0
Files
src/content/browser/process_lock.cc
Robbie McElrath eae661ef7c iwa: Don't inherit 'Isolated Application' level in cross-origin frames
IWA-gated features check the WebExposedIsolationLevel of their frame or
process, and enable themselves if the isolation level is
kMaybeIsolatedApplication. Currently WebExposedIsolationLevel (WEIL)
maps directly to WebExposedIsolationInfo (WEII), which results in
cross-origin IWA child frames claiming to have the
kMaybeIsolatedApplication level, which is incorrect.

This direct mapping is incorrect because WEII and WEIL are meant to
represent two different concepts: WEII represents the cross-origin
isolation (COI) mode of a browsing context group, while WEIL
represents the COI capability of a frame or worker, and should take
into account the 'cross-origin-isolated' permissions policy and the
frame/worker's origin.

All agents in a browsing context group will share a WEII, but the
WEIL of a kIsolated frame's child frame (same or cross-origin) could
be kNotIsolated if permissions policy did not delegate the
'cross-origin-isolated' permission. kMaybeIsolatedApplication
can only be delegated to same-origin pages in addition to being
controllable with permissions policy. This CL adds WEIL to
ProcessLock and lowers the isolation level based on origin if needed.
It also adds permissions policy checks to
RenderFrameHost::GetWebExposedIsolationLevel so that it will return
the correct isolation level if the permission policy wasn't
delegated to a child frame.

See go/content-isolation-levels for more background information.

Bug: 1467673, 1159832, b/280497768
Change-Id: I2a328185c9379a96d56f77178ba5e283148524b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4568370
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Robbie McElrath <rmcelrath@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Daniel d'Andrada <dandrader@google.com>
Cr-Commit-Position: refs/heads/main@{#1182214}
2023-08-10 19:05:28 +00:00

