Remove opener URLs from CreateNewWindowParams.

Now that this message is serviced on the UI thread, we can use the
real values there, which are more trustworthy anyway. This fixes
bug 674307.

BUG=466297,674307
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2837683002
Cr-Commit-Position: refs/heads/master@{#466796}
diff --git a/content/browser/frame_host/render_frame_host_impl.cc b/content/browser/frame_host/render_frame_host_impl.cc
index ad8c146e..293e2851 100644
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -2445,12 +2445,16 @@
 
   bool no_javascript_access = false;
 
+  // Filter out URLs that this process cannot request.
+  GetProcess()->FilterURL(false, &params->target_url);
+
   // Ignore creation when sent from a frame that's not current or created.
   bool can_create_window =
       frame_tree_node_->current_frame_host() == this && render_frame_created_ &&
       GetContentClient()->browser()->CanCreateWindow(
-          this, params->opener_url, params->opener_top_level_frame_url,
-          params->opener_security_origin, params->window_container_type,
+          this, last_committed_url(),
+          frame_tree_node_->frame_tree()->GetMainFrame()->last_committed_url(),
+          last_committed_origin_.GetURL(), params->window_container_type,
           params->target_url, params->referrer, params->frame_name,
           params->disposition, *params->features, params->user_gesture,
           params->opener_suppressed, &no_javascript_access);
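Review bot: The reason the CanCreateWindow arguments on the added lines switch from renderer-supplied opener URLs to last_committed_url(), the main frame's last_committed_url() and last_committed_origin_ is recorded only in the commit message; a comment above the call, `// Use the browser's own record of the opener URL, top-level URL and origin; the renderer-supplied values are not trusted.`, would keep that rationale next to the code. The FilterURL call on target_url now runs before the CanCreateWindow check, so the embedder sees the already-filtered URL; extending the added comment to `// Filter out URLs that this process cannot request, before the embedder sees them.` makes that ordering deliberate. Because the clone is dropped in the next hunk, the filtered value is now written back into params itself rather than into a copy; if anything downstream relied on the unfiltered target_url that is a behavior change, but it cannot be confirmed from these hunks. The enclosing function starts and ends outside the hunk.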
@@ -2509,19 +2513,8 @@
 
   DCHECK(IsRenderFrameLive());
 
-  // Actually validate the params and create the window.
-  mojom::CreateNewWindowParamsPtr validated_params(params.Clone());
-  GetProcess()->FilterURL(false, &validated_params->target_url);
-
-  // TODO(nick): http://crbug.com/674307 |opener_url|, |opener_security_origin|,
-  // and |opener_top_level_frame_url| should not be parameters; we can just use
-  // last_committed_url(), etc. Of these, |opener_top_level_frame_url| is
-  // particularly egregious, since an oopif isn't expected to know its top URL.
-  GetProcess()->FilterURL(false, &validated_params->opener_url);
-  GetProcess()->FilterURL(true, &validated_params->opener_security_origin);
-
   delegate_->CreateNewWindow(this, render_view_route_id, main_frame_route_id,
-                             main_frame_widget_route_id, *validated_params,
+                             main_frame_widget_route_id, *params,
                              cloned_namespace.get());
 
   // If we did not create a WebContents to host the renderer-created
diff --git a/content/browser/security_exploit_browsertest.cc b/content/browser/security_exploit_browsertest.cc
index d1596705..cf003bfe0 100644
--- a/content/browser/security_exploit_browsertest.cc
+++ b/content/browser/security_exploit_browsertest.cc
@@ -268,7 +268,8 @@
 
   RenderFrameHostImpl* opener =
       static_cast<RenderFrameHostImpl*>(pending_rvh->GetMainFrame());
-  mojom::CreateNewWindowParamsPtr params;
+  mojom::CreateNewWindowParamsPtr params = mojom::CreateNewWindowParams::New();
+  params->target_url = GURL("about:blank");
   opener->CreateNewWindow(std::move(params),
                           base::Bind([](mojom::CreateNewWindowReplyPtr) {}));
   // If the above operation doesn't cause a crash, the test has succeeded!
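Review bot: The added lines construct params and set target_url but do not say why a null CreateNewWindowParamsPtr is no longer acceptable; a comment such as `// CreateNewWindow dereferences params (target_url is filtered before any other check), so a null pointer would crash for a reason unrelated to what this test covers.` would make the setup self-explanatory. That explanation is inferred from the FilterURL call added in render_frame_host_impl.cc rather than visible here, so confirm the wording against that code. The test body continues outside the hunk.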
diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
index d9457e9..661b4db 100644
--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
@@ -2099,8 +2099,8 @@
       !delegate_->ShouldCreateWebContents(
           this, source_site_instance, render_view_route_id, main_frame_route_id,
           main_frame_widget_route_id, params.window_container_type,
-          params.opener_url, params.frame_name, params.target_url, partition_id,
-          session_storage_namespace)) {
+          opener->GetLastCommittedURL(), params.frame_name, params.target_url,
+          partition_id, session_storage_namespace)) {
     // Note: even though we're not creating a WebContents here, it could have
     // been created by the embedder so ensure that the RenderFrameHost is
     // properly initialized.
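Review bot: `opener->GetLastCommittedURL()` on the new side dereferences opener with no null check visible in the hunk; the enclosing function starts outside it, so if a non-null opener is an established precondition a `DCHECK(opener);` near the top of the function, or a comment stating that precondition, would document it, and otherwise the call needs a guard. The switch from params.opener_url to the browser-side URL is the same trust change made in render_frame_host_impl.cc and could carry a matching one-line comment, e.g. `// Report the browser's own record of the opener URL, not the renderer-supplied one.`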