author | Sina Firoozabadi <sinafirooz@google.com> | 2023-03-08 00:20:01 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-05-15 11:35:05 +0000 |
commit | 8b5a3aefa3110817e6e94647df785fb3de7eaf23 (patch) | |
tree | 8748791eeee6c6afdd5b013a9b9a47b447eb0c81 | |
parent | 9f18dcee05fa9769ee41d04eaecbaa1c9eddd5dd (diff) | |
download | qtwebengine-chromium-8b5a3aefa3110817e6e94647df785fb3de7eaf23.tar.gz |
[Backport] CVE-2023-2462: Inappropriate implementation in Prompts (5/10)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4112672:
Reject HidService interface requests from opaque origins
The Web HID API tracks permissions using the origin of the top-level document in the frame tree. If a document has an opaque origin, then requests to access Web HID get rejected on the renderer side.
To add a second layer of security in case the renderer process is compromised, responding to the Web HID mojoms from such a renderer process should be avoided.
Bug: 1375133
Change-Id: I76dcccae558ef583787d646746671086d8199940
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4112672
Commit-Queue: Sina Firoozabadi <sinafirooz@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1114294}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476758
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/hid/hid_service.cc | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/chromium/content/browser/hid/hid_service.cc b/chromium/content/browser/hid/hid_service.cc index 11c695ec1fb..c5495923e9a 100644 --- a/chromium/content/browser/hid/hid_service.cc +++ b/chromium/content/browser/hid/hid_service.cc @@ -184,6 +184,13 @@ void HidService::Create( return; } + if (render_frame_host->GetOutermostMainFrame() + ->GetLastCommittedOrigin() + .opaque()) { + mojo::ReportBadMessage("WebHID is not allowed from an opaque origin."); + return; + } + // DocumentHelper observes the lifetime of the document connected to // `render_frame_host` and destroys the HidService when the Mojo connection is // disconnected, RenderFrameHost is deleted, or the RenderFrameHost commits a @@ -199,6 +206,13 @@ void HidService::Create( mojo::PendingReceiver<blink::mojom::HidService> receiver) { DCHECK(service_worker_context); + if (origin.opaque()) { + // Service worker should not be available to a window/worker client which + // origin is opaque according to Service Worker specification. + mojo::ReportBadMessage("WebHID is blocked in an opaque origin."); + return; + } + // Avoid creating the HidService if there is no HID delegate to provide // the implementation. if (!GetContentClient()->browser()->GetHidDelegate()) |
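Review bot: the first hunk places the opaque-origin early return before the DocumentHelper is constructed, so a rejected request leaves no HidService instance or document observer behind; one style point is that its bad-message text ("WebHID is not allowed from an opaque origin.") differs from the second hunk's ("WebHID is blocked in an opaque origin."), and using one wording for both would make the two kill reasons easier to correlate when triaging bad-message reports.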
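Review bot: in the second hunk the comment reads "a window/worker client which origin is opaque"; suggest "whose origin is opaque". Since this overload receives `origin` as a parameter instead of reading it from a RenderFrameHost, please also confirm that every caller reaches it from within a Mojo message dispatch, because mojo::ReportBadMessage is only valid in that context.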