[Backport] CVE-2022-2615: Insufficient policy enforcement in Cookies

Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3712307: [M96-LTS][Background fetch] passing update_first_party_url_on_redirect=false for fetch M96 merge issues: components/download/internal/common/download_utils.cc Naming conflict for is_main_frame/is_outermost_main_frame Background fetch doesn't work like regular download as it is not considered a top frame navigation. This CL let background fetch to pass update_first_party_url_on_redirect=false to DownloadURLParameters, and handle it properly w.r.t samesite cookies. BUG=1268580 Change-Id: I3a1cc33be8578d5d8c796dbbb21fa35a47bdda36 Commit-Queue: Min Qin <qinmin@chromium.org> Cr-Commit-Position: refs/heads/main@{#1016316} (cherry picked from commit bf1e93c6af21dad12088b615feda07a90a85c158) Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Min Qin <qinmin@chromium.org> 2022-06-21 18:19:05 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2022-08-08 15:23:36 +0000
commit: ab704233c9ef10135ec6b8dd472e868d5f05bf50 (patch)
tree: b3ddf2e6695bcecb754484f3a006dbb43252e245
parent: 3c43c4aaca3548ae5b72be71adb13e3a50416b4b (diff)
download: qtwebengine-chromium-ab704233c9ef10135ec6b8dd472e868d5f05bf50.tar.gz
6 files changed, 27 insertions, 4 deletions
diff --git a/chromium/components/background_fetch/background_fetch_delegate_base.cc b/chromium/components/background_fetch/background_fetch_delegate_base.cc
index b16efe4be36..72934d14ee6 100644
--- a/chromium/components/background_fetch/background_fetch_delegate_base.cc
+++ b/chromium/components/background_fetch/background_fetch_delegate_base.cc
@@ -102,6 +102,7 @@ void BackgroundFetchDelegateBase::DownloadUrl(
                           weak_ptr_factory_.GetWeakPtr());
   params.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(traffic_annotation);
+  params.request_params.update_first_party_url_on_redirect = false;
 
   JobDetails* job_details = GetJobDetails(job_id);
   if (job_details->job_state == JobDetails::State::kPendingWillStartPaused ||
diff --git a/chromium/components/download/content/internal/download_driver_impl.cc b/chromium/components/download/content/internal/download_driver_impl.cc
index 9b43def7825..3978fc863b3 100644
--- a/chromium/components/download/content/internal/download_driver_impl.cc
+++ b/chromium/components/download/content/internal/download_driver_impl.cc
@@ -190,6 +190,9 @@ void DownloadDriverImpl::Start(
                           weak_ptr_factory_.GetWeakPtr(), guid));
   download_url_params->set_require_safety_checks(
       request_params.require_safety_checks);
+  download_url_params->set_update_first_party_url_on_redirect(
+      request_params.update_first_party_url_on_redirect);
+
   download_manager_coordinator_->DownloadUrl(std::move(download_url_params));
 }
 
diff --git a/chromium/components/download/internal/common/download_utils.cc b/chromium/components/download/internal/common/download_utils.cc
index 6addf4137a0..0bf7c41792f 100644
--- a/chromium/components/download/internal/common/download_utils.cc
+++ b/chromium/components/download/internal/common/download_utils.cc
@@ -284,8 +284,10 @@ std::unique_ptr<network::ResourceRequest> CreateResourceRequest(
     // cross-site URL has been visited before.
     url::Origin origin = url::Origin::Create(params->url());
     request->trusted_params->isolation_info = net::IsolationInfo::Create(
-        net::IsolationInfo::RequestType::kMainFrame, origin, origin,
-        net::SiteForCookies::FromOrigin(origin));
+        params->update_first_party_url_on_redirect()
+            ? net::IsolationInfo::RequestType::kMainFrame
+            : net::IsolationInfo::RequestType::kOther,
+        origin, origin, net::SiteForCookies::FromOrigin(origin));
     request->site_for_cookies = net::SiteForCookies::FromUrl(params->url());
   }
 
