diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-05-02 13:58:18 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-05-03 15:11:47 +0000 |
commit | e8ef8db04d0db6d39b26c42f7a04578e31d09cd9 (patch) | |
tree | 9c18b562c44716ef789d96ad5758ec6cc80aeba0 /chromium/content/browser | |
parent | 9d1ab5b5187a2891a2e60900f0bb41db78819e02 (diff) | |
download | qtwebengine-chromium-e8ef8db04d0db6d39b26c42f7a04578e31d09cd9.tar.gz |
[Backport] Fix for CVE-2019-5823
Prevent WindowClient.navigate() from cancelling a browser-initiated navigation.
Otherwise, a service worker can prevent you from navigating where you
want to go via the omnibox.
Note: this is similar to WebContentsImpl::OnGoToEntryAtOffset() for
renderer-initiated history navigations.
Bug: 930154
Change-Id: I3a687ccc8ba4420d2369adb24f63c2702bdeeff1
Reviewed-on: https://chromium-review.googlesource.com/c/1477454
Commit-Queue: Matt Falkenhagen <falken@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Auto-Submit: Matt Falkenhagen <falken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#633231}
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Diffstat (limited to 'chromium/content/browser')
-rw-r--r-- | chromium/content/browser/service_worker/service_worker_client_utils.cc | 15 | ||||
-rw-r--r-- | chromium/content/browser/service_worker/service_worker_clients_api_browsertest.cc | 30 |
2 files changed, 44 insertions, 1 deletions
diff --git a/chromium/content/browser/service_worker/service_worker_client_utils.cc b/chromium/content/browser/service_worker/service_worker_client_utils.cc index 4a597a8c505..6221fca02b7 100644 --- a/chromium/content/browser/service_worker/service_worker_client_utils.cc +++ b/chromium/content/browser/service_worker/service_worker_client_utils.cc @@ -284,8 +284,21 @@ void NavigateClientOnUI(const GURL& url, return; } - int frame_tree_node_id = rfhi->frame_tree_node()->frame_tree_node_id(); + // Reject the navigate() call if there is an ongoing browser-initiated + // navigation. Not rejecting it would allow websites to prevent the user from + // navigating away. See https://crbug.com/930154. + NavigationRequest* ongoing_navigation_request = + rfhi->frame_tree_node()->frame_tree()->root()->navigation_request(); + if (ongoing_navigation_request && + ongoing_navigation_request->browser_initiated()) { + base::PostTaskWithTraits( + FROM_HERE, {BrowserThread::IO}, + base::BindOnce(std::move(callback), ChildProcessHost::kInvalidUniqueID, + MSG_ROUTING_NONE)); + return; + } + int frame_tree_node_id = rfhi->frame_tree_node()->frame_tree_node_id(); Navigator* navigator = rfhi->frame_tree_node()->navigator(); navigator->RequestOpenURL( rfhi, url, url::Origin::Create(script_url), false /* uses_post */, diff --git a/chromium/content/browser/service_worker/service_worker_clients_api_browsertest.cc b/chromium/content/browser/service_worker/service_worker_clients_api_browsertest.cc index 9710079da14..49c5279baaf 100644 --- a/chromium/content/browser/service_worker/service_worker_clients_api_browsertest.cc +++ b/chromium/content/browser/service_worker/service_worker_clients_api_browsertest.cc @@ -257,6 +257,36 @@ IN_PROC_BROWSER_TEST_F(ServiceWorkerClientsApiBrowserTest, EXPECT_EQ(title, title_watcher.WaitAndGetTitle()); } +// Tests a WindowClient.navigate() call during a browser-initiated navigation. +// Regression test for https://crbug.com/930154. +IN_PROC_BROWSER_TEST_F(ServiceWorkerClientsApiBrowserTest, + NavigateDuringBrowserNavigation) { + // Load a page that registers a service worker. + EXPECT_TRUE(NavigateToURL(shell(), + embedded_test_server()->GetURL( + "/service_worker/create_service_worker.html"))); + EXPECT_EQ("DONE", EvalJs(shell(), "register('client_api_worker.js');")); + + // Load the test page. + EXPECT_TRUE(NavigateToURL( + shell(), + embedded_test_server()->GetURL("/service_worker/request_navigate.html"))); + + // Start a browser-initiated navigation. + GURL url(embedded_test_server()->GetURL("/title1.html")); + TestNavigationManager navigation(shell()->web_contents(), url); + shell()->LoadURL(url); + EXPECT_TRUE(navigation.WaitForRequestStart()); + + // Have the service worker call client.navigate() to try to go to another + // URL. It should fail. + EXPECT_EQ("navigate failed", EvalJs(shell(), "requestToNavigate();")); + + // The browser-initiated navigation should finish. + navigation.WaitForNavigationFinished(); // Resume navigation. + EXPECT_TRUE(navigation.was_successful()); +} + // Tests a successful Clients.openWindow() call. IN_PROC_BROWSER_TEST_F(ServiceWorkerClientsApiBrowserTest, OpenWindow) { ActivatedServiceWorkerObserver observer; |