[Backport] Security bug 961614 3/8

Fix UMA for mis-attributed requests made by HTML imports I relied on ResourceLoadObserver::DidStartRequest but it is not called when the fetcher is detached. Move the logic into ResourceFetcher to fix that. Bug: 961614 Change-Id: Id8ba7e5f445dd87adb556bd2771bceb094e643a4 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Yutaka Hirano <yhirano@chromium.org> 2019-09-10 12:51:35 +0000
committer: Michal Klocek <michal.klocek@qt.io> 2019-11-27 21:10:05 +0000
commit: b9718cd4aa014a35cd1f805063e5162b8177e6dd (patch)
tree: 2b9b2297276266a45b86138f8427e4dec3fcd022
parent: b1a56dab1820804d8fb5982596f2d25774642fe6 (diff)
download: qtwebengine-chromium-b9718cd4aa014a35cd1f805063e5162b8177e6dd.tar.gz
3 files changed, 19 insertions, 47 deletions
diff --git a/chromium/third_party/blink/renderer/core/dom/document.cc b/chromium/third_party/blink/renderer/core/dom/document.cc
index 580563f2c18..51242fd9c61 100644
--- a/chromium/third_party/blink/renderer/core/dom/document.cc
+++ b/chromium/third_party/blink/renderer/core/dom/document.cc
@@ -290,7 +290,6 @@
 #include "third_party/blink/renderer/platform/language.h"
 #include "third_party/blink/renderer/platform/loader/fetch/null_resource_fetcher_properties.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h"
-#include "third_party/blink/renderer/platform/loader/fetch/resource_load_observer.h"
 #include "third_party/blink/renderer/platform/network/content_security_policy_parsers.h"
 #include "third_party/blink/renderer/platform/network/http_parsers.h"
 #include "third_party/blink/renderer/platform/network/network_state_notifier.h"
@@ -322,45 +321,6 @@ static WeakDocumentSet& liveDocumentSet();
 
 namespace blink {
 
-namespace {
-
-class ResourceLoadObserverForUnintentionalRequestsMadeByImportedDocument final
-    : public ResourceLoadObserver {
-  void DidStartRequest(const FetchParameters&, ResourceType type) override {
-    UMA_HISTOGRAM_ENUMERATION("HTMLImport.UnexpectedRequest", type);
-  }
-  void WillSendRequest(uint64_t identifier,
-                       const ResourceRequest&,
-                       const ResourceResponse& redirect_response,
-                       ResourceType,
-                       const FetchInitiatorInfo&) override {}
-  void DidChangePriority(uint64_t identifier,
-                         ResourceLoadPriority,
-                         int intra_priority_value) override {}
-  void DidReceiveResponse(uint64_t identifier,
-                          const ResourceRequest& request,
-                          const ResourceResponse& response,
-                          const Resource* resource,
-                          ResponseSource) override {}
-  void DidReceiveData(uint64_t identifier,
-                      base::span<const char> chunk) override {}
-  void DidReceiveTransferSizeUpdate(uint64_t identifier,
-                                    int transfer_size_diff) override {}
-  void DidDownloadToBlob(uint64_t identifier, BlobDataHandle*) override {}
-  void DidFinishLoading(uint64_t identifier,
-                        base::TimeTicks finish_time,
-                        int64_t encoded_data_length,
-                        int64_t decoded_body_length,
-                        bool should_report_corb_blocking) override {}
-  void DidFailLoading(const KURL&,
-                      uint64_t identifier,
-                      const ResourceError&,
-                      int64_t encoded_data_length,
-                      bool is_internal_request) override {}
-};
-
-}  // namespace
-
 using namespace html_names;
 
 class DocumentOutliveTimeReporter : public BlinkGCObserver {
@@ -1141,11 +1101,8 @@ Document::Document(const DocumentInit& initializer,
         GetTaskRunner(TaskType::kNetworking), nullptr /* loader_factory */));
 
