
Handle blob URL deregister on same-site RFH swap in origin comparison code

Now that blob URL calculations can fully happen on the browser side, we
can compare browser vs renderer origin in all blob cases. One exception
is when we do a same-site RFH swap from the document that registers the
blob URL we're navigating to. In this case the blob URL's origin might
get deleted from the map before the commit finishes, causing the
renderer to think that the origin is opaque. In this case the browser
side has the correct origin, which is used as the precursor for the
renderer's opaque origin. This CL makes us compare the precursor for
this case.

Bug: 888079
Change-Id: I52da40a27457344a588e06305115b57e1597be07
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5860177
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Auto-Submit: Rakina Zata Amni <rakina@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1356018}
This commit is contained in:
Rakina Zata Amni
2024-09-16 18:52:22 +00:00
committed by Chromium LUCI CQ
parent 557fe3e61c
commit 55910bd23e

@ -755,17 +755,10 @@ void VerifyThatBrowserAndRendererCalculatedOriginsToCommitMatch(
if (navigation_request->state() < NavigationRequest::WILL_PROCESS_RESPONSE)
return;
// Blob urls with content scheme are opaque on browser side because the
// browser doesn't have access to the BlobURLNullOriginMap.
// (https://crbug.com/1295268).
const url::Origin& renderer_side_origin = params.origin;
std::pair<std::optional<url::Origin>, std::string>
browser_side_origin_and_debug_info =
navigation_request->browser_side_origin_to_commit_with_debug_info();
if (renderer_side_origin.scheme() == url::kContentScheme &&
browser_side_origin_and_debug_info.first->opaque()) {
return;
}
// For non-opaque origins, we say the browser and renderer calculated origins
// match if they are exactly the same.
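Review bot: the content-scheme early return dereferences `browser_side_origin_and_debug_info.first->opaque()` without checking that the `std::optional<url::Origin>` holds a value; if the browser side could not compute an origin this is undefined behaviour rather than a mismatch report. Either guard with `first.has_value()` (treating an empty optional as a mismatch so the DumpWithoutCrashing below still fires) or add a comment stating why the optional is guaranteed to be populated once `state() >= WILL_PROCESS_RESPONSE`. Minor style point: "Blob urls" in the comment should be "Blob URLs" to match the capitalisation used elsewhere in this function.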
@ -792,6 +785,21 @@ void VerifyThatBrowserAndRendererCalculatedOriginsToCommitMatch(
->GetTupleOrPrecursorTupleIfOpaque());
}
// For Blob URLs, it's possible that the renderer thinks the origin is opaque
// while the browser thinks it's not opaque if the Blob URL origin is
// registered in the BlobURLNullOriginMap by the document that the navigation
// is replacing, causing the origin to be de-registered just before the new
// document commits. In this case the browser actually has the correct origin,
// so just compare the precursor origin of the renderer side.
if (params.url.SchemeIsBlob() && renderer_side_origin.opaque() &&
params.origin_calculation_debug_info.ends_with("is_newly_created") &&
navigation_request->GetRenderFrameHost()
->ShouldChangeRenderFrameHostOnSameSiteNavigation()) {
origins_match = (renderer_side_origin.GetTupleOrPrecursorTupleIfOpaque() ==
browser_side_origin_and_debug_info.first
->GetTupleOrPrecursorTupleIfOpaque());
}
// TODO(crbug.com/40092527): Remove the DumpWithoutCrashing below, once
// we are sure that the `browser_side_origin` is always the same as the
// `renderer_side_origin`.
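Review bot: the new branch relaxes the origin check from an exact match to a precursor-tuple match, but the condition does not require the browser-side origin to be non-opaque even though the comment says that is the case being handled ("while the browser thinks it's not opaque"). Adding `!browser_side_origin_and_debug_info.first->opaque()` to the `if` (or a `CHECK` inside it) keeps the weaker comparison scoped to exactly the same-site RFH swap case the CL describes, so an unrelated opaque/opaque disagreement is not silently accepted. Also, gating security-relevant verification logic on `params.origin_calculation_debug_info.ends_with("is_newly_created")` couples it to a debug string's formatting; a dedicated boolean or enum in `DidCommitProvisionalLoadParams` would be more robust and should at least be noted in the TODO so the string match is removed together with the DumpWithoutCrashing.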