authorSina Firoozabadi <sinafirooz@google.com>2023-01-25 22:32:26 +0000
committerMichael Brüning <michael.bruning@qt.io>2023-05-15 11:16:59 +0000
commit5c47db3ec605b98bb8609eec42ee6c95d4b435fb (patch)
tree1091698f459cb68f63b0e44dec72d560ef67c5aa
parent8c3bbeb42f76c6227e04ae662f3d3edf971b3e90 (diff)
downloadqtwebengine-chromium-5c47db3ec605b98bb8609eec42ee6c95d4b435fb.tar.gz
[Backport] CVE-2023-2462: Inappropriate implementation in Prompts (2/10)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4133535: Reject Web HID requests with an opaque origin The Web HID API tracks permissions using the origin of the top-level document in the frame tree. If this document has an opaque origin then there is no way to format the origin for display to the user in permission prompts or to write their decision in the preferences file. Access to the Web HID API from such contexts should therefore be blocked. Bug: 1375133 Change-Id: I7992b2886e882bbbb097b0460114f0a02a02e34f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4133535 Reviewed-by: Reilly Grant <reillyg@chromium.org> Commit-Queue: Sina Firoozabadi <sinafirooz@chromium.org> Cr-Commit-Position: refs/heads/main@{#1097051} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476755 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/modules/hid/hid.cc27
1 files changed, 23 insertions, 4 deletions
diff --git a/chromium/third_party/blink/renderer/modules/hid/hid.cc b/chromium/third_party/blink/renderer/modules/hid/hid.cc
index 2239682bf50..92543c029fd 100644
--- a/chromium/third_party/blink/renderer/modules/hid/hid.cc
+++ b/chromium/third_party/blink/renderer/modules/hid/hid.cc
@@ -35,11 +35,28 @@ const char kFeaturePolicyBlocked[] =
// requirements for them to be served are met. Returns true if any conditions
// fail to be met, generating an appropriate exception as well. Otherwise,
// returns false to indicate the call should be allowed.
-bool ShouldBlockHidServiceCall(ExecutionContext* context,
+bool ShouldBlockHidServiceCall(LocalDOMWindow* window,
+ ExecutionContext* context,
ExceptionState& exception_state) {
if (!context) {
exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError,
kContextGone);
+ return true;
+ }
+
+ // The security origin must match the one checked by the browser process.
+ // Service Workers do not use delegated permissions so we use their security
+ // origin directly.
+ DCHECK(context->IsWindow() || context->IsServiceWorkerGlobalScope());
+ auto* security_origin =
+ window
+ ? window->GetFrame()->Top()->GetSecurityContext()->GetSecurityOrigin()
+ : context->GetSecurityOrigin();
+
+ if (security_origin->IsOpaque()) {
+ exception_state.ThrowSecurityError(
+ "Access to the WebHID API is denied from contexts where the top-level "
+ "document has an opaque origin.");
} else if (!context->IsFeatureEnabled(
mojom::blink::PermissionsPolicyFeature::kHid,
ReportOptions::kReportOnFailure)) {
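Review bot: The added top-frame origin lookup `window->GetFrame()->Top()->GetSecurityContext()->GetSecurityOrigin()` dereferences `GetFrame()` with no null check, and a LocalDOMWindow's frame pointer is null once the frame has been detached; the code appears to rely on the preceding `if (!context) { ... return true; }` to exclude that state, which holds only if HID's GetExecutionContext() is cleared at the same moment the frame detaches (the kContextGone handling suggests so, but it is not visible in this hunk). That ordering dependency should be made explicit so a later reorder cannot reintroduce a null dereference, e.g. add `// |context| is non-null above, so the window's frame is still attached.` followed by `DCHECK(window->GetFrame());` immediately before the lookup. Separately, this is a renderer-side check that a compromised renderer can skip, so the browser-process HID service must reject opaque top-level origins independently — presumably covered by another patch in this 10-part series, but worth confirming rather than assuming. The enclosing function continues past the end of the hunk.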
@@ -145,7 +162,8 @@ void HID::DeviceChanged(device::mojom::blink::HidDeviceInfoPtr device_info) {
ScriptPromise HID::getDevices(ScriptState* script_state,
ExceptionState& exception_state) {
- if (ShouldBlockHidServiceCall(GetExecutionContext(), exception_state)) {
+ if (ShouldBlockHidServiceCall(GetSupplementable()->DomWindow(),
+ GetExecutionContext(), exception_state)) {
return ScriptPromise();
}
@@ -163,14 +181,15 @@ ScriptPromise HID::requestDevice(ScriptState* script_state,
ExceptionState& exception_state) {
// requestDevice requires a window to satisfy the user activation requirement
// and to show a chooser dialog.
- const auto* window = GetSupplementable()->DomWindow();
+ auto* window = GetSupplementable()->DomWindow();
if (!window) {
exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError,
kContextGone);
return ScriptPromise();
}
- if (ShouldBlockHidServiceCall(GetExecutionContext(), exception_state)) {
+ if (ShouldBlockHidServiceCall(window, GetExecutionContext(),
+ exception_state)) {
return ScriptPromise();
}