diff options
author | Min Qin <qinmin@chromium.org> | 2022-06-21 18:19:05 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-08-08 15:23:36 +0000 |
commit | ab704233c9ef10135ec6b8dd472e868d5f05bf50 (patch) | |
tree | b3ddf2e6695bcecb754484f3a006dbb43252e245 | |
parent | 3c43c4aaca3548ae5b72be71adb13e3a50416b4b (diff) | |
download | qtwebengine-chromium-ab704233c9ef10135ec6b8dd472e868d5f05bf50.tar.gz |
[Backport] CVE-2022-2615: Insufficient policy enforcement in Cookies
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3712307:
[M96-LTS][Background fetch] passing update_first_party_url_on_redirect=false for fetch
M96 merge issues:
components/download/internal/common/download_utils.cc
Naming conflict for is_main_frame/is_outermost_main_frame
Background fetch doesn't work like regular download as it is not
considered a top frame navigation. This CL let background fetch to
pass update_first_party_url_on_redirect=false to DownloadURLParameters,
and handle it properly w.r.t samesite cookies.
BUG=1268580
Change-Id: I3a1cc33be8578d5d8c796dbbb21fa35a47bdda36
Commit-Queue: Min Qin <qinmin@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1016316}
(cherry picked from commit bf1e93c6af21dad12088b615feda07a90a85c158)
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
6 files changed, 27 insertions, 4 deletions
diff --git a/chromium/components/background_fetch/background_fetch_delegate_base.cc b/chromium/components/background_fetch/background_fetch_delegate_base.cc index b16efe4be36..72934d14ee6 100644 --- a/chromium/components/background_fetch/background_fetch_delegate_base.cc +++ b/chromium/components/background_fetch/background_fetch_delegate_base.cc @@ -102,6 +102,7 @@ void BackgroundFetchDelegateBase::DownloadUrl( weak_ptr_factory_.GetWeakPtr()); params.traffic_annotation = net::MutableNetworkTrafficAnnotationTag(traffic_annotation); + params.request_params.update_first_party_url_on_redirect = false; JobDetails* job_details = GetJobDetails(job_id); if (job_details->job_state == JobDetails::State::kPendingWillStartPaused || diff --git a/chromium/components/download/content/internal/download_driver_impl.cc b/chromium/components/download/content/internal/download_driver_impl.cc index 9b43def7825..3978fc863b3 100644 --- a/chromium/components/download/content/internal/download_driver_impl.cc +++ b/chromium/components/download/content/internal/download_driver_impl.cc @@ -190,6 +190,9 @@ void DownloadDriverImpl::Start( weak_ptr_factory_.GetWeakPtr(), guid)); download_url_params->set_require_safety_checks( request_params.require_safety_checks); + download_url_params->set_update_first_party_url_on_redirect( + request_params.update_first_party_url_on_redirect); + download_manager_coordinator_->DownloadUrl(std::move(download_url_params)); } diff --git a/chromium/components/download/internal/common/download_utils.cc b/chromium/components/download/internal/common/download_utils.cc index 6addf4137a0..0bf7c41792f 100644 --- a/chromium/components/download/internal/common/download_utils.cc +++ b/chromium/components/download/internal/common/download_utils.cc @@ -284,8 +284,10 @@ std::unique_ptr<network::ResourceRequest> CreateResourceRequest( // cross-site URL has been visited before. url::Origin origin = url::Origin::Create(params->url()); request->trusted_params->isolation_info = net::IsolationInfo::Create( - net::IsolationInfo::RequestType::kMainFrame, origin, origin, - net::SiteForCookies::FromOrigin(origin)); + params->update_first_party_url_on_redirect() + ? net::IsolationInfo::RequestType::kMainFrame + : net::IsolationInfo::RequestType::kOther, + origin, origin, net::SiteForCookies::FromOrigin(origin)); request->site_for_cookies = net::SiteForCookies::FromUrl(params->url()); } @@ -293,7 +295,8 @@ std::unique_ptr<network::ResourceRequest> CreateResourceRequest( request->referrer = params->referrer(); request->referrer_policy = params->referrer_policy(); request->is_main_frame = true; - request->update_first_party_url_on_redirect = true; + request->update_first_party_url_on_redirect = + params->update_first_party_url_on_redirect(); // Downloads should be treated as navigations from Fetch spec perspective. // See also: diff --git a/chromium/components/download/public/background_service/download_params.h b/chromium/components/download/public/background_service/download_params.h index 6cb0b1c93e5..7d77ba05ed8 100644 --- a/chromium/components/download/public/background_service/download_params.h +++ b/chromium/components/download/public/background_service/download_params.h @@ -114,6 +114,12 @@ struct RequestParams { // The credentials mode of the request. ::network::mojom::CredentialsMode credentials_mode; + + // First-party URL redirect policy: During server redirects, whether the + // first-party URL for cookies will need to be changed. Download is normally + // considered a main frame navigation. However, this is not true for + // background fetch. + bool update_first_party_url_on_redirect = true; }; // The parameters that describe a download request made to the DownloadService. diff --git a/chromium/components/download/public/common/download_url_parameters.cc b/chromium/components/download/public/common/download_url_parameters.cc index 3dec7148d86..25ea6f13e0d 100644 --- a/chromium/components/download/public/common/download_url_parameters.cc +++ b/chromium/components/download/public/common/download_url_parameters.cc @@ -34,7 +34,8 @@ DownloadUrlParameters::DownloadUrlParameters( traffic_annotation_(traffic_annotation), download_source_(DownloadSource::UNKNOWN), require_safety_checks_(true), - has_user_gesture_(false) {} + has_user_gesture_(false), + update_first_party_url_on_redirect_(true) {} DownloadUrlParameters::~DownloadUrlParameters() = default; diff --git a/chromium/components/download/public/common/download_url_parameters.h b/chromium/components/download/public/common/download_url_parameters.h index 5e94c13dcaa..aeb358f1c04 100644 --- a/chromium/components/download/public/common/download_url_parameters.h +++ b/chromium/components/download/public/common/download_url_parameters.h @@ -270,6 +270,11 @@ class COMPONENTS_DOWNLOAD_EXPORT DownloadUrlParameters { has_user_gesture_ = has_user_gesture; } + void set_update_first_party_url_on_redirect( + bool update_first_party_url_on_redirect) { + update_first_party_url_on_redirect_ = update_first_party_url_on_redirect; + } + OnStartedCallback& callback() { return callback_; } bool content_initiated() const { return content_initiated_; } const std::string& last_modified() const { return last_modified_; } @@ -322,6 +327,9 @@ class COMPONENTS_DOWNLOAD_EXPORT DownloadUrlParameters { return isolation_info_; } bool has_user_gesture() const { return has_user_gesture_; } + bool update_first_party_url_on_redirect() const { + return update_first_party_url_on_redirect_; + } // STATE CHANGING: All save_info_ sub-objects will be in an indeterminate // state following this call. @@ -370,6 +378,7 @@ class COMPONENTS_DOWNLOAD_EXPORT DownloadUrlParameters { bool require_safety_checks_; absl::optional<net::IsolationInfo> isolation_info_; bool has_user_gesture_; + bool update_first_party_url_on_redirect_; DISALLOW_COPY_AND_ASSIGN(DownloadUrlParameters); }; |