Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2151323003:
Add a check for mismatching URL and origin in the renderer process. (Closed)
|
Created:
4 years, 5 months ago by nasko Modified:
4 years, 5 months ago Reviewers:
Charlie Reis CC:
chromium-reviews, mlamouri+watch-content_chromium.org, nasko+codewatch_chromium.org, jam, creis+watch_chromium.org, darin-cc_chromium.org, site-isolation-reviews_chromium.org Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionAdd a check for mismatching URL and origin in the renderer process.
The renderer process kills with reason RFH_INVALID_ORIGIN_ON_COMMIT are
checking parameters passed from the renderer process. However, we are
lacking a bunch of information since it is in the browser process and
it is hard to reason about what the state was in the renderer.
We can also try to implement similar checking in the renderer process,
so we can catch these mismatches closer to where we have more data.
This CL implements some of the checks performed browser side, but
it is a set that should catch the majority of the cases we have seen
in crash reports.
BUG=628677
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
Committed: https://crrev.com/0be4d34d5c65243b03d4fc6469a78b32eb1403c0
Cr-Commit-Position: refs/heads/master@{#406145}
Patch Set 1 #
Total comments: 2
Patch Set 2 : Remove TODO to remove :) #Patch Set 3 : Add checks for unique origin and --disable-web-security #Patch Set 4 : Format. #
Total comments: 2
Patch Set 5 : Add allow_universal_access_from_file_urls check. #Patch Set 6 : Add a test to exercise allow_universal_access_from_file_urls #
Total comments: 2
Patch Set 7 : Add liveness check. #Patch Set 8 : Disable the test on Mac, until more debugging can be done. #
Messages
Total messages: 37 (23 generated)
creis@chromium.org changed reviewers: + creis@chromium.org
https://codereview.chromium.org/2151323003/diff/1/content/renderer/render_fra... File content/renderer/render_frame_impl.cc (right): https://codereview.chromium.org/2151323003/diff/1/content/renderer/render_fra... content/renderer/render_frame_impl.cc:4777: // https://crbug.com/628677 is understood. Why not leave it in? :) Seems like it could help catch future bugs, if this is never expected to be hit.
https://codereview.chromium.org/2151323003/diff/1/content/renderer/render_fra... File content/renderer/render_frame_impl.cc (right): https://codereview.chromium.org/2151323003/diff/1/content/renderer/render_fra... content/renderer/render_frame_impl.cc:4777: // https://crbug.com/628677 is understood. On 2016/07/15 17:49:18, Charlie Reis wrote: > Why not leave it in? :) Seems like it could help catch future bugs, if this is > never expected to be hit. Sure :).
Description was changed from ========== Add a check for mismatching URL and origin in the renderer process. The renderer process kills with reason RFH_INVALID_ORIGIN_ON_COMMIT are checking parameters passed from the renderer process. However, we are lacking a bunch of information since it is in the browser process and it is hard to reason about what the state was in the renderer. We can also try to implement similar checking in the renderer process, so we can catch these mismatches closer to where we have more data. This CL implements one of the many checks performed browser side, but it is the one that should catch the majority of the cases we have seen in crash reports. BUG=628677 ========== to ========== Add a check for mismatching URL and origin in the renderer process. The renderer process kills with reason RFH_INVALID_ORIGIN_ON_COMMIT are checking parameters passed from the renderer process. However, we are lacking a bunch of information since it is in the browser process and it is hard to reason about what the state was in the renderer. We can also try to implement similar checking in the renderer process, so we can catch these mismatches closer to where we have more data. This CL implements some of the checks performed browser side, but it is a set that should catch the majority of the cases we have seen in crash reports. BUG=628677 ==========
The CQ bit was checked by nasko@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Hey Charlie, Can you review the CL at this time? It is properly formatted and passed all tryjobs. Thanks! Nasko
https://codereview.chromium.org/2151323003/diff/60001/content/renderer/render... File content/renderer/render_frame_impl.cc (right): https://codereview.chromium.org/2151323003/diff/60001/content/renderer/render... content/renderer/render_frame_impl.cc:4777: render_view_->GetWebkitPreferences().web_security_enabled) { Ah, good point. We'll need to skip the check for file URLs when prefs.allow_universal_access_from_file_urls is true, too, or we'll get a bunch of Android WebView crash reports. We're basically encoding RFHI::CanCommitOrigin into here, but I think I'm ok with that. Maybe put a reference to that method in the comment above?
https://codereview.chromium.org/2151323003/diff/60001/content/renderer/render... File content/renderer/render_frame_impl.cc (right): https://codereview.chromium.org/2151323003/diff/60001/content/renderer/render... content/renderer/render_frame_impl.cc:4777: render_view_->GetWebkitPreferences().web_security_enabled) { On 2016/07/15 20:33:17, Charlie Reis wrote: > Ah, good point. We'll need to skip the check for file URLs when > prefs.allow_universal_access_from_file_urls is true, too, or we'll get a bunch > of Android WebView crash reports. Such check added. However, all tests passed before I added it, so it indicates that we probably have no test coverage for this :(. > We're basically encoding RFHI::CanCommitOrigin into here, but I think I'm ok > with that. Maybe put a reference to that method in the comment above? Done. Yeah, it isn't nice, but we need it to at least diagnose the kills. We can decide whether we want to keep it longer term later on.
