authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-01-29 11:39:27 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-02-02 10:39:02 +0000
commit72eab06955a66abd4139f4f607d4d761a4c38619 (patch)
tree84c9679289c691172c2646c40e2a9728e3da4b0c
parent1d1c8edbe6d76db52326f64cb35b173583bc8271 (diff)
downloadqtwebengine-chromium-72eab06955a66abd4139f4f607d4d761a4c38619.tar.gz
[Backport] Restrict the xss audit report URL to same origin
BUG=441275 R=tsepez@chromium.org,mkwst@chromium.org Reviewed-on: https://chromium-review.googlesource.com/768367 Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Jochen Eisinger <jochen@chromium.org> Cr-Commit-Position: refs/heads/master@{#516666} (CVE-2018-6051) Change-Id: I528f4f40ced3ae1dd8b852089aeb7079462fa2cf Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp7
1 files changed, 7 insertions, 0 deletions
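diff --git a/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp b/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
index d9c414864bb..b393b513922 100644
--- a/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
+++ b/chromium/third_party/WebKit/Source/core/html/parser/XSSAuditor.cpp
@@ -411,6 +411,13 @@ void XSSAuditor::Init(Document* document,
 xss_protection_header == kBlockReflectedXSS) &&
 !report_url.IsEmpty()) {
 xss_protection_report_url = document->CompleteURL(report_url);
+if (!SecurityOrigin::Create(xss_protection_report_url)
+->IsSameSchemeHostPort(document->GetSecurityOrigin())) {
+error_details =
+"reporting URL is not same scheme, host, and port as page";
+xss_protection_header = kReflectedXSSInvalid;
+xss_protection_report_url = KURL();
+}
 if (MixedContentChecker::IsMixedContent(document->GetSecurityOrigin(),
 xss_protection_report_url)) {
 error_details = "insecure reporting URL for secure page";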
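Review bot: The mixed-content check on the line that follows the new block still runs after the same-origin branch has set `xss_protection_header = kReflectedXSSInvalid` and replaced the report URL with an empty `KURL()`, so the two rejection paths are not mutually exclusive. If `MixedContentChecker::IsMixedContent` ever reports true for an empty URL, the more specific "not same scheme, host, and port" `error_details` would be overwritten by "insecure reporting URL for secure page"; changing the second check to `} else if (MixedContentChecker::IsMixedContent(document->GetSecurityOrigin(),` keeps the diagnostics distinct and skips evaluating a URL that has already been discarded. The new check also deserves a why-comment, e.g. `// A cross-origin report URL would hand the suspected payload to a third party; only the page's own origin may receive reports.` Rejecting on the origin comparison rather than on a parse failure presumably means an unparsable CompleteURL result yields an opaque origin and is refused as well, which is the safe default but worth confirming. XSSAuditor::Init begins before and continues past this hunk.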