From 8b5a3aefa3110817e6e94647df785fb3de7eaf23 Mon Sep 17 00:00:00 2001
From: Sina Firoozabadi
Date: Wed, 8 Mar 2023 00:20:01 +0000
Subject: [Backport] CVE-2023-2462: Inappropriate implementation in Prompts (5/10)

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4112672:

Reject HidService interface requests from opaque origins

The Web HID API tracks permissions using the origin of the top-level document in the frame tree. If a document has an opaque origin then the requests to access Web HID get rejected on renderer side. To add a second layer of security in case of the renderer process being compromised, responding to the Web HID mojoms from such renderer process should be avoided.

Bug: 1375133
Change-Id: I76dcccae558ef583787d646746671086d8199940
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4112672
Commit-Queue: Sina Firoozabadi
Reviewed-by: Reilly Grant
Cr-Commit-Position: refs/heads/main@{#1114294}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476758
Reviewed-by: Michal Klocek
---
 chromium/content/browser/hid/hid_service.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/chromium/content/browser/hid/hid_service.cc b/chromium/content/browser/hid/hid_service.cc
index 11c695ec1fb..c5495923e9a 100644
--- a/chromium/content/browser/hid/hid_service.cc
+++ b/chromium/content/browser/hid/hid_service.cc
@@ -184,6 +184,13 @@ void HidService::Create(
 return;
 }
 
+ if (render_frame_host->GetOutermostMainFrame() ->GetLastCommittedOrigin() .opaque()) {
+ mojo::ReportBadMessage("WebHID is not allowed from an opaque origin.");
+ return;
+ }
+
 // DocumentHelper observes the lifetime of the document connected to
 // `render_frame_host` and destroys the HidService when the Mojo connection is
 // disconnected, RenderFrameHost is deleted, or the RenderFrameHost commits a
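Review bot: The new guard carries no comment saying why the outermost main frame's origin, rather than `render_frame_host`'s own, is the one that decides, while the parallel guard in the service-worker overload in the next hunk does explain its reasoning; I would add `// WebHID permissions are keyed on the top-level origin, so an opaque one can never hold a grant; a well-behaved renderer never sends this request.` above the `if`. It is also worth confirming that checking only the top-level origin matches the renderer-side rejection the commit message describes as per document: if a subframe with an opaque origin under a non-opaque top-level origin is meant to be refused here as well, `render_frame_host->GetLastCommittedOrigin().opaque()` would need to be part of the condition. The two `ReportBadMessage` strings in this patch describe the same condition with different wording (`"not allowed from"` here, `"blocked in"` in the next hunk); one phrasing would make log triage easier. `HidService::Create` begins before this hunk and its body continues after it.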
@@ -199,6 +206,13 @@ void HidService::Create(
 mojo::PendingReceiver receiver) {
 DCHECK(service_worker_context);
 
+ if (origin.opaque()) {
+ // Service worker should not be available to a window/worker client which
+ // origin is opaque according to Service Worker specification.
+ mojo::ReportBadMessage("WebHID is blocked in an opaque origin.");
+ return;
+ }
+
 // Avoid creating the HidService if there is no HID delegate to provide
 // the implementation.
 if (!GetContentClient()->browser()->GetHidDelegate())
--
cgit v1.2.1
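Review bot: The comment on the new guard reads awkwardly (`which origin is opaque`) and states a fact about service workers rather than why this branch reports a bad message; I would replace the two comment lines with `// Per the Service Worker spec a client with an opaque origin never has a service worker, so a WebHID request carrying an opaque origin can only come from a misbehaving renderer.`. Placing the check ahead of the `GetHidDelegate()` test looks intentional, since the bad message should be reported even on embedders without a HID delegate, but a one-line note saying so would keep a later tidy-up from reordering it. The enclosing `HidService::Create` overload's parameter list starts before this hunk and its body continues after it.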