[Backport] CVE-2024-9966: Inappropriate implementation in Navigations

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/5860536: Don't store PolicyContainerPolicies of error pages in history We should never reload the policies of an error page from history, since that might end up taking precedence over stricter policies inherited from the parent/initiator. Bug: 364773822 Change-Id: I903dd11d8f7e771e1f8bc9dc640690da92d61177 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5860536 Reviewed-by: Charlie Reis <[email protected]> Commit-Queue: Antonio Sartori <[email protected]> Cr-Commit-Position: refs/heads/main@{#1355730} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597928 Reviewed-by: Michal Klocek <[email protected]>
qt · Oct 21, 2024 · 41183a7 · 41183a7
1 parent 20c9c03
commit 41183a7
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/chromium/content/browser/renderer_host/navigation_controller_impl.cc b/chromium/content/browser/renderer_host/navigation_controller_impl.cc
@@ -1826,6 +1826,7 @@ void NavigationControllerImpl::UpdateNavigationEntryDetails(
       params.method, params.post_id, nullptr /* blob_url_loader_factory */,
       ComputePolicyContainerPoliciesForFrameEntry(
           rfh, request && request->IsSameDocument(),
+          request ? request->DidEncounterError() : false,
           request ? request->common_params().url : params.url));
 
   if (rfh->GetParent()) {
@@ -2288,6 +2289,7 @@ void NavigationControllerImpl::RendererDidNavigateNewSubframe(
   }
   std::unique_ptr<PolicyContainerPolicies> policy_container_policies =
       ComputePolicyContainerPoliciesForFrameEntry(rfh, is_same_document,
+                                                  request->DidEncounterError(),
                                                   request->GetURL());
   bool protect_url_in_navigation_api = false;
   if (is_same_document) {
@@ -4474,7 +4476,14 @@ std::unique_ptr<PolicyContainerPolicies>
 NavigationControllerImpl::ComputePolicyContainerPoliciesForFrameEntry(
     RenderFrameHostImpl* rfh,
     bool is_same_document,
+    bool navigation_encountered_error,
     const GURL& url) {
+  if (navigation_encountered_error) {
+    // We should never reload the policy container of an error page from
+    // history, see https://crbug.com/364773822.
+    return nullptr;
+  }
+
   if (is_same_document) {
     DCHECK(GetLastCommittedEntry());
     FrameNavigationEntry* previous_frame_entry =

diff --git a/chromium/content/browser/renderer_host/navigation_controller_impl.h b/chromium/content/browser/renderer_host/navigation_controller_impl.h
@@ -835,6 +835,7 @@ class CONTENT_EXPORT NavigationControllerImpl : public NavigationController {
   std::unique_ptr<PolicyContainerPolicies>
   ComputePolicyContainerPoliciesForFrameEntry(RenderFrameHostImpl* rfh,
                                               bool is_same_document,
+                                              bool navigation_encountered_error,
                                               const GURL& url);
 
   // Adds details from a committed navigation to `entry` and the