The CQ bit was checked by nasko@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
LGTM, though I might recommend adding the test for universal file access in this CL. That condition is just complex enough that a test would be worthwhile (not to mention would have caught the bug in the earlier patch set).
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Description was changed from ========== Add a check for mismatching URL and origin in the renderer process. The renderer process kills with reason RFH_INVALID_ORIGIN_ON_COMMIT are checking parameters passed from the renderer process. However, we are lacking a bunch of information since it is in the browser process and it is hard to reason about what the state was in the renderer. We can also try to implement similar checking in the renderer process, so we can catch these mismatches closer to where we have more data. This CL implements some of the checks performed browser side, but it is a set that should catch the majority of the cases we have seen in crash reports. BUG=628677 ========== to ========== Add a check for mismatching URL and origin in the renderer process. The renderer process kills with reason RFH_INVALID_ORIGIN_ON_COMMIT are checking parameters passed from the renderer process. However, we are lacking a bunch of information since it is in the browser process and it is hard to reason about what the state was in the renderer. We can also try to implement similar checking in the renderer process, so we can catch these mismatches closer to where we have more data. This CL implements some of the checks performed browser side, but it is a set that should catch the majority of the cases we have seen in crash reports. BUG=628677 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ==========
The CQ bit was checked by nasko@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Awesome, thanks for the test! LGTM. https://codereview.chromium.org/2151323003/diff/100001/content/browser/frame_... File content/browser/frame_host/render_frame_host_manager_browsertest.cc (right): https://codereview.chromium.org/2151323003/diff/100001/content/browser/frame_... content/browser/frame_host/render_frame_host_manager_browsertest.cc:2825: EXPECT_EQ(2, web_contents->GetController().GetEntryCount()); Maybe verify that the renderer process is still live? (I'm guessing the entry count check was the part that failed, but that's a bit subtle.)
The CQ bit was checked by nasko@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from creis@chromium.org Link to the patchset: https://codereview.chromium.org/2151323003/#ps120001 (title: "Add liveness check.")
https://codereview.chromium.org/2151323003/diff/100001/content/browser/frame_... File content/browser/frame_host/render_frame_host_manager_browsertest.cc (right): https://codereview.chromium.org/2151323003/diff/100001/content/browser/frame_... content/browser/frame_host/render_frame_host_manager_browsertest.cc:2825: EXPECT_EQ(2, web_contents->GetController().GetEntryCount()); On 2016/07/15 22:30:40, Charlie Reis wrote: > Maybe verify that the renderer process is still live? (I'm guessing the entry > count check was the part that failed, but that's a bit subtle.) Done.
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)
The CQ bit was checked by nasko@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: win_chromium_rel_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)
The CQ bit was checked by nasko@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from creis@chromium.org Link to the patchset: https://codereview.chromium.org/2151323003/#ps140001 (title: "Disable the test on Mac, until more debugging can be done.")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Committed patchset #8 (id:140001)
Message was sent while issue was closed.
CQ bit was unchecked.
Message was sent while issue was closed.
Description was changed from ========== Add a check for mismatching URL and origin in the renderer process. The renderer process kills with reason RFH_INVALID_ORIGIN_ON_COMMIT are checking parameters passed from the renderer process. However, we are lacking a bunch of information since it is in the browser process and it is hard to reason about what the state was in the renderer. We can also try to implement similar checking in the renderer process, so we can catch these mismatches closer to where we have more data. This CL implements some of the checks performed browser side, but it is a set that should catch the majority of the cases we have seen in crash reports. BUG=628677 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation ========== to ========== Add a check for mismatching URL and origin in the renderer process. The renderer process kills with reason RFH_INVALID_ORIGIN_ON_COMMIT are checking parameters passed from the renderer process. However, we are lacking a bunch of information since it is in the browser process and it is hard to reason about what the state was in the renderer. We can also try to implement similar checking in the renderer process, so we can catch these mismatches closer to where we have more data. This CL implements some of the checks performed browser side, but it is a set that should catch the majority of the cases we have seen in crash reports. BUG=628677 CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation Committed: https://crrev.com/0be4d34d5c65243b03d4fc6469a78b32eb1403c0 Cr-Commit-Position: refs/heads/master@{#406145} ==========
Message was sent while issue was closed.
Patchset 8 (id:??) landed as https://crrev.com/0be4d34d5c65243b03d4fc6469a78b32eb1403c0 Cr-Commit-Position: refs/heads/master@{#406145} |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
