Handle blob URL deregister on same-site RFH swap in origin comparison code
Now that blob URL calculations can fully happen on the browser side, we can compare browser vs renderer origin in all blob cases. One exception is when we do a same-site RFH swap from the document that registers the blob URL we're navigating to. In this case the blob URL's origin might get deleted from the map before the commit finishes, causing the renderer to think that the origin is opaque. In this case the browser side has the correct origin, which is used as the precursor for the renderer's opaque origin. This CL makes us compare the precursor for this case.

Bug: 888079
Change-Id: I52da40a27457344a588e06305115b57e1597be07
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5860177
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Auto-Submit: Rakina Zata Amni <rakina@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1356018}
committed by Chromium LUCI CQ
parent 557fe3e61c
commit 55910bd23e
@ -755,17 +755,10 @@ void VerifyThatBrowserAndRendererCalculatedOriginsToCommitMatch(
if (navigation_request->state() < NavigationRequest::WILL_PROCESS_RESPONSE)
return;
// Blob urls with content scheme are opaque on browser side because the
// browser doesn't have access to the BlobURLNullOriginMap.
// (https://crbug.com/1295268).
const url::Origin& renderer_side_origin = params.origin;
std::pair<std::optional<url::Origin>, std::string>
browser_side_origin_and_debug_info =
navigation_request->browser_side_origin_to_commit_with_debug_info();
if (renderer_side_origin.scheme() == url::kContentScheme &&
browser_side_origin_and_debug_info.first->opaque()) {
return;
}
// For non-opaque origins, we say the browser and renderer calculated origins
// match if they are exactly the same.
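Review bot: Dropping the content-scheme early return also drops the only pointer to crbug.com/1295268 and the explanation that the browser had no access to the BlobURLNullOriginMap; since the commit message justifies the removal by saying blob URL calculations now fully happen browser-side, a one-line comment above `const url::Origin& renderer_side_origin = params.origin;` recording that content-scheme blob URLs are now compared like every other blob URL would keep the history readable, and a test that commits a content-scheme blob URL would confirm the verifier no longer fires for that case.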
@ -792,6 +785,21 @@ void VerifyThatBrowserAndRendererCalculatedOriginsToCommitMatch(
->GetTupleOrPrecursorTupleIfOpaque());
}
// For Blob URLs, it's possible that the renderer thinks the origin is opaque
// while the browser thinks it's not opaque if the Blob URL origin is
// registered in the BlobURLNullOriginMap by the document that the navigation
// is replacing, causing the origin to be de-registered just before the new
// document commits. In this case the browser actually has the correct origin,
// so just compare the precursor origin of the renderer side.
if (params.url.SchemeIsBlob() && renderer_side_origin.opaque() &&
params.origin_calculation_debug_info.ends_with("is_newly_created") &&
navigation_request->GetRenderFrameHost()
->ShouldChangeRenderFrameHostOnSameSiteNavigation()) {
origins_match = (renderer_side_origin.GetTupleOrPrecursorTupleIfOpaque() ==
browser_side_origin_and_debug_info.first
->GetTupleOrPrecursorTupleIfOpaque());
}
// TODO(crbug.com/40092527): Remove the DumpWithoutCrashing below, once
// we are sure that the `browser_side_origin` is always the same as the
// `renderer_side_origin`.
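Review bot: The new branch dereferences `browser_side_origin_and_debug_info.first` via `->GetTupleOrPrecursorTupleIfOpaque()` without checking that the `std::optional` holds a value, so a missing browser-side origin would be undefined behaviour instead of a reported mismatch; either guard the condition with `browser_side_origin_and_debug_info.first.has_value()` or add a comment stating why the value is guaranteed once the request is past WILL_PROCESS_RESPONSE. The gating on `params.origin_calculation_debug_info.ends_with("is_newly_created")` ties the relaxed comparison to the wording of a debug string; a comment naming where that suffix is produced, or a shared constant for it, would stop a renderer-side rename from silently disabling this branch, and the precursor-only comparison should stay limited to the same-site-swap case so a genuine opaque-vs-tuple mismatch elsewhere still surfaces.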