Prevent cross-site pages when --site-per-process is passed

content/browser/child_process_security_policy_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy_impl.h"
 
 #include "base/command_line.h"
 #include "base/file_path.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
@@ skipping 149 matching lines @@
         if (file_permissions_.find(current_path) != file_permissions_.end())
           return (file_permissions_[current_path] & permissions) == permissions;
       }
       last_path = current_path;
       current_path = current_path.DirName();
     }
 
     return false;
   }
 
+  bool CanLoadPage(const GURL& gurl){
+    if (origin_lock_.is_empty())
+      return true;
+    // TODO(creis): We must pass the valid browser_context to convert hosted
+    // apps URLs.  Currently, hosted apps cannot set cookies in this mode.

[Charlie Reis, 2012/11/29 22:00:54]

nit: s/set cookies/be loaded/

[irobert, 2012/12/01 00:02:48]

Done.

+    // See http://crbug.com/160576.
+    GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
+    return origin_lock_ == site_gurl;
+  }
+
   bool CanAccessCookiesForOrigin(const GURL& gurl) {
     if (origin_lock_.is_empty())
       return true;
     // TODO(creis): We must pass the valid browser_context to convert hosted
     // apps URLs.  Currently, hosted apps cannot set cookies in this mode.
     // See http://crbug.com/160576.
     GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
     return origin_lock_ == site_gurl;
   }
 
@@ skipping 300 matching lines @@
 void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) {
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return;
 
   state->second->RevokeReadRawCookies();
 }
 
+bool ChildProcessSecurityPolicyImpl::CanLoadPage(
+    int child_id, const GURL& url, ResourceType::Type resource_type) {

[Charlie Reis, 2012/11/29 22:00:54]

Style nit: Each argument should be on its own line if the whole thing doesn't
fit on one line.

[irobert, 2012/12/01 00:02:48]

Done.

+  // If --site-per-process flag is passed, we should enforce
+  // stronger security restrictions on page navigation.
+  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess) &&
+      ResourceType::IsFrame(resource_type)) {
+    // TODO(irobert): This will break some WebUI page such as

[Charlie Reis, 2012/11/29 22:00:54]

nit: s/will break/currently breaks/

[irobert, 2012/12/01 00:02:48]

Done.

+    // "chrome://extensions/" (belongs to site chrome://chrome/) which
+    // will load an iframe for the page "chrome://uber-frame/"
+    // (belongs to site chrome://uber-frame/)

[Charlie Reis, 2012/11/29 22:00:54]

nit: End with period.

[irobert, 2012/12/01 00:02:48]

Done.

+    base::AutoLock lock(lock_);
+    SecurityStateMap::iterator state = security_state_.find(child_id);
+    if (state == security_state_.end())
+      return false;
+    return state->second->CanLoadPage(url);
+  }
+  return true;
+}
+
 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
     int child_id, const GURL& url) {
   if (!url.is_valid())
     return false;  // Can't request invalid URLs.
 
   if (IsDisabledScheme(url.scheme()))
     return false; // The scheme is disabled by policy.
 
   if (IsWebSafeScheme(url.scheme()))
     return true;  // The scheme has been white-listed for every child process.
@@ skipping 166 matching lines @@
     int permission) {
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return false;
   return state->second->HasPermissionsForFileSystem(filesystem_id, permission);
 }
 
 }  // namespace content