| author | Emily Stark <estark@google.com> | 2019-12-20 01:35:29 +0000 |
|---|---|---|
| committer | Kirill Burtsev <kirill.burtsev@qt.io> | 2020-04-23 11:26:25 +0000 |
| commit | 28996bc48bcc69f59603aa344b5cbe4f9b33e385 (patch) | |
| tree | 8b6a358062c9089d40b149b927002e4fa41f1ba5 | |
| parent | 0b633aff1ddc6f8cf6540e5b9e5ff44993f9f85f (diff) | |
| download | qtwebengine-chromium-28996bc48bcc69f59603aa344b5cbe4f9b33e385.tar.gz | |
[Backport] Fix for CVE-2020-6441
Carry over SSL content status flags for same-doc navigations
Same-document navigations shouldn't clear content status flags,
because if there was mixed content on the page, it's still there after
a same-document navigation.
In many same-document navigation cases, this fix doesn't matter
because content status flags are copied as part of cloning the
original NavigationEntry to create the new one (see the
NavigationEntry::CloneAndReplace call in
NavigationControllerImpl::RendererDidNavigateToNewPage). However, not
all same-document navigations involve cloning an existing entry, and
in these cases it is important to copy over the previous entry's
content status flags. (See linked bug for an example.)
Bug: 959571
Change-Id: I353995ea153b10736020e24f29eca6f7e7be9ed9
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/content/browser/ssl/ssl_manager.cc | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/chromium/content/browser/ssl/ssl_manager.cc b/chromium/content/browser/ssl/ssl_manager.cc index 62351a19956..c5c59a2cc15 100644 --- a/chromium/content/browser/ssl/ssl_manager.cc +++ b/chromium/content/browser/ssl/ssl_manager.cc @@ -185,16 +185,18 @@ void SSLManager::DidCommitProvisionalLoad(const LoadCommittedDetails& details) { int add_content_status_flags = 0; int remove_content_status_flags = 0; - if (!details.is_main_frame) { - // If it wasn't a main-frame navigation, then carry over content - // status flags. (For example, the mixed content flag shouldn't - // clear because of a frame navigation.) + if (!details.is_main_frame || details.is_same_document) { + // For subframe navigations, and for same-document main-frame navigations, + // carry over content status flags from the previously committed entry. For + // example, the mixed content flag shouldn't clear because of a subframe + // navigation, or because of a back/forward navigation that doesn't leave + // the current document. (See https://crbug.com/959571.) NavigationEntryImpl* previous_entry = controller_->GetEntryAtIndex(details.previous_entry_index); if (previous_entry) { add_content_status_flags = previous_entry->GetSSL().content_status; } - } else if (!details.is_same_document) { + } else { // For main-frame non-same-page navigations, clear content status // flags. These flags are set based on the content on the page, and thus // should reflect the current content, even if the navigation was to an |
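Review bot: The behavior change in this hunk (main-frame same-document navigations now take the carry-over branch instead of falling through both branches with `add_content_status_flags` and `remove_content_status_flags` left at 0) ships without a regression test; the diffstat shows only `ssl_manager.cc` touched. A test that drives a same-document main-frame navigation which does not clone the previous `NavigationEntry` (the case the commit message says matters) and asserts the mixed-content bit in `GetSSL().content_status` survives would pin this down, since the cloning path already masked the bug in the common case. Two smaller points: the surviving comment on the `else` branch still says "main-frame non-same-page navigations" while the condition it now pairs with is spelled in terms of `is_same_document`, so it is worth aligning the wording to "non-same-document" to match the new `if` comment; and the new comment gives back/forward as the example, but `pushState`/fragment navigations are also same-document commits that reach this code, so naming them avoids a reader assuming the branch is history-only. The existing `if (previous_entry)` null check correctly covers `GetEntryAtIndex` returning null when `previous_entry_index` is out of range, so no additional guard is needed there.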