From cbc5e3de65dcf78692fbc7dc7bc53163c3fea594 Mon Sep 17 00:00:00 2001
From: Hiroshige Hayashizaki
Date: Mon, 8 Feb 2021 21:38:43 +0000
Subject: [Backport] Security bug 1175503

Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2681148
Set mode for top-level module worker scripts to kSameOrigin
Bug: 1175503
Change-Id: I9a744da07beea87564b9563656c8ba81325d9a13
Commit-Queue: Hiroshige Hayashizaki
Reviewed-by: Dominic Farolino
Reviewed-by: Kouhei Ueno
Reviewed-by: Hiroki Nakagawa
Cr-Commit-Position: refs/heads/master@{#851900}
Reviewed-by: Allan Sandfeld Jensen
---
.../core/loader/modulescript/module_script_loader.cc | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
index 5b6548957fa..32e05d15ca4 100644
--- a/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
+++ b/chromium/third_party/blink/renderer/core/loader/modulescript/module_script_loader.cc
@@ -152,6 +152,26 @@ void ModuleScriptLoader::FetchInternal(
 fetch_client_settings_object->GetSecurityOrigin(),
 options_.CredentialsMode());

+ // If destination is "worker" or "sharedworker" and the
+ // top-level module fetch flag is set, then set request's mode to
+ // "same-origin".
+ //
+ // `kServiceWorker` is included here for consistency, while it isn't mentioned
+ // in the spec. This doesn't affect the behavior, because we already forbid
+ // redirects and cross-origin response URLs in other places.
+ if ((module_request.Destination() ==
+ WebURLRequest::kRequestContextWorker ||
+ module_request.Destination() ==
+ WebURLRequest::kRequestContextSharedWorker ||
+ module_request.Destination() ==
+ WebURLRequest::kRequestContextServiceWorker) &&
+ level == ModuleGraphLevel::kTopLevelModuleFetch) {
+ // This should be done after SetCrossOriginAccessControl() that sets the
+ // mode to kCors.
+ fetch_params.MutableResourceRequest().SetMode(
+ network::mojom::RequestMode::kSameOrigin);
+ }
+
 // Step 5. "... referrer is referrer, ..." [spec text]
 fetch_params.MutableResourceRequest().SetHTTPReferrer(
 module_request.GetReferrer());
--
cgit v1.2.1
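Review bot: The override to `kSameOrigin` at the end of the new `if` is only correct because it runs after SetCrossOriginAccessControl(), and nothing but the inline comment guards that order; FetchInternal continues outside this hunk, so whether a later statement touches the request mode again cannot be confirmed from here. Since this is the invariant the security fix rests on, it is worth restating at the point where the request is finally issued, e.g. `// Top-level worker module requests must still be kSameOrigin here; do not reset the mode after the override above.`, or backing it with a DCHECK on the request mode there. The `kServiceWorker` remark says redirects and cross-origin response URLs are forbidden "in other places" without naming them; naming the enforcing code in that comment would let an auditor verify the claim instead of trusting it. The diffstat lists only this one file, so the backport appears to carry no regression test for a top-level module worker URL that is cross-origin or redirects cross-origin.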