Generate origins from nonces for sandboxed frames in browser process [chromium/src : main]

0 views
Skip to first unread message

Rakina Zata Amni (Gerrit)

unread,
Jan 29, 2026, 10:18:49 AMJan 29
to Monica Chintala, Liang Zhao, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Monica Chintala

Rakina Zata Amni added 4 comments

Patchset-level comments
File-level comment, Patchset 16 (Latest):
Rakina Zata Amni . resolved

Thanks!

File content/browser/renderer_host/render_frame_host_impl.cc
Line 5516, Patchset 16 (Latest): if (new_frame_should_be_sandboxed) {
Rakina Zata Amni . unresolved

Can you please protect this (and other paths if needed) behind a killswitch flag so that we can turn it off easily in case there are some bugs found in the wild?

Line 10113, Patchset 16 (Latest): } else {
// For non-sandboxed windows, derive a new opaque origin from creator.
sandbox_new_window_origin =
sandbox_new_window_origin.DeriveNewOpaqueOrigin();
Rakina Zata Amni . unresolved

What if we don't send an origin for the non-sandboxed case? Also why is the non-sandboxed case also opaque?

File content/common/render_message_filter.mojom
Line 17, Patchset 16 (Latest): mojo_base.mojom.UnguessableToken? sandbox_origin_token;
Rakina Zata Amni . unresolved

Let's add some comments here since this one isn't needed for routing

Open in Gerrit

Related details

Attention is currently required from:
  • Liang Zhao
  • Monica Chintala
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 16
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Monica Chintala <moni...@microsoft.com>
Gerrit-Comment-Date: Thu, 29 Jan 2026 15:18:19 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy

Monica Chintala (Gerrit)

unread,
Feb 5, 2026, 12:59:02 AMFeb 5
to AyeAye, Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Rakina Zata Amni

Monica Chintala voted and added 3 comments

Votes added by Monica Chintala

Commit-Queue+1

3 comments

File content/browser/renderer_host/render_frame_host_impl.cc
Line 5516, Patchset 16: if (new_frame_should_be_sandboxed) {
Rakina Zata Amni . unresolved

Can you please protect this (and other paths if needed) behind a killswitch flag so that we can turn it off easily in case there are some bugs found in the wild?

Monica Chintala

Added a feature flag kUseSandboxTokenForOriginDerivation in blink that to be used here and in DocumentLoader to handle any regressions.


// For non-sandboxed windows, derive a new opaque origin from creator.
sandbox_new_window_origin =
sandbox_new_window_origin.DeriveNewOpaqueOrigin();
Rakina Zata Amni . unresolved

What if we don't send an origin for the non-sandboxed case? Also why is the non-sandboxed case also opaque?

Monica Chintala

Good question, added in the comment section on its usage at sandbox_origin_token in CreateNewWindow.

  // Sandbox origin token handling for popups:
// Normally sandboxed popups token is pre-generated by
// SetOriginDependentStateOfNewFrame(). Popups that escape sandbox (CSP
// "sandbox" + "allow-popups-to-escape-sandbox"):
// - Browser sees no sandbox flags, so GetSandboxOriginToken() is empty
// - Renderer still inherits CSP sandbox flags and will create opaque origin
// - So generate a new token here as fallback
File content/common/render_message_filter.mojom
Line 17, Patchset 16: mojo_base.mojom.UnguessableToken? sandbox_origin_token;
Rakina Zata Amni . resolved

Let's add some comments here since this one isn't needed for routing

Monica Chintala

Done

Open in Gerrit

Related details

Attention is currently required from:
  • Liang Zhao
  • Rakina Zata Amni
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 19
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Rakina Zata Amni <rak...@chromium.org>
Gerrit-Comment-Date: Thu, 05 Feb 2026 05:58:52 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: Rakina Zata Amni <rak...@chromium.org>
satisfied_requirement
unsatisfied_requirement
open
diffy

Rakina Zata Amni (Gerrit)

unread,
Feb 13, 2026, 4:52:58 AM (7 days ago) Feb 13
to Monica Chintala, AyeAye, Liang Zhao, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, ipc-securi...@chromium.org, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Monica Chintala

Rakina Zata Amni added 2 comments

File content/browser/renderer_host/render_frame_host_impl.cc
Line 5516, Patchset 16: if (new_frame_should_be_sandboxed) {
Rakina Zata Amni . resolved

Can you please protect this (and other paths if needed) behind a killswitch flag so that we can turn it off easily in case there are some bugs found in the wild?

