Service Worker: Clients.openWindow() should allow opening x-origin URLs

content/browser/service_worker/service_worker_version.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/service_worker/service_worker_version.h"
 
 #include "base/command_line.h"
 #include "base/memory/ref_counted.h"
 #include "base/stl_util.h"
 #include "base/strings/string16.h"
@@ skipping 251 matching lines @@
       url, Referrer::SanitizeForRequest(
                url, Referrer(script_url, blink::WebReferrerPolicyDefault)),
       NEW_FOREGROUND_TAB, ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
       true /* is_renderer_initiated */);
 
   GetContentClient()->browser()->OpenURL(
       browser_context, params,
       base::Bind(&DidOpenURL, callback));
 }
 
-void KillEmbeddedWorkerProcess(int process_id, ResultCode code) {
-  DCHECK_CURRENTLY_ON(BrowserThread::UI);
-
-  RenderProcessHost* render_process_host =
-      RenderProcessHost::FromID(process_id);
-  if (render_process_host->GetHandle() != base::kNullProcessHandle)
-    render_process_host->ReceivedBadMessage();
-}
-
 }  // namespace
 
 ServiceWorkerVersion::ServiceWorkerVersion(
     ServiceWorkerRegistration* registration,
     const GURL& script_url,
     int64 version_id,
     base::WeakPtr<ServiceWorkerContextCore> context)
     : version_id_(version_id),
       registration_id_(kInvalidServiceWorkerVersionId),
       script_url_(script_url),
@@ skipping 853 matching lines @@
   scoped_refptr<ServiceWorkerVersion> protect(this);
   callback->Run(SERVICE_WORKER_OK, accept_connection);
   RemoveCallbackAndStopIfDoomed(&cross_origin_connect_callbacks_, request_id);
 }
 
 void ServiceWorkerVersion::OnOpenWindow(int request_id, const GURL& url) {
   // Just abort if we are shutting down.
   if (!context_)
     return;
 
-  if (url.GetOrigin() != script_url_.GetOrigin()) {
-    // There should be a same origin check by Blink, if the request is still not
-    // same origin, the process might be compromised and should be eliminated.
-    DVLOG(1) << "Received a cross origin openWindow() request from a service "
-                "worker. Killing associated process.";
-    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
-                            base::Bind(&KillEmbeddedWorkerProcess,
-                                       embedded_worker_->process_id(),
-                                       RESULT_CODE_KILLED_BAD_MESSAGE));
-    return;
-  }
-
   BrowserThread::PostTask(
       BrowserThread::UI, FROM_HERE,
       base::Bind(&OpenWindowOnUI,
                  url,
                  script_url_,
                  embedded_worker_->process_id(),
                  make_scoped_refptr(context_->wrapper()),
                  base::Bind(&ServiceWorkerVersion::DidOpenWindow,
                             weak_factory_.GetWeakPtr(),
-                            request_id)));
+                            request_id,
+                            url)));

[jsbell, 2015/03/06 16:59:36]

I agree this matches the spec, but it's a little weird. An on-origin request
could end up redirecting to an off-origin location. An off-origin request could
end up redirecting to an on-origin - even controlled - location. 

[jungkees, 2015/03/09 05:53:01]

Filed: https://github.com/slightlyoff/ServiceWorker/issues/646

It seems the document's address after navigation with redirects is set to the
original request's url, though.
(https://html.spec.whatwg.org/multipage/browsers.html#set-the-document's-address)

 }
 
 void ServiceWorkerVersion::DidOpenWindow(int request_id,
+                                         const GURL& url,
                                          int render_process_id,
                                          int render_frame_id) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
   if (running_status() != RUNNING)
     return;
 
   if (render_process_id == ChildProcessHost::kInvalidUniqueID &&
       render_frame_id == MSG_ROUTING_NONE) {
     embedded_worker_->SendMessage(ServiceWorkerMsg_OpenWindowError(request_id));
     return;
   }
 
   for (const auto& it : controllee_map_) {
     const ServiceWorkerProviderHost* provider_host = it.first;
     if (provider_host->process_id() != render_process_id ||
         provider_host->frame_id() != render_frame_id) {
       continue;
     }
 
     // it.second is the client_id associated with the provider_host.
     provider_host->GetClientInfo(
         base::Bind(&ServiceWorkerVersion::OnOpenWindowFinished,
-                   weak_factory_.GetWeakPtr(), request_id, it.second));
+                   weak_factory_.GetWeakPtr(), request_id, url, it.second));
     return;
   }
 
   // If here, it means that no provider_host was found, in which case, the
   // renderer should still be informed that the window was opened.
-  OnOpenWindowFinished(request_id, 0, ServiceWorkerClientInfo());
+  OnOpenWindowFinished(request_id, url, 0, ServiceWorkerClientInfo());
 }
 
 void ServiceWorkerVersion::OnOpenWindowFinished(
     int request_id,
+    const GURL& url,
     int client_id,
     const ServiceWorkerClientInfo& client_info) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
 
   if (running_status() != RUNNING)
     return;
 
   ServiceWorkerClientInfo client(client_info);
 
   // If the |client_info| is empty, it means that the opened window wasn't
   // controlled but the action still succeeded. The renderer process is
   // expecting an empty client in such case.
   if (!client.IsEmpty())
     client.client_id = client_id;
 
   embedded_worker_->SendMessage(ServiceWorkerMsg_OpenWindowResponse(
-      request_id, client));
+      request_id, url, client));
 }
 
 void ServiceWorkerVersion::OnSetCachedMetadata(const GURL& url,
                                                const std::vector<char>& data) {
   int64 callback_id = base::TimeTicks::Now().ToInternalValue();
   TRACE_EVENT_ASYNC_BEGIN1("ServiceWorker",
                            "ServiceWorkerVersion::OnSetCachedMetadata",
                            callback_id, "URL", url.spec());
   script_cache_map_.WriteMetadata(
       url, data, base::Bind(&ServiceWorkerVersion::OnSetCachedMetadataFinished,
@@ skipping 261 matching lines @@
     int request_id) {
   callbacks->Remove(request_id);
   if (is_doomed_) {
     // The stop should be already scheduled, but try to stop immediately, in
     // order to release worker resources soon.
     StopWorkerIfIdle();
   }
 }
 
 }  // namespace content