181 lines
6.2 KiB
C++

// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/process_lock.h"
#include "base/strings/stringprintf.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/web_exposed_isolation_level.h"
namespace content {
// static
ProcessLock ProcessLock::CreateAllowAnySite(
const StoragePartitionConfig& storage_partition_config,
const WebExposedIsolationInfo& web_exposed_isolation_info) {
WebExposedIsolationLevel web_exposed_isolation_level =
SiteInfo::ComputeWebExposedIsolationLevelForEmptySite(
web_exposed_isolation_info);
return ProcessLock(SiteInfo(
/*site_url=*/GURL(), /*process_lock_url=*/GURL(),
/*requires_origin_keyed_process=*/false,
/*requires_origin_keyed_process_by_default=*/false,
/*is_sandboxed=*/false, UrlInfo::kInvalidUniqueSandboxId,
storage_partition_config, web_exposed_isolation_info,
web_exposed_isolation_level, /*is_guest=*/false,
/*does_site_request_dedicated_process_for_coop=*/false,
/*is_jit_disabled=*/false, /*is_pdf=*/false, /*is_fenced=*/false));
}
// static
ProcessLock ProcessLock::Create(const IsolationContext& isolation_context,
const UrlInfo& url_info) {
DCHECK(url_info.storage_partition_config.has_value());
if (BrowserThread::CurrentlyOn(BrowserThread::UI))
return ProcessLock(SiteInfo::Create(isolation_context, url_info));
DCHECK_CURRENTLY_ON(BrowserThread::IO);
// On the IO thread we need to use a special SiteInfo creation method because
// we cannot properly compute some SiteInfo fields on that thread.
// ProcessLocks must always match no matter which thread they were created on,
// but the SiteInfo objects used to create them may not always match.
return ProcessLock(SiteInfo::CreateOnIOThread(isolation_context, url_info));
}
// static
ProcessLock ProcessLock::FromSiteInfo(const SiteInfo& site_info) {
return ProcessLock(site_info);
}
ProcessLock::ProcessLock(const SiteInfo& site_info) : site_info_(site_info) {}
ProcessLock::ProcessLock() = default;
ProcessLock::ProcessLock(const ProcessLock&) = default;
ProcessLock& ProcessLock::operator=(const ProcessLock&) = default;
ProcessLock::~ProcessLock() = default;
StoragePartitionConfig ProcessLock::GetStoragePartitionConfig() const {
DCHECK(site_info_.has_value());
return site_info_->storage_partition_config();
}
WebExposedIsolationInfo ProcessLock::GetWebExposedIsolationInfo() const {
return site_info_.has_value() ? site_info_->web_exposed_isolation_info()
: WebExposedIsolationInfo::CreateNonIsolated();
}
WebExposedIsolationLevel ProcessLock::GetWebExposedIsolationLevel() const {
return site_info_.has_value() ? site_info_->web_exposed_isolation_level()
: WebExposedIsolationLevel::kNotIsolated;
}
bool ProcessLock::IsASiteOrOrigin() const {
const GURL lock_url = ProcessLock::lock_url();
return lock_url.has_scheme() && lock_url.has_host() && lock_url.is_valid();
}
bool ProcessLock::HasOpaqueOrigin() const {
DCHECK(is_locked_to_site());
return url::Origin::Create(lock_url()).opaque();
}
bool ProcessLock::MatchesOrigin(const url::Origin& origin) const {
url::Origin process_lock_origin = url::Origin::Create(lock_url());
return origin == process_lock_origin;
}
bool ProcessLock::IsCompatibleWithWebExposedIsolation(
const SiteInfo& site_info) const {
return site_info_.has_value() && site_info_->web_exposed_isolation_info() ==
site_info.web_exposed_isolation_info();
}
bool ProcessLock::operator==(const ProcessLock& rhs) const {
if (site_info_.has_value() != rhs.site_info_.has_value())
return false;
if (!site_info_.has_value()) // Neither has a value, so they're equal.
return true;
// At this point, both `this` and `rhs` are known to have valid SiteInfos.
// Here we proceed with a comparison almost identical to
// SiteInfo::MakeSecurityPrincipalKey(), except that `site_url_` is excluded.
return site_info_->ProcessLockCompareTo(rhs.site_info_.value()) == 0;
}
bool ProcessLock::operator!=(const ProcessLock& rhs) const {
return !(*this == rhs);
}
bool ProcessLock::operator<(const ProcessLock& rhs) const {
if (!site_info_.has_value() && !rhs.site_info_.has_value())
return false;
if (!site_info_.has_value()) // Here rhs.site_info_.has_value() is true.
return true;
if (!rhs.site_info_.has_value()) // Here site_info_.has_value() is true.
return false;
// At this point, both `this` and `rhs` are known to have valid SiteInfos.
// Here we proceed with a comparison almost identical to
// SiteInfo::MakeSecurityPrincipalKey(), except that `site_url_` is excluded.
return site_info_->ProcessLockCompareTo(rhs.site_info_.value()) < 0;
}
std::string ProcessLock::ToString() const {
std::string ret = "{ ";
if (site_info_.has_value()) {
ret += lock_url().possibly_invalid_spec();
if (is_origin_keyed_process())
ret += " origin-keyed";
if (is_sandboxed()) {
ret += " sandboxed";
if (site_info_->unique_sandbox_id() != UrlInfo::kInvalidUniqueSandboxId)
ret += base::StringPrintf(" (id=%d)", site_info_->unique_sandbox_id());
}
if (is_pdf())
ret += " pdf";
if (is_guest())
ret += " guest";
if (is_fenced())
ret += " fenced";
if (GetWebExposedIsolationInfo().is_isolated()) {
ret += " cross-origin-isolated";
if (GetWebExposedIsolationInfo().is_isolated_application())
ret += "-application";
ret += " coi-origin='" +
GetWebExposedIsolationInfo().origin().GetDebugString() + "'";
}
if (!GetStoragePartitionConfig().is_default()) {
ret += ", partition=" + GetStoragePartitionConfig().partition_domain() +
"." + GetStoragePartitionConfig().partition_name();
if (GetStoragePartitionConfig().in_memory())
ret += ", in-memory";
}
} else {
ret += " no-site-info";
}
ret += " }";
return ret;
}
std::ostream& operator<<(std::ostream& out, const ProcessLock& process_lock) {
return out << process_lock.ToString();
}
} // namespace content