1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
|
// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/browser/security/coop/cross_origin_opener_policy_status.h"
#include <utility>
#include "base/feature_list.h"
#include "base/time/time.h"
#include "content/browser/renderer_host/frame_tree_node.h"
#include "content/browser/renderer_host/navigation_request.h"
#include "content/browser/renderer_host/render_frame_host_delegate.h"
#include "content/browser/security/coop/cross_origin_opener_policy_access_report_manager.h"
#include "services/network/public/cpp/cross_origin_opener_policy.h"
#include "services/network/public/cpp/features.h"
#include "services/network/public/cpp/is_potentially_trustworthy.h"
#include "services/network/public/mojom/network_context.mojom.h"
#include "third_party/blink/public/common/origin_trials/trial_token_validator.h"
namespace content {
// This function returns whether the BrowsingInstance should change following
// COOP rules defined in:
// https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e#changes-to-navigation
//
// The SiteInstance selection model heavily relies on this function to be
// correct, and documents these assumptions, many of which would crash the
// browser if incorrect. In particular, it assumes that returning a value of
// true means that the current browsing context group will NOT be found suitable
// for reuse, as that would effectively mean no swap has happened.
bool ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy(
network::mojom::CrossOriginOpenerPolicyValue initiator_coop,
const url::Origin& initiator_origin,
bool is_navigation_from_initial_empty_document,
network::mojom::CrossOriginOpenerPolicyValue destination_coop,
const url::Origin& destination_origin) {
using network::mojom::CrossOriginOpenerPolicyValue;
switch (initiator_coop) {
case CrossOriginOpenerPolicyValue::kUnsafeNone:
switch (destination_coop) {
case CrossOriginOpenerPolicyValue::kUnsafeNone:
return false;
case CrossOriginOpenerPolicyValue::kSameOriginAllowPopups:
case CrossOriginOpenerPolicyValue::kSameOrigin:
case CrossOriginOpenerPolicyValue::kSameOriginPlusCoep:
case CrossOriginOpenerPolicyValue::kNoopenerAllowPopups:
return true;
}
// "same-origin-allow-popups" is used to stay in the same BrowsingInstance
// despite COOP mismatch during the first navigation the popup.
case CrossOriginOpenerPolicyValue::kSameOriginAllowPopups:
switch (destination_coop) {
case CrossOriginOpenerPolicyValue::kUnsafeNone:
return !is_navigation_from_initial_empty_document;
case CrossOriginOpenerPolicyValue::kSameOriginAllowPopups:
return !initiator_origin.IsSameOriginWith(destination_origin);
case CrossOriginOpenerPolicyValue::kSameOrigin:
case CrossOriginOpenerPolicyValue::kSameOriginPlusCoep:
case CrossOriginOpenerPolicyValue::kNoopenerAllowPopups:
return true;
}
case CrossOriginOpenerPolicyValue::kNoopenerAllowPopups:
switch (destination_coop) {
case CrossOriginOpenerPolicyValue::kUnsafeNone:
return false;
case CrossOriginOpenerPolicyValue::kNoopenerAllowPopups:
return (is_navigation_from_initial_empty_document ||
!initiator_origin.IsSameOriginWith(destination_origin));
case CrossOriginOpenerPolicyValue::kSameOriginAllowPopups:
case CrossOriginOpenerPolicyValue::kSameOrigin:
case CrossOriginOpenerPolicyValue::kSameOriginPlusCoep:
return true;
}
// "same-origin" requires that both policies and origin match.
case CrossOriginOpenerPolicyValue::kSameOrigin:
case CrossOriginOpenerPolicyValue::kSameOriginPlusCoep:
return initiator_coop != destination_coop ||
!initiator_origin.IsSameOriginWith(destination_origin);
}
}
CrossOriginOpenerPolicyStatus::CrossOriginOpenerPolicyStatus(
NavigationRequest* navigation_request)
: navigation_request_(navigation_request),
frame_tree_node_(navigation_request->frame_tree_node()),
previous_document_rph_(navigation_request->frame_tree_node()
->current_frame_host()
->GetProcess()),
virtual_browsing_context_group_(frame_tree_node_->current_frame_host()
->virtual_browsing_context_group()),
soap_by_default_virtual_browsing_context_group_(
frame_tree_node_->current_frame_host()
->soap_by_default_virtual_browsing_context_group()),
is_navigation_from_initial_empty_document_(
frame_tree_node_->is_on_initial_empty_document()),
current_coop_(
frame_tree_node_->current_frame_host()->cross_origin_opener_policy()),
current_origin_(
frame_tree_node_->current_frame_host()->GetLastCommittedOrigin()),
current_url_(
frame_tree_node_->current_frame_host()->GetLastCommittedURL()),
is_navigation_source_(
navigation_request->common_params().initiator_origin.has_value() &&
navigation_request->common_params()
.initiator_origin->IsSameOriginWith(
frame_tree_node_->current_frame_host()
->GetLastCommittedOrigin())) {
// Use the URL of the opener for reporting purposes when doing an initial
// navigation in a popup.
