| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | 5 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
| 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | 6 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
| 7 | 7 |
| 8 #pragma once | 8 #pragma once |
| 9 | 9 |
| 10 #include <map> | 10 #include <map> |
| 11 #include <set> | 11 #include <set> |
| 12 #include <string> | 12 #include <string> |
| 13 | 13 |
| 14 #include "base/basictypes.h" | 14 #include "base/basictypes.h" |
| 15 #include "base/gtest_prod_util.h" | 15 #include "base/gtest_prod_util.h" |
| 16 #include "base/memory/singleton.h" | 16 #include "base/memory/singleton.h" |
| 17 #include "base/synchronization/lock.h" | 17 #include "base/synchronization/lock.h" |
| 18 #include "content/common/content_export.h" | 18 #include "content/common/content_export.h" |
| 19 | 19 |
| 20 class FilePath; | 20 class FilePath; |
| 21 class GURL; | 21 class GURL; |
| 22 | 22 |
| 23 namespace net { |
| 24 |
| 25 class URLRequestJobFactory; |
| 26 |
| 27 } // namespace net |
| 28 |
| 23 // The ChildProcessSecurityPolicy class is used to grant and revoke security | 29 // The ChildProcessSecurityPolicy class is used to grant and revoke security |
| 24 // capabilities for child processes. For example, it restricts whether a child | 30 // capabilities for child processes. For example, it restricts whether a child |
| 25 // process is permitted to load file:// URLs based on whether the process | 31 // process is permitted to load file:// URLs based on whether the process |
| 26 // has ever been commanded to load file:// URLs by the browser. | 32 // has ever been commanded to load file:// URLs by the browser. |
| 27 // | 33 // |
| 28 // ChildProcessSecurityPolicy is a singleton that may be used on any thread. | 34 // ChildProcessSecurityPolicy is a singleton that may be used on any thread. |
| 29 // | 35 // |
| 30 class CONTENT_EXPORT ChildProcessSecurityPolicy { | 36 class CONTENT_EXPORT ChildProcessSecurityPolicy { |
| 31 public: | 37 public: |
| 32 // Object can only be created through GetInstance() so the constructor is | 38 // Object can only be created through GetInstance() so the constructor is |
| 33 // private. | 39 // private. |
| 34 ~ChildProcessSecurityPolicy(); | 40 ~ChildProcessSecurityPolicy(); |
| 35 | 41 |
| 36 // There is one global ChildProcessSecurityPolicy object for the entire | 42 // There is one global ChildProcessSecurityPolicy object for the entire |
| 37 // browser process. The object returned by this method may be accessed on | 43 // browser process. The object returned by this method may be accessed on |
| 38 // any thread. | 44 // any thread. |
| 39 static ChildProcessSecurityPolicy* GetInstance(); | 45 static ChildProcessSecurityPolicy* GetInstance(); |
| 40 | 46 |
| 41 // Web-safe schemes can be requested by any child process. Once a web-safe | 47 // Web-safe schemes can be requested by any child process. Once a web-safe |
| 42 // scheme has been registered, any child process can request URLs with | 48 // scheme has been registered, any child process can request URLs with |
| 43 // that scheme. There is no mechanism for revoking web-safe schemes. | 49 // that scheme. There is no mechanism for revoking web-safe schemes. |
| 44 void RegisterWebSafeScheme(const std::string& scheme); | 50 void RegisterWebSafeScheme(const std::string& scheme); |
| 45 | 51 |
| 46 // Returns true iff |scheme| has been registered as a web-safe scheme. | 52 // Returns true iff |scheme| has been registered as a web-safe scheme. |
| 47 bool IsWebSafeScheme(const std::string& scheme); | 53 bool IsWebSafeScheme(const std::string& scheme) const; |
| 48 | 54 |
| 49 // Pseudo schemes are treated differently than other schemes because they | 55 // Pseudo schemes are treated differently than other schemes because they |
| 50 // cannot be requested like normal URLs. There is no mechanism for revoking | 56 // cannot be requested like normal URLs. There is no mechanism for revoking |
| 51 // pseudo schemes. | 57 // pseudo schemes. |
| 52 void RegisterPseudoScheme(const std::string& scheme); | 58 void RegisterPseudoScheme(const std::string& scheme); |
| 53 | 59 |
| 54 // Returns true iff |scheme| has been registered as pseudo scheme. | 60 // Returns true iff |scheme| has been registered as pseudo scheme. |