     if (imports_controller_) {
-      // We don't expect the fetcher to be used, so add a ResourceLoadObserver
-      // which counts such unexpected use.
-      fetcher_->SetResourceLoadObserver(
-          MakeGarbageCollected<
-              ResourceLoadObserverForUnintentionalRequestsMadeByImportedDocument>());
+      // We don't expect the fetcher to be used, so count such unexpected use.
+      fetcher_->SetShouldLogRequestAsInvalidInImportedDocument();
     }
   }
   DCHECK(fetcher_);
diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
index 77ca7a74c0b..c7a591fbbbd 100644
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
+++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc
@@ -578,7 +578,8 @@ ResourceFetcher::ResourceFetcher(const ResourceFetcherInit& init)
       auto_load_images_(true),
       images_enabled_(true),
       allow_stale_resources_(false),
-      image_fetched_(false) {
+      image_fetched_(false),
+      should_log_request_as_invalid_in_imported_document_(false) {
   stale_while_revalidate_enabled_ =
       RuntimeEnabledFeatures::StaleWhileRevalidateEnabledByRuntimeFlag();
   InstanceCounters::IncrementCounter(InstanceCounters::kResourceFetcherCounter);
@@ -948,6 +949,13 @@ Resource* ResourceFetcher::RequestResource(FetchParameters& params,
                                            ResourceClient* client) {
   base::AutoReset<bool> r(&is_in_request_resource_, true);
 
+  if (should_log_request_as_invalid_in_imported_document_) {
+    DCHECK(properties_->IsDetached());
+    // We don't expect the fetcher to be used, so count such unexpected use.
+    UMA_HISTOGRAM_ENUMERATION("HTMLImport.UnexpectedRequest",
+                              factory.GetType());
+  }
+
   // If detached, we do very early return here to skip all processing below.
   if (properties_->IsDetached()) {
     return ResourceForBlockedRequest(
diff --git a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h
index 8def1628b91..e48d1a1867b 100644
--- a/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h
+++ b/chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h
@@ -128,6 +128,7 @@ class PLATFORM_EXPORT ResourceFetcher
   }
   // This must be called right after construction.
   void SetResourceLoadObserver(ResourceLoadObserver* observer) {
+    DCHECK(!IsDetached());
     DCHECK(!resource_load_observer_);
     resource_load_observer_ = observer;
   }
@@ -269,6 +270,10 @@ class PLATFORM_EXPORT ResourceFetcher
                                speculative_preload_type, is_link_preload);
   }
 
+  void SetShouldLogRequestAsInvalidInImportedDocument() {
+    should_log_request_as_invalid_in_imported_document_ = true;
+  }
+
  private:
   friend class ResourceCacheValidationSuppressor;
   enum class StopFetchingTarget {
@@ -417,12 +422,14 @@ class PLATFORM_EXPORT ResourceFetcher
   // This is not in the bit field below because we want to use AutoReset.
   bool is_in_request_resource_ = false;
 
-  // 27 bits left
+  // 26 bits left
   bool auto_load_images_ : 1;
   bool images_enabled_ : 1;
   bool allow_stale_resources_ : 1;
   bool image_fetched_ : 1;
   bool stale_while_revalidate_enabled_ : 1;
+  // for https://crbug.com/961614
+  bool should_log_request_as_invalid_in_imported_document_ : 1;
 
   static constexpr uint32_t kKeepaliveInflightBytesQuota = 64 * 1024;
author	Yutaka Hirano <yhirano@chromium.org>	2019-09-10 12:51:35 +0000
committer	Michal Klocek <michal.klocek@qt.io>	2019-11-27 21:10:05 +0000
commit	b9718cd4aa014a35cd1f805063e5162b8177e6dd (patch)
tree	2b9b2297276266a45b86138f8427e4dec3fcd022
parent	b1a56dab1820804d8fb5982596f2d25774642fe6 (diff)
download	qtwebengine-chromium-b9718cd4aa014a35cd1f805063e5162b8177e6dd.tar.gz