// Note: the origin check is there to avoid leaking the URL of an opener that
// navigated in the meantime.
if (is_navigation_from_initial_empty_document_ &&
frame_tree_node_->opener() &&
frame_tree_node_->opener()
->current_frame_host()
->GetLastCommittedOrigin() == current_origin_) {
current_url_ =
frame_tree_node_->opener()->current_frame_host()->GetLastCommittedURL();
}
previous_document_rph_observation_.Observe(previous_document_rph_.get());
}
CrossOriginOpenerPolicyStatus::~CrossOriginOpenerPolicyStatus() {
ClearTransientReportingSources();
}
void CrossOriginOpenerPolicyStatus::RenderProcessExited(
content::RenderProcessHost* host,
const content::ChildProcessTerminationInfo& info) {
ClearTransientReportingSources();
}
void CrossOriginOpenerPolicyStatus::RenderProcessHostDestroyed(
content::RenderProcessHost* host) {
previous_document_rph_ = nullptr;
previous_document_rph_observation_.Reset();
}
std::optional<network::mojom::BlockedByResponseReason>
CrossOriginOpenerPolicyStatus::SanitizeResponse(
network::mojom::URLResponseHead* response) {
const GURL& response_url = navigation_request_->common_params().url;
SanitizeCoopHeaders(response_url, response);
network::CrossOriginOpenerPolicy& coop =
response->parsed_headers->cross_origin_opener_policy;
// Popups with a sandboxing flag, inherited from their opener, are not
// allowed to navigate to a document with a Cross-Origin-Opener-Policy that
// is not "unsafe-none". This ensures a COOP document does not inherit any
// property from an opener.
// https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e
if (coop.value != network::mojom::CrossOriginOpenerPolicyValue::kUnsafeNone &&
(frame_tree_node_->pending_frame_policy().sandbox_flags !=
network::mojom::WebSandboxFlags::kNone)) {
// Blob and Filesystem documents' cross-origin-opener-policy values are
// defaulted to the default unsafe-none.
// Data documents can only be loaded on main documents through browser
// initiated navigations. These never inherit sandbox flags.
DCHECK(!response_url.SchemeIsBlob());
DCHECK(!response_url.SchemeIsFileSystem());
DCHECK(!response_url.SchemeIs(url::kDataScheme));
// We should force a COOP browsing instance swap to avoid certain
// opener+error pages exploits, see https://crbug.com/1256823 and
// https://github.com/whatwg/html/issues/7345.
browsing_instance_swap_ = true;
virtual_browsing_context_group_ =
CrossOriginOpenerPolicyAccessReportManager::
NextVirtualBrowsingContextGroup();
return network::mojom::BlockedByResponseReason::
kCoopSandboxedIFrameCannotNavigateToCoopPage;
}
return std::nullopt;
}
void CrossOriginOpenerPolicyStatus::EnforceCOOP(
const network::CrossOriginOpenerPolicy& response_coop,
const url::Origin& response_origin,
const net::NetworkAnonymizationKey& network_anonymization_key) {
// COOP only applies to top level browsing contexts. Embedded content
// considered "top-level", that cannot always provide a separate process
// (Fenced frames) should not be able to specify their own COOP header value.
// Therefore we use IsOutermostMainFrame.
if (!frame_tree_node_->IsOutermostMainFrame()) {
return;
}
const GURL& response_url = navigation_request_->common_params().url;
const GURL& response_referrer_url =
navigation_request_->common_params().referrer->url;
StoragePartition* storage_partition = frame_tree_node_->current_frame_host()
->GetProcess()
->GetStoragePartition();
base::UnguessableToken navigation_request_reporting_source =
base::UnguessableToken::Create();
// Compute isolation info needed for setting Reporting-Endpoints before
// navigation commits.
net::IsolationInfo isolation_info_for_subresources =
frame_tree_node_->current_frame_host()
->ComputeIsolationInfoForSubresourcesForPendingCommit(
response_origin, navigation_request_->is_credentialless(),
navigation_request_->ComputeFencedFrameNonce());
DCHECK(!isolation_info_for_subresources.IsEmpty());
// Set up endpoint if response contains Reporting-Endpoints header.
