authorJack Hsieh <chengweih@chromium.org>2023-03-06 05:57:34 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-05-15 11:34:41 +0000
commit9f18dcee05fa9769ee41d04eaecbaa1c9eddd5dd (patch)
treed4d478e62240e7529d199c6d42d1071a85a8e4d0
parent45fa9235287e5c76cf56c799a388c147044099cd (diff)
downloadqtwebengine-chromium-9f18dcee05fa9769ee41d04eaecbaa1c9eddd5dd.tar.gz
[Backport] CVE-2023-2462: Inappropriate implementation in Prompts (4/10)
Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4307819: Reland "Add top level frame security origin in GlobalWorkerScope" This reverts commit a1497e151b9c0fa094a48a6cb97c235abd41c8df. Reason for revert: Fixed the failure of https://ci.chromium.org/ui/p/chromium/builders/ci/linux-ubsan-vptr/21391/overview. Original change's description: > Revert "Add top level frame security origin in GlobalWorkerScope" > > Revert submission 4112689 > > Reason for revert: suspect for introducing test failures for > DedicatedWorkerTest.TopLevelFrameSecurityOrigin, for example > https://ci.chromium.org/ui/p/chromium/builders/ci/linux-ubsan-vptr/21391/overview > > Reverted changes: /q/submissionid:4112689 > > Change-Id: I5d9f05f031f312c4e37d908e5d112f5289ba30bc > Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4307115 > Commit-Queue: Mikel Astiz <mastiz@chromium.org> > Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> > Owners-Override: Mikel Astiz <mastiz@google.com> > Cr-Commit-Position: refs/heads/main@{#1112817} Change-Id: I759b90d7b56ab28a43a550bdd940e6765da09c23 Bug: 1375133 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4307819 Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Commit-Queue: Jack Hsieh <chengweih@chromium.org> Cr-Commit-Position: refs/heads/main@{#1113254} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/476757 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/loader/empty_clients.h32
-rw-r--r--chromium/third_party/blink/renderer/core/workers/dedicated_worker.cc20
-rw-r--r--chromium/third_party/blink/renderer/core/workers/dedicated_worker.h2
-rw-r--r--chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.cc9
-rw-r--r--chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.h8
-rw-r--r--chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc4
-rw-r--r--chromium/third_party/blink/renderer/core/workers/worker_global_scope.h10
7 files changed, 74 insertions, 11 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/empty_clients.h b/chromium/third_party/blink/renderer/core/loader/empty_clients.h
index ba841a41c13..6985c25369c 100644
--- a/chromium/third_party/blink/renderer/core/loader/empty_clients.h
+++ b/chromium/third_party/blink/renderer/core/loader/empty_clients.h
@@ -253,6 +253,34 @@ class CORE_EXPORT EmptyChromeClient : public ChromeClient {
const display::ScreenInfos empty_screen_infos_{display::ScreenInfo()};
};
+class EmptyWebWorkerFetchContext : public WebWorkerFetchContext {
+ public:
+ void SetTerminateSyncLoadEvent(base::WaitableEvent*) override {}
+ void InitializeOnWorkerThread(AcceptLanguagesWatcher*) override {}
+ WebURLLoaderFactory* GetURLLoaderFactory() override { return nullptr; }
+ std::unique_ptr<WebURLLoaderFactory> WrapURLLoaderFactory(
+ CrossVariantMojoRemote<network::mojom::URLLoaderFactoryInterfaceBase>
+ url_loader_factory) override {
+ return nullptr;
+ }
+ void WillSendRequest(WebURLRequest&) override {}
+ blink::mojom::ControllerServiceWorkerMode GetControllerServiceWorkerMode()
+ const override {
+ return mojom::ControllerServiceWorkerMode::kNoController;
+ }
+ net::SiteForCookies SiteForCookies() const override {
+ return net::SiteForCookies();
+ }
+ absl::optional<WebSecurityOrigin> TopFrameOrigin() const override {
+ return absl::nullopt;
+ }
+ blink::WebString GetAcceptLanguages() const override { return ""; }
+ void SetIsOfflineMode(bool is_offline_mode) override {}
+ bool IsDedicatedWorkerOrSharedWorkerFetchContext() const override {
+ return true;
+ }
+};
+
class CORE_EXPORT EmptyLocalFrameClient : public LocalFrameClient {
public:
EmptyLocalFrameClient() = default;
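Review bot: `EmptyWebWorkerFetchContext` has no class comment, and its no-op overrides return values a caller can trip on — `GetURLLoaderFactory()` returns `nullptr`, `WrapURLLoaderFactory()` returns `nullptr`, and `IsDedicatedWorkerOrSharedWorkerFetchContext()` answers `true` although nothing here behaves like a real dedicated/shared worker fetch context. A header comment such as `// No-op WebWorkerFetchContext for EmptyLocalFrameClient; every loader accessor returns null, so code paths reached through this client must tolerate a missing factory.` would make that contract explicit. Parameter naming is also inconsistent within the class: `url_loader_factory` and `is_offline_mode` are named but unused, while the other overrides leave their parameters unnamed; pick one convention (unnamed, as the rest of the empty clients do).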
@@ -412,6 +440,10 @@ class CORE_EXPORT EmptyLocalFrameClient : public LocalFrameClient {
Frame* FindFrame(const AtomicString& name) const override;
+ scoped_refptr<WebWorkerFetchContext> CreateWorkerFetchContext() override {
+ return base::MakeRefCounted<EmptyWebWorkerFetchContext>();
+ }
+
protected:
// Not owned
WebTextCheckClient* text_check_client_;
diff --git a/chromium/third_party/blink/renderer/core/workers/dedicated_worker.cc b/chromium/third_party/blink/renderer/core/workers/dedicated_worker.cc
index f4dd76c0de2..6fa59c4ebf6 100644
--- a/chromium/third_party/blink/renderer/core/workers/dedicated_worker.cc
+++ b/chromium/third_party/blink/renderer/core/workers/dedicated_worker.cc
@@ -55,6 +55,7 @@
#include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h"
#include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher_properties.h"
#include "third_party/blink/renderer/platform/loader/fetch/url_loader/dedicated_or_shared_worker_fetch_context_impl.h"
+#include "third_party/blink/renderer/platform/weborigin/security_origin.h"
#include "third_party/blink/renderer/platform/weborigin/security_policy.h"
#include "third_party/blink/renderer/platform/wtf/casting.h"
@@ -438,10 +439,9 @@ BeginFrameProviderParams CreateBeginFrameProviderParams(
// itself later.
BeginFrameProviderParams begin_frame_provider_params;
if (auto* window = DynamicTo<LocalDOMWindow>(execution_context)) {
- LocalFrame* frame = window->GetFrame();
- if (frame) {
- WebFrameWidgetImpl* widget =
- WebLocalFrameImpl::FromFrame(frame)->LocalRootFrameWidget();
+ auto* web_local_frame = WebLocalFrameImpl::FromFrame(window->GetFrame());
+ if (web_local_frame) {
+ WebFrameWidgetImpl* widget = web_local_frame->LocalRootFrameWidget();
begin_frame_provider_params.parent_frame_sink_id =
widget->GetFrameSinkId();
}
@@ -464,6 +464,7 @@ DedicatedWorker::CreateGlobalScopeCreationParams(
ExecutionContext* execution_context = GetExecutionContext();
scoped_refptr<base::SingleThreadTaskRunner>
agent_group_scheduler_compositor_task_runner;
+ const SecurityOrigin* top_level_frame_security_origin;
if (auto* window = DynamicTo<LocalDOMWindow>(execution_context)) {
// When the main thread creates a new DedicatedWorker.
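Review bot: `const SecurityOrigin* top_level_frame_security_origin;` is declared without an initializer; both branches that follow assign it, but the only guard against a missed assignment is a `DCHECK`, so a future edit to either branch would hand an indeterminate pointer to `GlobalScopeCreationParams` in release builds. Prefer `const SecurityOrigin* top_level_frame_security_origin = nullptr;` so the failure mode is a null the constructor already tolerates rather than an uninitialized read. `CreateGlobalScopeCreationParams` starts and ends outside this hunk.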
@@ -477,6 +478,8 @@ DedicatedWorker::CreateGlobalScopeCreationParams(
->ToFrameScheduler()
->GetAgentGroupScheduler()
->CompositorTaskRunner();
+ top_level_frame_security_origin =
+ window->GetFrame()->Top()->GetSecurityContext()->GetSecurityOrigin();
} else {
// When a DedicatedWorker creates another DedicatedWorker (nested worker).
WorkerGlobalScope* worker_global_scope =
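Review bot: `window->GetFrame()->Top()->GetSecurityContext()->GetSecurityOrigin()` dereferences four pointers with no null check, while the earlier hunk in this same file (the `CreateBeginFrameProviderParams` change) explicitly handles `WebLocalFrameImpl::FromFrame(window->GetFrame())` being null. If the statements just above this hunk already dereference `window->GetFrame()`, the null-frame case cannot reach this line and a short comment saying so would settle it; otherwise the chain needs the same guard, falling back to `nullptr` for the origin. The function body continues outside the hunk.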
@@ -486,8 +489,11 @@ DedicatedWorker::CreateGlobalScopeCreationParams(
settings = WorkerSettings::Copy(worker_global_scope->GetWorkerSettings());
agent_group_scheduler_compositor_task_runner =
worker_global_scope->GetAgentGroupSchedulerCompositorTaskRunner();
+ top_level_frame_security_origin =
+ worker_global_scope->top_level_frame_security_origin();
}
DCHECK(agent_group_scheduler_compositor_task_runner);
+ DCHECK(top_level_frame_security_origin);
mojom::blink::ScriptType script_type =
(options_->type() == script_type_names::kClassic)
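Review bot: `DCHECK(top_level_frame_security_origin);` only checks debug builds; in the nested-worker branch the value comes from `worker_global_scope->top_level_frame_security_origin()`, which the header declares as a `scoped_refptr` that the creation-params constructor defaults to `nullptr`, so a parent scope created without an origin propagates a null to the child in release builds. Because the stated purpose of this origin is an origin check on the top-level frame, a consumer must treat null as "unknown" rather than as "not opaque"; either make the nested path fail closed (e.g. `CHECK`, if that matches the project's policy for this code) or document on the accessor that null is a possible value. The enclosing function continues outside the hunk.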
@@ -516,7 +522,8 @@ DedicatedWorker::CreateGlobalScopeCreationParams(
execution_context->CrossOriginIsolatedCapability(),
execution_context->IsolatedApplicationCapability(),
/*interface_registry=*/nullptr,
- std::move(agent_group_scheduler_compositor_task_runner));
+ std::move(agent_group_scheduler_compositor_task_runner),
+ top_level_frame_security_origin);
}
scoped_refptr<WebWorkerFetchContext>
@@ -543,8 +550,7 @@ DedicatedWorker::CreateWebWorkerFetchContext() {
static_cast<WorkerFetchContext&>(scope->Fetcher()->Context());
return factory_client_->CloneWorkerFetchContext(
- To<DedicatedOrSharedWorkerFetchContextImpl>(
- worker_fetch_context.GetWebWorkerFetchContext()),
+ worker_fetch_context.GetWebWorkerFetchContext(),
scope->GetTaskRunner(TaskType::kNetworking));
}
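Review bot: Dropping `To<DedicatedOrSharedWorkerFetchContextImpl>(...)` changes what `CloneWorkerFetchContext` is called with, so its declaration must now accept a plain `WebWorkerFetchContext*` (or equivalent); that declaration is not in this backport, so confirm the corresponding platform-side change was also brought over, otherwise this translation unit will not compile. The removal is presumably also what makes the new `EmptyWebWorkerFetchContext` usable here, since it is not a `DedicatedOrSharedWorkerFetchContextImpl` and a checked `To<>` cast would have failed on it; a one-line comment noting that the context may be the empty client would help the next reader. `CreateWebWorkerFetchContext` starts outside this hunk.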
diff --git a/chromium/third_party/blink/renderer/core/workers/dedicated_worker.h b/chromium/third_party/blink/renderer/core/workers/dedicated_worker.h
index 2d8f68b4bf8..630e796b3a8 100644
--- a/chromium/third_party/blink/renderer/core/workers/dedicated_worker.h
+++ b/chromium/third_party/blink/renderer/core/workers/dedicated_worker.h
@@ -124,6 +124,8 @@ class CORE_EXPORT DedicatedWorker final
void Trace(Visitor*) const override;
private:
+ FRIEND_TEST_ALL_PREFIXES(DedicatedWorkerTest, TopLevelFrameSecurityOrigin);
+
// Starts the worker.
void Start();
void ContinueStart(
diff --git a/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.cc b/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
index c76cd892ea3..308caa97c3b 100644
--- a/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
+++ b/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.cc
@@ -47,7 +47,8 @@ GlobalScopeCreationParams::GlobalScopeCreationParams(
bool parent_isolated_application_capability,
InterfaceRegistry* interface_registry,
scoped_refptr<base::SingleThreadTaskRunner>
- agent_group_scheduler_compositor_task_runner)
+ agent_group_scheduler_compositor_task_runner,
+ const SecurityOrigin* top_level_frame_security_origin)
: script_url(script_url),
script_type(script_type),
global_scope_name(global_scope_name),
@@ -86,7 +87,11 @@ GlobalScopeCreationParams::GlobalScopeCreationParams(
parent_isolated_application_capability),
interface_registry(interface_registry),
agent_group_scheduler_compositor_task_runner(
- std::move(agent_group_scheduler_compositor_task_runner)) {
+ std::move(agent_group_scheduler_compositor_task_runner)),
+ top_level_frame_security_origin(
+ top_level_frame_security_origin
+ ? top_level_frame_security_origin->IsolatedCopy()
+ : nullptr) {
this->inherited_trial_features =
std::make_unique<Vector<OriginTrialFeature>>();
if (inherited_trial_features) {
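Review bot: The `IsolatedCopy()` in the initializer is the important part of this hunk and it is unexplained; a reader may later "simplify" it to a plain `scoped_refptr` copy. Add `// IsolatedCopy(): the params are handed to the worker thread, so the origin must not alias the creator's instance.` above the ternary — hedged as "presumably" if the thread hand-off is not established elsewhere in this file. The null-tolerant ternary also silently diverges from the `DCHECK` in `DedicatedWorker::CreateGlobalScopeCreationParams`; a comment stating that null is legitimate for callers other than dedicated workers would reconcile the two.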
diff --git a/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.h b/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.h
index 4285f3cf9ab..21bad93cf1c 100644
--- a/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.h
+++ b/chromium/third_party/blink/renderer/core/workers/global_scope_creation_params.h
@@ -78,7 +78,8 @@ struct CORE_EXPORT GlobalScopeCreationParams final {
bool parent_isolated_application_capability = false,
InterfaceRegistry* interface_registry = nullptr,
scoped_refptr<base::SingleThreadTaskRunner>
- agent_group_scheduler_compositor_task_runner = nullptr);
+ agent_group_scheduler_compositor_task_runner = nullptr,
+ const SecurityOrigin* top_level_frame_security_origin = nullptr);
GlobalScopeCreationParams(const GlobalScopeCreationParams&) = delete;
GlobalScopeCreationParams& operator=(const GlobalScopeCreationParams&) =
delete;
@@ -208,6 +209,11 @@ struct CORE_EXPORT GlobalScopeCreationParams final {
// worker belongs to.
scoped_refptr<base::SingleThreadTaskRunner>
agent_group_scheduler_compositor_task_runner;
+
+ // The security origin of the top level frame associated with the worker. This
+ // can be used, for instance, to check if the top level frame has an opaque
+ // origin.
+ scoped_refptr<const SecurityOrigin> top_level_frame_security_origin;
};
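Review bot: The comment on `top_level_frame_security_origin` describes its use but not its nullability, even though the constructor parameter in the hunk above defaults to `nullptr`, so a reader cannot tell whether null is a bug or an expected state. Extend the comment with `// May be null: not every creator supplies it (the constructor parameter defaults to nullptr). Consumers must not treat null as a non-opaque origin.`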
} // namespace blink
diff --git a/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc b/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc
index 7a30ea77d88..9f8795d5f8c 100644
--- a/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc
+++ b/chromium/third_party/blink/renderer/core/workers/worker_global_scope.cc
@@ -595,7 +595,9 @@ WorkerGlobalScope::WorkerGlobalScope(
time_origin_(time_origin),
font_selector_(MakeGarbageCollected<OffscreenFontSelector>(this)),
script_eval_state_(ScriptEvalState::kPauseAfterFetch),
- ukm_source_id_(creation_params->ukm_source_id) {
+ ukm_source_id_(creation_params->ukm_source_id),
+ top_level_frame_security_origin_(
+ std::move(creation_params->top_level_frame_security_origin)) {
InstanceCounters::IncrementCounter(
InstanceCounters::kWorkerGlobalScopeCounter);
diff --git a/chromium/third_party/blink/renderer/core/workers/worker_global_scope.h b/chromium/third_party/blink/renderer/core/workers/worker_global_scope.h
index aad65f005d3..c457e52d576 100644
--- a/chromium/third_party/blink/renderer/core/workers/worker_global_scope.h
+++ b/chromium/third_party/blink/renderer/core/workers/worker_global_scope.h
@@ -50,6 +50,7 @@
#include "third_party/blink/renderer/platform/heap/garbage_collected.h"
#include "third_party/blink/renderer/platform/loader/fetch/code_cache_host.h"
#include "third_party/blink/renderer/platform/loader/fetch/url_loader/cached_metadata_handler.h"
+#include "third_party/blink/renderer/platform/weborigin/security_origin.h"
#include "third_party/blink/renderer/platform/wtf/casting.h"
#include "v8/include/v8-inspector.h"
@@ -252,6 +253,10 @@ class CORE_EXPORT WorkerGlobalScope
return main_resource_identifier_;
}
+ const SecurityOrigin* top_level_frame_security_origin() const {
+ return top_level_frame_security_origin_.get();
+ }
+
protected:
WorkerGlobalScope(std::unique_ptr<GlobalScopeCreationParams>,
WorkerThread*,
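Review bot: `top_level_frame_security_origin()` returns a raw `const SecurityOrigin*` from a `scoped_refptr` member with no documentation of ownership or nullability. Add `// May be null (see top_level_frame_security_origin_). The pointer is owned by this scope; do not retain it beyond the scope's lifetime.` above the accessor, so that `DedicatedWorker::CreateGlobalScopeCreationParams`, which forwards this pointer into a new creation-params object, has a stated contract to rely on.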
@@ -365,6 +370,11 @@ class CORE_EXPORT WorkerGlobalScope
std::unique_ptr<CodeCacheHost> code_cache_host_;
const ukm::SourceId ukm_source_id_;
+
+ // The security origin of the top level frame associated with the worker. This
+ // can be used, for instance, to check if the top level frame has an opaque
+ // origin.
+ scoped_refptr<const SecurityOrigin> top_level_frame_security_origin_;
};
template <>