diff options
author | Rayan Kanso <rayankans@google.com> | 2022-06-07 13:13:36 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-08-08 15:23:49 +0000 |
commit | 232367711b07476515a3a58c869b2f31046c93a1 (patch) | |
tree | 6f59166ac2a25f60c382a8d106f576f5be38a1bf /chromium/content | |
parent | ab704233c9ef10135ec6b8dd472e868d5f05bf50 (diff) | |
download | qtwebengine-chromium-232367711b07476515a3a58c869b2f31046c93a1.tar.gz |
[Backport] CVE-2022-2610: Insufficient policy enforcement in Background Fetch
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/3693143:
[BackgroundFetch] Don't expose URL chain in case of CO redirect
Bug: 1278255
Change-Id: If853327b853e29792e5c8d1dfaeecf21d6fec004
Reviewed-by: Susanne Westphal <swestphal@google.com>
Commit-Queue: Rayan Kanso <rayankans@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1011409}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/content')
-rw-r--r-- | chromium/content/browser/background_fetch/storage/mark_request_complete_task.cc | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/chromium/content/browser/background_fetch/storage/mark_request_complete_task.cc b/chromium/content/browser/background_fetch/storage/mark_request_complete_task.cc index 9036ec9a922..76cc94dd0ea 100644 --- a/chromium/content/browser/background_fetch/storage/mark_request_complete_task.cc +++ b/chromium/content/browser/background_fetch/storage/mark_request_complete_task.cc @@ -103,6 +103,8 @@ void MarkRequestCompleteTask::StoreResponse(base::OnceClosure done_closure) { BackgroundFetchCrossOriginFilter filter( registration_id_.storage_key().origin(), *request_info_); if (!filter.CanPopulateBody()) { + // Don't expose the initial URL in case of cross-origin redirects. + response_->url_list.resize(1); failure_reason_ = proto::BackgroundFetchRegistration::FETCH_ERROR; // No point writing the response to the cache since it won't be exposed. CreateAndStoreCompletedRequest(std::move(done_closure)); |