SetReportingEndpoints(response_origin, storage_partition,
navigation_request_reporting_source,
isolation_info_for_subresources);
auto response_reporter = std::make_unique<CrossOriginOpenerPolicyReporter>(
storage_partition, response_url, response_referrer_url, response_coop,
navigation_request_reporting_source, network_anonymization_key);
CrossOriginOpenerPolicyReporter* previous_reporter =
use_current_document_coop_reporter_
? frame_tree_node_->current_frame_host()
->coop_access_report_manager()
->coop_reporter()
: coop_reporter_.get();
bool cross_origin_policy_swap =
ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy(
current_coop_.value, current_origin_,
is_navigation_from_initial_empty_document_, response_coop.value,
response_origin);
// Any mismatch in COOP during any step of the redirect chain will result in
// the whole navigation requiring a BrowsingInstance swap. Update the tracking
// of necessary browsing instance swap for the navigation based on the result
// of checking COOP for this step of the redirect chain.
browsing_instance_swap_ |= cross_origin_policy_swap;
// Both report only cases (navigation from and to document) use the following
// result, computing the need of a browsing context group swap based on both
// documents' report-only values.
bool report_only_coop_swap =
ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy(
current_coop_.report_only_value, current_origin_,
is_navigation_from_initial_empty_document_,
response_coop.report_only_value, response_origin);
bool navigating_to_report_only_coop_swap =
ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy(
current_coop_.value, current_origin_,
is_navigation_from_initial_empty_document_,
response_coop.report_only_value, response_origin);
bool navigating_from_report_only_coop_swap =
ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy(
current_coop_.report_only_value, current_origin_,
is_navigation_from_initial_empty_document_, response_coop.value,
response_origin);
bool has_other_window_in_browsing_context_group =
frame_tree_node_->current_frame_host()
->delegate()
->GetActiveTopLevelDocumentsInBrowsingContextGroup(
frame_tree_node_->current_frame_host())
.size() > 1;
// If this response's COOP causes a BrowsingInstance swap, report this to the
// previous COOP reporter and/or the COOP reporter of the response if they
// exist.
if (cross_origin_policy_swap) {
// Using current_origin_ instead of current_coop_.origin here because
// we only care about whether the actual origin has changed when determining
// whether to show previous URL.
if (has_other_window_in_browsing_context_group) {
if (response_origin.IsSameOriginWith(response_origin)) {
response_reporter->QueueNavigationToCOOPReport(
current_url_, current_origin_.IsSameOriginWith(response_origin),
false /* is_report_only */);
}
if (previous_reporter) {
previous_reporter->QueueNavigationAwayFromCOOPReport(
response_url, is_navigation_source_,
current_origin_.IsSameOriginWith(response_origin),
false /* is_report_only */);
}
}
}
// Compare the report-only values against the real values on the opposite side
// (from/to). If both report-only values match however, skip reports, as the
// website likely wants to deploy COOP on both pages and is not interested in
// these kind of reports.
bool virtual_browsing_instance_swap =
report_only_coop_swap && (navigating_from_report_only_coop_swap ||
navigating_to_report_only_coop_swap);
// If this response's report-only COOP would cause a BrowsingInstance swap,
// report this to the previous COOP reporter and/or the COOP reporter of the
// response if they exist.
if (virtual_browsing_instance_swap) {
if (has_other_window_in_browsing_context_group) {
if (response_origin.IsSameOriginWith(response_origin)) {
response_reporter->QueueNavigationToCOOPReport(
current_url_, current_origin_.IsSameOriginWith(response_origin),
true /* is_report_only */);
}
if (previous_reporter) {
previous_reporter->QueueNavigationAwayFromCOOPReport(
response_url, is_navigation_source_,
current_origin_.IsSameOriginWith(response_origin),
true /* is_report_only */);
}
}
}
if (browsing_instance_swap_ || virtual_browsing_instance_swap) {
virtual_browsing_context_group_ =
CrossOriginOpenerPolicyAccessReportManager::
NextVirtualBrowsingContextGroup();
}
// Check if a COOP of same-origin-allow-popups by default would result in a
// browsing context group switch.
if (ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy(
current_coop_.soap_by_default_value, current_origin_,
is_navigation_from_initial_empty_document_,
response_coop.soap_by_default_value, response_origin)) {
soap_by_default_virtual_browsing_context_group_ =
CrossOriginOpenerPolicyAccessReportManager::
NextVirtualBrowsingContextGroup();
}
// Finally, update the current COOP, origin and reporter to those of the
// response, now that it has been taken into account.
current_coop_ = response_coop;
current_origin_ = response_origin;
current_url_ = response_url;
coop_reporter_ = std::move(response_reporter);
// Once a response has been received, reports will be sent to the reporter of
// the last response received.
use_current_document_coop_reporter_ = false;
// Any subsequent response means this response was a redirect, and the source
// of the navigation to the subsequent response.
