Google Git
Sign in
chromium / chromium / src / 4cf1e7bf7a79dcd98967ffe8db93490614a8d4b2
commit4cf1e7bf7a79dcd98967ffe8db93490614a8d4b2[log] [tgz]
authorcreis <creis@chromium.org>Thu Oct 06 23:33:56 2016
committerCommit bot <commit-bot@chromium.org>Thu Oct 06 23:37:09 2016
tree687281910c60158fe0e93f1d8ee66280cf77a642
parent21782b2a5046f0ae1394c7552354cee5bd2c1c2d [diff]
Merges six security fixes to M54, related to blobs.

Merge patch created pair programming style with creis@ and nick@.
Several manual fixups were required to get the tests passing on M54.

BUG=644966,646278,652784
TEST=Manual testing included:
 - Verifying exploit steps w/ chrome w/ --isolate-extensions
 - content_browsertests and content_unittests
 - The following browser_tests subsets, both w/ and w/o --isolate-extensions:
   *ProcessManager*
   *Grants*
   *Exploit*
   *TouchFocuses*
NOPRESUBMIT=true
NOTRY=true
TBR=nick@chromium.org

The following six fixes are included in this diff:

1. https://codereview.chromium.org/2322673005:
  > Fix process transfers for blob urls of sites requiring dedicated processes
  >
  > RenderFrameHostManager::IsRendererTransferNeededForNavigation had a bug
  > where it passed an effective url, instead of an effective SITE url, to
  > a function that was expecting the latter.
  >
  > Add a test that exercises this case. Add a CHECK to content shell browser
  > client to verify that we're actually getting site urls all the time.
  >
  > Committed: https://crrev.com/db193a1b105de523fd0bb089c9769a71ed287d9e
  > Cr-Commit-Position: refs/heads/master@{#417752}

2. https://codereview.chromium.org/2331063002:
  > Fix IsolateIcelandFrameTreeBrowserTest.ProcessSwitchForIsolatedBlob so
  > that it's not flaky under --site-per-process.
  >
  > Committed: https://crrev.com/07fd7e19e0095aeb30bd2c99109d083bb67732cb
  > Cr-Commit-Position: refs/heads/master@{#417987}

3. https://codereview.chromium.org/2365433002:
  > (re-land) Disallow navigations to blob URLs with non-canonical origins.
  >
  > Re-landing this with a fix for xhr-to-blob-in-isolated-world.html
  >
  > Review-Url: https://codereview.chromium.org/2365433002
  > Cr-Commit-Position: refs/heads/master@{#420436}

4. https://codereview.chromium.org/2332263002
   [partial merge, just for the helper function it added, used by later CLs]
  > Updated suborigin serialization to latest spec proposal
  >
  > This modifiest the serialization format of suborigins so they are now
  > represented in the form https-so://suboriginname.host.name (or,
  > alternatively, with the scheme http-so). This change removes collisions
  > with potentially valid URLs that were being deserialized as suborigins.
  >
  > Additionally, this adds suborigins back as an experimental web platform
  > feature rather than a testing feature.
  >
  > Review-Url: https://codereview.chromium.org/2332263002
  > Cr-Commit-Position: refs/heads/master@{#420828}
  > CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

5. https://codereview.chromium.org/2364633004:
  > Update ChildProcessSecurityPolicy so that the chrome-extension:// scheme
  > is considered "web safe" to be requestable from any process, but only
  > "web safe" to commit in extension processes.
  >
  > In ChildProcessSecurityPolicy::CanRequestURL and CanCommitURL, when
  > seeing blob and filesystem urls, make a security decision based
  > on the inner origin rather than the scheme.
  >
  > When the extensions ProcessManager (via ExtensionWebContentsObserver)
  > notices a RenderFrame being created in an extension SiteInstance,
  > grant that process permission to commit chrome-extension:// URLs.
  >
  > In BlobDispatcherHost, only allow creation of blob URLs from processes
  > that would be able to commit them.
  >
  > Add a security exploit browsertest that verifies the above mechanisms
  > working together.
  >
  > Committed: https://crrev.com/a411fd062bc68fc2b5fc3aca7e4cbb8e4a3e074e
  > Committed: https://crrev.com/2a8ba8c4c186e5ea0a2ed938cc5d41441af64228
  > Cr-Original-Commit-Position: refs/heads/master@{#421964}
  > Cr-Commit-Position: refs/heads/master@{#422474}

6. https://codereview.chromium.org/2396533003:
  > Allow <webview> to access URLs in the origin of the app embedding it.
  >
  > With r422474 creation of blob: URLs with origin of a chrome-extension://
  > was locked down. However, the case of a <webview> loading an
  > accessible_resource from its embedder and creating a blob: is disallowed.
  > This CL adds permission for <webview> to create such URLs in the origin
  > of its embedder.
  >
  > This CL is based on work by nick@chromium.org.
  >
  > Committed: https://crrev.com/5edda59b0b1cb8fff058b47567ac32e58be5168a
  > Cr-Commit-Position: refs/heads/master@{#422976}
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2399853003
Cr-Commit-Position: refs/branch-heads/2840@{#672}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}
28 files changed
tree: 687281910c60158fe0e93f1d8ee66280cf77a642
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. blimp/
  6. blink/
  7. breakpad/
  8. build/
  9. build_overrides/
  10. cc/
  11. chrome/
  12. chrome_elf/
  13. chromecast/
  14. chromeos/
  15. components/
  16. content/
  17. courgette/
  18. crypto/
  19. dbus/
  20. device/
  21. docs/
  22. extensions/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. jingle/
  32. mash/
  33. media/
  34. mojo/
  35. native_client_sdk/
  36. net/
  37. pdf/
  38. ppapi/
  39. printing/
  40. remoting/
  41. rlz/
  42. sandbox/
  43. sdch/
  44. services/
  45. skia/
  46. sql/
  47. storage/
  48. styleguide/
  49. testing/
  50. third_party/
  51. tools/
  52. ui/
  53. url/
  54. .clang-format
  55. .git-blame-ignore-revs
  56. .gitattributes
  57. .gitignore
  58. .gn
  59. AUTHORS
  60. BUILD.gn
  61. CODE_OF_CONDUCT.md
  62. codereview.settings
  63. DEPS
  64. LICENSE
  65. LICENSE.chromium_os
  66. OWNERS
  67. PRESUBMIT.py
  68. PRESUBMIT_test.py
  69. PRESUBMIT_test_mocks.py
  70. WATCHLISTS