Monica Chintala

Added a feature flag kUseSandboxTokenForOriginDerivation in blink that to be used here and in DocumentLoader to handle any regressions.

Rakina Zata Amni

Acknowledged

Line 10113, Patchset 16: } else {
// For non-sandboxed windows, derive a new opaque origin from creator.
sandbox_new_window_origin =
sandbox_new_window_origin.DeriveNewOpaqueOrigin();
Rakina Zata Amni . unresolved

What if we don't send an origin for the non-sandboxed case? Also why is the non-sandboxed case also opaque?

Monica Chintala

Good question, added in the comment section on its usage at sandbox_origin_token in CreateNewWindow.

  // Sandbox origin token handling for popups:
// Normally sandboxed popups token is pre-generated by
// SetOriginDependentStateOfNewFrame(). Popups that escape sandbox (CSP
// "sandbox" + "allow-popups-to-escape-sandbox"):
// - Browser sees no sandbox flags, so GetSandboxOriginToken() is empty
// - Renderer still inherits CSP sandbox flags and will create opaque origin
// - So generate a new token here as fallback
Rakina Zata Amni

Hmm that is an interesting case of browser <> renderer discrepancy. Is there a test that covers this? Does the browser-side calculated origin differ than the renderer-side origin in that case then?

Open in Gerrit

Related details

Attention is currently required from:
  • Liang Zhao
  • Monica Chintala
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 22
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Monica Chintala <moni...@microsoft.com>
Gerrit-Comment-Date: Fri, 13 Feb 2026 09:52:36 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Monica Chintala <moni...@microsoft.com>
satisfied_requirement
unsatisfied_requirement
open
diffy

Monica Chintala (Gerrit)

unread,
Feb 18, 2026, 6:14:07 PM (2 days ago) Feb 18
to AyeAye, Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, ipc-securi...@chromium.org, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Rakina Zata Amni

Monica Chintala added 1 comment

File content/browser/renderer_host/render_frame_host_impl.cc
Line 10113, Patchset 16: } else {
// For non-sandboxed windows, derive a new opaque origin from creator.
sandbox_new_window_origin =
sandbox_new_window_origin.DeriveNewOpaqueOrigin();
Rakina Zata Amni . unresolved

What if we don't send an origin for the non-sandboxed case? Also why is the non-sandboxed case also opaque?

Monica Chintala

Good question, added in the comment section on its usage at sandbox_origin_token in CreateNewWindow.

  // Sandbox origin token handling for popups:
// Normally sandboxed popups token is pre-generated by
// SetOriginDependentStateOfNewFrame(). Popups that escape sandbox (CSP
// "sandbox" + "allow-popups-to-escape-sandbox"):
// - Browser sees no sandbox flags, so GetSandboxOriginToken() is empty
// - Renderer still inherits CSP sandbox flags and will create opaque origin
// - So generate a new token here as fallback
Rakina Zata Amni

Hmm that is an interesting case of browser <> renderer discrepancy. Is there a test that covers this? Does the browser-side calculated origin differ than the renderer-side origin in that case then?

Monica Chintala

OpenSandboxedDocumentInUnsandboxedPopupFromCSPSandboxedDocument is the test that covers this exact scenario, and yes, the browser-side origin will differ from the renderer-side origin in that case. The browser computes a non-opaque origin while the renderer creates an opaque one from the inherited CSP.

