Diffstat (limited to 'chromium/services/network/cors')
-rw-r--r-- | chromium/services/network/cors/cors_url_loader.cc | 12 | ||||
-rw-r--r-- | chromium/services/network/cors/cors_url_loader_factory.cc | 83 |
2 files changed, 13 insertions, 82 deletions
diff --git a/chromium/services/network/cors/cors_url_loader.cc b/chromium/services/network/cors/cors_url_loader.cc
index 7606ceb59fb..266520702c0 100644
--- a/chromium/services/network/cors/cors_url_loader.cc
+++ b/chromium/services/network/cors/cors_url_loader.cc
@@ -129,18 +129,6 @@ void CorsURLLoader::FollowRedirect(
 const net::HttpRequestHeaders& modified_headers,
 const net::HttpRequestHeaders& modified_cors_exempt_headers,
 const base::Optional<GURL>& new_url) {
- // If this is a navigation from a renderer, then its a service worker
- // passthrough of a navigation request. Since this case uses manual
- // redirect mode FollowRedirect() should never be called.
- if (process_id_ != mojom::kBrowserProcessId &&
- request_.mode == mojom::RequestMode::kNavigate) {
- mojo::ReportBadMessage(
- "CorsURLLoader: navigate from non-browser-process should not call "
- "FollowRedirect");
- HandleComplete(URLLoaderCompletionStatus(net::ERR_FAILED));
- return;
- }
-
 if (!network_loader_ || !deferred_redirect_url_) {
 HandleComplete(URLLoaderCompletionStatus(net::ERR_FAILED));
 return;
diff --git a/chromium/services/network/cors/cors_url_loader_factory.cc b/chromium/services/network/cors/cors_url_loader_factory.cc
index dfc110d0596..60f73825b80 100644
--- a/chromium/services/network/cors/cors_url_loader_factory.cc
+++ b/chromium/services/network/cors/cors_url_loader_factory.cc
@@ -379,76 +379,18 @@ bool CorsURLLoaderFactory::IsValidRequest(const ResourceRequest& request,
 return false;
 }
- // The `force_main_frame_for_same_site_cookies` should only be set when a
- // service worker passes through a navigation request. In this case the
- // mode must be `kNavigate` and the destination must be empty.
- if (request.original_destination == mojom::RequestDestination::kDocument &&
- (request.mode != mojom::RequestMode::kNavigate ||
- request.destination != mojom::RequestDestination::kEmpty)) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: original_destination is unexpectedly set to "
- "kDocument");
- return false;
- }
-
- // Validate that a navigation redirect chain is not sent for a non-navigation
- // request.
- if (!request.navigation_redirect_chain.empty() &&
- request.mode != mojom::RequestMode::kNavigate) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: navigation redirect chain set for a "
- "non-navigation");
- return false;
- }
-
- // By default we compare the `request_initiator` to the lock below. This is
- // overridden for renderer navigations, however.
- base::Optional<url::Origin> origin_to_validate = request.request_initiator;
-
 // Ensure that renderer requests are covered either by CORS or CORB.
 if (process_id_ != mojom::kBrowserProcessId) {
 switch (request.mode) {
 case mojom::RequestMode::kNavigate:
- // A navigation request from a renderer can legally occur when a service
- // worker passes it through from its `FetchEvent.request` to `fetch()`.
- // In this case it is making a navigation request on behalf of the
- // original initiator. Since that initiator may be cross-origin, its
- // possible the request's initiator will not match our lock.
- //
- // To make this operation safe we instead compare the request URL origin
- // against the initiator lock. We can do this since service workers
- // should only ever handle same-origin navigations.
- //
- // With this approach its possible the initiator could be spoofed by the
- // renderer. However, since we have validated the request URL they can
- // only every lie to the origin that they have already compromised. It
- // does not allow an attacker to target other arbitrary origins.
- origin_to_validate = url::Origin::Create(request.url);
-
- // We further validate the navigation request by ensuring it has the
- // correct redirect mode. This avoids an attacker attempting to
- // craft a navigation that is then automatically followed to a separate
- // target origin. With manual mode the redirect will instead be
- // processed as an opaque redirect response that is passed back to the
- // renderer and navigation code. The redirected requested must be
- // sent anew and go through this validation again.
- if (request.redirect_mode != mojom::RedirectMode::kManual) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: navigate from non-browser-process with "
- "redirect_mode set to 'follow'");
- return false;
- }
-
- // Validate that a navigation redirect chain is always provided for a
- // navigation request.
- if (request.navigation_redirect_chain.empty()) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: navigate from non-browser-process without "
- "a redirect chain provided");
- return false;
- }
-
- break;
+ // Only the browser process can initiate navigations. This helps ensure
+ // that a malicious/compromised renderer cannot bypass CORB by issuing
+ // kNavigate, rather than kNoCors requests. (CORB should apply only to
+ // no-cors requests as tracked in https://crbug.com/953315 and as
+ // captured in https://fetch.spec.whatwg.org/#main-fetch).
+ mojo::ReportBadMessage(
+ "CorsURLLoaderFactory: navigate from non-browser-process");
+ return false;
 case mojom::RequestMode::kSameOrigin:
 case mojom::RequestMode::kCors:
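Review bot: The new `case mojom::RequestMode::kNavigate:` branch rejects renderer navigations, but the two checks deleted above the switch were not tied to renderer navigations — they rejected `original_destination == kDocument` on anything other than a `kNavigate`/`kEmpty`-destination request, and a non-empty `navigation_redirect_chain` on any non-`kNavigate` request, for every caller including the browser process. Nothing in the new code replaces them, so if those `ResourceRequest` fields still exist in this tree after the change, a request carrying an inconsistent `original_destination` or a stray redirect chain now passes `IsValidRequest` where it previously produced a bad-message report; I cannot tell from the hunk whether another layer validates them. Either restore the two pre-switch checks in their original form or add a comment at the top of the renderer block stating where that validation now happens (or why the fields can no longer be set), e.g. `// original_destination / navigation_redirect_chain are no longer validated here; see <PLACEHOLDER: owning check or removal CL>.` `IsValidRequest` begins before this hunk and continues after it.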
@@ -462,11 +404,11 @@ bool CorsURLLoaderFactory::IsValidRequest(const ResourceRequest& request,
 }
 }
- // Depending on the type of request, compare either `request_initiator` or
- // `request.url` to `request_initiator_origin_lock_`.
+ // Compare |request_initiator| and |request_initiator_origin_lock_|.
 InitiatorLockCompatibility initiator_lock_compatibility =
- VerifyRequestInitiatorLockWithPluginCheck(
- process_id_, request_initiator_origin_lock_, origin_to_validate);
+ VerifyRequestInitiatorLockWithPluginCheck(process_id_,
+ request_initiator_origin_lock_,
+ request.request_initiator);
 UMA_HISTOGRAM_ENUMERATION(
 "NetworkService.URLLoader.RequestInitiatorOriginLockCompatibility",
 initiator_lock_compatibility);
@@ -495,6 +437,7 @@ bool CorsURLLoaderFactory::IsValidRequest(const ResourceRequest& request,
 case InitiatorLockCompatibility::kIncorrectLock:
 // Requests from the renderer need to always specify a correct initiator.
+ NOTREACHED();
 if (base::FeatureList::IsEnabled(
 features::kRequestInitiatorSiteLockEnfocement)) {
 url::debug::ScopedOriginCrashKey initiator_lock_crash_key(
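Review bot: The added `NOTREACHED();` in the `kIncorrectLock` case carries no explanation of why this case is now considered impossible, and the existing comment above it only restates the invariant. Presumably the reasoning is that, with the renderer `kNavigate` path now rejected earlier in `IsValidRequest`, every renderer request reaching the lock comparison is a CORS/CORB-covered one, but that dependency is not stated here and the comparison code itself is unchanged. If `NOTREACHED()` in this tree is DCHECK-based, it is a no-op in release builds and the feature-gated handling below still runs, which is worth saying so a later reader does not delete that code as dead; suggested comment in place of the current one: `// Renderer-initiated kNavigate requests are rejected above, so a mismatching initiator is not expected here. NOTREACHED() only fires in DCHECK builds; the enforcement below stays as the release-mode fallback.` The enclosing `switch` and `IsValidRequest` continue beyond this hunk.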