Issue 303793003: Make mixed content checking and CSP aware of RemoteFrames

Issue 303793003: Make mixed content checking and CSP aware of RemoteFrames (Closed)

Created:
6 years, 6 months ago by kenrb

Modified:
6 years, 6 months ago

Reviewers:
Tom Sepez, Mike West, dcheng

CC:
blink-reviews, sof, eae+blinkwatch, blink-reviews-dom_chromium.org, dglazkov+blink, gavinp+loader_chromium.org, Nate Chapin, rwlbuis, site-isolation-reviews_chromium.org

Base URL:
https://chromium.googlesource.com/chromium/blink.git@master

Visibility:
Public.

More Reviews

Description

Make mixed content checking and CSP aware of RemoteFrames This CL is stubbing Blink security features that operate on frames across origins, so that they can deal with RemoteFrames being in the FrameTree. They will not yet work with cross-process frames because there is not enough information in most cases, but this allows us to put the frame infrastructure in place before we implement cross-process information sharing to correct the relevant behavior. BUG=346764 R=mkwst@chromium.org Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=175084

Patch Set 1 #

Total comments: 12

Patch Set 2 : Improved comments #

Total comments: 1

Created: 6 years, 6 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+59 lines, -34 lines)			Patch
M	Source/core/dom/Document.h	View		3 chunks	+3 lines, -2 lines	0 comments	Download
M	Source/core/dom/Document.cpp	View	1	8 chunks	+22 lines, -12 lines	0 comments	Download
M	Source/core/fetch/ResourceFetcher.cpp	View		2 chunks	+14 lines, -8 lines	0 comments	Download
M	Source/core/frame/Location.cpp	View		1 chunk	+5 lines, -2 lines	0 comments	Download
M	Source/core/frame/csp/CSPDirectiveList.cpp	View		1 chunk	+3 lines, -2 lines	1 comment	Download
M	Source/core/loader/DocumentLoader.cpp	View		1 chunk	+3 lines, -2 lines	0 comments	Download
M	Source/core/loader/FrameLoader.cpp	View		3 chunks	+9 lines, -6 lines	0 comments	Download

Messages

Total messages: 16 (0 generated)

Expand Messages | Collapse Messages

kenrb

Tom: this is an intermediate change for making CSP and mixed content checking work with ...

6 years, 6 months ago (2014-05-28 17:57:59 UTC) #1

dcheng

Given that we need SandboxFlags and SecurityOrigin, I wonder if it makes sense to just ...

6 years, 6 months ago (2014-05-28 22:37:19 UTC) #3

Mike West

This looks pretty reasonable, thanks! What web-visible impact will it have today? Do we already ...

6 years, 6 months ago (2014-05-29 09:47:41 UTC) #4

kenrb

Thanks for the review, Mike. In the current state of things, RemoteFrames are not instantiated ...

6 years, 6 months ago (2014-05-29 13:38:40 UTC) #5

Thanks for the review, Mike.

In the current state of things, RemoteFrames are not instantiated under any
circumstance, because we don't have enough code infrastructure in place for
things to interact with them without crashing. We are hoping to change that
soon, in which case they will exist when running with the --site-per-process
flag. Until then, out-of-process iframes are implemented using LocalFrames with
blank documents.

Right now every feature that operates across cross-origin iframes is broken when
we run with --site-per-process, and that won't change when we get RemoteFrames
in use, but at that point we can start working with feature owners to get these
fixed. The FIXMEs are intended to call out the specific things that we are
missing. Any help you might want to give to getting these resolved over the next
2-3 months would be appreciated. :)

https://codereview.chromium.org/303793003/diff/1/Source/core/dom/Document.cpp
File Source/core/dom/Document.cpp (right):

https://codereview.chromium.org/303793003/diff/1/Source/core/dom/Document.cpp...
Source/core/dom/Document.cpp:2943: if (!isSandboxed(SandboxTopNavigation) &&
targetFrame == m_frame->tree().top())
On 2014/05/29 09:47:41, Mike West wrote:
> Sandboxing flags will be moving up to Frame as well, correct?

