authorAntonio Sartori <antoniosartori@chromium.org>2020-11-18 09:33:55 +0000
committerMichael Brüning <michael.bruning@qt.io>2021-04-06 11:13:41 +0000
commit35caa7c78115cc22c405c1b6de386b73d36f8609 (patch)
tree3821a9e63e0a014e8ba9f3bb4fb06b8e260f3426
parent54668112ebdc2e4f3656661bc190efdb66b5f4d5 (diff)
[Backport] CVE-2021-21175: Inappropriate implementation in Site isolation
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2731577: Strip url to origin in X-Frame-Options violation messages X-Frame-Options violations are logged via a console message in the parent frame. To avoid leaking sensitive data to the parent frame, let's report as "blocked url" just the origin of the blocked frame's url, as we are already doing for the frame-ancestors CSP directive. [M86 Merge]: ancestor_throttle.cc was moved. (cherry picked from commit 93ce5606cd9a9597993ba70670b4092ab6722281) Bug: 1146651 Change-Id: If5e5ac62f7e44e714b109e6adc389f11999e0f8b Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Charlie Reis <creis@chromium.org> Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#828651} Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Commit-Queue: Victor-Gabriel Savu <vsavu@google.com> Cr-Commit-Position: refs/branch-heads/4240@{#1563} Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/content/browser/frame_host/ancestor_throttle.cc22
1 files changed, 19 insertions, 3 deletions
diff --git a/chromium/content/browser/frame_host/ancestor_throttle.cc b/chromium/content/browser/frame_host/ancestor_throttle.cc
index 129c3777020..cab0b80ab63 100644
--- a/chromium/content/browser/frame_host/ancestor_throttle.cc
+++ b/chromium/content/browser/frame_host/ancestor_throttle.cc
@@ -227,12 +227,20 @@ void AncestorThrottle::ParseError(const std::string& value,
"Refused to display '%s' in a frame because it set multiple "
"'X-Frame-Options' headers with conflicting values "
"('%s'). Falling back to 'deny'.",
- navigation_handle()->GetURL().spec().c_str(), value.c_str());
+ url::Origin::Create(navigation_handle()->GetURL())
+ .GetURL()
+ .spec()
+ .c_str(),
+ value.c_str());
} else {
message = base::StringPrintf(
"Invalid 'X-Frame-Options' header encountered when loading '%s': "
"'%s' is not a recognized directive. The header will be ignored.",
- navigation_handle()->GetURL().spec().c_str(), value.c_str());
+ url::Origin::Create(navigation_handle()->GetURL())
+ .GetURL()
+ .spec()
+ .c_str(),
+ value.c_str());
}
// Log a console error in the parent of the current RenderFrameHost (as
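Review bot: The new `url::Origin::Create(navigation_handle()->GetURL()).GetURL().spec()` expression, used in both the conflicting-values and the unrecognized-directive branches, produces an empty string when the blocked frame's origin is opaque (a `data:` URL or a sandboxed document, for instance), because as far as I recall `url::Origin::GetURL()` returns an empty `GURL` for opaque origins, so the console line would read `Refused to display '' in a frame ...`. Using `url::Origin::Create(navigation_handle()->GetURL()).Serialize()` instead would print `null` for opaque origins and the same scheme/host/port otherwise (without the trailing slash), while still withholding the path and query from the parent frame. The same four-line expression is also repeated a third time in `ConsoleError` in the following hunk; computing it once per function, e.g. `const std::string blocked_origin = url::Origin::Create(navigation_handle()->GetURL()).Serialize();` before the `if` here and at the top of `ConsoleError`, would keep the three messages consistent if the serialization is ever changed again. Note that `ParseError`'s body, including the `if` that opens these two branches, starts above this hunk.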
@@ -250,11 +258,19 @@ void AncestorThrottle::ConsoleError(HeaderDisposition disposition) {
std::string message = base::StringPrintf(
"Refused to display '%s' in a frame because it set 'X-Frame-Options' "
"to '%s'.",
- navigation_handle()->GetURL().spec().c_str(),
+ url::Origin::Create(navigation_handle()->GetURL())
+ .GetURL()
+ .spec()
+ .c_str(),
disposition == HeaderDisposition::DENY ? "deny" : "sameorigin");
// Log a console error in the parent of the current RenderFrameHost (as
// the current RenderFrameHost itself doesn't yet have a document).
+ //
+ // TODO(https://crbug.com/1146651): We should not leak any information at all
+ // to the parent frame. Send a message directly to Devtools instead (without
+ // passing through a renderer): that can also contain more information (like
+ // the full blocked url).
navigation_handle()->GetRenderFrameHost()->GetParent()->AddMessageToConsole(
CONSOLE_MESSAGE_LEVEL_ERROR, message);
}