authorJack Hsieh <chengweih@chromium.org>2023-03-03 00:35:32 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-05-15 11:17:07 +0000
commit45fa9235287e5c76cf56c799a388c147044099cd (patch)
treeaeace1c58c2321c372c00188b50ef0eea8857215
parent5c47db3ec605b98bb8609eec42ee6c95d4b435fb (diff)
downloadqtwebengine-chromium-45fa9235287e5c76cf56c799a388c147044099cd.tar.gz
[Backport] CVE-2023-2462: Inappropriate implementation in Prompts (3/10)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4112689: Reject Web Serial requests with an opaque origin The Web Serial API tracks permissions using the origin of the top-level document in the frame tree. If this document has an opaque origin then there is no way to format the origin for display to the user in permission prompts or to write their decision in the preferences file. Access to the Web Serial API from such contexts should therefore be blocked. Bug: 1375133 Change-Id: I4552ae74d480aa8df9ff93527fc85618bc03b947 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4112689 Reviewed-by: Reilly Grant <reillyg@chromium.org> Cr-Commit-Position: refs/heads/main@{#1112561} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476756 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/serial/serial.cc68
1 files changed, 47 insertions, 21 deletions
diff --git a/chromium/third_party/blink/renderer/modules/serial/serial.cc b/chromium/third_party/blink/renderer/modules/serial/serial.cc
index 42aa725be84..a6209a07ad3 100644
--- a/chromium/third_party/blink/renderer/modules/serial/serial.cc
+++ b/chromium/third_party/blink/renderer/modules/serial/serial.cc
@@ -21,6 +21,7 @@
#include "third_party/blink/renderer/core/execution_context/navigator_base.h"
#include "third_party/blink/renderer/core/frame/local_dom_window.h"
#include "third_party/blink/renderer/core/frame/local_frame.h"
+#include "third_party/blink/renderer/core/workers/worker_global_scope.h"
#include "third_party/blink/renderer/modules/event_target_modules_names.h"
#include "third_party/blink/renderer/modules/serial/serial_port.h"
#include "third_party/blink/renderer/platform/heap/garbage_collected.h"
@@ -41,6 +42,48 @@ String TokenToString(const base::UnguessableToken& token) {
token.GetLowForSerialization());
}
+// Carries out basic checks for the web-exposed APIs, to make sure the minimum
+// requirements for them to be served are met. Returns true if any conditions
+// fail to be met, generating an appropriate exception as well. Otherwise,
+// returns false to indicate the call should be allowed.
+bool ShouldBlockSerialServiceCall(LocalDOMWindow* window,
+ ExecutionContext* context,
+ ExceptionState& exception_state) {
+ if (!context) {
+ exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError,
+ kContextGone);
+ return true;
+ }
+
+ // Rejects if the top-level frame has an opaque origin.
+ const SecurityOrigin* security_origin = nullptr;
+ if (context->IsWindow()) {
+ security_origin =
+ window->GetFrame()->Top()->GetSecurityContext()->GetSecurityOrigin();
+ } else if (context->IsDedicatedWorkerGlobalScope()) {
+ security_origin = static_cast<WorkerGlobalScope*>(context)
+ ->top_level_frame_security_origin();
+ } else {
+ NOTREACHED();
+ }
+
+ if (security_origin->IsOpaque()) {
+ exception_state.ThrowSecurityError(
+ "Access to the Web Serial API is denied from contexts where the "
+ "top-level document has an opaque origin.");
+ return true;
+ }
+
+ if (!context->IsFeatureEnabled(
+ mojom::blink::PermissionsPolicyFeature::kSerial,
+ ReportOptions::kReportOnFailure)) {
+ exception_state.ThrowSecurityError(kFeaturePolicyBlocked);
+ return true;
+ }
+
+ return false;
+}
+
} // namespace
const char Serial::kSupplementName[] = "Serial";
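Review bot: The `else` branch ending in `NOTREACHED();` leaves `security_origin` as `nullptr`, and the next statement calls `security_origin->IsOpaque()` unconditionally. In builds where `NOTREACHED()` does not terminate, a context that is neither a window nor a dedicated worker would hit a null dereference instead of being rejected. Because this helper is the gate for a permission-bearing API, it should fail closed: `if (!security_origin || security_origin->IsOpaque()) {`. The same guard covers `top_level_frame_security_origin()` returning null, which this hunk cannot rule out. The `IsWindow()` branch also dereferences `window` and `window->GetFrame()` without a check, so a one-line comment stating that `window` must be the live window belonging to `context` would document the precondition for future callers.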
@@ -85,17 +128,8 @@ void Serial::OnPortRemoved(mojom::blink::SerialPortInfoPtr port_info) {
ScriptPromise Serial::getPorts(ScriptState* script_state,
ExceptionState& exception_state) {
- auto* context = GetExecutionContext();
- if (!context) {
- exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError,
- kContextGone);
- return ScriptPromise();
- }
-
- if (!context->IsFeatureEnabled(
- mojom::blink::PermissionsPolicyFeature::kSerial,
- ReportOptions::kReportOnFailure)) {
- exception_state.ThrowSecurityError(kFeaturePolicyBlocked);
+ if (ShouldBlockSerialServiceCall(GetSupplementable()->DomWindow(),
+ GetExecutionContext(), exception_state)) {
return ScriptPromise();
}
@@ -112,16 +146,8 @@ ScriptPromise Serial::getPorts(ScriptState* script_state,
ScriptPromise Serial::requestPort(ScriptState* script_state,
const SerialPortRequestOptions* options,
ExceptionState& exception_state) {
- if (!DomWindow()) {
- exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError,
- kContextGone);
- return ScriptPromise();
- }
-
- if (!GetExecutionContext()->IsFeatureEnabled(
- mojom::blink::PermissionsPolicyFeature::kSerial,
- ReportOptions::kReportOnFailure)) {
- exception_state.ThrowSecurityError(kFeaturePolicyBlocked);
+ if (ShouldBlockSerialServiceCall(GetSupplementable()->DomWindow(),
+ GetExecutionContext(), exception_state)) {
return ScriptPromise();
}