@@ -293,7 +295,8 @@ std::unique_ptr<network::ResourceRequest> CreateResourceRequest(
   request->referrer = params->referrer();
   request->referrer_policy = params->referrer_policy();
   request->is_main_frame = true;
-  request->update_first_party_url_on_redirect = true;
+  request->update_first_party_url_on_redirect =
+      params->update_first_party_url_on_redirect();
 
   // Downloads should be treated as navigations from Fetch spec perspective.
   // See also:
diff --git a/chromium/components/download/public/background_service/download_params.h b/chromium/components/download/public/background_service/download_params.h
index 6cb0b1c93e5..7d77ba05ed8 100644
--- a/chromium/components/download/public/background_service/download_params.h
+++ b/chromium/components/download/public/background_service/download_params.h
@@ -114,6 +114,12 @@ struct RequestParams {
 
   // The credentials mode of the request.
   ::network::mojom::CredentialsMode credentials_mode;
+
+  // First-party URL redirect policy: During server redirects, whether the
+  // first-party URL for cookies will need to be changed. Download is normally
+  // considered a main frame navigation. However, this is not true for
+  // background fetch.
+  bool update_first_party_url_on_redirect = true;
 };
 
 // The parameters that describe a download request made to the DownloadService.
diff --git a/chromium/components/download/public/common/download_url_parameters.cc b/chromium/components/download/public/common/download_url_parameters.cc
index 3dec7148d86..25ea6f13e0d 100644
--- a/chromium/components/download/public/common/download_url_parameters.cc
+++ b/chromium/components/download/public/common/download_url_parameters.cc
@@ -34,7 +34,8 @@ DownloadUrlParameters::DownloadUrlParameters(
       traffic_annotation_(traffic_annotation),
       download_source_(DownloadSource::UNKNOWN),
       require_safety_checks_(true),
-      has_user_gesture_(false) {}
+      has_user_gesture_(false),
+      update_first_party_url_on_redirect_(true) {}
 
 DownloadUrlParameters::~DownloadUrlParameters() = default;
 
diff --git a/chromium/components/download/public/common/download_url_parameters.h b/chromium/components/download/public/common/download_url_parameters.h
index 5e94c13dcaa..aeb358f1c04 100644
--- a/chromium/components/download/public/common/download_url_parameters.h
+++ b/chromium/components/download/public/common/download_url_parameters.h
@@ -270,6 +270,11 @@ class COMPONENTS_DOWNLOAD_EXPORT DownloadUrlParameters {
     has_user_gesture_ = has_user_gesture;
   }
 
+  void set_update_first_party_url_on_redirect(
+      bool update_first_party_url_on_redirect) {
+    update_first_party_url_on_redirect_ = update_first_party_url_on_redirect;
+  }
+
   OnStartedCallback& callback() { return callback_; }
   bool content_initiated() const { return content_initiated_; }
   const std::string& last_modified() const { return last_modified_; }
@@ -322,6 +327,9 @@ class COMPONENTS_DOWNLOAD_EXPORT DownloadUrlParameters {
     return isolation_info_;
   }
   bool has_user_gesture() const { return has_user_gesture_; }
+  bool update_first_party_url_on_redirect() const {
+    return update_first_party_url_on_redirect_;
+  }
 
   // STATE CHANGING: All save_info_ sub-objects will be in an indeterminate
   // state following this call.
@@ -370,6 +378,7 @@ class COMPONENTS_DOWNLOAD_EXPORT DownloadUrlParameters {
   bool require_safety_checks_;
   absl::optional<net::IsolationInfo> isolation_info_;
   bool has_user_gesture_;
+  bool update_first_party_url_on_redirect_;
 
   DISALLOW_COPY_AND_ASSIGN(DownloadUrlParameters);
 };
author	Min Qin <qinmin@chromium.org>	2022-06-21 18:19:05 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2022-08-08 15:23:36 +0000
commit	ab704233c9ef10135ec6b8dd472e868d5f05bf50 (patch)
tree	b3ddf2e6695bcecb754484f3a006dbb43252e245
parent	3c43c4aaca3548ae5b72be71adb13e3a50416b4b (diff)
download	qtwebengine-chromium-ab704233c9ef10135ec6b8dd472e868d5f05bf50.tar.gz