
Issue 837627 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 22
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Task

Blocking:
issue 805886




Figure out a way to properly handle a navigation violation reporting

Project Member Reported by andypaicu@chromium.org, Apr 27 2018

Issue description

In the current 'navigate-to' implementation, the RenderFrameHost that is used is the current one instead of the one that initiated the navigation.

This is a security risk as it will expose potentially critical information to the frame that is navigating, not the one that initiated the navigation and owns the CSP.

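The routing rule the report above describes, written out as an added model for this page (it is not Chromium's code and does not mirror its classes): a navigation is checked against the initiator document's 'navigate-to' source list, and the violation report, which carries the initiator's document URL, its policy and the blocked URL, is delivered to that initiator only, never to the document currently in the frame being navigated. The function names, documents and URLs are constructed; CSP parsing and source matching are a simplified subset of CSP3 (no path components), and the 'unsafe-allow-redirects' and form-action behaviour follow the CSP3 draft and the end-of-chain test names added in the commit below.

```javascript
// Added model (not Chromium code) of how a 'navigate-to' navigation is checked
// against the *initiator's* CSP and where the violation report is delivered.
// All function names, documents and URLs below are constructed for illustration.

// Return the source list of the navigate-to directive, or null if it is absent.
function parseNavigateTo(cspHeader) {
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'navigate-to') return tokens.slice(1);
  }
  return null;
}

function hasFormAction(cspHeader) {
  return cspHeader.split(';').some(d => d.trim().split(/\s+/)[0].toLowerCase() === 'form-action');
}

// Scheme matching with the http->https / ws->wss upgrade the spec permits.
function schemeOk(want, got) {
  return got === want || (want === 'http:' && got === 'https:') || (want === 'ws:' && got === 'wss:');
}

// Subset of CSP3 "Does url match expression in origin": 'self', scheme-sources and
// host-sources with optional scheme, "*." wildcard and port (paths are not modelled).
function matchesSource(url, expr, initiatorOrigin) {
  const u = new URL(url);
  const e = expr.toLowerCase();
  if (e === "'self'") return u.origin === initiatorOrigin;
  if (e.startsWith("'")) return false;                 // 'none', 'unsafe-allow-redirects', ...
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return schemeOk(e, u.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (!schemeOk(scheme ? scheme + ':' : new URL(initiatorOrigin).protocol, u.protocol)) return false;
  if (wildcard ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  if (port === undefined) return u.port === '';        // must be the scheme's default port
  return port === '*' || port === (u.port || { 'http:': '80', 'https:': '443' }[u.protocol]);
}

// CSP "strip URL for use in reports": non-HTTP(S) URLs reduce to their scheme,
// otherwise the fragment and credentials are removed (query string is kept).
function stripForReport(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return u.protocol.slice(0, -1);
  u.hash = ''; u.username = ''; u.password = '';
  return u.href;
}

function makeDocument(url, cspHeader) {
  return { url, origin: new URL(url).origin, csp: cspHeader, violations: [] };
}

// Check one navigation. `chain` is the URL the initiator requested followed by each
// redirect target. The policy consulted is the initiator's, and so is the document
// that receives the report: the frame being navigated may hold a cross-origin
// document that must not learn the initiator's policy, document URL or blocked URL.
function navigate(initiator, targetFrame, chain, navigationType) {
  const commit = () => {
    targetFrame.document = makeDocument(chain[chain.length - 1], '');
    return { allowed: true, report: null };
  };
  const sources = parseNavigateTo(initiator.csp);
  if (sources === null) return commit();
  // Form submissions are governed by form-action when that directive is present.
  if (navigationType === 'form-submission' && hasFormAction(initiator.csp)) return commit();
  // 'unsafe-allow-redirects': only the end of the redirect chain is checked.
  const endOnly = sources.some(s => s.toLowerCase() === "'unsafe-allow-redirects'");
  for (const url of endOnly ? chain.slice(-1) : chain) {
    if (!sources.some(s => matchesSource(url, s, initiator.origin))) {
      const report = {
        documentURI: initiator.url,
        violatedDirective: 'navigate-to',
        originalPolicy: initiator.csp,
        blockedURI: stripForReport(url),
      };
      initiator.violations.push(report);   // delivered to the policy owner only
      return { allowed: false, report };
    }
  }
  return commit();
}

// Constructed scenario in the shape of the bug: a parent with a navigate-to policy
// navigates a child frame that currently holds a cross-origin document.
function runScenario() {
  const parent = makeDocument('https://app.example/dashboard?acct=1234',
    "navigate-to 'self' https://partner.example 'unsafe-allow-redirects'");
  const child = { document: makeDocument('https://ads.example/frame', '') };
  // Chain ending on an allowed host: only the end is checked, so it is allowed.
  const allowed = navigate(parent, child,
    ['https://tracker.example/r', 'https://partner.example/landing'], 'other');
  // Chain ending on a forbidden host: blocked, and the report goes to `parent` only.
  const blocked = navigate(parent, child,
    ['https://app.example/go', 'https://evil.example/landing?state=s3cr3t#frag'], 'other');
  // Same policy without 'unsafe-allow-redirects': the intermediate hop is checked too.
  const strict = makeDocument('https://app.example/', "navigate-to 'self' https://partner.example");
  const blockedMidChain = navigate(strict, child,
    ['https://tracker.example/r', 'https://partner.example/landing'], 'other');
  return { parent, child, allowed, blocked, strict, blockedMidChain };
}
```

In the scenario, `child.document.violations` stays empty after the blocked navigation while `parent.violations` holds the report, which is the property the commit's added spv-only-sent-to-initiator.html web test checks in a real browser. The model leaves out path matching and the pre-redirect path rule, and it treats the 'unsafe-allow-redirects' keyword as "check the last URL of the chain only", matching the allowed-end-of-chain and blocked-end-of-chain test names.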
Project Member

Comment 1 by bugdroid1@chromium.org, Oct 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c93d30860caccb4c17b5bb0a897888575d06c9fd

commit c93d30860caccb4c17b5bb0a897888575d06c9fd
Author: Andy Paicu <andypaicu@chromium.org>
Date: Wed Oct 10 15:33:45 2018

"navigate-to" remaining work

This patch includes:
The security violation event and CSP report are now sent to the correct
document via an interface ptr sent through the common params
Added 'unsafe-allowed-redirects' keyword tests
Bundled all CSP info into one InitiatorCSPInfo struct
Modified existing tests to test the violation event as well

Bug:  837627 , 805886
Change-Id: I03124f29d4205ad4a5c2ac899b15f42e8e23659b
Reviewed-on: https://chromium-review.googlesource.com/c/1124476
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#598336}
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/components/printing/renderer/print_render_frame_helper.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/form_submission_throttle.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/form_submission_throttle.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/navigation_entry_impl.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/navigation_request.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/navigation_request.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/navigator.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/navigator.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/navigator_impl.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/navigator_impl.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/frame_host/render_frame_host_impl.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/initiator_csp_context.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/initiator_csp_context.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/browser/navigation_browsertest.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/content_security_policy.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/content_security_policy.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/content_security_policy_unittest.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/csp_context.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/csp_context.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/csp_source.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/csp_source.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/csp_source_list.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/content_security_policy/csp_source_list.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/frame.mojom
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/frame_messages.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/navigation_params.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/common/navigation_params.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/public/test/navigation_simulator.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/public/test/render_view_test.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/renderer/pepper/pepper_plugin_instance_impl.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/renderer/render_frame_impl.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/test/test_render_frame.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/content/test/test_render_frame_host.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/child-navigates-parent-allowed.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/child-navigates-parent-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-allows.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/form-action/form-action-allows-navigate-to-blocks.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-allows.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/form-action/form-action-blocks-navigate-to-blocks.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/form-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/form-cross-origin-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/form-redirected-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/href-location-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/href-location-cross-origin-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/href-location-redirected-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/link-click-allowed.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/link-click-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/link-click-cross-origin-allowed.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/link-click-cross-origin-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/link-click-redirected-allowed.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/link-click-redirected-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/meta-refresh-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/parent-navigates-child-allowed.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/parent-navigates-child-blocked.html
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/spv-only-sent-to-initiator.html
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/delayed_frame.py
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/href_location_navigation.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/link_click_navigation.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/redirect_to_post_message_to_frame_owner.py
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/spv-test-iframe1.sub.html.sub.headers
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/spv-test-iframe2.sub.html
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/support/spv-test-iframe3.sub.html
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain-because-of-same-origin.sub.html
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/unsafe-allow-redirects/allowed-end-of-chain.sub.html
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/unsafe-allow-redirects/blocked-end-of-chain.sub.html
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/public/mojom/BUILD.gn
[add] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/public/mojom/frame/navigation_initiator.mojom
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/public/platform/web_url_request.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/public/web/web_local_frame_client.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/dom/document.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/dom/document.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/exported/local_frame_client_impl.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/exported/local_frame_client_impl.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/exported/web_document_subresource_filter_test.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/exported/web_frame_test.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/frame/local_frame_client.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/loader/empty_clients.h
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/core/loader/frame_loader.cc
[modify] https://crrev.com/c93d30860caccb4c17b5bb0a897888575d06c9fd/third_party/blink/renderer/platform/exported/web_url_request.cc

Status: Fixed (was: Assigned)
