[Backport] CVE-2023-2462: Inappropriate implementation in Prompts (2/10)

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4133535:
Reject Web HID requests with an opaque origin

The Web HID API tracks permissions using the origin of the top-level document in the frame tree. If this document has an opaque origin then there is no way to format the origin for display to the user in permission prompts or to write their decision in the preferences file.

Access to the Web HID API from such contexts should therefore be blocked.

Bug: 1375133
Change-Id: I7992b2886e882bbbb097b0460114f0a02a02e34f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4133535
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Commit-Queue: Sina Firoozabadi <sinafirooz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1097051}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476755
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

1 files changed, 23 insertions, 4 deletions

diff --git a/chromium/third_party/blink/renderer/modules/hid/hid.cc b/chromium/third_party/blink/renderer/modules/hid/hid.cc
index 2239682bf50..92543c029fd 100644
--- a/chromium/third_party/blink/renderer/modules/hid/hid.cc
+++ b/chromium/third_party/blink/renderer/modules/hid/hid.cc
@@ -35,11 +35,28 @@ const char kFeaturePolicyBlocked[] =
 // requirements for them to be served are met. Returns true if any conditions
 // fail to be met, generating an appropriate exception as well. Otherwise,
 // returns false to indicate the call should be allowed.
-bool ShouldBlockHidServiceCall(ExecutionContext* context,
+bool ShouldBlockHidServiceCall(LocalDOMWindow* window,
+                               ExecutionContext* context,
                                ExceptionState& exception_state) {
   if (!context) {
     exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError,
                                       kContextGone);
+    return true;
+  }
+
+  // The security origin must match the one checked by the browser process.
+  // Service Workers do not use delegated permissions so we use their security
+  // origin directly.
+  DCHECK(context->IsWindow() || context->IsServiceWorkerGlobalScope());
+  auto* security_origin =
+      window
+          ? window->GetFrame()->Top()->GetSecurityContext()->GetSecurityOrigin()
+          : context->GetSecurityOrigin();
+
+  if (security_origin->IsOpaque()) {
+    exception_state.ThrowSecurityError(
+        "Access to the WebHID API is denied from contexts where the top-level "
+        "document has an opaque origin.");
   } else if (!context->IsFeatureEnabled(
                  mojom::blink::PermissionsPolicyFeature::kHid,
                  ReportOptions::kReportOnFailure)) {
@@ -145,7 +162,8 @@ void HID::DeviceChanged(device::mojom::blink::HidDeviceInfoPtr device_info) {
 
 ScriptPromise HID::getDevices(ScriptState* script_state,
                               ExceptionState& exception_state) {
-  if (ShouldBlockHidServiceCall(GetExecutionContext(), exception_state)) {
+  if (ShouldBlockHidServiceCall(GetSupplementable()->DomWindow(),
+                                GetExecutionContext(), exception_state)) {
     return ScriptPromise();
   }
 
@@ -163,14 +181,15 @@ ScriptPromise HID::requestDevice(ScriptState* script_state,
                                  ExceptionState& exception_state) {
   // requestDevice requires a window to satisfy the user activation requirement
   // and to show a chooser dialog.
-  const auto* window = GetSupplementable()->DomWindow();
+  auto* window = GetSupplementable()->DomWindow();
   if (!window) {
     exception_state.ThrowDOMException(DOMExceptionCode::kNotSupportedError,
                                       kContextGone);
     return ScriptPromise();
   }
 
-  if (ShouldBlockHidServiceCall(GetExecutionContext(), exception_state)) {
+  if (ShouldBlockHidServiceCall(window, GetExecutionContext(),
+                                exception_state)) {
     return ScriptPromise();
   }