
Issue 850999

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocking:
issue 786673

Same-document navigations should not be allowed to commit a different origin and request policy

Project Member Reported by alex...@chromium.org, Jun 8 2018

Issue description

Filing this as a followup to issue 825677. Currently, NavigatorImpl::DidNavigate() is updating the current origin and insecure request policy to whatever the renderer sends for all navigations, including same-document navigations:

  frame_tree_node->SetCurrentOrigin(
      params.origin, params.has_potentially_trustworthy_unique_origin);
  frame_tree_node->SetInsecureRequestPolicy(params.insecure_request_policy);
  frame_tree_node->SetInsecureNavigationsSet(params.insecure_navigations_set);

However, same-document navigations shouldn't really be changing the origin or insecure request policy, so it would make sense to skip these calls for them, and/or ensure that the origin they send in DidCommit doesn't change. I ran a small investigation for that in https://chromium-review.googlesource.com/c/chromium/src/+/1081937/3, and discovered there are some corner cases that we'll need to deal with, including:
- unique origins
- if we add an iframe with src="about:blank#ref", the same-document navigation is the only commit this frame would see, and it should probably be allowed to set the inherited origin (which at that point had never been set on the FTN). (This came up in RenderFrameHostImplBrowserTest.InterfaceProviderRequestNotPresentForFirstRealLoadAfterAboutBlankWithRef.)

For the record, the list of potentially affected tests is:

content_browsertests:
RenderFrameHostManagerTest.ClearPendingWebUIOnCommit
SecurityExploitBrowserTest.PageStateToWrongEntry
RenderFrameHostImplBrowserTest.InterfaceProviderRequestNotPresentForFirstRealLoadAfterAboutBlankWithRef
NavigationControllerBrowserTest.BackAfterIframeDocumentWriteInDataURL
ContentBrowserTest.DataURLSameDocumentNavigation

content_unittests:
NavigationControllerTest.UnreachableURLGivesErrorPage
NavigationControllerTest.PushStateUpdatesTitleAndFavicon
NavigationControllerTest.SameDocument
NavigationControllerTest.SameDocument_Replace
NavigationControllerTest.ClientRedirectAfterSameDocumentNavigation
WebContentsImplTest.ResetJavaScriptDialogOnUserNavigate
NavigationControllerTest.PostThenReplaceStateThenReload

sync_integration_tests:
USS/SingleClientSessionsSyncTest.FragmentURLNavigation/1
USS/SingleClientSessionsSyncTest.FragmentURLNavigation/0

layout tests:
http/tests/navigation/pushstate-whitelisted-at-unique-origin-denied.php
virtual/stable/http/tests/navigation/pushstate-whitelisted-at-unique-origin-denied.php
http/tests/navigation/anchor-frames-shifting-focus.html
virtual/stable/http/tests/navigation/pushstate-at-unique-origin-denied.php
virtual/stable/http/tests/navigation/anchor-frames-shifting-focus.html
http/tests/navigation/pushstate-at-unique-origin-denied.php

This might be good to address as part of our work on site isolation enforcements.
Summary: Same-document navigations should not be allowed to commit a different origin and request policy (was: Same-document navigations should now be allowed to commit a different origin and request policy)
Blocking: 786673
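
The browser-side check the report asks for, as an added sketch that is not Chromium's code: refuse to let a same-document commit change a frame's origin or insecure request policy, while handling the two corner cases named in the description (unique origins, and the about:blank#ref iframe whose only commit is same-document). The Origin, FrameTreeNodeState and DidCommitParams structs and the DecideCommit function are stand-ins constructed for this example; the real NavigatorImpl::DidNavigate() path is not reproduced.

```cpp
#include <string>

// Stand-ins for browser-side frame state and the renderer's DidCommit params.
// Constructed for this example; not Chromium's FrameTreeNode or params types.
struct Origin {
  bool opaque = false;     // a "unique" origin (sandboxed frame, data: URL, ...)
  std::string serialized;  // e.g. "https://a.test"; empty when opaque
  bool operator==(const Origin& o) const {
    return opaque == o.opaque && serialized == o.serialized;
  }
};

struct FrameTreeNodeState {
  bool origin_set = false;  // false until the frame's first commit
  Origin current_origin;
  int insecure_request_policy = 0;
};

struct DidCommitParams {
  bool is_same_document = false;
  Origin origin;
  int insecure_request_policy = 0;
};

// kApply:  update the node from params (cross-document, or a frame's first commit).
// kSkip:   same-document commit with unchanged values; leave the node untouched.
// kReject: same-document commit tries to change origin or policy; distrust it.
enum class CommitDecision { kApply, kSkip, kReject };

CommitDecision DecideCommit(const FrameTreeNodeState& node,
                            const DidCommitParams& params) {
  if (!params.is_same_document)
    return CommitDecision::kApply;
  // Corner case from the report: an iframe with src="about:blank#ref" sees the
  // same-document navigation as its only commit, so it must still be allowed to
  // set the inherited origin that was never set on the node.
  if (!node.origin_set)
    return CommitDecision::kApply;
  // Corner case: unique (opaque) origins have no stable serialization to
  // compare across commits, so only require that the frame stays opaque.
  if (node.current_origin.opaque)
    return params.origin.opaque ? CommitDecision::kSkip : CommitDecision::kReject;
  // Normal case: a fragment/pushState commit must not move origin or policy.
  if (params.origin == node.current_origin &&
      params.insecure_request_policy == node.insecure_request_policy)
    return CommitDecision::kSkip;
  return CommitDecision::kReject;
}
```

A kReject result is where the browser process would stop trusting the renderer's values (and, under site isolation enforcement, treat the commit as a bad message) instead of calling SetCurrentOrigin() and SetInsecureRequestPolicy() with them.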