Generate origins from nonces for sandboxed iframes in browser process [chromium/src : main]


Monica Chintala (Gerrit)

Dec 7, 2025, 6:10:05 PM
to Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Rakina Zata Amni

Monica Chintala added 1 comment

Patchset-level comments
File-level comment, Patchset 7 (Latest):
Monica Chintala (resolved)

I’ve split the CLs as discussed. PTAL!

Attention is currently required from:
  • Liang Zhao
  • Rakina Zata Amni
Submit Requirements:
  • Code-Coverage: satisfied
  • Code-Owners: not satisfied
  • Code-Review: not satisfied
  • Review-Enforcement: not satisfied
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: main
Gerrit-Change-Id: I3e30cbcc57fdd49be1c41c0eaf54c5f9d299e434
Gerrit-Change-Number: 7233315
Gerrit-PatchSet: 7
Gerrit-Owner: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Liang Zhao <lz...@microsoft.com>
Gerrit-Reviewer: Monica Chintala <moni...@microsoft.com>
Gerrit-Reviewer: Rakina Zata Amni <rak...@chromium.org>
Gerrit-CC: Nate Chapin <jap...@chromium.org>
Gerrit-Attention: Liang Zhao <lz...@microsoft.com>
Gerrit-Attention: Rakina Zata Amni <rak...@chromium.org>
Gerrit-Comment-Date: Sun, 07 Dec 2025 23:09:55 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No

Rakina Zata Amni (Gerrit)

Dec 15, 2025, 7:22:36 PM
to Monica Chintala, Liang Zhao, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Monica Chintala

Rakina Zata Amni added 2 comments

Patchset-level comments
Rakina Zata Amni (resolved)

Thanks and sorry for the delay, finally had the time to take a look at all three together.

File content/browser/renderer_host/render_frame_host_impl.cc
Line 5472, Patchset 7 (Latest): // from the creator origin. This should only happen for renderer-initiated
// CreateNewWindow cases.
Rakina Zata Amni (unresolved)

Do you have a repro for this? Is it not possible to cover this case? How do these cases get their various other tokens then?

Attention is currently required from:
  • Liang Zhao
  • Monica Chintala
Submit Requirements:
  • Code-Coverage: satisfied
  • Code-Owners: not satisfied
  • Code-Review: not satisfied
  • No-Unresolved-Comments: not satisfied
  • Review-Enforcement: not satisfied

Monica Chintala (Gerrit)

Dec 16, 2025, 2:14 PM
to Liang Zhao, Rakina Zata Amni, Chromium LUCI CQ, chromium...@chromium.org, Nate Chapin, edg...@microsoft.com, alexmo...@chromium.org, blink-re...@chromium.org, blink-re...@chromium.org, blink-revi...@chromium.org, blink-...@chromium.org, creis...@chromium.org, gavinp...@chromium.org, loading...@chromium.org, navigation...@chromium.org
Attention needed from Liang Zhao and Rakina Zata Amni

Monica Chintala added 1 comment

File content/browser/renderer_host/render_frame_host_impl.cc
Line 5472, Patchset 7 (Latest): // from the creator origin. This should only happen for renderer-initiated
// CreateNewWindow cases.
Rakina Zata Amni (unresolved)

Do you have a repro for this? Is it not possible to cover this case? How do these cases get their various other tokens then?

Monica Chintala

SandboxViaInheritanceNavigationsToCoop
SandboxFlagsSetForNewWindow
CrossProcessPopupInheritsSandboxFlagsWithNoOpener

Yes, these are the few test cases where popups are opened from an iframe with sandbox flags, and we have a few other tests for the repro.

Currently, for the opener scenario, frame/document/devtools tokens are generated uniquely when RenderFrameHostImpl is created here:
https://source.chromium.org/chromium/chromium/src/+/main:content/browser/renderer_host/render_frame_host_manager.cc;l=719;bpv=1;bpt=1?q=render_frame_host_manager.cc&ss=chromium%2Fchromium%2Fsrc

To match this, I used DeriveNewOpaqueOrigin, which generates the origin from a random nonce (fallback to previous).

If we want to cover this scenario at all, we should look at generating the origin in the renderer and passing it to the browser process, as CreateNewWindow is sync. And yes, we should be handling this case separately, similar to sandbox origin generation for iframes (design and impl changes), but given that other tokens are uniquely created during RenderFrameHostImpl creation, I think it is fine to let the browser generate the origin uniquely here, unlike for sandboxed iframes. What do you think?

https://source.chromium.org/chromium/chromium/src/+/main:content/renderer/render_frame_impl.cc;l=6826?q=RenderFrameImpl&ss=chromium%2Fchromium%2Fsrc

Attention is currently required from:
  • Liang Zhao
  • Rakina Zata Amni
Submit Requirements:
  • Code-Coverage: satisfied
  • Code-Owners: not satisfied
  • Code-Review: not satisfied
  • No-Unresolved-Comments: not satisfied
  • Review-Enforcement: not satisfied
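A small C++ model of the two paths Monica's reply contrasts, added here as an illustration and not Chromium's code: opaque origins keyed by a nonce, the sandboxed-iframe case where browser and renderer derive the origin from one shared nonce, and the renderer-initiated CreateNewWindow case where the browser mints its own nonce. All type and function names except DeriveNewOpaqueOrigin are invented for the example, and the mt19937 generator stands in for Chromium's unguessable-token CSPRNG.

```cpp
#include <array>
#include <cstdint>
#include <optional>
#include <random>
#include <string>
// Toy model (not Chromium code): an opaque origin is identified only by its
// 128-bit nonce; the precursor records the tuple origin it descends from.
using Nonce = std::array<uint8_t, 16>;
struct Origin {
  std::string precursor;       // tuple origin such as "https://a.test"
  std::optional<Nonce> nonce;  // set => opaque origin
  bool opaque() const { return nonce.has_value(); }
};
// Stand-in for base::UnguessableToken::Create(); mt19937 is NOT a CSPRNG.
Nonce FreshNonce() {
  static std::mt19937_64 rng(std::random_device{}());
  Nonce n;
  for (size_t i = 0; i < n.size(); i += 8) {
    uint64_t w = rng();
    for (size_t j = 0; j < 8; ++j) n[i + j] = (w >> (8 * j)) & 0xff;
  }
  return n;
}
// Sandboxed-iframe path: both processes derive from a nonce the renderer sent.
Origin OpaqueOriginFromNonce(const Origin& creator, const Nonce& nonce) {
  return Origin{creator.precursor, nonce};
}
// Renderer-initiated CreateNewWindow path: the sync IPC carries no nonce, so
// the browser mints a fresh one (the thread's DeriveNewOpaqueOrigin).
Origin DeriveNewOpaqueOrigin(const Origin& creator) {
  return OpaqueOriginFromNonce(creator, FreshNonce());
}
// Opaque origins are same-origin only with themselves (equal nonce); tuple
// origins compare by their serialization.
bool IsSameOriginWith(const Origin& a, const Origin& b) {
  if (a.opaque() || b.opaque())
    return a.opaque() && b.opaque() && *a.nonce == *b.nonce;
  return a.precursor == b.precursor;
}
// The property the CL depends on: browser and renderer agree on a sandboxed
// frame's origin only when they derive it from the same nonce.
bool BrowserAndRendererAgree(bool share_nonce) {
  Origin creator{"https://a.test", std::nullopt};
  Nonce n = FreshNonce();
  Origin renderer_side = OpaqueOriginFromNonce(creator, n);
  Origin browser_side = share_nonce ? OpaqueOriginFromNonce(creator, n)
                                    : DeriveNewOpaqueOrigin(creator);
  return IsSameOriginWith(renderer_side, browser_side);
}
```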