Account for origin corner cases during AutoSubframe navigations.

content/browser/frame_host/navigation_controller_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /*
  * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
  *     (http://www.torchmobile.com/)
  *
@@ skipping 69 matching lines @@
 #include "content/public/common/content_constants.h"
 #include "content/public/common/content_features.h"
 #include "media/base/mime_util.h"
 #include "net/base/escape.h"
 #include "skia/ext/platform_canvas.h"
 #include "url/url_constants.h"
 
 namespace content {
 namespace {
 
+// Determine if the current page and the destination page could belong to the
+// same origin, in the given |rfh|.  This is useful in cases like in-page
+// navigations that can't be cross-origin, but may look cross-origin at first
+// glance in some cases (e.g., about:blank to a web URL, or file:// to web URL
+// when universal access is granted to files).
+//
+// To resolve these, we can use url::Origin to ensure the actual origin isn't
+// changing.  However, we also fall back to GURL::GetOrigin() to let a current
+// and destination unique origin return true, since unique url::Origins don't
+// appear equal to themselves.
+//
+// TODO(creis): Clarify that this shouldn't be used to determine script access.
+bool CouldBeSameOrigin(const GURL& current_url,
+                       const url::Origin& current_origin,
+                       const GURL& dest_url,
+                       const url::Origin& dest_origin,
+                       const WebPreferences& prefs) {
+  // We don't care if web security is disabled.
+  if (!prefs.web_security_enabled)
+    return true;
+
+  // File URLs may have been granted universal access to any URL.
+  if (prefs.allow_universal_access_from_file_urls &&
+      current_origin.scheme() == url::kFileScheme)
+    return true;
+
+  // It's possible for the URLs to look different but the url::Origins to match,
+  // such as when about:blank inherits its origin from a web page.
+  if (current_origin == dest_origin)
+    return true;
+
+  // For unique origins like data: URLs, they won't appear equal to themselves.
+  //
+  // TODO(creis): Data URLs to/from about:blank, which fail url::Origin check.
+  // TODO(creis): Other unique origins that can do in-page, like data->data.
+  // TODO(creis): This is bad for sandboxed iframe URLs.  Only return true if
+  // both url::Origins are unique.  Test this.
+  //if (current_url.GetOrigin() == dest_url.GetOrigin())
+  if (current_origin.unique() && dest_origin.unique())
+    return true;
+
+  return false;
+}
+
 // Invoked when entries have been pruned, or removed. For example, if the
 // current entries are [google, digg, yahoo], with the current entry google,
 // and the user types in cnet, then digg and yahoo are pruned.
 void NotifyPrunedEntries(NavigationControllerImpl* nav_controller,
                          bool from_front,
                          int count) {
   PrunedDetails details;
   details.from_front = from_front;
   details.count = count;
   NotificationService::current()->Notify(
@@ skipping 1199 matching lines @@
 
     // If the |nav_entry_id| is non-zero and matches an existing entry, this is
     // a history auto" navigation.  Update the last committed index accordingly.
     // If we don't recognize the |nav_entry_id|, it might be either a pending
     // entry for a transfer or a recently pruned entry.  We'll handle it below.
     if (entry_index != -1 && entry_index != last_committed_entry_index_) {
       // Make sure that a subframe commit isn't changing the main frame's
       // origin. Otherwise the renderer process may be confused, leading to a
       // URL spoof. We can't check the path since that may change
       // (https://crbug.com/373041).
-      if (GetLastCommittedEntry()->GetURL().GetOrigin() !=
-          GetEntryAtIndex(entry_index)->GetURL().GetOrigin()) {
+//      RenderFrameHostImpl* main_frame =
+//          delegate_->GetFrameTree()->root()->current_frame_host();
+      GURL dest_top_url = GetEntryAtIndex(entry_index)->GetURL();
+      GURL current_top_url = GetLastCommittedEntry()->GetURL();
+      GURL blank_url(url::kAboutBlankURL);
+      url::Origin current_origin =
+          delegate_->GetFrameTree()->root()->current_origin();
+
+      // Allow about:blank to be the current or destination origin, beyond the
+      // other checks in CouldBeSameOrigin.  We can't verify the about:blank
+      // cases any more strictly, since we don't know the destination origin.
+      // TODO(creis): If we track url::Origin on NavigationEntry, we might be
+      // able to call IsUrlInPageNavigation here instead, to share code.
+      bool could_be_same_origin =
+          dest_top_url == blank_url ||
+          // TODO(creis): This part isn't needed, due to the constructed origin.
+          //(current_top_url == blank_url &&
+          // dest_top_url.GetOrigin() == GURL(current_origin.Serialize())) ||
+          CouldBeSameOrigin(current_top_url, current_origin,
+                            dest_top_url, url::Origin(dest_top_url),
+                            rfh->GetRenderViewHost()->GetWebkitPreferences());
+      if (!could_be_same_origin) {
         bad_message::ReceivedBadMessage(rfh->GetProcess(),
                                         bad_message::NC_AUTO_SUBFRAME);
       }
 
       // TODO(creis): Update the FrameNavigationEntry in --site-per-process.
       last_committed_entry_index_ = entry_index;
       DiscardNonCommittedEntriesInternal();
       return true;
     }
   }
@@ skipping 69 matching lines @@
     // might Blink say that a navigation is in-page yet there be no last-
     // committed entry?
     if (!last_committed)
       return false;
     last_committed_url = last_committed->GetURL();
   }
 
   WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences();
   const url::Origin& committed_origin =
       rfhi->frame_tree_node()->current_origin();
-  bool is_same_origin = last_committed_url.is_empty() ||
+  bool is_same_origin = CouldBeSameOrigin(last_committed_url, committed_origin,
+                                          url, origin, prefs);
+                        /*last_committed_url.is_empty() ||
                         // TODO(japhet): We should only permit navigations
                         // originating from about:blank to be in-page if the
                         // about:blank is the first document that frame loaded.
                         // We don't have sufficient information to identify
                         // that case at the moment, so always allow about:blank
                         // for now.
                         last_committed_url == GURL(url::kAboutBlankURL) ||
                         last_committed_url.GetOrigin() == url.GetOrigin() ||
                         committed_origin == origin ||
                         !prefs.web_security_enabled ||
                         (prefs.allow_universal_access_from_file_urls &&
-                         committed_origin.scheme() == url::kFileScheme);
+                         committed_origin.scheme() == url::kFileScheme);*/
   if (!is_same_origin && renderer_says_in_page) {
     bad_message::ReceivedBadMessage(rfh->GetProcess(),
                                     bad_message::NC_IN_PAGE_NAVIGATION);
   }
   return is_same_origin && renderer_says_in_page;
 }
 
 void NavigationControllerImpl::CopyStateFrom(
     const NavigationController& temp) {
   const NavigationControllerImpl& source =
@@ skipping 644 matching lines @@
     }
   }
 }
 
 void NavigationControllerImpl::SetGetTimestampCallbackForTest(
     const base::Callback<base::Time()>& get_timestamp_callback) {
   get_timestamp_callback_ = get_timestamp_callback;
 }
 
 }  // namespace content