// Frame: not sandboxed
EXPECT_EQ(kNone, foo_root->effective_frame_policy().sandbox_flags);
// Document: sandboxed (from inherited CSP)
EXPECT_EQ(expected_flags, foo_root->current_frame_host()->active_sandbox_flags());

OpenUnsandboxedPopupFromSandboxedFrame and OpenSandboxedDocumentInUnsandboxedPopupFromCSPSandboxedDocument are the other related tests

Open in Gerrit

Related details

Attention is currently required from:
  • Liang Zhao
  • Rakina Zata Amni
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 23
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Rakina Zata Amni <rak...@chromium.org>
Gerrit-Comment-Date: Wed, 18 Feb 2026 23:13:57 +0000
satisfied_requirement
unsatisfied_requirement
open
diffy

Monica Chintala (Gerrit)

unread,
Feb 18, 2026, 7:34:13 PM (2 days ago) Feb 18
to Chromium IPC Reviews, Kenneth Russell, AyeAye, Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, ipc-securi...@chromium.org, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Chromium IPC Reviews, Kenneth Russell, Liang Zhao and Rakina Zata Amni

Monica Chintala added 1 comment

Patchset-level comments
File-level comment, Patchset 24 (Latest):
Monica Chintala . resolved

chrome-ipc-reviews@ Can I get your review on mojom file changes when you get a chance, thanks!
kbr@ Can I get the review on feature files, thanks!

Open in Gerrit

Related details

Attention is currently required from:
  • Chromium IPC Reviews
  • Kenneth Russell
  • Liang Zhao
  • Rakina Zata Amni
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 24
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Chromium IPC Reviews <chrome-ip...@google.com>
Gerrit-Reviewer: Kenneth Russell <k...@chromium.org>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Kenneth Russell <k...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Chromium IPC Reviews <chrome-ip...@google.com>
Gerrit-Attention: Rakina Zata Amni <rak...@chromium.org>
Gerrit-Comment-Date: Thu, 19 Feb 2026 00:34:04 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy

gwsq (Gerrit)

unread,
Feb 18, 2026, 7:37:56 PM (2 days ago) Feb 18
to Monica Chintala, Chromium IPC Reviews, Matthew Denton, Kenneth Russell, AyeAye, Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, ipc-securi...@chromium.org, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Kenneth Russell, Liang Zhao, Matthew Denton and Rakina Zata Amni

Message from gwsq

From googleclient/chrome/chromium_gwsq/ipc/config.gwsq:
IPC: mpde...@chromium.org

📎 It looks like you’re making a possibly security-sensitive change! 📎 IPC security review isn’t a rubberstamp, so your friendly security reviewer will need a fair amount of context to review your CL effectively. Please review your CL description and code comments to make sure they provide context for someone unfamiliar with your project/area. Pay special attention to where data comes from and which processes it flows between (and their privilege levels). Feel free to point your security reviewer at design docs, bugs, or other links if you can’t reasonably make a self-contained CL description. (Also see https://cbea.ms/git-commit/).

IPC reviewer(s): mpde...@chromium.org


Reviewer source(s):
mpde...@chromium.org is from context(googleclient/chrome/chromium_gwsq/ipc/config.gwsq)

Open in Gerrit

Related details

Attention is currently required from:
  • Kenneth Russell
  • Liang Zhao
  • Matthew Denton
  • Rakina Zata Amni
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 24
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Kenneth Russell <k...@chromium.org>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Matthew Denton <mpde...@chromium.org>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Chromium IPC Reviews <chrome-ip...@google.com>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-CC: gwsq
Gerrit-Attention: Matthew Denton <mpde...@chromium.org>
Gerrit-Attention: Kenneth Russell <k...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Rakina Zata Amni <rak...@chromium.org>
Gerrit-Comment-Date: Thu, 19 Feb 2026 00:37:51 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy

Kenneth Russell (Gerrit)

unread,
Feb 18, 2026, 8:44:18 PM (2 days ago) Feb 18
to Monica Chintala, Chromium IPC Reviews, Matthew Denton, AyeAye, Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, ipc-securi...@chromium.org, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao, Matthew Denton, Monica Chintala and Rakina Zata Amni

Kenneth Russell voted and added 1 comment

Votes added by Kenneth Russell

Code-Review+1

1 comment

Patchset-level comments
Kenneth Russell . resolved

`third_party/blink/public/common/features.{cc,h}` lgtm

Open in Gerrit

Related details

Attention is currently required from:
  • Liang Zhao
  • Matthew Denton
  • Monica Chintala
  • Rakina Zata Amni
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Monica Chintala <moni...@microsoft.com>
Gerrit-Attention: Rakina Zata Amni <rak...@chromium.org>
Gerrit-Comment-Date: Thu, 19 Feb 2026 01:44:06 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
satisfied_requirement
unsatisfied_requirement
open
diffy

