1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31
   32
   33
   34
   35
   36
   37
   38
   39
   40
   41
   42
   43
   44
   45
   46
   47
   48
   49
   50
   51
   52
   53
   54
   55
   56
   57
   58
   59
   60
   61
   62
   63
   64
   65
   66
   67
   68
   69
   70
   71
   72
   73
   74
   75
   76
   77
   78
   79
   80
   81
   82
   83
   84
   85
   86
   87
   88
   89
   90
   91
   92
   93
   94
   95
   96
   97
   98
   99
  100
  101
  102
  103
  104
  105
  106
  107
  108
  109
  110
  111
  112
  113
  114
  115
  116
  117
  118
  119
  120
  121
  122
  123
  124
  125
  126
  127
  128
  129
  130
  131
  132
  133
  134
  135
  136
  137
  138
  139
  140
  141
  142
  143
  144
  145
  146
  147
  148
  149
  150
  151
  152
  153
  154
  155
  156
  157
  158
  159
  160
  161
  162
  163
  164
  165
  166
  167
  168
  169
  170
  171
  172
  173
  174
  175
  176
  177
  178
  179
  180
  181
  182
  183
  184
  185
  186
  187
  188
  189
  190
  191
  192
  193
  194
  195
  196
  197
  198
  199


content / browser / security / coop / cross_origin_opener_policy_status.h [blame]

// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_BROWSER_SECURITY_COOP_CROSS_ORIGIN_OPENER_POLICY_STATUS_H_
#define CONTENT_BROWSER_SECURITY_COOP_CROSS_ORIGIN_OPENER_POLICY_STATUS_H_

#include <memory>
#include <optional>

#include "base/memory/raw_ptr.h"
#include "base/scoped_observation.h"
#include "content/browser/security/coop/coop_swap_result.h"
#include "content/public/browser/render_process_host.h"
#include "content/public/browser/render_process_host_observer.h"
#include "services/network/public/cpp/cross_origin_opener_policy.h"
#include "services/network/public/mojom/blocked_by_response_reason.mojom.h"
#include "services/network/public/mojom/content_security_policy.mojom.h"
#include "services/network/public/mojom/url_response_head.mojom.h"

namespace net {
class IsolationInfo;
class NetworkAnonymizationKey;
}  // namespace net

namespace content {
class CrossOriginOpenerPolicyReporter;
class FrameTreeNode;
class NavigationRequest;
class StoragePartition;
struct ChildProcessTerminationInfo;

// Helper function that returns whether the BrowsingInstance should change
// following COOP rules defined in:
//
// https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e#changes-to-navigation
CONTENT_EXPORT CoopSwapResult
ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy(
    network::mojom::CrossOriginOpenerPolicyValue initiator_coop,
    const url::Origin& initiator_origin,
    bool is_navigation_from_initial_empty_document,
    network::mojom::CrossOriginOpenerPolicyValue destination_coop,
    const url::Origin& destination_origin);

// Groups information used to apply COOP during navigations. This class will be
// used to trigger a number of mechanisms such as BrowsingInstance switch or
// reporting.
class CrossOriginOpenerPolicyStatus : public RenderProcessHostObserver {
 public:
  explicit CrossOriginOpenerPolicyStatus(NavigationRequest* navigation_request);
  ~CrossOriginOpenerPolicyStatus() override;

  // Sanitize the COOP header from the `response`.
  // Return an error, and swap browsing context group when COOP is used on
  // sandboxed popups.
  std::optional<network::mojom::BlockedByResponseReason> SanitizeResponse(
      network::mojom::URLResponseHead* response);

  // Called when receiving a redirect or the final response.
  void EnforceCOOP(
      const network::CrossOriginOpenerPolicy& response_coop,
      const url::Origin& response_origin,
      const net::NetworkAnonymizationKey& network_anonymization_key);

  // Force a browsing instance swap, even if the COOP rules do not require it.
  // Calling this function is safe because it can only tighten security.
  // This is used by _unfencedTop in fenced frames to ensure that navigations
  // leaving the fenced context create a new browsing instance.
  void ForceBrowsingInstanceSwap() {
    browsing_instance_swap_result_ = CoopSwapResult::kSwap;
  }

  CoopSwapResult browsing_instance_swap_result() const {
    return browsing_instance_swap_result_;
  }

  // The virtual browsing context group of the document to commit. Initially,
  // the navigation inherits the virtual browsing context group of the current
  // document. Updated when the report-only COOP of a response would result in
  // a browsing context group swap if enforced.
  int virtual_browsing_context_group() const {
    return virtual_browsing_context_group_;
  }

  // Used to keep track of browsing context group swaps that would happen if
  // COOP had a value of same-origin-allow-popups by default.
  int soap_by_default_virtual_browsing_context_group() const {
    return soap_by_default_virtual_browsing_context_group_;
  }

