Generate origins from nonces for sandboxed frames in render process [chromium/src : main]


Rakina Zata Amni (Gerrit)

Jan 29, 2026, 10:18:51 AM
to Monica Chintala, Liang Zhao, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Monica Chintala

Rakina Zata Amni added 4 comments

File content/renderer/render_frame_impl.cc
Line 5718, Patchset 29 (Latest): navigation_params->sandbox_origin_token =
Rakina Zata Amni (unresolved)

Is this needed if we're just going to reuse the same origin / the current origin?

File third_party/blink/renderer/core/loader/document_loader.cc
Line 2382, Patchset 29 (Latest): } else if (sandbox_origin_token_.has_value()) {
Rakina Zata Amni (unresolved)

We want to make sure we never reuse the token after the creation, even for other commits using the same DocumentLoader. I wonder if we can save this as a unique_ptr all the way from FrameRoutingInfo and just take the value at creation?

File third_party/blink/renderer/core/loader/frame_loader.cc
Line 263, Patchset 29 (Latest): if (((policy_container->GetPolicies().sandbox_flags &
Rakina Zata Amni (unresolved)

nit: remove extra parentheses?

Line 265, Patchset 23: network::mojom::blink::WebSandboxFlags::kNone)) {
if (sandbox_origin_token.has_value()) {
navigation_params->sandbox_origin_token = sandbox_origin_token;
}
navigation_params->origin_to_commit =
WebSecurityOrigin(sandbox_new_window_origin);
Rakina Zata Amni (unresolved)

Is it possible to check that only one of `sandbox_origin_token`, `sandbox_new_window_origin`, `origin_to_commit` is set? Also I wonder if it's possible to also just pass in a `sandbox_origin_token` for the `sandbox_new_window_origin` case to reduce the amount of different params. So we pass a token in the CreateNewWindowReply instead of an origin, and create the origin in DocumentLoader, same as the iframe case. But maybe we won't have the correct precursor?

Monica Chintala

Updated the code to check sandbox_origin_token or sandbox_main_frame_origin (changed param name from sandbox_new_window_origin), as one of them should exist.

For the other question: yes, we will be losing the precursor info in that case, so I had to use the sandbox_new_window_origin param for that case.

Rakina Zata Amni

Thanks, just to check on the precursor -- do you know if it's not possible to get the owner origin from the owner document here? https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/core/loader/document_loader.cc;l=2836;drc=eda3daef3fdb7666dd1e521a0490c2eafbde5921

I thought that would be set correctly since we'll get here synchronously from when the window is created from the opener, then we can derive the opaque origin using the owner document as base + just passing in a token, just like the iframe case?
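The two checks raised in this thread, modelled as an added illustration that is not Chromium code: a navigation-params struct that must carry exactly one origin source, and a loader that takes the sandbox origin token out of a unique_ptr at document creation so a later commit on the same loader finds it already consumed. All type names below are hypothetical stand-ins for the Chromium types named in the review.

```cpp
#include <memory>
#include <optional>
#include <string>
#include <utility>

// Hypothetical stand-ins (not Chromium's types) for what the review discusses.
using SandboxOriginToken = std::string;  // the per-frame nonce

struct Origin {
  bool opaque = false;
  std::string precursor;  // the owner/opener origin the opaque origin derives from
  std::string nonce;      // identifies this opaque origin consistently across processes
};

struct NavigationParams {
  std::optional<SandboxOriginToken> sandbox_origin_token;  // iframe case
  std::optional<Origin> sandbox_main_frame_origin;          // new-window case
  std::optional<Origin> origin_to_commit;                   // already-resolved origin
};

// First request in the review: reject params that carry more than one origin source.
bool ExactlyOneOriginSourceSet(const NavigationParams& p) {
  int set = static_cast<int>(p.sandbox_origin_token.has_value()) +
            static_cast<int>(p.sandbox_main_frame_origin.has_value()) +
            static_cast<int>(p.origin_to_commit.has_value());
  return set == 1;
}

// Second request: hold the token as a unique_ptr and take it at creation, so a
// second commit through the same loader cannot mint another origin from it.
class DocumentLoaderModel {
 public:
  explicit DocumentLoaderModel(std::unique_ptr<SandboxOriginToken> token)
      : sandbox_origin_token_(std::move(token)) {}

  // Returns the opaque origin on first use; nullopt once the token is consumed.
  std::optional<Origin> CreateOpaqueOrigin(const std::string& owner_origin) {
    std::unique_ptr<SandboxOriginToken> token = std::move(sandbox_origin_token_);
    if (!token) return std::nullopt;  // already used by an earlier commit
    return Origin{true, owner_origin, *token};
  }

 private:
  std::unique_ptr<SandboxOriginToken> sandbox_origin_token_;  // null after first use
};
```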


Related details

Attention is currently required from:
  • Liang Zhao
  • Monica Chintala
Submit Requirements:
  • Code-Coverage: satisfied
  • Code-Owners: not satisfied
  • Code-Review: not satisfied
  • No-Unresolved-Comments: not satisfied
  • Review-Enforcement: not satisfied
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I144eca08a6e4c3279910d229320e82b23863d83d
Gerrit-Change-Number: 7231179
Gerrit-PatchSet: 29
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Monica Chintala <moni...@microsoft.com>
Gerrit-Comment-Date: Thu, 29 Jan 2026 15:18:26 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: Monica Chintala <moni...@microsoft.com>
Comment-In-Reply-To: Rakina Zata Amni <rak...@chromium.org>