Chromium Code Reviews Chromium Code Reviews
Issue 8409006:
Take script URLs into account when applying script content settings. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/renderer/content_settings_observer.h" | 5 #include "chrome/renderer/content_settings_observer.h" |
| 6 | 6 |
| 7 #include "chrome/common/render_messages.h" | 7 #include "chrome/common/render_messages.h" |
| 8 #include "chrome/common/url_constants.h" | 8 #include "chrome/common/url_constants.h" |
| 9 #include "content/public/renderer/navigation_state.h" | 9 #include "content/public/renderer/navigation_state.h" |
| 10 #include "content/public/renderer/render_view.h" | 10 #include "content/public/renderer/render_view.h" |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 52 | 52 |
| 53 GURL GetOriginOrURL(const WebFrame* frame) { | 53 GURL GetOriginOrURL(const WebFrame* frame) { |
| 54 WebString top_origin = frame->top()->document().securityOrigin().toString(); | 54 WebString top_origin = frame->top()->document().securityOrigin().toString(); |
| 55 // The the |top_origin| is unique ("null") e.g., for file:// URLs. Use the | 55 // The the |top_origin| is unique ("null") e.g., for file:// URLs. Use the |
| 56 // document URL as the primary URL in those cases. | 56 // document URL as the primary URL in those cases. |
| 57 if (top_origin == "null") | 57 if (top_origin == "null") |
| 58 return frame->document().url(); | 58 return frame->document().url(); |
| 59 return GURL(top_origin); | 59 return GURL(top_origin); |
| 60 } | 60 } |
| 61 | 61 |
| 62 ContentSetting GetContentSettingFromRules( | |
| 63 const ContentSettingsForOneType& rules, | |
| 64 const GURL& primary_url, | |
| 65 const GURL& secondary_url) { | |
| 66 ContentSettingsForOneType::const_iterator it; | |
| 67 for (it = rules.begin(); it != rules.end(); ++it) { | |
| 68 if (it->primary_pattern.Matches(primary_url) && | |
| 69 it->secondary_pattern.Matches(secondary_url)) { | |
| 70 return it->setting; | |
| 71 } | |
| 72 } | |
| 73 return CONTENT_SETTING_DEFAULT; | |
|
jochen (gone - plz use gerrit)
2011/11/03 15:55:09
what if the default is to block all images?
marja
2011/11/03 16:28:39
Ahh, I should've put NOTREACHED() here but I forgo
| |
| 74 } | |
| 75 | |
| 62 } // namespace | 76 } // namespace |
| 63 | 77 |
| 64 ContentSettingsObserver::ContentSettingsObserver( | 78 ContentSettingsObserver::ContentSettingsObserver( |
| 65 content::RenderView* render_view) | 79 content::RenderView* render_view) |
| 66 : content::RenderViewObserver(render_view), | 80 : content::RenderViewObserver(render_view), |
| 67 content::RenderViewObserverTracker<ContentSettingsObserver>(render_view), | 81 content::RenderViewObserverTracker<ContentSettingsObserver>(render_view), |
| 68 default_content_settings_(NULL), | 82 default_content_settings_(NULL), |
| 69 image_setting_rules_(NULL), | 83 content_setting_rules_(NULL), |
| 70 plugins_temporarily_allowed_(false) { | 84 plugins_temporarily_allowed_(false) { |
| 71 ClearBlockedContentSettings(); | 85 ClearBlockedContentSettings(); |
| 72 } | 86 } |
| 73 | 87 |
| 74 ContentSettingsObserver::~ContentSettingsObserver() { | 88 ContentSettingsObserver::~ContentSettingsObserver() { |
| 75 } | 89 } |
| 76 | 90 |
| 77 void ContentSettingsObserver::SetContentSettings( | 91 void ContentSettingsObserver::SetContentSettings( |
| 78 const ContentSettings& settings) { | 92 const ContentSettings& settings) { |
| 79 current_content_settings_ = settings; | 93 current_content_settings_ = settings; |
| 80 } | 94 } |
| 81 | 95 |
| 82 void ContentSettingsObserver::SetDefaultContentSettings( | 96 void ContentSettingsObserver::SetDefaultContentSettings( |
| 83 const ContentSettings* settings) { | 97 const ContentSettings* settings) { |
| 84 default_content_settings_ = settings; | 98 default_content_settings_ = settings; |
| 85 } | 99 } |
| 86 | 100 |
| 87 void ContentSettingsObserver::SetImageSettingRules( | 101 void ContentSettingsObserver::SetContentSettingRules( |
