Diffstat (limited to 'chromium/services/network/cors')
-rw-r--r--chromium/services/network/cors/cors_url_loader.cc12
-rw-r--r--chromium/services/network/cors/cors_url_loader_factory.cc83
2 files changed, 13 insertions, 82 deletions
diff --git a/chromium/services/network/cors/cors_url_loader.cc b/chromium/services/network/cors/cors_url_loader.cc
index 7606ceb59fb..266520702c0 100644
--- a/chromium/services/network/cors/cors_url_loader.cc
+++ b/chromium/services/network/cors/cors_url_loader.cc
@@ -129,18 +129,6 @@ void CorsURLLoader::FollowRedirect(
const net::HttpRequestHeaders& modified_headers,
const net::HttpRequestHeaders& modified_cors_exempt_headers,
const base::Optional<GURL>& new_url) {
- // If this is a navigation from a renderer, then its a service worker
- // passthrough of a navigation request. Since this case uses manual
- // redirect mode FollowRedirect() should never be called.
- if (process_id_ != mojom::kBrowserProcessId &&
- request_.mode == mojom::RequestMode::kNavigate) {
- mojo::ReportBadMessage(
- "CorsURLLoader: navigate from non-browser-process should not call "
- "FollowRedirect");
- HandleComplete(URLLoaderCompletionStatus(net::ERR_FAILED));
- return;
- }
-
if (!network_loader_ || !deferred_redirect_url_) {
HandleComplete(URLLoaderCompletionStatus(net::ERR_FAILED));
return;
diff --git a/chromium/services/network/cors/cors_url_loader_factory.cc b/chromium/services/network/cors/cors_url_loader_factory.cc
index dfc110d0596..60f73825b80 100644
--- a/chromium/services/network/cors/cors_url_loader_factory.cc
+++ b/chromium/services/network/cors/cors_url_loader_factory.cc
@@ -379,76 +379,18 @@ bool CorsURLLoaderFactory::IsValidRequest(const ResourceRequest& request,
return false;
}
- // The `force_main_frame_for_same_site_cookies` should only be set when a
- // service worker passes through a navigation request. In this case the
- // mode must be `kNavigate` and the destination must be empty.
- if (request.original_destination == mojom::RequestDestination::kDocument &&
- (request.mode != mojom::RequestMode::kNavigate ||
- request.destination != mojom::RequestDestination::kEmpty)) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: original_destination is unexpectedly set to "
- "kDocument");
- return false;
- }
-
- // Validate that a navigation redirect chain is not sent for a non-navigation
- // request.
- if (!request.navigation_redirect_chain.empty() &&
- request.mode != mojom::RequestMode::kNavigate) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: navigation redirect chain set for a "
- "non-navigation");
- return false;
- }
-
- // By default we compare the `request_initiator` to the lock below. This is
- // overridden for renderer navigations, however.
- base::Optional<url::Origin> origin_to_validate = request.request_initiator;
-
// Ensure that renderer requests are covered either by CORS or CORB.
if (process_id_ != mojom::kBrowserProcessId) {
switch (request.mode) {
case mojom::RequestMode::kNavigate:
- // A navigation request from a renderer can legally occur when a service
- // worker passes it through from its `FetchEvent.request` to `fetch()`.
- // In this case it is making a navigation request on behalf of the
- // original initiator. Since that initiator may be cross-origin, its
- // possible the request's initiator will not match our lock.
- //
- // To make this operation safe we instead compare the request URL origin
- // against the initiator lock. We can do this since service workers
- // should only ever handle same-origin navigations.
- //
- // With this approach its possible the initiator could be spoofed by the
- // renderer. However, since we have validated the request URL they can
- // only every lie to the origin that they have already compromised. It
- // does not allow an attacker to target other arbitrary origins.
- origin_to_validate = url::Origin::Create(request.url);
-
- // We further validate the navigation request by ensuring it has the
- // correct redirect mode. This avoids an attacker attempting to
- // craft a navigation that is then automatically followed to a separate
- // target origin. With manual mode the redirect will instead be
- // processed as an opaque redirect response that is passed back to the
- // renderer and navigation code. The redirected requested must be
- // sent anew and go through this validation again.
- if (request.redirect_mode != mojom::RedirectMode::kManual) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: navigate from non-browser-process with "
- "redirect_mode set to 'follow'");
- return false;
- }
-
- // Validate that a navigation redirect chain is always provided for a
- // navigation request.
- if (request.navigation_redirect_chain.empty()) {
- mojo::ReportBadMessage(
- "CorsURLLoaderFactory: navigate from non-browser-process without "
- "a redirect chain provided");
- return false;
- }
-
- break;
+ // Only the browser process can initiate navigations. This helps ensure
+ // that a malicious/compromised renderer cannot bypass CORB by issuing
+ // kNavigate, rather than kNoCors requests. (CORB should apply only to
+ // no-cors requests as tracked in https://crbug.com/953315 and as
+ // captured in https://fetch.spec.whatwg.org/#main-fetch).
+ mojo::ReportBadMessage(
+ "CorsURLLoaderFactory: navigate from non-browser-process");
+ return false;
case mojom::RequestMode::kSameOrigin:
case mojom::RequestMode::kCors:
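Review bot: The two validations dropped at the top of this hunk (the `original_destination == kDocument` consistency check and the "navigation redirect chain set for a non-navigation" check) were not tied to the renderer-navigation path that the new `kNavigate` branch now rejects; they ran for every process and every request mode, so a renderer request with `mode != kNavigate` but `original_destination == kDocument` or a non-empty `navigation_redirect_chain` is now accepted without a `ReportBadMessage`. Unless those fields were removed from `ResourceRequest` in the same change (not visible here), keep both checks as they were, ahead of the `process_id_` switch, so the mode-independent checks survive while renderer navigations are still rejected. The new branch ends in `return false;` so no `break;` is needed, but a one-line comment such as `// Service-worker passthrough of navigation requests is intentionally not supported here.` would tell readers why the former passthrough handling is gone. `IsValidRequest` starts before and continues after this hunk.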
@@ -462,11 +404,11 @@ bool CorsURLLoaderFactory::IsValidRequest(const ResourceRequest& request,
}
}
- // Depending on the type of request, compare either `request_initiator` or
- // `request.url` to `request_initiator_origin_lock_`.
+ // Compare |request_initiator| and |request_initiator_origin_lock_|.
InitiatorLockCompatibility initiator_lock_compatibility =
- VerifyRequestInitiatorLockWithPluginCheck(
- process_id_, request_initiator_origin_lock_, origin_to_validate);
+ VerifyRequestInitiatorLockWithPluginCheck(process_id_,
+ request_initiator_origin_lock_,
+ request.request_initiator);
UMA_HISTOGRAM_ENUMERATION(
"NetworkService.URLLoader.RequestInitiatorOriginLockCompatibility",
initiator_lock_compatibility);
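Review bot: The rewritten comment `// Compare |request_initiator| and |request_initiator_origin_lock_|.` uses pipe-delimited identifiers while the other comments in `IsValidRequest` quote identifiers with backticks; use the backtick form here for consistency. It would also help to note that `request.request_initiator` is passed through unchanged even when it is unset, since the lock-compatibility result is what the `switch` further down acts on (the switch is outside this hunk, so confirm that is still the intended handling). `IsValidRequest` starts before and continues after this hunk.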
@@ -495,6 +437,7 @@ bool CorsURLLoaderFactory::IsValidRequest(const ResourceRequest& request,
case InitiatorLockCompatibility::kIncorrectLock:
// Requests from the renderer need to always specify a correct initiator.
+ NOTREACHED();
if (base::FeatureList::IsEnabled(
features::kRequestInitiatorSiteLockEnfocement)) {
url::debug::ScopedOriginCrashKey initiator_lock_crash_key(