is_navigation_source_ = true;
}
void CrossOriginOpenerPolicyStatus::SetReportingEndpoints(
const url::Origin& response_origin,
StoragePartition* storage_partition,
const base::UnguessableToken& reporting_source,
const net::IsolationInfo& isolation_info) {
// Only process Reporting-Endpoints header for secure origin.
if (!GURL::SchemeIsCryptographic(response_origin.scheme()))
return;
if (!navigation_request_->response())
return;
if (!navigation_request_->response()->parsed_headers->reporting_endpoints)
return;
// Process Reporting-Endpoints header immediately before the document is
// loaded so COOP reports can be sent to response origin's configured
// endpoint. The configured endpoints should only be used to send COOP reports
// for this navigation and will be removed when the navigation finishes.
base::flat_map<std::string, std::string>& reporting_endpoints =
*(navigation_request_->response()->parsed_headers->reporting_endpoints);
if (reporting_endpoints.empty())
return;
storage_partition->GetNetworkContext()->SetDocumentReportingEndpoints(
reporting_source, response_origin, isolation_info, reporting_endpoints);
// Record the new reporting source.
transient_reporting_sources_.push_back(reporting_source);
}
void CrossOriginOpenerPolicyStatus::ClearTransientReportingSources() {
if (!previous_document_rph_ || transient_reporting_sources_.empty())
return;
StoragePartition* storage_partition =
previous_document_rph_->GetStoragePartition();
for (const base::UnguessableToken& reporting_source :
transient_reporting_sources_) {
storage_partition->GetNetworkContext()->SendReportsAndRemoveSource(
reporting_source);
}
}
std::unique_ptr<CrossOriginOpenerPolicyReporter>
CrossOriginOpenerPolicyStatus::TakeCoopReporter() {
return std::move(coop_reporter_);
}
void CrossOriginOpenerPolicyStatus::UpdateReporterStoragePartition(
StoragePartition* storage_partition) {
if (coop_reporter_)
coop_reporter_->set_storage_partition(storage_partition);
}
// We blank out the COOP headers in a number of situations.
// - When the headers were not sent over HTTPS.
// - For subframes.
// - When the feature is disabled.
// We also strip the "reporting" parts when the reporting feature is disabled
// for the |response_url|.
void CrossOriginOpenerPolicyStatus::SanitizeCoopHeaders(
const GURL& response_url,
network::mojom::URLResponseHead* response_head) const {
network::CrossOriginOpenerPolicy& coop =
response_head->parsed_headers->cross_origin_opener_policy;
network::AugmentCoopWithCoep(
&coop, response_head->parsed_headers->cross_origin_embedder_policy);
if (coop == network::CrossOriginOpenerPolicy())
return;
if (base::FeatureList::IsEnabled(
network::features::kCrossOriginOpenerPolicy) &&
// https://html.spec.whatwg.org/multipage#the-cross-origin-opener-policy-header
// ```
// 1. If reservedEnvironment is a non-secure context, then return
// "unsafe-none".
// ```
//
// https://html.spec.whatwg.org/multipage/webappapis.html#secure-contexts
// ```
// 2. If the result of Is url potentially trustworthy? given environment's
// top-level creation URL is "Potentially Trustworthy", then return true.
// ```
network::IsUrlPotentiallyTrustworthy(response_url) &&
// The COOP header must be ignored outside of the top-level context. It is
// removed as a defensive measure. Embedded content considered
// "top-level", that cannot always provide a separate process (Fenced
// frames, portals, etc.) should not be able to specify their own COOP
// header value. Therefore we use IsOutermostMainFrame.
frame_tree_node_->IsOutermostMainFrame()) {
return;
}
bool has_coop_header =
coop.value != network::mojom::CrossOriginOpenerPolicyValue::kUnsafeNone ||
coop.report_only_value !=
network::mojom::CrossOriginOpenerPolicyValue::kUnsafeNone ||
coop.reporting_endpoint || coop.report_only_reporting_endpoint;
coop = network::CrossOriginOpenerPolicy();
if (!network::IsUrlPotentiallyTrustworthy(response_url) && has_coop_header) {
navigation_request_->AddDeferredConsoleMessage(
blink::mojom::ConsoleMessageLevel::kError,
"The Cross-Origin-Opener-Policy header has been ignored, because "
"the URL's origin was untrustworthy. It was defined either in the "
"final response or a redirect. Please deliver the response using "
"the HTTPS protocol. You can also use the 'localhost' origin "
"instead. See "
"https://www.w3.org/TR/powerful-features/"
"#potentially-trustworthy-origin and "
"https://html.spec.whatwg.org/"
"#the-cross-origin-opener-policy-header.");
}
}
} // namespace content
|
