[Backport] CVE-2024-11110: Inappropriate implementation in Blink

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5961018:
Make GetCacheIdentifier() respect GetSkipServiceWorker().

M126 merge issues:
  third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc:
    RequestResource()/CreateResourceForLoading(): The kScopeMemoryCachePerContext
    feature check isn't present in the original CL.

Since the current GetCacheIdentifier() ignores GetSkipServiceWorker(),
GetCacheIdentifier() returns ServiceWorkerId even if GetSkipServiceWorker()
is true if the ServiceWorker has a fetch handler.

To make the isolated world respected as an isolated world, the cache
identifier should not be shared with a page under a ServiceWorker control.

Bug: 372512079, 373263969
Change-Id: Idd2d8900f2f720e0a4dc9837e2eb56474c60b587
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5961018
Commit-Queue: Yoshisato Yanagisawa <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1376006}
(cherry picked from commit 75f322ad1f64c0bc56fa77ab877b48d72cdb903c)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/607609
Reviewed-by: Anu Aliyas <[email protected]>

Author: yoshisatoyanagisawa

chromium/third_party/blink/renderer/core/html/parser/html_srcset_parser.cc

@@ -413,7 +413,7 @@ static unsigned AvoidDownloadIfHigherDensityResourceIsInCache(
     KURL url = document->CompleteURL(
         StripLeadingAndTrailingHTMLSpaces(image_candidates[i]->Url()));
     if (MemoryCache::Get()->ResourceForURL(
-            url, document->Fetcher()->GetCacheIdentifier(url)) ||
+            url, document->Fetcher()->GetCacheIdentifier(url, /*skip_service_worker=*/false)) ||
         url.ProtocolIsData())
       return i;
   }

chromium/third_party/blink/renderer/core/inspector/inspector_network_agent.cc

@@ -2315,7 +2315,8 @@ bool InspectorNetworkAgent::FetchResourceContent(Document* document,
   Resource* cached_resource = document->Fetcher()->CachedResource(url);
   if (!cached_resource) {
     cached_resource = MemoryCache::Get()->ResourceForURL(
-        url, document->Fetcher()->GetCacheIdentifier(url));
+        url, document->Fetcher()->GetCacheIdentifier(
+                 url, /*skip_service_worker=*/false));
   }
   if (cached_resource && InspectorPageAgent::CachedResourceContent(
                              cached_resource, content, base64_encoded)) {

chromium/third_party/blink/renderer/core/inspector/inspector_page_agent.cc

@@ -167,7 +167,8 @@ Resource* CachedResource(LocalFrame* frame,
   Resource* cached_resource = document->Fetcher()->CachedResource(url);
   if (!cached_resource) {
     cached_resource = MemoryCache::Get()->ResourceForURL(
-        url, document->Fetcher()->GetCacheIdentifier(url));
+        url, document->Fetcher()->GetCacheIdentifier(
+                 url, /*skip_service_worker=*/false));
   }
   if (!cached_resource)
     cached_resource = loader->ResourceForURL(url);

chromium/third_party/blink/renderer/core/loader/image_loader.cc

@@ -741,7 +741,8 @@ bool ImageLoader::ShouldLoadImmediately(const KURL& url) const {
   // content when style recalc is over and DOM mutation is allowed again.
   if (!url.IsNull()) {
     Resource* resource = MemoryCache::Get()->ResourceForURL(
-        url, element_->GetDocument().Fetcher()->GetCacheIdentifier(url));
+        url, element_->GetDocument().Fetcher()->GetCacheIdentifier(
+                 url, /*skip_service_worker=*/false));
 
     if (resource && !resource->ErrorOccurred() &&
         CanReuseFromListOfAvailableImages(