Those come off of the HTMLFrameOwnerElement. dcheng@ has a CL that is
refactoring that a little bit to make it easier to 'export' the parts of it that
will be needed by child frames in another process. That includes sandbox flags.

https://codereview.chromium.org/303793003/diff/1/Source/core/dom/Document.cpp...
Source/core/dom/Document.cpp:2986: // If targetFrame is a RemoteFrame then it is
a different origin.
On 2014/05/29 09:47:41, Mike West wrote:
> True, but that doesn't mean that canAccessAncestor would return false today.
> SecurityOrigins can be flagged with "universal access", for example, which
would
> make the 'canAccess' fall in 'canAccessAncestor' true.

Good point. I have added a TODO to reflect that.

https://codereview.chromium.org/303793003/diff/1/Source/core/dom/Document.cpp...
Source/core/dom/Document.cpp:3001: // RemoteFrames always have different
origins.
On 2014/05/29 09:47:41, Mike West wrote:
> Same comment regarding canAccess as above; different origins doesn't always
mean
> no access.

Comment changed.

https://codereview.chromium.org/303793003/diff/1/Source/core/dom/Document.cpp...
Source/core/dom/Document.cpp:3246: // Srcdoc documents must be local within the
containing frame.
On 2014/05/29 09:47:41, Mike West wrote:
> Perhaps you could add `ASSERT(frame->isLocal())` to document this
precondition?

That will implicitly happen in the last stage of this change. Right now
frame->tree().parent() still returns a LocalFrame pointer, because too many call
sites still assume that. The cast macros don't allow casting a LocalFrame
pointer to a LocalFrame pointer (i.e. toLocalFrame(localFrame)), so I can't add
casts to lines like this yet. The cast macros does contain an ASSERT for type
correctness.

https://codereview.chromium.org/303793003/diff/1/Source/core/dom/Document.cpp...
Source/core/dom/Document.cpp:4850: if (m_frame && m_frame->tree().parent() &&
m_frame->tree().parent()->isLocalFrame() &&
(shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))
On 2014/05/29 09:47:41, Mike West wrote:
> Why does my parent need to be a local frame for this inheritance to work?

I probably should have mentioned this when I put the CL up, but the same
explanation as above. The check is there because m_frame->tree().parent() will
soon need to have a toLocalFrame() cast, because RemoteFrames don't have
documents. I don't know how we are going to do CSP inheritance across processes
yet.

https://codereview.chromium.org/303793003/diff/1/Source/core/frame/csp/CSPDir...
File Source/core/frame/csp/CSPDirectiveList.cpp (right):

https://codereview.chromium.org/303793003/diff/1/Source/core/frame/csp/CSPDir...
Source/core/frame/csp/CSPDirectiveList.cpp:97: if (!current->isLocalFrame() ||
!directive->allows(toLocalFrame(current)->document()->url()))
On 2014/05/29 09:47:41, Mike West wrote:
> This will block loading any page that sets a frame-ancestor directive if it's
> somewhere nested in a chain that includes a RemoteFrame. Do we create those
> today, or will those only pop up in an OOP world?

RemoteFrames will only be used behind a flag until we are ready to launch this
feature.

Mike West

Got it. Sounds reasonable; the FIXMEs scare me a little bit, but I'm TOTALLY SURE ...

6 years, 6 months ago (2014-05-29 15:31:06 UTC) #6

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/kenrb@chromium.org/303793003/20001

6 years, 6 months ago (2014-05-29 15:36:24 UTC) #10

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/kenrb@chromium.org/303793003/20001

6 years, 6 months ago (2014-05-29 20:53:41 UTC) #13

dcheng

For similar changes for HTMLFrameOwnerElement, I've failed open for now (because otherwise we'd never load ...

6 years, 6 months ago (2014-05-29 21:45:27 UTC) #14

kenrb

In general I think you are right, but I would prefer to fail closed on ...

6 years, 6 months ago (2014-05-29 22:23:14 UTC) #15

Message was sent while issue was closed.

Change committed as 175084

Expand Messages | Collapse Messages