetch flag is set, then set request's mode to
+ // "same-origin".</spec>
+ //
+ // `kServiceWorker` is included here for consistency, while it isn't mentioned
+ // in the spec. This doesn't affect the behavior, because we already forbid
+ // redirects and cross-origin response URLs in other places.
+ if ((module_request.Destination() ==
+ network::mojom::RequestDestination::kWorker ||
+ module_request.Destination() ==
+ network::mojom::RequestDestination::kSharedWorker ||
+ module_request.Destination() ==
+ network::mojom::RequestDestination::kServiceWorker) &&
+ level == ModuleGraphLevel::kTopLevelModuleFetch) {
+ // This should be done after SetCrossOriginAccessControl() that sets the
+ // mode to kCors.
+ fetch_params.MutableResourceRequest().SetMode(
+ network::mojom::RequestMode::kSameOrigin);
+ }
+
 // <spec step="5">... referrer is referrer, ...</spec>
 fetch_params.MutableResourceRequest().SetReferrerString(
 module_request.ReferrerString()); |
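Review bot: The same-origin restriction added in this block holds only because it runs after `SetCrossOriginAccessControl()`, which per the inline comment sets the mode to kCors, and nothing but that comment enforces the order. If a later edit moves either call, top-level worker module fetches would silently return to CORS mode, which appears to be the condition this security fix closes. Consider asserting the final mode under the same destination/level condition just before the request is issued, for example `DCHECK_EQ(fetch_params.GetResourceRequest().GetMode(), network::mojom::RequestMode::kSameOrigin);` (accessor names to be confirmed against the tree). A regression test that a top-level module worker fetch goes out in same-origin mode would also help, since the diffstat shows only this file changing. FetchInternal starts and ends outside the hunk, so the point where the fetch is issued is not visible here.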