authorHiroshige Hayashizaki <hiroshige@chromium.org>2021-02-08 21:38:43 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2021-05-07 13:31:20 +0000
commitcbc5e3de65dcf78692fbc7dc7bc53163c3fea594 (patch)
treec863c67c4bba3e5452aa7ef02d6fad9c65573e0f
parentbda00397362bf03ff7b8d88fa54625524f604c7e (diff)
downloadqtwebengine-chromium-cbc5e3de65dcf78692fbc7dc7bc53163c3fea594.tar.gz
[Backport] Security bug 1175503
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2681148 Set mode for top-level module worker scripts to kSameOrigin Bug: 1175503 Change-Id: I9a744da07beea87564b9563656c8ba81325d9a13 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Dominic Farolino <dom@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#851900} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc20
1 files changed, 20 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
index 5b6548957fa..32e05d15ca4 100644
--- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
+++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
@@ -152,6 +152,26 @@ void ModuleScriptLoader::FetchInternal(
fetch_client_settings_object->GetSecurityOrigin(),
options_.CredentialsMode());
+ // <spec step="6">If destination is "worker" or "sharedworker" and the
+ // top-level module fetch flag is set, then set request's mode to
+ // "same-origin".</spec>
+ //
+ // `kServiceWorker` is included here for consistency, while it isn't mentioned
+ // in the spec. This doesn't affect the behavior, because we already forbid
+ // redirects and cross-origin response URLs in other places.
+ if ((module_request.Destination() ==
+ WebURLRequest::kRequestContextWorker ||
+ module_request.Destination() ==
+ WebURLRequest::kRequestContextSharedWorker ||
+ module_request.Destination() ==
+ WebURLRequest::kRequestContextServiceWorker) &&
+ level == ModuleGraphLevel::kTopLevelModuleFetch) {
+ // This should be done after SetCrossOriginAccessControl() that sets the
+ // mode to kCors.
+ fetch_params.MutableResourceRequest().SetMode(
+ network::mojom::RequestMode::kSameOrigin);
+ }
+
// Step 5. "... referrer is referrer, ..." [spec text]
fetch_params.MutableResourceRequest().SetHTTPReferrer(
module_request.GetReferrer());
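Review bot: The override to `network::mojom::RequestMode::kSameOrigin` only holds because it runs after the SetCrossOriginAccessControl() call shown in the context lines above, and that ordering is guarded by a comment alone. Any later statement in FetchInternal that sets the mode again would silently return top-level worker module fetches to kCors. The rest of FetchInternal is outside the hunk, so it would be worth confirming that nothing after this block touches the mode. A debug assertion at the point where the request is handed to the fetcher would help: for the three worker destinations at `kTopLevelModuleFetch`, check that `fetch_params.GetResourceRequest().GetMode()` is still kSameOrigin. The diffstat also lists only this one file, so the backport appears to carry no regression test; a test that a cross-origin top-level module worker script is rejected would pin the behaviour, including the `kServiceWorker` case that the comment says relies on checks made elsewhere.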