
Commit 57afa98

creismibrunin authored and committed
[Backport] CVE-2025-0447: Inappropriate implementation in Navigation

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/5973403:

Filter any URLs passed to the "redirect blocked" dialogs.

The framebusting mitigation from https://crbug.com/40084719 can block subframes from navigating the main frame cross-origin without a user gesture. However, the dialog allows the user to manually proceed to the URL if desired. This URL was not adequately filtered before, allowing chrome:// and other privileged URLs to be used even if the renderer could not normally navigate to them. This CL adds the necessary filtering, which should apply to both the desktop and Android dialogs.

Bug: 375550814
Change-Id: Icd518a869a06ad982767386d5d7a1528e6179e6c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5973403
Reviewed-by: Patrick Monette <[email protected]>
Reviewed-by: Nate Chapin <[email protected]>
Reviewed-by: Andy Paicu <[email protected]>
Reviewed-by: Liam Brady <[email protected]>
Auto-Submit: Charlie Reis <[email protected]>
Commit-Queue: Charlie Reis <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1377807}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/619215
Reviewed-by: Anu Aliyas <[email protected]>
1 parent 27545e3 commit 57afa98
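The defect the commit message describes is a trust boundary problem: a URL chosen by a renderer reached a browser-side dialog unfiltered, and the dialog then offered the user a navigation the renderer itself was never allowed to perform. The following is an added, stand-alone illustration of that pattern, not Chromium code and not its `RenderProcessHost::FilterURL`; the allowlist of web schemes, the `about:blank#blocked` placeholder and the `BuildDialog*` helpers are assumptions made for this example. It shows the "before" path that forwards renderer input unchanged next to the "after" path that filters both URLs before they reach the dialog, and it fails closed for anything that is not a plain web scheme.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <string_view>
#include <vector>

// Added example, not Chromium code. Stand-in for what a browser must do
// before showing a renderer-supplied URL in a "navigation blocked" dialog:
// any URL the renderer could not itself navigate to is replaced with a
// placeholder. The placeholder text is an assumption of this example.
const std::string kBlockedPlaceholder = "about:blank#blocked";

// Schemes treated as reachable by an ordinary web renderer in this example.
const std::vector<std::string> kWebSchemes = {"http", "https"};

// Extracts the scheme (lower-cased) or returns "" when there is none.
std::string SchemeOf(std::string_view url) {
  const size_t colon = url.find(':');
  if (colon == std::string_view::npos) return "";
  std::string scheme(url.substr(0, colon));
  for (char& c : scheme) {
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  }
  return scheme;
}

// Fail-closed filter: the URL passes through only when its scheme is in the
// web allowlist; everything else (chrome://, file://, javascript:, or a
// missing scheme) becomes the placeholder.
std::string FilterUrlForDialog(const std::string& url) {
  const std::string scheme = SchemeOf(url);
  for (const std::string& allowed : kWebSchemes) {
    if (scheme == allowed) return url;
  }
  return kBlockedPlaceholder;
}

// What the dialog layer receives (hypothetical structure for this example).
struct BlockedNavigationDialog {
  std::string blocked_url;    // destination the dialog offers to the user
  std::string initiator_url;  // frame that attempted the navigation
};

// "Before": renderer input is forwarded unchanged, the defect the commit
// message describes.
BlockedNavigationDialog BuildDialogUnfiltered(const std::string& blocked_url,
                                              const std::string& initiator_url) {
  return {blocked_url, initiator_url};
}

// "After": both values are filtered first, mirroring the shape of the fix.
BlockedNavigationDialog BuildDialogFiltered(const std::string& blocked_url,
                                            const std::string& initiator_url) {
  return {FilterUrlForDialog(blocked_url), FilterUrlForDialog(initiator_url)};
}

int main() {
  // Constructed inputs: a privileged destination requested from a web frame.
  const std::string privileged = "chrome://settings/";
  const std::string initiator = "https://frame.example/embedded.html";
  const BlockedNavigationDialog before = BuildDialogUnfiltered(privileged, initiator);
  const BlockedNavigationDialog after = BuildDialogFiltered(privileged, initiator);
  std::cout << "unfiltered dialog would offer: " << before.blocked_url << "\n"
            << "filtered dialog offers:        " << after.blocked_url << "\n"
            << "initiator after filtering:     " << after.initiator_url << "\n";
  return 0;
}
```

The allowlist is deliberately a list of schemes a renderer may navigate to rather than a denylist of privileged ones, so a scheme the example has not thought of is refused instead of displayed; the same fail-closed direction is what makes a browser-side filter robust against renderer input.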

1 file changed: +9 -1 lines changed


chromium/content/browser/renderer_host/render_frame_host_impl.cc

Lines changed: 9 additions & 1 deletion
@@ -6955,10 +6955,18 @@ void RenderFrameHostImpl::DidBlockNavigation(
69556955
const GURL& blocked_url,
69566956
const GURL& initiator_url,
69576957
blink::mojom::NavigationBlockedReason reason) {
6958+
// Do not allow renderers to show off-limits URLs in the blocked dialog.
6959+
GURL validated_blocked_url = blocked_url;
6960+
GURL validated_initiator_url = initiator_url;
6961+
RenderProcessHost* process = GetProcess();
6962+
process->FilterURL(/*empty_allowed=*/false, &validated_blocked_url);
6963+
process->FilterURL(/*empty_allowed=*/false, &validated_initiator_url);
6964+
69586965
// Cross-origin navigations are not allowed in prerendering so we can not
69596966
// reach here while prerendering.
69606967
DCHECK_NE(lifecycle_state(), LifecycleStateImpl::kPrerendering);
6961-
delegate_->OnDidBlockNavigation(blocked_url, initiator_url, reason);
6968+
delegate_->OnDidBlockNavigation(validated_blocked_url,
6969+
validated_initiator_url, reason);
69626970
}
69636971

69646972
void RenderFrameHostImpl::DidChangeLoadProgress(double load_progress) {
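Review bot: the hunk filters both URLs before `delegate_->OnDidBlockNavigation(validated_blocked_url, validated_initiator_url, reason);`, but ships without a test for the case the commit message names (a renderer handing a chrome:// URL to the blocked-navigation dialog); a browser test that triggers the dialog with a privileged `blocked_url` and asserts the delegate receives the filtered value would lock the fix in for both the desktop and Android paths. Minor: the new comment `// Do not allow renderers to show off-limits URLs in the blocked dialog.` could also state what `FilterURL` substitutes for a disallowed URL, since that substituted value is what the dialog will display and may offer the user to proceed to.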
