From 799b46219664a8b3f005cadeb02076590f6dbcc2 Mon Sep 17 00:00:00 2001
From: Jack Hsieh
Date: Mon, 13 Mar 2023 21:19:03 +0000
Subject: [Backport] CVE-2023-2462: Inappropriate implementation in Prompts (8/10)

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4237626:

usb: Reject using WebUSB API in an opaque origin

Rejects renderer's request of using WebUSB API when the top-level document has an opaque origin.

Bug: 1375133
Change-Id: I1b449389e55ea8ead412ea9e87fc99971997b491
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4237626
Reviewed-by: Hiroki Nakagawa
Commit-Queue: Jack Hsieh
Reviewed-by: Alex Moshchuk
Reviewed-by: Reilly Grant
Cr-Commit-Position: refs/heads/main@{#1116595}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476782
Reviewed-by: Michal Klocek
---
 .../browser/renderer_host/render_frame_host_impl.cc | 6 ++++++
 .../content/browser/service_worker/service_worker_host.cc | 15 +++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/chromium/content/browser/renderer_host/render_frame_host_impl.cc b/chromium/content/browser/renderer_host/render_frame_host_impl.cc
index d5745cea447..83789e10899 100644
--- a/chromium/content/browser/renderer_host/render_frame_host_impl.cc
+++ b/chromium/content/browser/renderer_host/render_frame_host_impl.cc
@@ -10521,6 +10521,12 @@ void RenderFrameHostImpl::CreateWebUsbService(
     mojo::ReportBadMessage("Permissions policy blocks access to USB.");
     return;
   }
+  if (GetOutermostMainFrame()->GetLastCommittedOrigin().opaque()) {
+    mojo::ReportBadMessage(
+        "WebUSB is not allowed when the top-level document has an opaque "
+        "origin.");
+    return;
+  }
   BackForwardCache::DisableForRenderFrameHost(
       this, BackForwardCacheDisable::DisabledReason(
                 BackForwardCacheDisable::DisabledReasonId::kWebUSB));
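Review bot: The new opaque-origin check in CreateWebUsbService carries no comment explaining why the request is escalated to ReportBadMessage (which terminates the calling renderer) instead of being quietly refused, while the parallel check added to service_worker_host.cc in this same patch does spell out that rationale. Suggest mirroring it above the `if`: `// A well-behaved renderer never requests WebUSB from a document whose top-level origin is opaque; treat such a request as coming from a compromised renderer and report a bad message.` The check also deliberately consults the outermost main frame's committed origin rather than this frame's own origin, so an opaque-origin subframe under an ordinary top-level page is still governed only by the permissions-policy check just above — if that split is intended, a short note saying so would save the next reader from re-deriving it. CreateWebUsbService begins before and continues after this hunk.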
diff --git a/chromium/content/browser/service_worker/service_worker_host.cc b/chromium/content/browser/service_worker/service_worker_host.cc
index 180d775cd6a..95005b5bfca 100644
--- a/chromium/content/browser/service_worker/service_worker_host.cc
+++ b/chromium/content/browser/service_worker/service_worker_host.cc
@@ -109,8 +109,19 @@ void ServiceWorkerHost::BindHidService(
 void ServiceWorkerHost::BindUsbService(
     mojo::PendingReceiver receiver) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
-  version_->embedded_worker()->BindUsbService(version_->key().origin(),
-                                              std::move(receiver));
+  DCHECK(container_host_->top_frame_origin());
+  if (container_host_->top_frame_origin()->opaque()) {
+    // Service worker should not be available to a window/worker client whose
+    // origin is opaque according to Service Worker specification. However, this
+    // can possibly be triggered by a compromised renderer, so reject it and
+    // report a bad mojo message.
+    mojo::ReportBadMessage(
+        "WebUSB is not allowed for the service worker scope when the top-level "
+        "frame has an opaque origin.");
+    return;
+  }
+  version_->embedded_worker()->BindUsbService(
+      *container_host_->top_frame_origin(), std::move(receiver));
 }
 
 net::NetworkIsolationKey ServiceWorkerHost::GetNetworkIsolationKey() const {
-- 
cgit v1.2.1
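Review bot: `DCHECK(container_host_->top_frame_origin());` is compiled out in release builds, so an absent top-frame origin falls straight through to `container_host_->top_frame_origin()->opaque()` and later `*container_host_->top_frame_origin()`, which dereference an empty value instead of rejecting the request. Since the purpose of this hunk is to refuse input a compromised renderer could send, the absent case should be handled by the same rejection path rather than by a debug-only assertion: `if (!container_host_->top_frame_origin() || container_host_->top_frame_origin()->opaque()) {` (the DCHECK can stay for debug diagnostics). The return type of `top_frame_origin()` is not visible in the hunk; the `*` and `->` uses suggest an optional-like value, which is what this assumes. Note also that the origin handed to BindUsbService changes from `version_->key().origin()` to the top-frame origin, so any caller-side documentation of which origin's WebUSB permissions apply should be updated to match.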