| 88 const ContentSettingsForOneType* image_setting_rules) { | 102 const RendererContentSettingRules* content_setting_rules) { |
| 89 image_setting_rules_ = image_setting_rules; | 103 content_setting_rules_ = content_setting_rules; |
| 90 } | 104 } |
| 91 | 105 |
| 92 ContentSetting ContentSettingsObserver::GetContentSetting( | 106 ContentSetting ContentSettingsObserver::GetContentSetting( |
| 93 ContentSettingsType type) { | 107 ContentSettingsType type) { |
| 94 // Don't call this for plug-ins. | 108 // Don't call this for plug-ins. |
| 95 DCHECK_NE(CONTENT_SETTINGS_TYPE_PLUGINS, type); | 109 DCHECK_NE(CONTENT_SETTINGS_TYPE_PLUGINS, type); |
| 96 return current_content_settings_.settings[type]; | 110 return current_content_settings_.settings[type]; |
| 97 } | 111 } |
| 98 | 112 |
| 99 void ContentSettingsObserver::DidBlockContentType( | 113 void ContentSettingsObserver::DidBlockContentType( |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 125 } | 139 } |
| 126 | 140 |
| 127 void ContentSettingsObserver::DidCommitProvisionalLoad( | 141 void ContentSettingsObserver::DidCommitProvisionalLoad( |
| 128 WebFrame* frame, bool is_new_navigation) { | 142 WebFrame* frame, bool is_new_navigation) { |
| 129 if (frame->parent()) | 143 if (frame->parent()) |
| 130 return; // Not a top-level navigation. | 144 return; // Not a top-level navigation. |
| 131 | 145 |
| 132 NavigationState* state = NavigationState::FromDataSource(frame->dataSource()); | 146 NavigationState* state = NavigationState::FromDataSource(frame->dataSource()); |
| 133 if (!state->was_within_same_page()) { | 147 if (!state->was_within_same_page()) { |
| 134 // Clear "block" flags for the new page. This needs to happen before any of | 148 // Clear "block" flags for the new page. This needs to happen before any of |
| 135 // allowScripts(), allowImage(), allowPlugins() is called for the new page | 149 // |AllowScript()|, |AllowScriptFromSource()|, |AllowImage()|, or |
| 136 // so that these functions can correctly detect that a piece of content | 150 // |AllowPlugins()| is called for the new page so that these functions can |
| 137 // flipped from "not blocked" to "blocked". | 151 // correctly detect that a piece of content flipped from "not blocked" to |
| 152 // "blocked". | |
| 138 ClearBlockedContentSettings(); | 153 ClearBlockedContentSettings(); |
| 139 plugins_temporarily_allowed_ = false; | 154 plugins_temporarily_allowed_ = false; |
| 140 } | 155 } |
| 141 | 156 |
| 142 GURL url = frame->document().url(); | 157 GURL url = frame->document().url(); |
| 143 | 158 |
| 144 if (frame->document().securityOrigin().toString() == "null" && | 159 if (frame->document().securityOrigin().toString() == "null" && |
| 145 !url.SchemeIs(chrome::kFileScheme)) { | 160 !url.SchemeIs(chrome::kFileScheme)) { |
| 146 // The Frame has a unique security origin. Instead of granting the frame | 161 // The Frame has a unique security origin. Instead of granting the frame |
| 147 // privileges based on it's URL, we fall back to the default content | 162 // privileges based on it's URL, we fall back to the default content |
| (...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 210 return result; | 225 return result; |
| 211 } | 226 } |
| 212 | 227 |
| 213 bool ContentSettingsObserver::AllowImage(WebFrame* frame, | 228 bool ContentSettingsObserver::AllowImage(WebFrame* frame, |
| 214 bool enabled_per_settings, | 229 bool enabled_per_settings, |
| 215 const WebURL& image_url) { | 230 const WebURL& image_url) { |
| 216 if (IsWhitelistedForContentSettings(frame)) | 231 if (IsWhitelistedForContentSettings(frame)) |
| 217 return true; | 232 return true; |
| 218 | 233 |
| 219 bool allow = enabled_per_settings; | 234 bool allow = enabled_per_settings; |
| 220 const GURL& primary_url = GetOriginOrURL(frame); | 235 if (content_setting_rules_ && |
| 221 GURL secondary_url(image_url); | |
| 222 if (image_setting_rules_ && | |
| 223 enabled_per_settings) { | 236 enabled_per_settings) { |
|
jochen (gone - plz use gerrit)
2011/11/03 15:55:09
nit. doesn't this fit into one line?
