From 39ae61b30ab321d324ca520a1c2a7ef8e86b74e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Br=C3=BCning?=
Date: Wed, 31 Oct 2018 18:26:29 +0100
Subject: [Backport] Fix for CVE-2018-17468

Do not forward resource timing to parent frame after back-forward navigation LocalFrame has |should_send_resource_timing_info_to_parent_| flag not to send timing info to parent except for the first navigation. This flag is cleared when the first timing is sent to parent, however this does not happen if iframe's first navigation was by back-forward navigation. For such iframes, we shouldn't send timings to parent at all.
Bug: 876822
Reviewed-on: https://chromium-review.googlesource.com/1186215
Reviewed-by: Kinuko Yasuda
Commit-Queue: Kunihiko Sakamoto
Cr-Commit-Position: refs/heads/master@{#585736}
Change-Id: Iceb050ba3314de64e87f99f64d705a7e9c62d653
Reviewed-by: Allan Sandfeld Jensen
---
 chromium/third_party/WebKit/Source/core/frame/LocalFrame.h | 4 ++--
 .../third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp | 2 +-
 .../WebKit/Source/core/loader/FrameFetchContext.cpp | 10 ++++++----
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
index 72018c71f8a..52d9f9ab413 100644
--- a/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
+++ b/chromium/third_party/WebKit/Source/core/frame/LocalFrame.h
@@ -300,8 +300,8 @@ class CORE_EXPORT LocalFrame final : public Frame,
 bool should_send_resource_timing_info_to_parent() const {
 return should_send_resource_timing_info_to_parent_;
 }
- void DidSendResourceTimingInfoToParent() {
- should_send_resource_timing_info_to_parent_ = false;
+ void SetShouldSendResourceTimingInfoToParent(bool value) {
+ should_send_resource_timing_info_to_parent_ = value;
 }
 
 void SetIsProvisional(bool is_provisional) {
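Review bot: `SetShouldSendResourceTimingInfoToParent(bool value)` is undocumented, and unlike the one-way `DidSendResourceTimingInfoToParent()` it replaces it can also set the flag back to true, which would re-enable forwarding a child frame's navigation timing to its parent after it had been suppressed. Every call site in this patch passes false, so a comment pinning the intent would help future callers: `// Cleared once timing for this frame's first navigation has been reported to the parent, or when that navigation was a back/forward one; callers are not expected to re-enable it.` The enclosing LocalFrame class continues outside the hunk.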
diff --git a/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp b/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
index a25fc1f45a1..d1a25df5153 100644
--- a/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
+++ b/chromium/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp
@@ -2186,7 +2186,7 @@ void WebLocalFrameImpl::SetCommittedFirstRealLoad() {
 DCHECK(GetFrame());
 GetFrame()->Loader().StateMachine()->AdvanceTo(
 FrameLoaderStateMachine::kCommittedMultipleRealLoads);
- GetFrame()->DidSendResourceTimingInfoToParent();
+ GetFrame()->SetShouldSendResourceTimingInfoToParent(false);
 }
 
 void WebLocalFrameImpl::SetHasReceivedUserGesture() {
diff --git a/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index 5b25946840a..4e48c2d504c 100644
--- a/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/chromium/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -729,7 +729,7 @@ void FrameFetchContext::AddResourceTiming(const ResourceTimingInfo& info) {
 // Main resource timing information is reported through the owner to be
 // passed to the parent frame, if appropriate.
 frame->Owner()->AddResourceTiming(info);
- frame->DidSendResourceTimingInfoToParent();
+ frame->SetShouldSendResourceTimingInfoToParent(false);
 return;
 }
 
@@ -817,10 +817,12 @@ bool FrameFetchContext::UpdateTimingInfoForIFrameNavigation(
 // when crossing process boundaries.
 if (!GetFrame()->should_send_resource_timing_info_to_parent())
 return false;
- // Do not report iframe navigation that restored from history, since its
- // location may have been changed after initial navigation.
- if (MasterDocumentLoader()->LoadType() == kFrameLoadTypeInitialHistoryLoad)
+ // location may have been changed after initial navigation,
+ if (MasterDocumentLoader()->LoadType() == WebFrameLoadType::kBackForward) {
+ // ...and do not report subsequent navigations in the iframe too.
+ GetFrame()->SetShouldSendResourceTimingInfoToParent(false);
 return false;
+ }
 return true;
 }
 
-- cgit v1.2.3
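Review bot: The new comment block reads as a fragment: the line `// Do not report iframe navigation that restored from history, since its` is removed on the old side and not re-added, so the new side opens mid-sentence with `// location may have been changed after initial navigation,`. Re-add that first line above it so the two comment lines and the `// ...and do not report subsequent navigations in the iframe too.` continuation form one readable sentence. Separately, the condition narrows from `kFrameLoadTypeInitialHistoryLoad` to `WebFrameLoadType::kBackForward`; if this tree still produces a distinct initial-history load type for iframes restored from session history, that case is no longer suppressed and its timing would reach the parent, so it is worth confirming that back/forward is the only load type such navigations carry here and widening the `==` check otherwise. The start of UpdateTimingInfoForIFrameNavigation lies outside the hunk.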