author | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-03-29 16:19:09 +0100 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-03-29 16:26:45 +0000 |
commit | 43c92056fabd9f0f733ba8b70523ad21c301670c (patch) | |
tree | 6a12d869c36b102ed78eb01c5c5ff1d02d6c4bb5 | |
parent | dd6863f4aea45b3217cf78ca3130097e9ed8c63e (diff) | |
download | qtwebengine-chromium-43c92056fabd9f0f733ba8b70523ad21c301670c.tar.gz |
FIXUP: [Backport] CVE-2019-5802
Several changes did not match the old state and were too large to
be backported as well.
Change-Id: Ie53fc211db08df9400829aae0a1126c7b1ded57e
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
4 files changed, 12 insertions, 9 deletions
diff --git a/chromium/content/browser/frame_host/navigation_controller_impl.cc b/chromium/content/browser/frame_host/navigation_controller_impl.cc index ea4250efdc2..c4df800e558 100644 --- a/chromium/content/browser/frame_host/navigation_controller_impl.cc +++ b/chromium/content/browser/frame_host/navigation_controller_impl.cc @@ -2099,7 +2099,6 @@ void NavigationControllerImpl::NavigateFromFrameProxy( params.started_from_context_menu = false; /* params.navigation_ui_data: skip */ /* params.input_start: skip */ - params.was_activated = WasActivatedOption::kUnknown; std::unique_ptr<NavigationRequest> request = CreateNavigationRequestFromLoadParams( @@ -2715,6 +2714,7 @@ NavigationControllerImpl::CreateNavigationRequestFromLoadParams( bool override_user_agent, bool should_replace_current_entry, bool has_user_gesture, + NavigationDownloadPolicy download_policy, ReloadType reload_type, const NavigationEntryImpl& entry, FrameNavigationEntry* frame_entry) { @@ -2788,8 +2788,11 @@ NavigationControllerImpl::CreateNavigationRequestFromLoadParams( navigation_start, params.load_type == LOAD_TYPE_HTTP_POST ? "POST" : "GET", params.post_data, base::Optional<SourceLocation>(), - params.started_from_context_menu, has_user_gesture, InitiatorCSPInfo(), - params.input_start); + CSPDisposition::CHECK, + params.started_from_context_menu, has_user_gesture, + std::vector<ContentSecurityPolicy>() /* initiator_csp */, + CSPSource() /* initiator_self_source */ + ); RequestNavigationParams request_params( override_user_agent, params.redirect_chain, common_params.url, @@ -2807,8 +2810,6 @@ NavigationControllerImpl::CreateNavigationRequestFromLoadParams( } #endif - request_params.was_activated = params.was_activated; - // A form submission may happen here if the navigation is a renderer-initiated // form submission that took the OpenURL path. scoped_refptr<network::ResourceRequestBody> request_body = params.post_data; 
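Review bot: The new `download_policy` parameter of `CreateNavigationRequestFromLoadParams` (hunk @@ -2715) is not consumed anywhere in the lines this commit shows. The `CommonNavigationParams` construction in the next hunk (@@ -2788) does not pass it, and the four files changed include neither a header declaration nor a call site. Since this argument looks like the security-relevant part of the CVE-2019-5802 backport, please confirm that the value actually reaches the navigation params, because a policy that is accepted and then dropped is not enforced on this path. If it is intentionally unused in this branch, say so at the signature, e.g. `NavigationDownloadPolicy /* download_policy: unused in this branch */,`. The function body continues outside the hunk, so a use may exist in lines not shown here.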
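Review bot: In hunk @@ -2788, `CSPDisposition::CHECK` is the only new positional argument without a comment naming its parameter, while the two arguments after `has_user_gesture` carry `/* initiator_csp */` and `/* initiator_self_source */`. In a constructor call this long, an unlabelled enum next to two bools is easy to misalign on the next backport. I would write `CSPDisposition::CHECK /* should_check_main_world_csp */,` (parameter name assumed from the older API, please confirm against the constructor). The empty `std::vector<ContentSecurityPolicy>()` and `CSPSource()` mean no initiator policy is attached on this path, which appears to match the default `InitiatorCSPInfo()` they replace, and a short comment saying this is deliberate would help. The closing `);` on its own line also departs from the surrounding formatting.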
@@ -2891,7 +2892,7 @@ NavigationControllerImpl::CreateNavigationRequestFromEntry( // Create the NavigationParams based on |entry| and |frame_entry|. CommonNavigationParams common_params = entry.ConstructCommonNavigationParams( *frame_entry, request_body, dest_url, dest_referrer, navigation_type, - previews_state, navigation_start, base::TimeTicks() /* input_start */); + previews_state, navigation_start); // TODO(clamy): |intended_as_new_entry| below should always be false once // Reload no longer leads to this being called for a pending NavigationEntry diff --git a/chromium/content/browser/frame_host/navigation_request.cc b/chromium/content/browser/frame_host/navigation_request.cc index a7ca9fe4cda..fbee81d5070 100644 --- a/chromium/content/browser/frame_host/navigation_request.cc +++ b/chromium/content/browser/frame_host/navigation_request.cc @@ -69,6 +69,7 @@ #include "third_party/blink/public/common/frame/sandbox_flags.h" #include "third_party/blink/public/platform/resource_request_blocked_reason.h" #include "third_party/blink/public/platform/web_feature.mojom.h" +#include "third_party/blink/public/platform/web_feature.mojom-blink.h" #include "third_party/blink/public/platform/web_mixed_content_context_type.h" #include "url/url_constants.h" @@ -289,7 +290,7 @@ std::unique_ptr<NavigationRequest> NavigationRequest::CreateBrowserInitiated( std::unique_ptr<NavigationUIData> navigation_ui_data) { // TODO(arthursonzogni): Form submission with the "GET" method is possible. // This is not currently handled here. - bool is_form_submission = !!request_body; + bool is_form_submission = !!post_body; base::Optional<url::Origin> initiator = frame_tree_node->IsMainFrame() 
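Review bot: The added `#include "third_party/blink/public/platform/web_feature.mojom-blink.h"` in `navigation_request.cc` (hunk @@ -69) pulls the Blink variant of the generated bindings into `content/browser` code, directly after the regular `web_feature.mojom.h` that is already included. The `-blink` variants are generated for use inside the Blink renderer, so browser-process code normally should not depend on them. None of the hunks shown for this file uses a symbol that would need it. If a symbol elsewhere in the file does, add a comment naming it, and otherwise drop the include so the browser side keeps to the non-Blink bindings.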
@@ -1083,7 +1084,7 @@ void NavigationRequest::OnResponseStarted( navigation_handle_->WillProcessResponse( render_frame_host, response->head.headers.get(), response->head.connection_info, response->head.socket_address, ssl_info_, - request_id, common_params_.should_replace_current_entry, is_download,_ + request_id, common_params_.should_replace_current_entry, is_download_, is_stream, base::Bind(&NavigationRequest::OnWillProcessResponseChecksComplete, base::Unretained(this))); diff --git a/chromium/content/public/browser/content_browser_client.h b/chromium/content/public/browser/content_browser_client.h index bd230a28c4f..90beb86ae31 100644 --- a/chromium/content/public/browser/content_browser_client.h +++ b/chromium/content/public/browser/content_browser_client.h @@ -48,6 +48,7 @@ #include "storage/browser/quota/quota_manager.h" #include "third_party/blink/public/common/associated_interfaces/associated_interface_registry.h" #include "third_party/blink/public/mojom/page/page_visibility_state.mojom.h" +#include "third_party/blink/public/platform/web_feature.mojom.h" #include "third_party/blink/public/web/window_features.mojom.h" #include "ui/base/page_transition_types.h" #include "ui/base/window_open_disposition.h" diff --git a/chromium/third_party/blink/renderer/core/exported/local_frame_client_impl.cc b/chromium/third_party/blink/renderer/core/exported/local_frame_client_impl.cc index c6aade11151..9a867da8900 100644 --- a/chromium/third_party/blink/renderer/core/exported/local_frame_client_impl.cc +++ b/chromium/third_party/blink/renderer/core/exported/local_frame_client_impl.cc 
@@ -519,7 +519,7 @@ NavigationPolicy LocalFrameClientImpl::DecidePolicyForNavigation( navigation_info.replaces_current_history_item = replaces_current_history_item; navigation_info.is_client_redirect = is_client_redirect; navigation_info.blocking_downloads_in_sandbox_enabled = - RuntimeEnabledFeatures::BlockingDownloadsInSandboxEnabled() + RuntimeEnabledFeatures::BlockingDownloadsInSandboxEnabled(); navigation_info.triggering_event_info = triggering_event_info; navigation_info.should_check_main_world_content_security_policy = should_check_main_world_content_security_policy == |