OOPIF: Handle cross-site frames being blocked by X-Frame-Options or CSP.

content/browser/frame_host/render_frame_host_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_host_impl.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/containers/hash_tables.h"
@@ skipping 532 matching lines @@
                         OnDidAccessInitialDocument)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeOpener, OnDidChangeOpener)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeName, OnDidChangeName)
     IPC_MESSAGE_HANDLER(FrameHostMsg_EnforceStrictMixedContentChecking,
                         OnEnforceStrictMixedContentChecking)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidAssignPageId, OnDidAssignPageId)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeSandboxFlags,
                         OnDidChangeSandboxFlags)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DidChangeFrameOwnerProperties,
                         OnDidChangeFrameOwnerProperties)
+    IPC_MESSAGE_HANDLER(FrameHostMsg_DidCancelLoadAfterXFrameOptionsOrCSPDenied,
+                        OnDidCancelLoadAfterXFrameOptionsOrCSPDenied)
     IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateTitle, OnUpdateTitle)
     IPC_MESSAGE_HANDLER(FrameHostMsg_UpdateEncoding, OnUpdateEncoding)
     IPC_MESSAGE_HANDLER(FrameHostMsg_BeginNavigation,
                         OnBeginNavigation)
     IPC_MESSAGE_HANDLER(FrameHostMsg_DispatchLoad, OnDispatchLoad)
     IPC_MESSAGE_HANDLER(FrameHostMsg_TextSurroundingSelectionResponse,
                         OnTextSurroundingSelectionResponse)
     IPC_MESSAGE_HANDLER(AccessibilityHostMsg_Events, OnAccessibilityEvents)
     IPC_MESSAGE_HANDLER(AccessibilityHostMsg_LocationChanges,
                         OnAccessibilityLocationChanges)
@@ skipping 946 matching lines @@
   // These properties only affect the RenderFrame and live in its parent
   // (HTMLFrameOwnerElement). Therefore, we do not need to notify this frame's
   // proxies.
   RenderFrameHost* child_rfh = child->current_frame_host();
   if (child_rfh->GetSiteInstance() != GetSiteInstance()) {
     child_rfh->Send(new FrameMsg_SetFrameOwnerProperties(
         child_rfh->GetRoutingID(), frame_owner_properties));
   }
 }
 
+void RenderFrameHostImpl::OnDidCancelLoadAfterXFrameOptionsOrCSPDenied() {
+  // When a frame is blocked by X-Frame-Options or CSP frame-ancestors, the
+  // (empty) blocked frame needs to get a unique origin, which ensures that it
+  // appears as a normal cross-origin document, and is the desired behavior
+  // according to spec: https://www.w3.org/TR/CSP2/#directive-frame-ancestors
+  // This sets the unique origin on both the browser and renderer sides.  The
+  // IPC to renderer may be required when a cross-process subframe is blocked,
+  // since the blocking currently occurs in the pending RenderFrame, but the
+  // actual blocked (empty) frame will be left in the current RenderFrame in a
+  // different process.
+  //
+  // TODO(mkwst, alexmos): This will probably be called directly rather than
+  // from an renderer IPC once X-Frame-Options and CSP enforcement moves to the
+  // browser process (https://crbug.com/555418).
+  frame_tree_node_->SetCurrentOrigin(url::Origin());

[alexmos, 2016/02/25 21:59:12]

I think this matters in default Chrome even without --site-per-process, so I
always send this IPC and do this.  Previously, we would've returned the last
committed origin for a blocked frame, whereas I think it's more correct to
return a unique origin, which would match Blink's behavior.

[Charlie Reis, 2016/02/26 01:13:22]

Acknowledged.

+
+  if (this == frame_tree_node_->render_manager()->pending_frame_host()) {
+    RenderFrameHost* current_rfh = frame_tree_node_->current_frame_host();
+    current_rfh->Send(new FrameMsg_CancelLoadAfterXFrameOptionsOrCSPDenied(
+        current_rfh->GetRoutingID()));
+  }
+}
+
 void RenderFrameHostImpl::OnUpdateTitle(
     const base::string16& title,
     blink::WebTextDirection title_direction) {
   // This message should only be sent for top-level frames.
   if (frame_tree_node_->parent())
     return;
 
   if (title.length() > kMaxTitleChars) {
     NOTREACHED() << "Renderer sent too many characters in title.";
     return;
@@ skipping 21 matching lines @@
       frame_tree_node(), validated_params, begin_params, body);
 }
 
 void RenderFrameHostImpl::OnDispatchLoad() {
   CHECK(SiteIsolationPolicy::AreCrossProcessFramesPossible());
   // Only frames with an out-of-process parent frame should be sending this
   // message.
   RenderFrameProxyHost* proxy =
       frame_tree_node()->render_manager()->GetProxyToParent();
   if (!proxy) {
+    // A valid special case where the proxy won't exist occurs when a frame
+    // gets blocked due to X-Frame-Options or CSP while it is still pending.
+    // (The proxy in the parent isn't created until commit.)  In that case, it
+    // is ok to ignore this load event dispatch, since it will be done as part
+    // of forwarding the blocked notification (see
+    // FrameMsg_CancelLoadAfterXFrameOptionsOrCSPDenied).
+    //
+    // TODO(mkwst, alexmos): This won't be necessary once X-Frame-Options and
+    // CSP enforcement moves to the browser process (https://crbug.com/555418).
+    if (this != frame_tree_node_->current_frame_host())

[alexmos, 2016/02/25 21:59:12]

This is pretty ugly, but I tried to detect whether or not to send this IPC from
Blink in the blocked case, and I thought that was even uglier.  At least this is
in one place and easy to rip out once we're done with 555418.  Also, dispatching
loads on <iframe> elements can now probably be done together with forwarding
DidStopLoading, as opposed to this separate IPC, in which case this function
will disappear entirely (but this is probably best left to a separate CL).

[Charlie Reis, 2016/02/26 21:26:41]

Acknowledged.

+      return;
+
     bad_message::ReceivedBadMessage(GetProcess(),
                                     bad_message::RFH_NO_PROXY_TO_PARENT);
     return;
   }
-
   proxy->Send(new FrameMsg_DispatchLoad(proxy->GetRoutingID()));
 }
 
 RenderWidgetHostViewBase* RenderFrameHostImpl::GetViewForAccessibility() {
   return static_cast<RenderWidgetHostViewBase*>(
       frame_tree_node_->IsMainFrame()
           ? render_view_host_->GetWidget()->GetView()
           : frame_tree_node_->frame_tree()
                 ->GetMainFrame()
                 ->render_view_host_->GetWidget()
@@ skipping 1024 matching lines @@
   *dst = src;
 
   if (src.routing_id != -1)
     dst->tree_id = RoutingIDToAXTreeID(src.routing_id);
 
   if (src.parent_routing_id != -1)
     dst->parent_tree_id = RoutingIDToAXTreeID(src.parent_routing_id);
 }
 
 }  // namespace content