  // The COOP used when comparing to the COOP and origin of a response. At the
  // beginning of the navigation, it is the COOP of the current document. After
  // receiving any kind of response, including redirects, it is the COOP of the
  // last response.
  const network::CrossOriginOpenerPolicy& current_coop() const {
    return current_coop_;
  }

  const std::vector<base::UnguessableToken>&
  TransientReportingSourcesForTesting() {
    return transient_reporting_sources_;
  }

  std::unique_ptr<CrossOriginOpenerPolicyReporter> TakeCoopReporter();

  // Called when a RenderFrameHost has been created to use its process's
  // storage partition. Until then, the reporter uses the current process
  // storage partition.
  void UpdateReporterStoragePartition(StoragePartition* storage_partition);

 private:
  // If the process crashes/exited before CrossOriginOpenerPolicyStatus is
  // destructed, clean up transient reporting sources.
  void RenderProcessExited(RenderProcessHost* host,
                           const ChildProcessTerminationInfo& info) override;
  void RenderProcessHostDestroyed(RenderProcessHost* host) override;

  void SetReportingEndpoints(const url::Origin& response_origin,
                             StoragePartition* storage_partition,
                             const base::UnguessableToken& reporting_source,
                             const net::IsolationInfo& isolation_info);
  // Remove any transient Reporting-Endpoints endpoint created for COOP
  // reporting during navigation before the document loads.
  // There could be multiple due to redirect chains.
  void ClearTransientReportingSources();
  // Make sure COOP is relevant or clear the COOP headers.
  void SanitizeCoopHeaders(
      const GURL& response_url,
      network::mojom::URLResponseHead* response_head) const;

  // The NavigationRequest which owns this object.
  const raw_ptr<NavigationRequest> navigation_request_;

  // Tracks the FrameTreeNode in which this navigation is taking place.
  raw_ptr<const FrameTreeNode> frame_tree_node_;

  // Track the previous document's RenderProcessHost. This instance acquires
  // reporting endpoints from it, and will use it to release them in its
  // destructor.
  raw_ptr<RenderProcessHost> previous_document_rph_;
  base::ScopedObservation<RenderProcessHost, RenderProcessHostObserver>
      previous_document_rph_observation_{this};

  // Tracks whether the new document created by the navigation needs to be
  // created in a different BrowsingContext group. This is updated after every
  // redirect, and after receiving the final response.
  CoopSwapResult browsing_instance_swap_result_ = CoopSwapResult::kNoSwap;

  int virtual_browsing_context_group_;

  // Keeps track of browsing context group switches that would happen if COOP
  // had a value of same-origin-allow-popups-by-default.
  int soap_by_default_virtual_browsing_context_group_;

  // Whether this is a navigation away from the initial empty document. Note
  // that this might be false in case it happens on a initial empty document
  // whose input stream has been opened (e.g. due to document.open()), causing
  // it to no longer be considered as the initial empty document per the HTML
  // specification.
  // For more details, see FrameTreeNode::is_on_initial_empty_document() and
  // https://html.spec.whatwg.org/multipage/origin.html#browsing-context-group-switches-due-to-cross-origin-opener-policy:still-on-its-initial-about:blank-document
  const bool is_navigation_from_initial_empty_document_;

  network::CrossOriginOpenerPolicy current_coop_;

  // The origin used when comparing to the COOP and origin of a response. At
  // the beginning of the navigation, it is the origin of the current document.
  // After receiving any kind of response, including redirects, it is the origin
  // of the last response.
  url::Origin current_origin_;

  // The current URL, to use for reporting. At the beginning of the navigation,
  // it is the URL of the current document. After receiving any kind of
  // response, including redirects, it is the URL of the last response.
  GURL current_url_;

  // Indicates whether to use the reporter in the current RenderFrameHost to
  // send a report for a navigation away from a current response. If false, the
  // |coop_reporter| field from this CrossOriginOpenerPolicyStatus should be
  // used instead.
  bool use_current_document_coop_reporter_ = true;

  // The reporter currently in use by COOP.
  std::unique_ptr<CrossOriginOpenerPolicyReporter> coop_reporter_;

  // Transient reporting sources created for Reporting-Endpoints header during
  // this navigation before it fails or commits.
  std::vector<base::UnguessableToken> transient_reporting_sources_;

  // Whether the current context tracked by this CrossOriginOpenerPolicy is the
  // source of the current navigation. This is updated every time we receive a
  // redirect, as redirects are considered the source of the navigation to the
  // next URL.
  bool is_navigation_source_;
};

}  // namespace content

#endif  // CONTENT_BROWSER_SECURITY_COOP_CROSS_ORIGIN_OPENER_POLICY_STATUS_H_