
Issue 670219

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




Upgrade-insecure-request: URL is compared against the wrong frame's origin set.

Project Member Reported by arthurso...@chromium.org, Dec 1 2016

Issue description

As defined in the specification:
https://www.w3.org/TR/upgrade-insecure-requests/#algorithms

When the top-frame is asked to navigate to a new URL (by another frame),
the URL's origin is compared against an "upgrade insecure navigations set".
The problem is that we are currently comparing against the set of the frame that
is asked to navigate instead of the frame that asked for the navigation.

The top-frame's set is empty or contains only its current origin. Child frames' sets
are bigger and contain the top-frame's set.
The concrete result is that some URLs are not upgraded, while they should be.

A set of tests has been made there:
https://codereview.chromium.org/2538143004
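
An added sketch of the comparison described in this report (not Chromium's code and not part of the original issue), showing which navigations lose their upgrade when the navigated frame's set is consulted instead of the initiator's. The `Frame` model, the function names, the `.example` hosts and the choice to key each set by hostname are all assumptions made for illustration.

```javascript
// Constructed model of the check in this report; not Chromium code.
// Assumption: each set holds hostnames, and a child frame's set is its
// parent's set plus the hosts the child adds itself.
class Frame {
  constructor(name, parent, ownHosts) {
    this.name = name;
    this.upgradeSet = new Set([...(parent ? parent.upgradeSet : []), ...ownHosts]);
  }
}

// Rewrite http: to https: only when the destination host is in `set`.
function upgradeIfListed(rawUrl, set) {
  const url = new URL(rawUrl);
  if (url.protocol === 'http:' && set.has(url.hostname)) url.protocol = 'https:';
  return url.href;
}

// Reported behaviour: consult the set of the frame being navigated.
const navigateBuggy = (initiator, target, rawUrl) =>
  upgradeIfListed(rawUrl, target.upgradeSet);

// Fixed behaviour: consult the set of the frame that initiated the navigation.
const navigateFixed = (initiator, target, rawUrl) =>
  upgradeIfListed(rawUrl, initiator.upgradeSet);

// Regression-style check: list navigations the buggy lookup leaves on http
// although the initiator's set requires an upgrade.
function findMissedUpgrades(navigations) {
  return navigations
    .map(([initiator, target, rawUrl]) => ({
      initiator: initiator.name,
      target: target.name,
      buggy: navigateBuggy(initiator, target, rawUrl),
      fixed: navigateFixed(initiator, target, rawUrl),
    }))
    .filter((r) => r.buggy !== r.fixed);
}

// Constructed frames: the top frame has an empty set, the child added its host.
const topFrame = new Frame('top', null, []);
const childFrame = new Frame('child', topFrame, ['child.example']);
const missed = findMissedUpgrades([
  [childFrame, topFrame, 'http://child.example/landing'], // child navigates top
  [topFrame, topFrame, 'http://child.example/landing'],   // top navigates itself
  [childFrame, topFrame, 'http://other.example/'],        // host in neither set
]);
console.log(missed);
```

Only the child-initiated navigation of the top frame is reported, which matches the case the issue describes: the two lookups disagree exactly when the initiator's set is larger than the target's.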
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jan 17 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4b62a5cb43c43dcc9a76d8aa2409c1467513412d

commit 4b62a5cb43c43dcc9a76d8aa2409c1467513412d
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Wed Jan 17 14:14:26 2018

Upgrade Insecure Requests: OOPIF support, bugfixes & tests.

This CL fixes several bugs with Upgrade Insecure Requests. The main one
is that URLs were compared against the 'upgrade insecure navigation set'
of the frame that is navigating instead of the frame that has initiated
the navigation.

It fixes bug 796538.
8 new tests are added to ensure regressions won't happen anymore.

Finally, it adds the support for OOPIF. The 'upgrade insecure
navigations set' is now replicated across the different processes.

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

BUG=670219, 796538

Change-Id: I1d138989a1873cd902435de25845ae660769ff98
Reviewed-on: https://chromium-review.googlesource.com/848836
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529732}
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/browser/frame_host/frame_tree_node.cc
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/browser/frame_host/frame_tree_node.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/browser/frame_host/navigator_impl.cc
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/browser/frame_host/render_frame_host_manager.cc
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/browser/frame_host/render_frame_host_manager.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/common/frame.mojom
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/common/frame_messages.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/common/frame_replication_state.cc
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/common/frame_replication_state.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/renderer/render_frame_impl.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/renderer/render_frame_proxy.cc
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/renderer/render_frame_proxy.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/content/test/test_render_frame.cc
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade.sub.https.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/basic-link-no-upgrade.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/basic-link-no-upgrade.sub.html.headers
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/basic-link-upgrade.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/basic-link-upgrade.sub.html.headers
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-link-upgrade.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-link-upgrade.sub.html.headers
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-no-upgrade-1.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-no-upgrade-1.sub.html.headers
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-no-upgrade-2.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-upgrade-1.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-upgrade-1.sub.html.headers
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-upgrade-2.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-upgrade-2.sub.html.headers
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/iframe-top-navigation-upgrade-meta.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/resources/click-on-link.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/resources/dummy.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/resources/navigate-top-frame-upgrade.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/resources/navigate-top-frame-upgrade.sub.html.headers
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/resources/navigate-top-frame.sub.html
[add] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/LayoutTests/external/wpt/upgrade-insecure-requests/link-upgrade/resources/post-message-to-opener.sub.html
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/dom/SecurityContext.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/dom/SecurityContext.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/exported/LocalFrameClientImpl.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/exported/WebFrame.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/exported/WebRemoteFrameImpl.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/exported/WebRemoteFrameImpl.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/frame/LocalFrameClient.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/frame/RemoteFrame.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/loader/FrameFetchContextTest.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/loader/FrameLoader.cpp
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/Source/core/loader/FrameLoader.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/public/web/WebFrame.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/public/web/WebFrameClient.h
[modify] https://crrev.com/4b62a5cb43c43dcc9a76d8aa2409c1467513412d/third_party/WebKit/public/web/WebRemoteFrame.h
