github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-01-09 15:38:08 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
48d0b09ad932aabc91ef072c862f3489202e40fd
electron/patches/chromium/fix_crash_loading_non-standard_schemes_in_iframes.patch
electron-roller[bot] 48d0b09ad9 chore: bump chromium to 113.0.5653.0 (main) (#37587) 
* chore: bump chromium in DEPS to 113.0.5653.0

* chore: update patches

* [Extensions c2s] Move HasActiveTabAndCanAccess() to //extensions

https://chromium-review.googlesource.com/c/chromium/src/+/4305558

* [Privacy Hub] Respecting ChromeOS geoloc setting

https://chromium-review.googlesource.com/c/chromium/src/+/4171824

* Add runtime DLLs to win_clang_x64 when needed

https://chromium-review.googlesource.com/c/chromium/src/+/4336228

* chore: fix lint

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: deepak1556 <hop2deep@gmail.com>
2023-03-16 19:03:53 +09:00

79 lines
4.0 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shelley Vohr <shelley.vohr@gmail.com>
Date: Mon, 29 Aug 2022 11:44:57 +0200
Subject: fix: crash loading non-standard schemes in iframes
This fixes a crash that occurs when loading non-standard schemes from
iframes or webviews. This was happening because
ChildProcessSecurityPolicyImpl::CanAccessDataForOrigin contains explicit
exceptions to allow built-in non-standard schemes, but does not check
for non-standard schemes registered by the embedder.
Upstream, https://bugs.chromium.org/p/chromium/issues/detail?id=1081397
contains several paths forward - here I chose to swap out the
CHECK in navigation_request.cc from policy->CanAccessDataForOrigin to
policy->CanCommitOriginAndUrl.
Upstreamed at https://chromium-review.googlesource.com/c/chromium/src/+/3856266.
diff --git a/content/browser/renderer_host/navigation_request.cc b/content/browser/renderer_host/navigation_request.cc
index ee847c685b75d48f942a78759ac3f8dd068ca104..0e1e0180739aef844581f3cfabe4c57db98cd4e4 100644
--- a/content/browser/renderer_host/navigation_request.cc
+++ b/content/browser/renderer_host/navigation_request.cc
@@ -7134,10 +7134,11 @@ NavigationRequest::GetOriginForURLLoaderFactoryAfterResponseWithDebugInfo() {
if (IsForMhtmlSubframe())
return origin_with_debug_info;
- int process_id = GetRenderFrameHost()->GetProcess()->GetID();
- auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
- CHECK(
- policy->CanAccessDataForOrigin(process_id, origin_with_debug_info.first));
+ CanCommitStatus can_commit = GetRenderFrameHost()->CanCommitOriginAndUrl(
+ origin_with_debug_info.first, GetURL(), IsSameDocument(), IsPdf(),
+ GetUrlInfo().is_sandboxed);
+ CHECK_EQ(CanCommitStatus::CAN_COMMIT_ORIGIN_AND_URL, can_commit);
+
return origin_with_debug_info;
}
diff --git a/content/browser/renderer_host/render_frame_host_impl.h b/content/browser/renderer_host/render_frame_host_impl.h
index 0c9248c558d0061d918139547d5d56347a4af7c7..18dcd085afdfa5bcbed07c5ef2b07f145e19479a 100644
--- a/content/browser/renderer_host/render_frame_host_impl.h
+++ b/content/browser/renderer_host/render_frame_host_impl.h
@@ -2882,6 +2882,17 @@ class CONTENT_EXPORT RenderFrameHostImpl
// last committed document.
CookieChangeListener::CookieChangeInfo GetCookieChangeInfo();
+ // Returns whether the given origin and URL is allowed to commit in the
+ // current RenderFrameHost. The |url| is used to ensure it matches the origin
+ // in cases where it is applicable. This is a more conservative check than
+ // RenderProcessHost::FilterURL, since it will be used to kill processes that
+ // commit unauthorized origins.
+ CanCommitStatus CanCommitOriginAndUrl(const url::Origin& origin,
+ const GURL& url,
+ bool is_same_document_navigation,
+ bool is_pdf,
+ bool is_sandboxed);
+
protected:
friend class RenderFrameHostFactory;
@@ -3205,17 +3216,6 @@ class CONTENT_EXPORT RenderFrameHostImpl
// relevant.
void ResetWaitingState();
- // Returns whether the given origin and URL is allowed to commit in the
- // current RenderFrameHost. The |url| is used to ensure it matches the origin
- // in cases where it is applicable. This is a more conservative check than
- // RenderProcessHost::FilterURL, since it will be used to kill processes that
- // commit unauthorized origins.
- CanCommitStatus CanCommitOriginAndUrl(const url::Origin& origin,
- const GURL& url,
- bool is_same_document_navigation,
- bool is_pdf,
- bool is_sandboxed);
-
// Returns whether a subframe navigation request should be allowed to commit
// to the current RenderFrameHost.
bool CanSubframeCommitOriginAndUrl(NavigationRequest* navigation_request);
Reference in New Issue View Git Blame Copy Permalink