Google Git
Sign in
chromium / chromium / src / 0431b6bc6c9bf5624cccf1121285392b07b74ec6
commit0431b6bc6c9bf5624cccf1121285392b07b74ec6[log] [tgz]
authoralexmos <alexmos@chromium.org>Wed Mar 01 02:52:43 2017
committerCommit bot <commit-bot@chromium.org>Wed Mar 01 02:52:43 2017
treef9195e746e509e1e192558852cdaeaf0dbc573c8
parent3fc8c8329936a042def389cd18e95269dec21f21 [diff]
Fix cross-site subframe navigations that transfer back to original RFH.

This fixes a bug where if an OOPIF at site A navigates to site B which
redirects back to A, the navigation timed out because Transfer() was
never called on transfer_navigation_handle_, and the pending RFH for B
was never canceled.  This is because UpdateStateForNavigate returned
the current RFH early, due to checking CanSubframeSwapProcess before
reaching those steps.  Not calling Transfer() later led to the
transferred request being dropped in
ResourceDispatcherHostImpl::CompleteTransfer, due to not finding a
matching entry in pending_loaders_.  This CL fixes the
CanSubframeSwapProcess check to be performed after calling Transfer()
and canceling the pending RFH (if necessary).

This uncovered another complication, which is that while redirects
to data: and about: URLs are explicitly disallowed as unsafe (e.g.,
see DataProtocolHandler::IsSafeRedirectTarget), they are allowed when
an extension uses the webRequest API to redirect certain URLs.
One of the tests, ExtensionWebRequestApiTest.WebRequestDeclarative1,
was exercising this: it had a subframe which made a same-site request
that was redirected to data:,.  Previously, in --site-per-process, it
worked due to the ordering problem that this CL fixes: we first
decided to transfer the request (IsRendererTransferNeededForNavigation
returned true), then we returned the current RFH early due to
CanSubframeSwapProcess returning |false| before calling Transfer().
With the fixed ordering, we were now also calling Transfer(), as we
were expecting the data: request to be put into a new SiteInstance
which didn't match the current one, yet the request was never
transferred (we weren't spinning up a new pending RFH, and we weren't
sending a Navigate IPC to the current RFH due to the
is_transfer_to_same case in NavigateToEntry, so no one actually made a
request to the data: URL).

To address this, CanSubframeSwapProcess is changed to allow a process
swap for such transfers to data: and about:.  This changes behavior
where these redirects were previously kept in the original
SiteInstance, but this should be safer, and it should not break any
scripting relationships (the redirect URLs are provided by an
extension; the site that made the request that's being redirected
can't expect to script the redirect target).

BUG=681077,660407,659613
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2636193003
Cr-Commit-Position: refs/heads/master@{#453800}
3 files changed
tree: f9195e746e509e1e192558852cdaeaf0dbc573c8
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. blink/
  6. breakpad/
  7. build/
  8. build_overrides/
  9. cc/
  10. chrome/
  11. chrome_elf/
  12. chromecast/
  13. chromeos/
  14. cloud_print/
  15. components/
  16. content/
  17. courgette/
  18. crypto/
  19. dbus/
  20. device/
  21. docs/
  22. extensions/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. jingle/
  32. mash/
  33. media/
  34. mojo/
  35. native_client_sdk/
  36. net/
  37. pdf/
  38. ppapi/
  39. printing/
  40. remoting/
  41. rlz/
  42. sandbox/
  43. sdch/
  44. services/
  45. skia/
  46. sql/
  47. storage/
  48. styleguide/
  49. testing/
  50. third_party/
  51. tools/
  52. ui/
  53. url/
  54. .clang-format
  55. .git-blame-ignore-revs
  56. .gitattributes
  57. .gitignore
  58. .gn
  59. AUTHORS
  60. BUILD.gn
  61. CODE_OF_CONDUCT.md
  62. codereview.settings
  63. DEPS
  64. LICENSE
  65. LICENSE.chromium_os
  66. OWNERS
  67. PRESUBMIT.py
  68. PRESUBMIT_test.py
  69. PRESUBMIT_test_mocks.py
  70. WATCHLISTS