Prevent cross-site pages when --site-per-process is passed

content/browser/child_process_security_policy_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy_impl.h"
 
 #include "base/command_line.h"
 #include "base/file_path.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
@@ skipping 48 matching lines @@
         fileapi::IsolatedContext::GetInstance();
     for (FileSystemMap::iterator iter = filesystem_permissions_.begin();
          iter != filesystem_permissions_.end();
          ++iter) {
       isolated_context->RemoveReference(iter->first);
     }
     UMA_HISTOGRAM_COUNTS("ChildProcessSecurityPolicy.PerChildFilePermissions",
                          file_permissions_.size());
   }
 
+  bool CanLoadIframe(const GURL& gurl){
+    if (origin_lock_.is_empty())
+      return true;
+    GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);

[Charlie Reis, 2012/11/28 18:58:26]

Please add the same TODO as in CanAccessCookiesForOrigin, since passing NULL
here breaks hosted apps.

[irobert, 2012/11/28 22:50:41]

Done.

+    return origin_lock_ == site_gurl;
+  }
+
   // Grant permission to request URLs with the specified scheme.
   void GrantScheme(const std::string& scheme) {
     scheme_policy_[scheme] = true;
   }
 
   // Revoke permission to request URLs with the specified scheme.
   void RevokeScheme(const std::string& scheme) {
     scheme_policy_[scheme] = false;
   }
 
@@ skipping 402 matching lines @@
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return;
 
   state->second->RevokeReadRawCookies();
 }
 
 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
-    int child_id, const GURL& url) {
+    int child_id, const GURL& url, ResourceType::Type resource_type) {
   if (!url.is_valid())
     return false;  // Can't request invalid URLs.
 
   if (IsDisabledScheme(url.scheme()))
     return false; // The scheme is disabled by policy.
 
+  // If --enable-strict-site-isolation flag is passed,

[Charlie Reis, 2012/11/28 18:58:26]

--site-per-process

[irobert, 2012/11/28 22:50:41]

Done.

+  // we should enforce stronger security restrictions on page navigation.
+  //
+  // TODO: This will break some WebUI page such as "chrome://extensions/"

[Charlie Reis, 2012/11/28 18:58:26]

nit: TODO(irobert):

Also, move the TODO comment inside the if, and end with a period.

[irobert, 2012/11/28 22:50:41]

Done.

+  // page (belongs to site chrome://chrome/) which loads an iframe for
+  // the page "chrome://uber-frame/" (belongs to site chrome://uber-frame/)
+  if (CommandLine::ForCurrentProcess()->HasSwitch(
+          switches::kEnableStrictSiteIsolation) &&

[Charlie Reis, 2012/11/28 18:58:26]

kSitePerProcess

[irobert, 2012/11/28 22:50:41]

Done.

+      (resource_type == ResourceType::MAIN_FRAME ||
+       resource_type == ResourceType::SUB_FRAME)) {

[Charlie Reis, 2012/11/28 18:58:26]

Looks like there's a ResourceType::IsFrame(resource_type) for doing this check. 
We should use that, since that will help if there's ever another type added to
that list.

[irobert, 2012/11/28 22:50:41]

Done.

+    base::AutoLock lock(lock_);
+    SecurityStateMap::iterator state = security_state_.find(child_id);
+    if (state == security_state_.end())
+      return false;
+    if (!state->second->CanLoadIframe(url))

[Charlie Reis, 2012/11/28 18:58:26]

CanLoadIframe isn't an accurate name, if we're also using it for MAIN_FRAME
requests.  How about CanLoadPage?

[irobert, 2012/11/28 22:50:41]

Done.

+      return false;
+  }
+
   if (IsWebSafeScheme(url.scheme()))
     return true;  // The scheme has been white-listed for every child process.
 
   if (IsPseudoScheme(url.scheme())) {
     // There are a number of special cases for pseudo schemes.
 
     if (url.SchemeIs(chrome::kViewSourceScheme)) {
       // A view-source URL is allowed if the child process is permitted to
       // request the embedded URL. Careful to avoid pointless recursion.
       GURL child_url(url.path());
       if (child_url.SchemeIs(chrome::kViewSourceScheme) &&
           url.SchemeIs(chrome::kViewSourceScheme))
           return false;
 
-      return CanRequestURL(child_id, child_url);
+      return CanRequestURL(child_id, child_url, resource_type);
     }
 
     if (LowerCaseEqualsASCII(url.spec(), chrome::kAboutBlankURL))
       return true;  // Every child process can request <about:blank>.
 
     // URLs like <about:memory> and <about:crash> shouldn't be requestable by
     // any child process.  Also, this case covers <javascript:...>, which should
     // be handled internally by the process and not kicked up to the browser.
     return false;
   }
@@ skipping 143 matching lines @@
     int permission) {
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return false;
   return state->second->HasPermissionsForFileSystem(filesystem_id, permission);
 }
 
 }  // namespace content