Limit the maximum length of frame unique names

Desktop / Chromium - Daniel Cheng [chromium.org] - 9 August 2017 17:45 EDT

The unique name is a semi-stable identifier used to identify the target frame for back/forward and session restore. The original unique name generation algorithm included the browsing context name: unfortunately, certain sites use window.name to transport large amounts of data, causing session restore data to balloon in size.

The original plan was to strictly limit the length of unique names; however, ensuring backwards compatibility was complex and difficult to understand. Instead, this patch enforces a weaker guarantee: if a frame provides a hint for the unique name that is over 80 characters, hash the requested name and use the result as if it were the requested name instead. It's still possible to get fairly long names with deeply nested frames, but this should be a large improvement over the current situation with no limit at all.

Note that even the simpler version of this algorithm does not result in perfect backwards compatibility: a malicious page can intentionally pick browsing context names that only collide once the name is hashed. Since this only affects the page itself, the algorithm retains the current best effort collision avoidance strategy of picking a name that is unlikely to collide, without guaranteeing full collision resistance.

Browsing a small assortment of control pages shows that unique name length is reduced from an average of ~1260 characters to 70 characters. Note that this metric was originally implemented incorrectly: for the purpose of comparison, the new metric was recorded in the exact same way. Actual numbers in the field are probably somewhat lower than this.

Bug: 626202, 645123
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation
Change-Id: I63c481feaf708c5e0d4087dafc8fcbf59b9091a6
Reviewed-on: https://chromium-review.googlesource.com/579031

6ca7f1c Limit the maximum length of frame unique names.
content/browser/frame_host/frame_tree_node.cc | 50 ++-
content/common/page_state_serialization.cc | 39 +-
content/common/page_state_serialization.h | 3 +
.../common/page_state_serialization_unittest.cc | 4 +
content/common/unique_name_helper.cc | 115 +++++-
content/common/unique_name_helper.h | 27 +-
content/common/unique_name_helper_unittest.cc | 411 +++++++++++++++++++++
content/renderer/render_frame_impl.cc | 2 +-
content/renderer/render_frame_impl.h | 2 +-
content/test/BUILD.gn | 1 +
content/test/data/page_state/serialized_v24.dat | 17 +
tools/metrics/histograms/histograms.xml | 54 +++
12 files changed, 705 insertions(+), 20 deletions(-)
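The hash-above-80-characters fallback and the best-effort collision avoidance described in the commit message, as an added illustration that is not Chromium's unique_name_helper.cc; the FNV-1a hash, the hex rendering and the "~N" suffix are assumptions made for this example.

```cpp
// Illustrative model of the commit's policy: a requested unique-name hint longer
// than 80 characters is replaced by a fixed-length hash, and the result is then
// de-duplicated against the names already in use by sibling frames.
// Not Chromium code: FNV-1a, the hex encoding and "~N" suffix are assumptions.
#include <cstdint>
#include <iomanip>
#include <set>
#include <sstream>
#include <string>

// Threshold from the commit message: hints longer than this are hashed.
constexpr size_t kMaxRequestedNameSize = 80;

// FNV-1a 64-bit (assumed here). Not collision resistant: a page that controls
// window.name can craft hints that collide, which is why the caller still
// de-duplicates below instead of trusting the hash alone.
std::string HashName(const std::string& name) {
  uint64_t h = 14695981039346656037ULL;
  for (unsigned char c : name) {
    h ^= c;
    h *= 1099511628211ULL;
  }
  std::ostringstream out;
  out << std::hex << std::setfill('0') << std::setw(16) << h;
  return out.str();  // always 16 hex characters, regardless of input size
}

// Returns the hint unchanged if it is short enough, otherwise its hash.
std::string BoundRequestedName(const std::string& requested_name) {
  if (requested_name.size() <= kMaxRequestedNameSize)
    return requested_name;
  return HashName(requested_name);
}

// Best-effort collision avoidance: append an increasing index until the
// candidate is not already present in |existing| (names of sibling frames).
std::string GenerateUniqueName(const std::set<std::string>& existing,
                               const std::string& requested_name) {
  const std::string base = BoundRequestedName(requested_name);
  std::string candidate = base;
  for (int i = 1; existing.count(candidate); ++i)
    candidate = base + "~" + std::to_string(i);
  return candidate;
}
```

Session-restore payload size is bounded by the 16-character hash for oversized hints, while a colliding hash only costs the page a suffixed name rather than a mis-targeted navigation.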

Upstream: git.chromium.org