marja
2011/11/03 16:28:39
Done.
| |
| 224 ContentSettingsForOneType::const_iterator it; | 237 const GURL& primary_url = GetOriginOrURL(frame); |
| 225 for (it = image_setting_rules_->begin(); | 238 GURL secondary_url(image_url); |
| 226 it != image_setting_rules_->end(); ++it) { | 239 allow = (GetContentSettingFromRules( |
| 227 if (it->primary_pattern.Matches(primary_url) && | 240 content_setting_rules_->image_rules, |
| 228 it->secondary_pattern.Matches(secondary_url)) { | 241 primary_url, secondary_url) != CONTENT_SETTING_BLOCK); |
| 229 allow = (it->setting != CONTENT_SETTING_BLOCK); | |
| 230 break; | |
| 231 } | |
| 232 } | |
| 233 } | 242 } |
| 234 | 243 |
| 235 if (!allow) | 244 if (!allow) |
| 236 DidBlockContentType(CONTENT_SETTINGS_TYPE_IMAGES, std::string()); | 245 DidBlockContentType(CONTENT_SETTINGS_TYPE_IMAGES, std::string()); |
| 237 return allow; | 246 return allow; |
| 238 } | 247 } |
| 239 | 248 |
| 240 bool ContentSettingsObserver::AllowIndexedDB(WebFrame* frame, | 249 bool ContentSettingsObserver::AllowIndexedDB(WebFrame* frame, |
| 241 const WebString& name, | 250 const WebString& name, |
| 242 const WebSecurityOrigin& origin) { | 251 const WebSecurityOrigin& origin) { |
| 243 if (frame->document().securityOrigin().isEmpty() || | 252 if (frame->document().securityOrigin().isEmpty() || |
| 244 frame->top()->document().securityOrigin().isEmpty()) | 253 frame->top()->document().securityOrigin().isEmpty()) |
| 245 return false; // Uninitialized document. | 254 return false; // Uninitialized document. |
| 246 | 255 |
| 247 bool result = false; | 256 bool result = false; |
| 248 Send(new ChromeViewHostMsg_AllowIndexedDB( | 257 Send(new ChromeViewHostMsg_AllowIndexedDB( |
| 249 routing_id(), GURL(frame->document().securityOrigin().toString()), | 258 routing_id(), GURL(frame->document().securityOrigin().toString()), |
| 250 GURL(frame->top()->document().securityOrigin().toString()), | 259 GURL(frame->top()->document().securityOrigin().toString()), |
| 251 name, &result)); | 260 name, &result)); |
| 252 return result; | 261 return result; |
| 253 } | 262 } |
| 254 | 263 |
| 255 bool ContentSettingsObserver::AllowPlugins(WebFrame* frame, | 264 bool ContentSettingsObserver::AllowPlugins(WebFrame* frame, |
| 256 bool enabled_per_settings) { | 265 bool enabled_per_settings) { |
| 257 return enabled_per_settings; | 266 return enabled_per_settings; |
| 258 } | 267 } |
| 259 | 268 |
| 260 bool ContentSettingsObserver::AllowScript(WebFrame* frame, | 269 bool ContentSettingsObserver::AllowScript(WebFrame* frame, |
| 261 bool enabled_per_settings) { | 270 bool enabled_per_settings) { |
| 262 if (enabled_per_settings && | 271 if (!enabled_per_settings) |
| 263 AllowContentType(CONTENT_SETTINGS_TYPE_JAVASCRIPT)) { | 272 return false; |
| 264 return true; | |
| 265 } | |
| 266 | |
