authorSina Firoozabadi <sinafirooz@google.com>2023-03-08 02:29:36 +0000
committerMichael Brüning <michael.bruning@qt.io>2023-05-15 11:35:20 +0000
commit21de567539039a1926389eaf3bcda55e34855587 (patch)
tree3583034be00e48bd8ee996813b49a28e70584ceb
parent8b5a3aefa3110817e6e94647df785fb3de7eaf23 (diff)
[Backport] CVE-2023-2462: Inappropriate implementation in Prompts (6/10)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4114125: Drop Web Bluetooth mojoms from a renderer process of an opaque origin The Web Bluetooth API tracks permissions using the origin of the top-level document in the frame tree. If a document has an opaque origin then the requests to access Web Bluetooth get rejected on renderer side. To add a second layer of security in case of the renderer process being compromised, responding to the Web Bluetooth mojoms from such renderer process should be avoided. Disable-Rts: True Bug: 1375133 Change-Id: Icbc6da4127e9c10f659d43e64cd5d7d1e207d02f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4114125 Reviewed-by: Reilly Grant <reillyg@chromium.org> Commit-Queue: Sina Firoozabadi <sinafirooz@chromium.org> Cr-Commit-Position: refs/heads/main@{#1114352} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476759 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/bluetooth/web_bluetooth_service_impl.cc10
-rw-r--r--chromium/content/browser/bluetooth/web_bluetooth_service_impl.h2
2 files changed, 10 insertions, 2 deletions
diff --git a/chromium/content/browser/bluetooth/web_bluetooth_service_impl.cc b/chromium/content/browser/bluetooth/web_bluetooth_service_impl.cc
index b26cdf38400..edb28b7b3e7 100644
--- a/chromium/content/browser/bluetooth/web_bluetooth_service_impl.cc
+++ b/chromium/content/browser/bluetooth/web_bluetooth_service_impl.cc
@@ -84,7 +84,7 @@ constexpr char kScanClientNameRequestLeScan[] = "Web Bluetooth requestLeScan()";
// The renderer performs its own checks so a request that gets to the browser
// process indicates some failure to check for fenced frames.
const char kFencedFrameError[] =
- "Use Web Bluetooth API is blocked in a fenced frame tree.";
+ "Use of Web Bluetooth API is blocked in a <fencedframe> tree.";
blink::mojom::WebBluetoothResult TranslateGATTErrorAndRecord(
GattErrorCode error_code,
@@ -529,6 +529,14 @@ WebBluetoothServiceImpl* WebBluetoothServiceImpl::Create(
return nullptr;
}
+ if (render_frame_host->GetOutermostMainFrame()
+ ->GetLastCommittedOrigin()
+ .opaque()) {
+ mojo::ReportBadMessage(
+ "Web Bluetooth is not allowed from an opaque origin.");
+ return nullptr;
+ }
+
return new WebBluetoothServiceImpl(*render_frame_host, std::move(receiver));
}
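Review bot: The new opaque-origin guard in Create carries no comment explaining why a request reaching the browser from an opaque origin is treated as a bad message, whereas the neighbouring fenced-frame check (kFencedFrameError in the first hunk) documents exactly that reasoning. I would add above the `if`: `// The renderer already rejects Web Bluetooth requests from documents whose top-level origin is opaque, so one reaching the browser indicates a compromised renderer; refuse to bind rather than serve it.` The guard reads the outermost main frame's last committed origin, which matches the origin the commit message says permissions are tracked by; whether a later navigation of that frame can change the origin while this service instance stays alive is not visible here and is worth confirming against the service's lifetime. `mojo::ReportBadMessage` must run inside an active message dispatch context; the `return nullptr;` just above suggests the existing code already follows this pattern, but that caller is not shown in the hunk. Create begins outside the hunk.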
diff --git a/chromium/content/browser/bluetooth/web_bluetooth_service_impl.h b/chromium/content/browser/bluetooth/web_bluetooth_service_impl.h
index 8cbb9ac0bf9..9d6a90d1c3c 100644
--- a/chromium/content/browser/bluetooth/web_bluetooth_service_impl.h
+++ b/chromium/content/browser/bluetooth/web_bluetooth_service_impl.h
@@ -57,7 +57,7 @@ bool HasValidFilter(
std::vector<blink::mojom::WebBluetoothLeScanFilterPtr>>& filters);
// Implementation of Mojo WebBluetoothService located in
-// third_party/WebKit/public/platform/modules/bluetooth.
+// third_party/blink/renderer/modules/bluetooth.
// It handles Web Bluetooth API requests coming from Blink / renderer
// process and uses the platform abstraction of device/bluetooth.
// WebBluetoothServiceImpl is not thread-safe and should be created on the