|
|
Created:
4 years, 2 months ago by Łukasz Anforowicz Modified:
4 years, 1 month ago CC:
chromium-reviews, loading-reviews_chromium.org, jam, darin-cc_chromium.org, Randy Smith (Not in Mondays), mmenke, site-isolation-reviews_chromium.org Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionExtra browser-side validation of transferred_request_child_id / request_id.
BUG=656179
Committed: https://crrev.com/1f59c2aac5f896e23613af618fbe8444a63911f8
Cr-Commit-Position: refs/heads/master@{#427510}
Patch Set 1 : Adding extra browser-side checks (expecting test failures at this point). #Patch Set 2 : Rebasing... #Patch Set 3 : Tighten renderer-side checks (this should make the bots green again). #Patch Set 4 : Fixing incorrect conflict resolution in content/browser/bad_message.h #
Total comments: 2
Patch Set 5 : Rebasing... (renumbering bad_message.h) #
Messages
Total messages: 41 (30 generated)
The CQ bit was checked by lukasza@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...) mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)
The CQ bit was checked by lukasza@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Patchset #2 (id:20001) has been deleted
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: ios-device on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-device/builds...) ios-simulator on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...) mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...) mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)
The CQ bit was checked by lukasza@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by lukasza@chromium.org
Patchset #3 (id:60001) has been deleted
The CQ bit was checked by lukasza@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
The CQ bit was checked by lukasza@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was checked by lukasza@chromium.org to run a CQ dry run
lukasza@chromium.org changed reviewers: + creis@chromium.org
Charlie, can you take a look please? Even without any extra tests, the bots were red in patchset #2 (i.e. without corresponding renderer-side change to avoid sending transferred_request_xxx, the new browser-side renderer kills would kick in). Therefore, I think the changes have sufficient test coverage as-is. This is great, as I wasn't really looking forward to adding a fragile, implementation-coupled unit test (or a browser test that influences timing / race between navigational-vs-subresource requests in the renderer). The bots are green in patchset #3 (after adding renderer-side code to avoid sending transferred_request_xxx for non-navigational requests), but I've realized a mistake in rebasing/merging bad_message.h, so I've respun tryjobs on patchset #4 as well.
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Sorry for the delay-- this LGTM! Sanity check: If I understand correctly, the renderer kills before the RenderFrameImpl change were because subresources (in a page that transferred) were tacking the transfer IDs onto their requests?
On 2016/10/25 20:19:12, Charlie Reis wrote: > Sorry for the delay-- this LGTM! Thanks for reviewing. > Sanity check: If I understand correctly, the renderer kills before the > RenderFrameImpl change were because subresources (in a page that transferred) > were tacking the transfer IDs onto their requests? Yes - correct.
The CQ bit was checked by lukasza@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
mmenke@chromium.org changed reviewers: + mmenke@chromium.org
https://codereview.chromium.org/2442793002/diff/100001/content/browser/loader... File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/2442793002/diff/100001/content/browser/loader... content/browser/loader/resource_dispatcher_host_impl.cc:1239: } Random drive-by question: How concerned are we about a compromised renderer stealing requests this way? If an attacker can guess a child_id and request_id (Latter isn't hard, if opening a new tab) of a new navigation that's currently transferring a request, can't it steal the request?
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...) mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)
https://codereview.chromium.org/2442793002/diff/100001/content/browser/loader... File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/2442793002/diff/100001/content/browser/loader... content/browser/loader/resource_dispatcher_host_impl.cc:1239: } On 2016/10/25 20:23:47, mmenke wrote: > Random drive-by question: How concerned are we about a compromised renderer > stealing requests this way? If an attacker can guess a child_id and request_id > (Latter isn't hard, if opening a new tab) of a new navigation that's currently > transferring a request, can't it steal the request? Yes, good point. Łukasz was asking about this the other day. I think we have some logic in RenderFrameHostManager that will only accept a commit if it comes from the expected pending RenderFrameHost, but that won't really defend against this (which happens earlier). Specifically, the response would be send to the first renderer that asks for it, and that would matter from a cross-site document blocking perspective for Site Isolation. We should file a bug to track that. Not sure if there's much impact today, though-- probably mainly for --site-per-process.
On 2016/10/25 20:30:08, Charlie Reis wrote: > https://codereview.chromium.org/2442793002/diff/100001/content/browser/loader... > File content/browser/loader/resource_dispatcher_host_impl.cc (right): > > https://codereview.chromium.org/2442793002/diff/100001/content/browser/loader... > content/browser/loader/resource_dispatcher_host_impl.cc:1239: } > On 2016/10/25 20:23:47, mmenke wrote: > > Random drive-by question: How concerned are we about a compromised renderer > > stealing requests this way? If an attacker can guess a child_id and > request_id > > (Latter isn't hard, if opening a new tab) of a new navigation that's currently > > transferring a request, can't it steal the request? > > Yes, good point. Łukasz was asking about this the other day. I think we have > some logic in RenderFrameHostManager that will only accept a commit if it comes > from the expected pending RenderFrameHost, but that won't really defend against > this (which happens earlier). Specifically, the response would be send to the > first renderer that asks for it, and that would matter from a cross-site > document blocking perspective for Site Isolation. > > We should file a bug to track that. Not sure if there's much impact today, > though-- probably mainly for --site-per-process. I've opened https://crbug.com/659299 to track this.
The CQ bit was checked by lukasza@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from creis@chromium.org Link to the patchset: https://codereview.chromium.org/2442793002/#ps120001 (title: "Rebasing... (renumbering bad_message.h)")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Committed patchset #5 (id:120001)
Message was sent while issue was closed.
Description was changed from ========== Extra browser-side validation of transferred_request_child_id / request_id. BUG=656179 ========== to ========== Extra browser-side validation of transferred_request_child_id / request_id. BUG=656179 Committed: https://crrev.com/1f59c2aac5f896e23613af618fbe8444a63911f8 Cr-Commit-Position: refs/heads/master@{#427510} ==========
Message was sent while issue was closed.
Patchset 5 (id:??) landed as https://crrev.com/1f59c2aac5f896e23613af618fbe8444a63911f8 Cr-Commit-Position: refs/heads/master@{#427510} |