From 8c3bbeb42f76c6227e04ae662f3d3edf971b3e90 Mon Sep 17 00:00:00 2001
From: gsinafirooz
Date: Thu, 5 Jan 2023 00:39:26 +0000
Subject: [Backport] CVE-2023-2462: Inappropriate implementation in Prompts (1/10)

Cherry-pick of patch originaly reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4113162:
Reject Web Bluetooth requests with an opaque origin

The Web Bluetooth API tracks permissions using the origin of the top-level document in the frame tree. If this document has an opaque origin then there is no way to format the origin for display to the user in permission prompts or to write their decision in the preferences file. Access to the Web Bluetooth API from such contexts should therefore be blocked.

Bug: 1375133
Change-Id: Idf737c1806eac4342e0fe716e2561e51aa127f53
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4113162
Reviewed-by: Reilly Grant
Commit-Queue: Sina Firoozabadi
Cr-Commit-Position: refs/heads/main@{#1089042}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476754
Reviewed-by: Michal Klocek
---
 .../blink/renderer/modules/bluetooth/bluetooth.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/chromium/third_party/blink/renderer/modules/bluetooth/bluetooth.cc b/chromium/third_party/blink/renderer/modules/bluetooth/bluetooth.cc
index d7f31c5783b..88f6f425789 100644
--- a/chromium/third_party/blink/renderer/modules/bluetooth/bluetooth.cc
+++ b/chromium/third_party/blink/renderer/modules/bluetooth/bluetooth.cc
@@ -75,6 +75,14 @@ bool IsRequestDenied(LocalDOMWindow* window, ExceptionState& exception_state) {
 } else if (window->GetFrame()->IsInFencedFrameTree()) {
 exception_state.ThrowDOMException(DOMExceptionCode::kNotAllowedError,
 kFencedFrameError);
+ } else if (window->GetFrame()
+ ->Top()
+ ->GetSecurityContext()
+ ->GetSecurityOrigin()
+ ->IsOpaque()) {
+ exception_state.ThrowSecurityError(
+ "Access to the Web Bluetooth API is denied from contexts where the "
+ "top-level document has an opaque origin.");
 }

 return exception_state.HadException();
@@ -291,6 +299,7 @@ void ConvertRequestDeviceOptions(
 ScriptPromise Bluetooth::getAvailability(ScriptState* script_state,
 ExceptionState& exception_state) {
 LocalDOMWindow* window = GetSupplementable()->DomWindow();
+
 if (IsRequestDenied(window, exception_state)) {
 return ScriptPromise();
 }
@@ -353,6 +362,7 @@ void Bluetooth::RequestDeviceCallback(
 ScriptPromise Bluetooth::getDevices(ScriptState* script_state,
 ExceptionState& exception_state) {
 LocalDOMWindow* window = GetSupplementable()->DomWindow();
+
 if (IsRequestDenied(window, exception_state)) {
 return ScriptPromise();
 }
@@ -380,6 +390,7 @@ ScriptPromise Bluetooth::requestDevice(ScriptState* script_state,
 const RequestDeviceOptions* options,
 ExceptionState& exception_state) {
 LocalDOMWindow* window = GetSupplementable()->DomWindow();
+
 if (IsRequestDenied(window, exception_state)) {
 return ScriptPromise();
 }
@@ -484,6 +495,7 @@ ScriptPromise Bluetooth::requestLEScan(ScriptState* script_state,
 const BluetoothLEScanOptions* options,
 ExceptionState& exception_state) {
 LocalDOMWindow* window = GetSupplementable()->DomWindow();
+
 if (IsRequestDenied(window, exception_state)) {
 return ScriptPromise();
 }
--
cgit v1.2.1
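Review bot: The new opaque-origin branch in IsRequestDenied (first hunk) is a renderer-side check only, so it stops well-behaved pages but cannot be relied on if the renderer process is compromised; nothing visible in this patch shows the browser-process side of Web Bluetooth refusing a request whose top-level origin is opaque, and that should be confirmed in the rest of the series or added there. The reason for the rejection lives only in the commit message, so I would put it above the branch, for example `// Permissions are keyed by the top-level origin; an opaque origin cannot be shown in a prompt or stored in preferences.` The check reads the origin through `Top()`, so a frame with an opaque origin of its own under a non-opaque top-level document still passes here, which appears intended given how the permission is keyed but is worth stating in the same comment. IsRequestDenied starts before this hunk, so the earlier branches are not visible.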