| 55 bool IsPseudoScheme(const std::string& scheme); | 61 bool IsPseudoScheme(const std::string& scheme) const; |
| 56 | 62 |
| 57 // Sets the list of disabled schemes. | 63 // Sets the list of disabled schemes. |
| 58 // URLs using these schemes won't be loaded at all. The previous list of | 64 // URLs using these schemes won't be loaded at all. The previous list of |
| 59 // schemes is overwritten. An empty |schemes| disables this feature. | 65 // schemes is overwritten. An empty |schemes| disables this feature. |
| 60 // Schemes listed as disabled take precedence over Web-safe schemes. | 66 // Schemes listed as disabled take precedence over Web-safe schemes. |
| 61 void RegisterDisabledSchemes(const std::set<std::string>& schemes); | 67 void RegisterDisabledSchemes(const std::set<std::string>& schemes); |
| 62 | 68 |
| 63 // Returns true iff |scheme| is listed as a disabled scheme. | 69 // Returns true iff |scheme| is listed as a disabled scheme. |
| 64 bool IsDisabledScheme(const std::string& scheme); | 70 bool IsDisabledScheme(const std::string& scheme) const; |
| 65 | 71 |
| 66 // Upon creation, child processes should register themselves by calling this | 72 // Upon creation, child processes should register themselves by calling this |
| 67 // this method exactly once. | 73 // this method exactly once. |
| 68 void Add(int child_id); | 74 void Add(int child_id); |
| 69 | 75 |
| 70 // Upon creation, worker thread child processes should register themselves by | 76 // Upon creation, worker thread child processes should register themselves by |
| 71 // calling this this method exactly once. Workers that are not shared will | 77 // calling this this method exactly once. Workers that are not shared will |
| 72 // inherit permissions from their parent renderer process identified with | 78 // inherit permissions from their parent renderer process identified with |
| 73 // |main_render_process_id|. | 79 // |main_render_process_id|. |
| 74 void AddWorker(int worker_child_id, int main_render_process_id); | 80 void AddWorker(int worker_child_id, int main_render_process_id); |
| (...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 108 void GrantWebUIBindings(int child_id); | 114 void GrantWebUIBindings(int child_id); |
| 109 | 115 |
| 110 // Grant the child process the ability to read raw cookies. | 116 // Grant the child process the ability to read raw cookies. |
| 111 void GrantReadRawCookies(int child_id); | 117 void GrantReadRawCookies(int child_id); |
| 112 | 118 |
| 113 // Revoke read raw cookies permission. | 119 // Revoke read raw cookies permission. |
| 114 void RevokeReadRawCookies(int child_id); | 120 void RevokeReadRawCookies(int child_id); |
| 115 | 121 |
| 116 // Before servicing a child process's request for a URL, the browser should | 122 // Before servicing a child process's request for a URL, the browser should |
| 117 // call this method to determine whether the process has the capability to | 123 // call this method to determine whether the process has the capability to |
| 118 // request the URL. | 124 // request the URL. Returns the true answer relative to the job_factory, |
| 119 bool CanRequestURL(int child_id, const GURL& url); | 125 // and requires that we are running on the IO thread, which is the only |
| 126 // place a true answer may be obtained. When not running on the IO thread, |
| 127 // we can get an approximate answer by omitting the JobFactory. This result |
| 128 // is relative to whatever tables are checked via ContentBrowserClient. |
| 129 bool CanRequestURL(int child_id, const GURL& url, |
| 130 const net::URLRequestJobFactory* job_factory) const; |
| 120 | 131 |
| 121 // Before servicing a child process's request to upload a file to the web, the | 132 // Before servicing a child process's request to upload a file to the web, the |
| 122 // browser should call this method to determine whether the process has the | 133 // browser should call this method to determine whether the process has the |
| 123 // capability to upload the requested file. | 134 // capability to upload the requested file. |
| 124 bool CanReadFile(int child_id, const FilePath& file); | 135 bool CanReadFile(int child_id, const FilePath& file); |
