New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 899788 link

Starred by 2 users
Status: Available
Owner: ----
Cc:
creis@chromium.org
alex...@chromium.org
nasko@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 3
Type: Bug



Sign in to add a comment

Improve RenderProcessHost::FilterURL

Project Member Reported by nasko@chromium.org, Oct 29 
Currently, the implementation of RenderProcessHost::FilterURL rewrites any incoming URL that is not valid for the process into "about:blank". This was chosen as we cannot completely ignore IPC messages in the case of invalid URLs, so rewriting using something that should be "safe" was implemented.
This rewriting logic, however, makes it a bit harder to diagnose failures and determine whether about:blank commits for example were result of failure detected in FilterURL or just a regular about:blank navigation. Since the latter has numerous edge cases and implies lots of special handling, it will be useful to distinguish somehow failures from successes.

In general, when we block content from loading, such as failing CSP check or XFO check, we replace the URL with "data:," which is an opaque origin, so it is inaccessible from other documents. We should try to do the same with FilterURL, as there isn't as much special casing for data: URLs as there are for about:blank.

We can also do an incremental first step of appending a reference fragment to the about:blank URL generated by FilterURL, so it can be diagnosed more easily in bug and crash reports.
Project Member

Comment 1 by bugdroid1@chromium.org, Oct 29 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/413468f8e2196ea59444399c517a3a6b72fa86c3

commit 413468f8e2196ea59444399c517a3a6b72fa86c3
Author: Nasko Oskov <nasko@chromium.org>
Date: Mon Oct 29 23:22:01 2018

Add #blocked suffix to about:blank URLs output from FilterURL.

RenderProcessHost::FilterURL performs some security checks whether the
URL coming from the renderer process is a valid one. In some cases it
rewrites the URL to about:blank to avoid committing URL that is not
valid for the renderer process.

This CL adds a #blocked reference fragment to the URL, so it is easier
to spot when this logic has taken effect and distinguish it from regular
navigations to about:blank URLs.

Bug: 866549, 899788
Change-Id: I35052fdec361e18fb081bcae4a19b3bf697d46a7
Reviewed-on: https://chromium-review.googlesource.com/c/1300395
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Tommy Li <tommycli@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#603683}
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/chrome/browser/browser_about_handler.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/chrome/browser/pdf/pdf_extension_test.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/chrome/browser/ui/blocked_content/popup_blocker_browsertest.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/components/url_formatter/url_fixer.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/components/url_formatter/url_fixer_unittest.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/browser/blob_storage/blob_url_browsertest.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/browser/download/download_browsertest.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/browser/renderer_host/render_process_host_impl.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/browser/renderer_host/render_view_host_unittest.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/browser/security_exploit_browsertest.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/browser/web_contents/web_contents_impl_unittest.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/public/common/url_constants.cc
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/content/public/common/url_constants.h
[modify] https://crrev.com/413468f8e2196ea59444399c517a3a6b72fa86c3/headless/lib/headless_web_contents_browsertest.cc

Comment 2 by nasko@chromium.org, Nov 2

Cc: nasko@chromium.org
Owner: ----
Status: Available (was: Started)
I will not be working on moving FilterURL to some form of data: URL, so assigning myself.

Sign in to add a comment