AncestorThrottle: Short-circuit same origin check for frame load if websecurity is disabled

t-bashir-bs · t-bashir-bs · commit ffea8705ffd2 · 2025-02-27T14:38:49.000Z
diff --git a/patches/chromium/.patches b/patches/chromium/.patches
@@ -182,3 +182,4 @@ fix_nexus_fix_window_focus_management_for_vk_os-17597.patch
 fix_track_keyboard_focus_on_nexuswindowmanager_os-18564.patch
 fix_wayland_window_always_dispatch_keyevent_os-18589.patch
 fix_wayland_track_keyboard_focus_os-18548.patch
+os-17051_short-circuit_same_origin_check_for_frame_load_if.patch
diff --git a/patches/chromium/os-17051_short-circuit_same_origin_check_for_frame_load_if.patch b/patches/chromium/os-17051_short-circuit_same_origin_check_for_frame_load_if.patch
@@ -0,0 +1,35 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tariq Bashir <120014322+t-bashir-bs@users.noreply.github.com>
+Date: Thu, 27 Feb 2025 14:29:55 +0000
+Subject: OS-17051: Short-circuit same origin check for frame load if
+ websecurity is disabled
+
+Disable the same origin check for frame loads if web security is disabled.
+This is to allow the loading of iframes from different origins when web
+security is disabled.
+
+This is a cherry pick of https://cam-gerrit.brightsign.info/c/qtwebengine-chromium/+/6236
+
+diff --git a/content/browser/renderer_host/ancestor_throttle.cc b/content/browser/renderer_host/ancestor_throttle.cc
+index d17a791b05bf59b64cdc055620560a3cf1d75b1b..19f7ee73fcdeefcbf6a1f756daa9a44f01624312 100644
+--- a/content/browser/renderer_host/ancestor_throttle.cc
++++ b/content/browser/renderer_host/ancestor_throttle.cc
+@@ -25,6 +25,7 @@
+ #include "content/public/browser/navigation_handle.h"
+ #include "content/public/browser/navigation_throttle.h"
+ #include "content/public/browser/storage_partition.h"
++#include "content/public/browser/web_contents.h"
+ #include "content/public/common/content_client.h"
+ #include "net/http/http_response_headers.h"
+ #include "services/network/public/cpp/content_security_policy/content_security_policy.h"
+@@ -253,7 +254,9 @@ AncestorThrottle::CheckResult AncestorThrottle::EvaluateXFrameOptions(
+       url::Origin current_origin =
+           url::Origin::Create(navigation_handle()->GetURL());
+       while (parent) {
+-        if (!parent->GetLastCommittedOrigin().IsSameOriginWith(
++        if ((!navigation_handle()->GetWebContents()
++             || navigation_handle()->GetWebContents()->GetOrCreateWebPreferences().web_security_enabled)
++            && !parent->GetLastCommittedOrigin().IsSameOriginWith(
+                 current_origin)) {
+           if (logging == LoggingDisposition::LOG_TO_CONSOLE)
+             ConsoleErrorXFrameOptions(disposition);
