OOPIF: Handle cross-site frames being blocked by X-Frame-Options or CSP.

content/browser/frame_host/render_frame_host_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_host_impl.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/containers/hash_tables.h"
@@ skipping 532 matching lines @@
                         OnDidAccessInitialDocument)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeOpener, OnDidChangeOpener)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeName, OnDidChangeName)
     IPC_MESSAGE_HANDLER(FrameHostMsg_EnforceStrictMixedContentChecking,
                         OnEnforceStrictMixedContentChecking)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidAssignPageId, OnDidAssignPageId)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeSandboxFlags,
                         OnDidChangeSandboxFlags)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeFrameOwnerProperties,
                         OnDidChangeFrameOwnerProperties)
+    IPC_MESSAGE_HANDLER(FrameHostMsg_BlockedLoad, OnBlockedLoad)
     IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateTitle, OnUpdateTitle)
     IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateEncoding, OnUpdateEncoding)
     IPC_MESSAGE_HANDLER(FrameHostMsg_BeginNavigation,
                         OnBeginNavigation)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DispatchLoad, OnDispatchLoad)
     IPC_MESSAGE_HANDLER(FrameHostMsg_TextSurroundingSelectionResponse,
                         OnTextSurroundingSelectionResponse)
     IPC_MESSAGE_HANDLER(AccessibilityHostMsg_Events, OnAccessibilityEvents)
     IPC_MESSAGE_HANDLER(AccessibilityHostMsg_LocationChanges,
                         OnAccessibilityLocationChanges)
@@ skipping 946 matching lines @@
   // These properties only affect the RenderFrame and live in its parent
   // (HTMLFrameOwnerElement). Therefore, we do not need to notify this frame's
   // proxies.
   RenderFrameHost* child_rfh = child->current_frame_host();
   if (child_rfh->GetSiteInstance() != GetSiteInstance()) {
     child_rfh->Send(new FrameMsg_SetFrameOwnerProperties(
         child_rfh->GetRoutingID(), frame_owner_properties));
   }
 }
 
+void RenderFrameHostImpl::OnBlockedLoad() {
+  // When a frame is blocked by X-Frame-Options or CSP frame-ancestors, the
+  // blocked frame needs to get a unique origin, which ensures that it
+  // appears as a normal cross-origin document, and is the desired behavior
+  // according to spec: https://www.w3.org/TR/CSP2/#directive-frame-ancestors
+  // This sets the unique origin on both the browser and renderer sides.  The
+  // IPC to renderer may be required when a cross-process subframe is blocked,
+  // since the blocking currently occurs in the pending RenderFrame, but the
+  // actual blocked frame will be left in the current RenderFrame in a
+  // different process.
+  //
+  // TODO(mkwst, alexmos): This will probably be called directly rather than
+  // from an renderer IPC once X-Frame-Options and CSP enforcement moves to the
+  // browser process (https://crbug.com/555418).
+  frame_tree_node_->SetCurrentOrigin(url::Origin());
+
+  if (this == frame_tree_node_->render_manager()->pending_frame_host()) {
+    RenderFrameHost* current_rfh = frame_tree_node_->current_frame_host();
+    current_rfh->Send(new FrameMsg_BlockedLoad(current_rfh->GetRoutingID()));
+  }
+}
+
 void RenderFrameHostImpl::OnUpdateTitle(
     const base::string16& title,
     blink::WebTextDirection title_direction) {
   // This message should only be sent for top-level frames.
   if (frame_tree_node_->parent())
     return;
 
   if (title.length() > kMaxTitleChars) {
     NOTREACHED() << "Renderer sent too many characters in title.";
     return;
@@ skipping 21 matching lines @@
       frame_tree_node(), validated_params, begin_params, body);
 }
 
 void RenderFrameHostImpl::OnDispatchLoad() {
   CHECK(SiteIsolationPolicy::AreCrossProcessFramesPossible());
   // Only frames with an out-of-process parent frame should be sending this
   // message.
   RenderFrameProxyHost* proxy =
       frame_tree_node()->render_manager()->GetProxyToParent();
   if (!proxy) {
+    // A valid special case where the proxy won't exist occurs when a frame
+    // gets blocked due to X-Frame-Options or CSP while it is still pending.
+    // (The proxy in the parent isn't created until commit.)  In that case, it
+    // is ok to ignore this load event dispatch, since it will be done as part
+    // of forwarding the blocked notification (see
+    // FrameMsg_CancelLoadAfterXFrameOptionsOrCSPDenied).
+    //
+    // TODO(mkwst, alexmos): This won't be necessary once X-Frame-Options and
+    // CSP enforcement moves to the browser process (https://crbug.com/555418).
+    if (this != frame_tree_node_->current_frame_host())
+      return;
+
     bad_message::ReceivedBadMessage(GetProcess(),
                                     bad_message::RFH_NO_PROXY_TO_PARENT);
     return;
   }
-
   proxy->Send(new FrameMsg_DispatchLoad(proxy->GetRoutingID()));
 }
 
 RenderWidgetHostViewBase* RenderFrameHostImpl::GetViewForAccessibility() {
   return static_cast<RenderWidgetHostViewBase*>(
       frame_tree_node_->IsMainFrame()
           ? render_view_host_->GetWidget()->GetView()
           : frame_tree_node_->frame_tree()
                 ->GetMainFrame()
                 ->render_view_host_->GetWidget()
@@ skipping 1024 matching lines @@
   *dst = src;
 
   if (src.routing_id != -1)
     dst->tree_id = RoutingIDToAXTreeID(src.routing_id);
 
   if (src.parent_routing_id != -1)
     dst->parent_tree_id = RoutingIDToAXTreeID(src.parent_routing_id);
 }
 
 }  // namespace content