fix: crash loading non-standard schemes in iframes
1 parent
4744674
commit 17c4c86
Showing
4 changed files
with
112 additions
and
1 deletion.
78 changes: 78 additions & 0 deletions
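--- a/patches/chromium/fix_crash_loading_non-standard_schemes_in_iframes.patch
+++ b/patches/chromium/fix_crash_loading_non-standard_schemes_in_iframes.patch
@@ -0,0 +1,78 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shelley Vohr <shelley.vohr@gmail.com>
+Date: Mon, 29 Aug 2022 11:44:57 +0200
+Subject: fix: crash loading non-standard schemes in iframes
+
+This fixes a crash that occurs when loading non-standard schemes from
+iframes or webviews. This was happening because
+ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin contains explicit
+exceptions to allow built-in non-standard schemes, but does not check
+for non-standard schemes registered by the embedder.
+
+Upstream, https://bugs.chromium.org/p/chromium/issues/detail?id=1081397
+contains several paths forward - here I chose to swap out the
+CHECK in navigation_request.cc from policy->CanAccessDataForOrigin to
+policy->CanCommitOriginAndUrl.
+
+This, or a version of it, will be upstreamed.
+
+diff --git a/content/browser/renderer_host/navigation_request.cc b/content/browser/renderer_host/navigation_request.cc
+index b1120c9270a255e4b6070c0d2b5f49e6f99d935d..407888cb17d3e609ad7aaa2ed1c079642df60bca 100644
+--- a/content/browser/renderer_host/navigation_request.cc
++++ b/content/browser/renderer_host/navigation_request.cc
+@@ -6517,10 +6517,11 @@ std::pair<url::Origin, std::string> NavigationRequest::
+if (IsForMhtmlSubframe())
+return origin_with_debug_info;
+
+- int process_id = GetRenderFrameHost()->GetProcess()->GetID();
+- auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
+- CHECK(
+- policy->CanAccessDataForOrigin(process_id, origin_with_debug_info.first));
++ CanCommitStatus can_commit = GetRenderFrameHost()->CanCommitOriginAndUrl(
++ origin_with_debug_info.first, GetURL(), IsSameDocument(), IsPdf(),
++ GetUrlInfo().is_sandboxed);
++ CHECK_EQ(CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL, can_commit);
++
+return origin_with_debug_info;
+}
+
+diff --git a/content/browser/renderer_host/render_frame_host_impl.h b/content/browser/renderer_host/render_frame_host_impl.h
+index b1259618ff4dc1848cf007d853e6f3e70b08829f..3d4e6c4c7e0348c52c3f0ccd0f6c19e0e1ec15a5 100644
+--- a/content/browser/renderer_host/render_frame_host_impl.h
++++ b/content/browser/renderer_host/render_frame_host_impl.h
+@@ -2550,6 +2550,17 @@ class CONTENT_EXPORT RenderFrameHostImpl
+HandleAXEvents(tree_id, std::move(updates_and_events), reset_token);
+}
+
++ // Returns whether the given origin and URL is allowed to commit in the
++ // current RenderFrameHost. The |url| is used to ensure it matches the origin
++ // in cases where it is applicable. This is a more conservative check than
++ // RenderProcessHost::FilterURL, since it will be used to kill processes that
++ // commit unauthorized origins.
++ CanCommitStatus CanCommitOriginAndUrl(const url::Origin& origin,
++ const GURL& url,
++ bool is_same_document_navigation,
++ bool is_pdf,
++ bool is_sandboxed);
++
+protected:
+friend class RenderFrameHostFactory;
+
+@@ -2879,17 +2890,6 @@ class CONTENT_EXPORT RenderFrameHostImpl
+// relevant.
+void ResetWaitingState();
+
+- // Returns whether the given origin and URL is allowed to commit in the
+- // current RenderFrameHost. The |url| is used to ensure it matches the origin
+- // in cases where it is applicable. This is a more conservative check than
+- // RenderProcessHost::FilterURL, since it will be used to kill processes that
+- // commit unauthorized origins.
+- CanCommitStatus CanCommitOriginAndUrl(const url::Origin& origin,
+- const GURL& url,
+- bool is_same_document_navigation,
+- bool is_pdf,
+- bool is_sandboxed);
+-
+// Returns whether a subframe navigation request should be allowed to commit
+// to the current RenderFrameHost.
+bool CanSubframeCommitOriginAndUrl(NavigationRequest* navigation_request);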
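Review bot: The embedded render_frame_host_impl.h hunks (`@@ -2550` and `@@ -2879`) move CanCommitOriginAndUrl from the protected section to the public section of RenderFrameHostImpl, which widens a process-killing security check to every caller when the only new caller is NavigationRequest. Unless NavigationRequest is already a friend of RenderFrameHostImpl (not visible in the patch), a `friend class NavigationRequest;` next to the existing `friend class RenderFrameHostFactory;` would keep the method protected and the change smaller. If the visibility change is kept, the moved comment should say why it is public, e.g. `// Public so NavigationRequest can verify the origin it computes before commit; treat as an internal security check, not general API.`. The navigation_request.cc hunk replaces a CHECK with a CHECK_EQ on this method, so a failed check still terminates the browser process rather than the renderer the header comment describes; the enclosing NavigationRequest member function starts and ends outside that hunk.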
@@ -0,0 +1,11 @@ | ||
<body> | ||
<iframe src="custom://base-page.html"></iframe> | ||
<script> | ||
const { ipcRenderer } = require('electron'); | ||
const iframe = document.querySelector('iframe'); | ||
|
||
iframe.addEventListener('load', () => { | ||
ipcRenderer.send('loaded-iframe-custom-protocol'); | ||
}); | ||
</script> | ||
</body> |