authorTim Judkins <tjudkins@chromium.org>2020-01-31 01:45:22 +0000
committerMichal Klocek <michal.klocek@qt.io>2020-04-22 18:13:02 +0000
commit39d2873778c5bcc237843216180b3a52ceb5b1f4 (patch)
tree399035246dcbc6a1f4be9fdf88c9185b7b0f9e73
parent020de77cb354c097596bfde61b328aad37801d86 (diff)
downloadqtwebengine-chromium-39d2873778c5bcc237843216180b3a52ceb5b1f4.tar.gz
[Backport] CVE-2020-6433
Check for initiator origin in ExtensionNavigationThrottle. Changes one of the checks in ExtensionNavigationThrottle to check if the initiator origin of a navigation is empty, to more correctly handle history.back() being used to navigate a window. Adds tests to cover this case. Also adds a test for a similar case which navigates a local frame, which results in the navigation being blocked at the renderer level. Bug: 1043965 Change-Id: Ic4cc99326ed2394b54e684044153cb3ddbdd37ed Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/extensions/browser/extension_navigation_throttle.cc7
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/extensions/browser/extension_navigation_throttle.cc b/chromium/extensions/browser/extension_navigation_throttle.cc
index 8214f2ebc6f..8b046da23ad 100644
--- a/chromium/extensions/browser/extension_navigation_throttle.cc
+++ b/chromium/extensions/browser/extension_navigation_throttle.cc
@@ -123,12 +123,15 @@ ExtensionNavigationThrottle::WillStartOrRedirectRequest() {
}
}
- // Browser-initiated requests are always considered trusted, and thus allowed.
+ // Navigations with no initiator (e.g. browser-initiated requests) are always
+ // considered trusted, and thus allowed.
//
// Note that GuestView navigations initiated by the embedder also count as a
// browser-initiated navigation.
- if (!navigation_handle()->IsRendererInitiated())
+ if (!navigation_handle()->GetInitiatorOrigin().has_value()) {
+ DCHECK(!navigation_handle()->IsRendererInitiated());
return content::NavigationThrottle::PROCEED;
+ }
// All renderer-initiated navigations must have an initiator.
DCHECK(navigation_handle()->GetInitiatorOrigin().has_value());
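Review bot: The new early-return branch treats a missing initiator origin as trusted, but the invariant that such a navigation is never renderer-initiated is enforced only by `DCHECK(!navigation_handle()->IsRendererInitiated());`, which is compiled out of release builds, so a violation there would still reach `PROCEED`. Consider failing closed in that branch, for example `if (navigation_handle()->IsRendererInitiated()) return content::NavigationThrottle::BLOCK_REQUEST;` ahead of the return, or at least state in the comment why the two conditions are expected to coincide. The trailing `DCHECK(navigation_handle()->GetInitiatorOrigin().has_value());` can no longer fire once this branch has returned, and its comment no longer describes what is guaranteed; `// An initiator origin is always present past this point.` would be accurate. The rest of WillStartOrRedirectRequest lies outside the hunk, so how the initiator origin is used afterwards is not visible here.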