| 267 if (IsWhitelistedForContentSettings(frame)) | 273 if (IsWhitelistedForContentSettings(frame)) |
| 268 return true; | 274 return true; |
| 269 | 275 |
| 270 return false; // Other protocols fall through here. | 276 if (content_setting_rules_) { |
| 277 const GURL& primary_url = GetOriginOrURL(frame); | |
| 278 GURL secondary_url(frame->document().securityOrigin().toString()); | |
| 279 return (GetContentSettingFromRules( | |
| 280 content_setting_rules_->script_rules, | |
| 281 primary_url, secondary_url) != CONTENT_SETTING_BLOCK); | |
| 282 } | |
| 283 return true; | |
| 284 } | |
| 285 | |
| 286 bool ContentSettingsObserver::AllowScriptFromSource( | |
| 287 WebFrame* frame, | |
| 288 bool enabled_per_settings, | |
| 289 const WebKit::WebURL& script_url) { | |
| 290 if (!enabled_per_settings) | |
| 291 return false; | |
| 292 if (IsWhitelistedForContentSettings(frame)) | |
| 293 return true; | |
| 294 | |
| 295 if (content_setting_rules_) { | |
| 296 const GURL& primary_url = GetOriginOrURL(frame); | |
| 297 GURL secondary_url(script_url); | |
| 298 return (GetContentSettingFromRules( | |
| 299 content_setting_rules_->script_rules, | |
| 300 primary_url, secondary_url) != CONTENT_SETTING_BLOCK); | |
| 301 } | |
| 302 return true; | |
| 271 } | 303 } |
| 272 | 304 |
| 273 bool ContentSettingsObserver::AllowStorage(WebFrame* frame, bool local) { | 305 bool ContentSettingsObserver::AllowStorage(WebFrame* frame, bool local) { |
| 274 if (frame->document().securityOrigin().isEmpty() || | 306 if (frame->document().securityOrigin().isEmpty() || |
| 275 frame->top()->document().securityOrigin().isEmpty()) | 307 frame->top()->document().securityOrigin().isEmpty()) |
| 276 return false; // Uninitialized document. | 308 return false; // Uninitialized document. |
| 277 bool result = false; | 309 bool result = false; |
| 278 | 310 |
| 279 StoragePermissionsKey key( | 311 StoragePermissionsKey key( |
| 280 GURL(frame->document().securityOrigin().toString()), local); | 312 GURL(frame->document().securityOrigin().toString()), local); |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 315 // CONTENT_SETTING_ASK is only valid for cookies. | 347 // CONTENT_SETTING_ASK is only valid for cookies. |
| 316 return current_content_settings_.settings[settings_type] != | 348 return current_content_settings_.settings[settings_type] != |
| 317 CONTENT_SETTING_BLOCK; | 349 CONTENT_SETTING_BLOCK; |
| 318 } | 350 } |
| 319 | 351 |
| 320 void ContentSettingsObserver::ClearBlockedContentSettings() { | 352 void ContentSettingsObserver::ClearBlockedContentSettings() { |
| 321 for (size_t i = 0; i < arraysize(content_blocked_); ++i) | 353 for (size_t i = 0; i < arraysize(content_blocked_); ++i) |
| 322 content_blocked_[i] = false; | 354 content_blocked_[i] = false; |
| 323 cached_storage_permissions_.clear(); | 355 cached_storage_permissions_.clear(); |
| 324 } | 356 } |
| OLD | NEW |
