[Backport] CVE-2024-9966: Inappropriate implementation in Navigations

antosart · mibrunin · commit 41183a7029dc · 2024-10-21T07:47:02.000Z
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/5860536: Don't store PolicyContainerPolicies of error pages in history We should never reload the policies of an error page from history, since that might end up taking precedence over stricter policies inherited from the parent/initiator. Bug: 364773822 Change-Id: I903dd11d8f7e771e1f8bc9dc640690da92d61177 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5860536 Reviewed-by: Charlie Reis <creis@chromium.org> Commit-Queue: Antonio Sartori <antoniosartori@chromium.org> Cr-Commit-Position: refs/heads/main@{#1355730} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597928 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
diff --git a/chromium/content/browser/renderer_host/navigation_controller_impl.cc b/chromium/content/browser/renderer_host/navigation_controller_impl.cc
@@ -1826,6 +1826,7 @@ void NavigationControllerImpl::UpdateNavigationEntryDetails(
       params.method, params.post_id, nullptr /* blob_url_loader_factory */,
       ComputePolicyContainerPoliciesForFrameEntry(
           rfh, request && request->IsSameDocument(),
+          request ? request->DidEncounterError() : false,
           request ? request->common_params().url : params.url));
 
   if (rfh->GetParent()) {
@@ -2288,6 +2289,7 @@ void NavigationControllerImpl::RendererDidNavigateNewSubframe(
   }
   std::unique_ptr<PolicyContainerPolicies> policy_container_policies =
       ComputePolicyContainerPoliciesForFrameEntry(rfh, is_same_document,
+                                                  request->DidEncounterError(),
                                                   request->GetURL());
   bool protect_url_in_navigation_api = false;
   if (is_same_document) {
@@ -4474,7 +4476,14 @@ std::unique_ptr<PolicyContainerPolicies>
 NavigationControllerImpl::ComputePolicyContainerPoliciesForFrameEntry(
     RenderFrameHostImpl* rfh,
     bool is_same_document,
+    bool navigation_encountered_error,
     const GURL& url) {
+  if (navigation_encountered_error) {
+    // We should never reload the policy container of an error page from
+    // history, see https://crbug.com/364773822.
+    return nullptr;
+  }
+
   if (is_same_document) {
     DCHECK(GetLastCommittedEntry());
     FrameNavigationEntry* previous_frame_entry =
diff --git a/chromium/content/browser/renderer_host/navigation_controller_impl.h b/chromium/content/browser/renderer_host/navigation_controller_impl.h
@@ -835,6 +835,7 @@ class CONTENT_EXPORT NavigationControllerImpl : public NavigationController {
   std::unique_ptr<PolicyContainerPolicies>
   ComputePolicyContainerPoliciesForFrameEntry(RenderFrameHostImpl* rfh,
                                               bool is_same_document,
+                                              bool navigation_encountered_error,
                                               const GURL& url);
 
   // Adds details from a committed navigation to `entry` and the