Matthew Denton (Gerrit)

unread,
Feb 19, 2026, 7:04:27 PM (17 hours ago) Feb 19
to Monica Chintala, Kenneth Russell, Chromium IPC Reviews, AyeAye, Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, ipc-securi...@chromium.org, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Kenneth Russell, Liang Zhao, Monica Chintala and Rakina Zata Amni

Matthew Denton voted Code-Review+1

Code-Review+1
Open in Gerrit

Related details

Attention is currently required from:
  • Kenneth Russell
  • Liang Zhao
  • Monica Chintala
  • Rakina Zata Amni
Submit Requirements:
  • requirement satisfiedCode-Coverage
  • requirement is not satisfiedCode-Owners
  • requirement is not satisfiedCode-Review
  • requirement is not satisfiedNo-Unresolved-Comments
  • requirement is not satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 25
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Kenneth Russell <k...@chromium.org>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Matthew Denton <mpde...@chromium.org>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Chromium IPC Reviews <chrome-ip...@google.com>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-CC: gwsq
Gerrit-Attention: Kenneth Russell <k...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Monica Chintala <moni...@microsoft.com>
Gerrit-Attention: Rakina Zata Amni <rak...@chromium.org>
Gerrit-Comment-Date: Fri, 20 Feb 2026 00:04:20 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
satisfied_requirement
unsatisfied_requirement
open
diffy

Rakina Zata Amni (Gerrit)

unread,
10:44 AM (1 hour ago) 10:44 AM
to Monica Chintala, Matthew Denton, Kenneth Russell, Chromium IPC Reviews, AyeAye, Liang Zhao, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, ipc-securi...@chromium.org, kinuko...@chromium.org, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Kenneth Russell, Liang Zhao and Monica Chintala

Rakina Zata Amni added 5 comments

Rakina Zata Amni . resolved

Thanks! I think we're really close now, just some suggestions

File content/browser/renderer_host/render_frame_host_impl.h
Line 2412, Patchset 25 (Latest): const base::UnguessableToken* GetSandboxOriginToken() {
return sandbox_origin_token_.get();
}

void ResetSandboxOriginToken() { sandbox_origin_token_.reset(); }
Rakina Zata Amni . unresolved

Is it possible to just take the `sandbox_origin_token_` / move the unique_ptr instead of doing it in two steps like this?

File content/browser/renderer_host/render_frame_host_impl.cc
Rakina Zata Amni

Oh I think there's a bug in `SetOriginDependentStateOfNewFrame()` actually! It should check the `active_sandbox_flags()` (which would be the document's actual sandbox state) on the RFH instead of the BrowsingContexState (which seems to only contain the "frame sandbox"). I made a quick fix for that and it seems to work when applied to your patch: crrev.com/c/7596676.

I think that needs to land separately though, and I don't want to block your CL on that if there turns out to be some discussions needed, so can you just file a bug for this and cc arthursonzogni@ and pmeuleman@ who were involved in some changes around that case (crrev.com/c/3643878)? And then please add a TODO to remove the special case.

File content/browser/renderer_host/render_view_host_impl.cc
Line 521, Patchset 25 (Latest): if (local_frame_params->policy_container &&
(local_frame_params->policy_container->policies->sandbox_flags &
network::mojom::WebSandboxFlags::kOrigin) !=
network::mojom::WebSandboxFlags::kNone) {
Rakina Zata Amni . unresolved

Do you need the check if you already nullcheck below?

File content/browser/renderer_host/render_widget_helper.h
Line 61, Patchset 25 (Latest): std::unique_ptr<base::UnguessableToken> sandbox_origin_token = nullptr);
Rakina Zata Amni . unresolved

This and the FrameTokens constructor only have one caller, so it seems like it doesn't need default values?

Open in Gerrit

Related details

Attention is currently required from:
  • Kenneth Russell
  • Liang Zhao
  • Monica Chintala
Gerrit-Comment-Date: Fri, 20 Feb 2026 15:43:45 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
satisfied_requirement
unsatisfied_requirement
open
diffy
Reply all
Reply to author
Forward
0 new messages