chromium/third_party/blink/renderer/core/testing/internals.cc

@@ -883,8 +883,8 @@ bool Internals::isLoading(const String& url) {
   if (!document_)
     return false;
   const KURL full_url = document_->CompleteURL(url);
-  const String cache_identifier =
-      document_->Fetcher()->GetCacheIdentifier(full_url);
+  const String cache_identifier = document_->Fetcher()->GetCacheIdentifier(
+      full_url, /*skip_service_worker=*/false);
   Resource* resource =
       MemoryCache::Get()->ResourceForURL(full_url, cache_identifier);
   // We check loader() here instead of isLoading(), because a multipart
@@ -896,8 +896,8 @@ bool Internals::isLoadingFromMemoryCache(const String& url) {
   if (!document_)
     return false;
   const KURL full_url = document_->CompleteURL(url);
-  const String cache_identifier =
-      document_->Fetcher()->GetCacheIdentifier(full_url);
+  const String cache_identifier = document_->Fetcher()->GetCacheIdentifier(
+      full_url, /*skip_service_worker=*/false);
   Resource* resource =
       MemoryCache::Get()->ResourceForURL(full_url, cache_identifier);
   return resource && resource->GetStatus() == ResourceStatus::kCached;

chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.cc

@@ -860,7 +860,8 @@ Resource* ResourceFetcher::CreateResourceForStaticData(
   if (!archive_ && factory.GetType() == ResourceType::kRaw)
     return nullptr;
 
-  const String cache_identifier = GetCacheIdentifier(url);
+  const String cache_identifier = GetCacheIdentifier(
+      url, params.GetResourceRequest().GetSkipServiceWorker());
   // Most off-main-thread resource fetches use Resource::kRaw and don't reach
   // this point, but off-main-thread module fetches might.
   if (IsMainThread()) {
@@ -1347,7 +1348,10 @@ Resource* ResourceFetcher::RequestResource(FetchParameters& params,
         resource = nullptr;
       } else {
         resource = MemoryCache::Get()->ResourceForURL(
-            params.Url(), GetCacheIdentifier(params.Url()));
+            params.Url(),
+            GetCacheIdentifier(
+                params.Url(),
+                params.GetResourceRequest().GetSkipServiceWorker()));
       }
       if (resource) {
         policy = DetermineRevalidationPolicy(resource_type, params, *resource,
@@ -1604,7 +1608,8 @@ Resource* ResourceFetcher::CreateResourceForLoading(
     const FetchParameters& params,
     const ResourceFactory& factory) {
   const String cache_identifier =
-      GetCacheIdentifier(params.GetResourceRequest().Url());
+      GetCacheIdentifier(params.GetResourceRequest().Url(),
+                         params.GetResourceRequest().GetSkipServiceWorker());
   if (!base::FeatureList::IsEnabled(
           blink::features::kScopeMemoryCachePerContext)) {
     DCHECK(!IsMainThread() || params.IsStaleRevalidation() ||
@@ -2605,9 +2610,11 @@ void ResourceFetcher::UpdateAllImageResourcePriorities() {
   to_be_removed.clear();
 }
 
-String ResourceFetcher::GetCacheIdentifier(const KURL& url) const {
-  if (properties_->GetControllerServiceWorkerMode() !=
-      mojom::ControllerServiceWorkerMode::kNoController) {
+String ResourceFetcher::GetCacheIdentifier(const KURL& url,
+                                           bool skip_service_worker) const {
+  if (!skip_service_worker &&
+      properties_->GetControllerServiceWorkerMode() !=
+          mojom::ControllerServiceWorkerMode::kNoController) {
     return String::Number(properties_->ServiceWorkerId());
   }
 

chromium/third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h

@@ -260,7 +260,11 @@ class PLATFORM_EXPORT ResourceFetcher
                          uint32_t inflight_keepalive_bytes);
   blink::mojom::ControllerServiceWorkerMode IsControlledByServiceWorker() const;
 
-  String GetCacheIdentifier(const KURL& url) const;
+  // Returns a cache identifier for MemoryCache.
+  // `url` is used for finding a matching WebBundle.
+  // If `skip_service_worker` is true, the identifier won't be a ServiceWorker's
+  // identifier to keep the cache separated.
+  String GetCacheIdentifier(const KURL& url, bool skip_service_worker) const;
 
   // If `url` exists as a resource in a subresource bundle in this frame,
   // returns its UnguessableToken; otherwise, returns absl::nullopt.