Restricting redirects to chrome:

content/browser/child_process_security_policy.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy.h"
 
 #include "base/file_path.h"
 #include "base/logging.h"
 #include "base/platform_file.h"
 #include "base/stl_util.h"
@@ skipping 118 matching lines @@
   // We know about these schemes and believe them to be safe.
   RegisterWebSafeScheme(chrome::kHttpScheme);
   RegisterWebSafeScheme(chrome::kHttpsScheme);
   RegisterWebSafeScheme(chrome::kFtpScheme);
   RegisterWebSafeScheme(chrome::kDataScheme);
   RegisterWebSafeScheme("feed");
   RegisterWebSafeScheme(chrome::kExtensionScheme);
   RegisterWebSafeScheme(chrome::kBlobScheme);
   RegisterWebSafeScheme(chrome::kFileSystemScheme);
 
+  // The following Web UI schemes are only accessible by children with with
+  // WebUI bindings.
+  RegisterWebUIScheme(chrome::kChromeUIScheme);

[abarth-chromium, 2011/09/19 06:46:39]

In the past, access to this scheme happened naturally because we navigated
render processes to chrome: URLs when we added the WebUI bindings.  Does this
mean we're granting WebUI bindings to URLs that lack the chrome: scheme?

+
   // We know about the following pseudo schemes and treat them specially.
   RegisterPseudoScheme(chrome::kAboutScheme);
   RegisterPseudoScheme(chrome::kJavaScriptScheme);
   RegisterPseudoScheme(chrome::kViewSourceScheme);
 }
 
 ChildProcessSecurityPolicy::~ChildProcessSecurityPolicy() {
   web_safe_schemes_.clear();
   pseudo_schemes_.clear();
   STLDeleteContainerPairSecondPointers(security_state_.begin(),
@@ skipping 36 matching lines @@
 
   web_safe_schemes_.insert(scheme);
 }
 
 bool ChildProcessSecurityPolicy::IsWebSafeScheme(const std::string& scheme) {
   base::AutoLock lock(lock_);
 
   return (web_safe_schemes_.find(scheme) != web_safe_schemes_.end());
 }
 
+void ChildProcessSecurityPolicy::RegisterWebUIScheme(
+    const std::string& scheme) {
+  base::AutoLock lock(lock_);
+  DCHECK(webui_schemes_.count(scheme) == 0) << "Adds schemes at most once.";
+  DCHECK(web_safe_schemes_.count(scheme) == 0) << "WebUI schemes not web-safe.";
+
+  webui_schemes_.insert(scheme);
+}
+
+bool ChildProcessSecurityPolicy::IsWebUIScheme(const std::string& scheme) {
+    base::AutoLock lock(lock_);
+
+    return (webui_schemes_.find(scheme) != webui_schemes_.end());
+}
+
 void ChildProcessSecurityPolicy::RegisterPseudoScheme(
     const std::string& scheme) {
   base::AutoLock lock(lock_);
   DCHECK(pseudo_schemes_.count(scheme) == 0) << "Add schemes at most once.";
   DCHECK(web_safe_schemes_.count(scheme) == 0) <<
       "Pseudo implies not web-safe.";
 
   pseudo_schemes_.insert(scheme);
 }
 
@@ skipping 137 matching lines @@
 
   state->second->RevokeReadRawCookies();
 }
 
 bool ChildProcessSecurityPolicy::CanRequestURL(
     int child_id, const GURL& url) {
   if (!url.is_valid())
     return false;  // Can't request invalid URLs.
 
   if (IsDisabledScheme(url.scheme()))
-    return false; // The scheme is disabled by policy.
+    return false;  // The scheme is disabled by policy.
 
   if (IsWebSafeScheme(url.scheme()))
     return true;  // The scheme has been white-listed for every child process.
 
   if (IsPseudoScheme(url.scheme())) {
     // There are a number of special cases for pseudo schemes.
 
     if (url.SchemeIs(chrome::kViewSourceScheme)) {
       // A view-source URL is allowed if the child process is permitted to
       // request the embedded URL. Careful to avoid pointless recursion.
@@ skipping 23 matching lines @@
     SecurityStateMap::iterator state = security_state_.find(child_id);
     if (state == security_state_.end())
       return false;
 
     // Otherwise, we consult the child process's security state to see if it is
     // allowed to request the URL.
     return state->second->CanRequestURL(url);
   }
 }
 
+bool ChildProcessSecurityPolicy::CanRedirectURL(
+    int child_id, const GURL& url) {
+  return CanRequestURL(child_id, url) && !IsWebUIScheme(url.scheme());

[abarth-chromium, 2011/09/19 06:46:39]

If you can request a URL, why can't you redirect to it?  I suspect you're trying
to solve this problem at the wrong layer.

The ChildProcessSecurityPolicy is only meant to be a line of defense against a
compromised rendering engine.  If a render process CanRequestURL, then that
process can navigate itself to that URL and there's no security to be gained by
blocking redirects.

+}
+
 bool ChildProcessSecurityPolicy::CanReadFile(int child_id,
                                              const FilePath& file) {
   return HasPermissionsForFile(child_id, file, kReadFilePermissions);
 }
 
 bool ChildProcessSecurityPolicy::CanReadDirectory(int child_id,
                                                   const FilePath& directory) {
   return HasPermissionsForFile(child_id,
                                directory,
                                kEnumerateDirectoryPermissions);
@@ skipping 55 matching lines @@
   security_state_[child_id] = new SecurityState();
 }
 
 bool ChildProcessSecurityPolicy::ChildProcessHasPermissionsForFile(
     int child_id, const FilePath& file, int permissions) {
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return false;
   return state->second->HasPermissionsForFile(file, permissions);
 }