[Backport] CVE-2025-5281: Inappropriate implementation in BFCache

lozy219 · Anu Aliyas · commit 87e3e7386bd8 · 2025-06-03T15:02:32.000Z
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/6550761: CCNS: make sure the cookie listener is added for prerendered document Previously the cookie listen is not added for the prerendered document because we only check IsInPrimaryMainFrame(), this will lead to serious security problem since we won't be notified when the cookie changes throughout the life time of that document. This CL fixes the check and update the browser test with prerendering case. Only a subset of the tests are updated but that should provide enough coverage for the scenarios we are caring about. Change-Id: Ia538f6f9e72c1096f1d0b4ed5ade7e2bd56e5523 Bug: 417215501 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6550761 Reviewed-by: Rakina Zata Amni <rakina@chromium.org> Commit-Queue: Mingyu Lei <leimy@chromium.org> Cr-Commit-Position: refs/heads/main@{#1462580} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/648697 Reviewed-by: Anu Aliyas <anu.aliyas@qt.io> (cherry picked from commit eb9837f) Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/649947 Reviewed-by: Moss Heim <moss.heim@qt.io>
diff --git a/chromium/content/browser/renderer_host/navigation_request.cc b/chromium/content/browser/renderer_host/navigation_request.cc
@@ -2783,19 +2783,21 @@ bool NavigationRequest::ShouldAddCookieChangeListener() {
   // The `CookieChangeListener` will only be set up if all of these are true:
   // (1) the navigation's protocol is HTTP(s).
   // (2) we allow a document with `Cache-control: no-store` header to
-  // enter BFCache.
+  // enter back/forward.
   // (3) the navigation is neither a same-document navigation nor a page
   // activation, since in these cases, an existing `RenderFrameHost` will be
   // used, and it would already have an existing listener, so we should skip the
   // initialization.
-  // (4) the navigation is a primary main frame navigation, as the cookie
-  // change information will only be used in the inactive document control
-  // logic.
+  // (4) the navigation is a primary main frame navigation or it's for
+  // prerendering a main frame, as the cookie change information will only be
+  // used to determined if a page can be restored from back/forward cache, so
+  // subframe navigation can be ignored.
   return frame_tree_node_->navigator()
              .controller()
              .GetBackForwardCache()
              .should_allow_storing_pages_with_cache_control_no_store() &&
-         !IsPageActivation() && !IsSameDocument() && IsInPrimaryMainFrame() &&
+         !IsPageActivation() && !IsSameDocument() &&
+         (IsInPrimaryMainFrame() || IsInPrerenderedMainFrame()) &&
          common_params_->url.SchemeIsHTTPOrHTTPS();
 }
 
