
Implement BI swapping for COOP: restrict-properties.

Status: Open. Opened by chromium-wpt-export-bot 3 years ago. 0 comments.

This is the main process model patch for COOP: restrict-properties. COOP: restrict-properties is a new COOP value that enables entire pages to restrict the properties they expose and are exposed to. Because it targets entire pages, it does not require OOPIF to function properly. Setting COOP: restrict-properties and COEP grants cross-origin isolation. COOP: restrict-properties is gated by the kCoopRestrictProperties feature flag.

We implement this behavior by isolating such pages in their own BrowsingInstance, while preserving limited scriptability to other "related" BrowsingInstances. Each COOP: restrict-properties BrowsingInstance only contains SiteInstances with the defined nonce, and process sharing for SiteInstances with different nonces is not allowed. We also store an "original browsing instance" to fully stay in line with the desired behavior. Details are a bit lengthy; see here: https://docs.google.com/document/d/1XhfUoEBh2Bqwc-RDqlOy_CQDamVuTNcd2WCHaq7BeEM/edit#heading=h.jttutig1yo6g

This patch does the browser side support:

  • Create a restrict-properties nonce in the NavigationRequest and pass it into WebExposedIsolationInfo when COOP: rp is used. This ensures no process reuse takes place for SiteInstances with different nonces.
  • DetermineSiteInstanceForURL() is modified to record the original BrowsingInstance and store it in the SiteInstanceDescriptor for later use. This requires exposing the BrowsingInstance itself to the RenderFrameHostManager, which was avoided before.
  • The original BrowsingInstance is added as a member to BrowsingInstance. It is retrieved and initially set from SiteInstanceImpl.
  • When the CoopSwapResult indicates that we need to swap but preserve a relationship, we first verify that we do not need to hard swap for security reasons (e.g. WebUI or view-source) and we store in the NavigationRequest the fact that we want to preserve the relationship. We use this information to create cross-BrowsingInstance proxies.
  • A WPT verifying the behavior of the BrowsingInstance restore.

Following this patch, and since we do not yet have any cross-origin access restrictions on the renderer side, we only rely on fragile mechanisms in the Browser process. Replicated state access will not be prevented, but most functions that go through RenderFrameProxyHost should be blocked, including postMessage() and close().

Bug: 1221127
Change-Id: Ided02f006c6e6c21a040751e7f3b91a24b632f9c
Reviewed-on: https://chromium-review.googlesource.com/3810558
WPT-Export-Revision: 4f4830744d2c6932031917974b6c6dd5f7b0e6ca

chromium-wpt-export-bot, Aug 09 '22 16:08
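The description above lays out a process-model rule (a COOP: restrict-properties page gets its own BrowsingInstance keyed on a nonce, SiteInstances with different nonces never share a process, the original BrowsingInstance is recorded so it can be restored, and a hard swap for WebUI or view-source severs the relationship). The following Python model is an added illustration of that bookkeeping, not Chromium code and not part of this PR: the class and function names echo the description, but the fields, the `coop_restrict_properties_swap` function, the treatment of `credentialless` COEP as isolating, and the "restore on leaving a COOP: rp page" behavior are assumptions made for the model.

```python
"""Toy model of the BrowsingInstance (BI) / SiteInstance bookkeeping described in the
PR text. Added illustration, not Chromium code: names echo the description, but the
fields, the navigation function and the header handling are assumptions of the model."""
from dataclasses import dataclass
from typing import Optional, Tuple
import secrets


@dataclass(frozen=True)
class WebExposedIsolationInfo:
    """Isolation state a process is keyed on. rp_nonce is set only for COOP:
    restrict-properties pages; two infos with different nonces never compare equal."""
    cross_origin_isolated: bool = False
    rp_nonce: Optional[str] = None


@dataclass
class BrowsingInstance:
    bi_id: int
    isolation: WebExposedIsolationInfo
    # The BI the page came from (the "original browsing instance"). None when the
    # relationship was severed by a hard swap, or when this BI is itself an original.
    original: Optional["BrowsingInstance"] = None


@dataclass
class SiteInstance:
    site: str
    browsing_instance: BrowsingInstance


def can_share_process(a: SiteInstance, b: SiteInstance) -> bool:
    """Process sharing requires identical WebExposedIsolationInfo, nonce included,
    so a COOP: rp page never shares a process with a page carrying another nonce."""
    return a.browsing_instance.isolation == b.browsing_instance.isolation


def coop_restrict_properties_swap(
    current: BrowsingInstance,
    response_headers: dict,
    new_bi_id: int,
    needs_hard_swap: bool = False,
) -> Tuple[BrowsingInstance, str]:
    """Choose the BrowsingInstance for a navigation response (model of the
    NavigationRequest / DetermineSiteInstanceForURL logic in the description).

    Returns (browsing_instance, swap_kind), where swap_kind is "none", "related"
    (BI swap that keeps a proxy relationship) or "hard" (BI swap with no
    relationship, e.g. a WebUI or view-source target)."""
    coop = response_headers.get("Cross-Origin-Opener-Policy", "unsafe-none").strip()
    coep = response_headers.get("Cross-Origin-Embedder-Policy", "unsafe-none").strip()

    if coop == "restrict-properties":
        # Fresh nonce per navigation into a COOP: rp page. It travels in the
        # WebExposedIsolationInfo and rules out process reuse across nonces.
        info = WebExposedIsolationInfo(
            # Assumption: either isolating COEP value counts, as with plain COOP.
            cross_origin_isolated=coep in ("require-corp", "credentialless"),
            rp_nonce=secrets.token_hex(16),
        )
        if needs_hard_swap:
            return BrowsingInstance(new_bi_id, info, original=None), "hard"
        # Point at the outermost original BI so a later navigation can restore it.
        origin_bi = current.original if current.original is not None else current
        return BrowsingInstance(new_bi_id, info, original=origin_bi), "related"

    # Leaving a COOP: rp page for a non-rp one: go back to the recorded original BI
    # (assumed model of the "BrowsingInstance restore" the PR's WPT checks).
    if current.isolation.rp_nonce is not None:
        if current.original is not None and not needs_hard_swap:
            return current.original, "related"
        return BrowsingInstance(new_bi_id, WebExposedIsolationInfo(), original=None), "hard"

    # Ordinary page to ordinary page: swap only when a security reason demands it.
    if needs_hard_swap:
        return BrowsingInstance(new_bi_id, WebExposedIsolationInfo(), original=None), "hard"
    return current, "none"


if __name__ == "__main__":
    # Constructed walk-through: opener page -> COOP: rp page -> back to opener.
    opener = BrowsingInstance(0, WebExposedIsolationInfo())
    rp_headers = {
        "Cross-Origin-Opener-Policy": "restrict-properties",
        "Cross-Origin-Embedder-Policy": "require-corp",
    }
    rp_bi, kind = coop_restrict_properties_swap(opener, rp_headers, 1)
    print(kind, rp_bi.isolation.cross_origin_isolated, rp_bi.original is opener)
    restored, kind = coop_restrict_properties_swap(rp_bi, {}, 2)
    print(kind, restored is opener)
```

The point the model makes visible is that the nonce, not the site, is what keeps processes apart: two SiteInstances for different sites inside the same COOP: rp BrowsingInstance may share a process, while two navigations to the same COOP: rp site get different nonces and therefore different processes.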