| 125 | 136 |
| 126 // Before servicing a child process's request to enumerate a directory | 137 // Before servicing a child process's request to enumerate a directory |
| 127 // the browser should call this method to check for the capability. | 138 // the browser should call this method to check for the capability. |
| 128 bool CanReadDirectory(int child_id, const FilePath& directory); | 139 bool CanReadDirectory(int child_id, const FilePath& directory); |
| 129 | 140 |
| (...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 171 void AddChild(int child_id); | 182 void AddChild(int child_id); |
| 172 | 183 |
| 173 // Determines if certain permissions were granted for a file to given child | 184 // Determines if certain permissions were granted for a file to given child |
| 174 // process. |permissions| must be a bit-set of base::PlatformFileFlags. | 185 // process. |permissions| must be a bit-set of base::PlatformFileFlags. |
| 175 bool ChildProcessHasPermissionsForFile(int child_id, | 186 bool ChildProcessHasPermissionsForFile(int child_id, |
| 176 const FilePath& file, | 187 const FilePath& file, |
| 177 int permissions); | 188 int permissions); |
| 178 | 189 |
| 179 // You must acquire this lock before reading or writing any members of this | 190 // You must acquire this lock before reading or writing any members of this |
| 180 // class. You must not block while holding this lock. | 191 // class. You must not block while holding this lock. |
| 181 base::Lock lock_; | 192 mutable base::Lock lock_; |
| 182 | 193 |
| 183 // These schemes are white-listed for all child processes. This set is | 194 // These schemes are white-listed for all child processes. This set is |
| 184 // protected by |lock_|. | 195 // protected by |lock_|. |
| 185 SchemeSet web_safe_schemes_; | 196 SchemeSet web_safe_schemes_; |
| 186 | 197 |
| 187 // These schemes do not actually represent retrievable URLs. For example, | 198 // These schemes do not actually represent retrievable URLs. For example, |
| 188 // the the URLs in the "about" scheme are aliases to other URLs. This set is | 199 // the the URLs in the "about" scheme are aliases to other URLs. This set is |
| 189 // protected by |lock_|. | 200 // protected by |lock_|. |
| 190 SchemeSet pseudo_schemes_; | 201 SchemeSet pseudo_schemes_; |
| 191 | 202 |
| 192 // These schemes are disabled by policy, and child processes are always | 203 // These schemes are disabled by policy, and child processes are always |
| 193 // denied permission to request them. This overrides |web_safe_schemes_|. | 204 // denied permission to request them. This overrides |web_safe_schemes_|. |
| 194 // This set is protected by |lock_|. | 205 // This set is protected by |lock_|. |
| 195 SchemeSet disabled_schemes_; | 206 SchemeSet disabled_schemes_; |
| 196 | 207 |
| 197 // This map holds a SecurityState for each child process. The key for the | 208 // This map holds a SecurityState for each child process. The key for the |
| 198 // map is the ID of the ChildProcessHost. The SecurityState objects are | 209 // map is the ID of the ChildProcessHost. The SecurityState objects are |
| 199 // owned by this object and are protected by |lock_|. References to them must | 210 // owned by this object and are protected by |lock_|. References to them must |
| 200 // not escape this class. | 211 // not escape this class. |
| 201 SecurityStateMap security_state_; | 212 SecurityStateMap security_state_; |
| 202 | 213 |
| 203 // This maps keeps the record of which js worker thread child process | 214 // This maps keeps the record of which js worker thread child process |
| 204 // corresponds to which main js thread child process. | 215 // corresponds to which main js thread child process. |
| 205 WorkerToMainProcessMap worker_map_; | 216 WorkerToMainProcessMap worker_map_; |
| 206 | 217 |
| 207 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicy); | 218 DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicy); |
| 208 }; | 219 }; |
| 209 | 220 |
| 210 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ | 221 #endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 8588039:
Remove "open in new tab" items from context menu if the process doesn't (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/