chore: cherry-pick e246871765f5 from chromium #23040
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Worker: Stop passing creator's origin for starting a dedicated worker
This CL makes DedicatedWorkerHostFactoryImpl use its
|parent_execution_origin_| (renamed to |creator_origin| by this CL) for
starting a dedicated worker instead of an origin passed from a renderer
process.
This was not feasible before because |parent_execution_origin_| is
provided from parent's |RenderFrameHostImpl::last_committed_origin_|
that is set during navigation commit. Worker creation IPC from the
renderer to browser could race with navigation commit, and could see the
wrong last committed origin.
Now this is feasible. This is because worker creation IPC is now tied
with RenderFrameHostImpl's BrowserInterfaceBroker that is re-bound
during navigation commit[*]. This ensures that worker creation requests
issued before the navigation commit are discarded by the previous
BrowserInterfaceBroker, and new requests via the new
BrowserInterfaceBroker are scoped to the new last committed origin.
[*] The call path between binding BrowserInterfaceBroker and updating
the last committed origin is as follows. These are synchronously done.
https://source.chromium.org/chromium/chromium/src/+/master:content/browser/frame_host/render_frame_host_impl.cc;l=7489;drc=d54ee0c3d25dfc644282b50c5f57e23b7ab4dda4?originalUrl=https:%2F%2Fcs.chromium.org%2F
-> RenderFrameHostImpl::DidCommitNavigationInternal()
-> NavigatorImpl::DidNavigate()
-> RenderFrameHostImpl::DidNavigate()
-> RenderFrameHostImpl::SetLastCommittedOrigin()
Change-Id: Id69c3d66e50aa8cbb7fee520a1479b28970de1c6
Bug: 906991, 1030909
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1971660
Reviewed-by: Daniel Cheng dcheng@chromium.org
Reviewed-by: Matt Falkenhagen falken@chromium.org
Commit-Queue: Hiroki Nakagawa nhiroki@chromium.org
Cr-Commit-Position: refs/heads/master@{#748127}
Notes: Security: backported fix for site isolation bypass in dedicated workers.