Prevent cross-site pages when --site-per-process is passed

content/browser/renderer_host/resource_dispatcher_host_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // See http://dev.chromium.org/developers/design-documents/multi-process-resource-loading
 
 #include "content/browser/renderer_host/resource_dispatcher_host_impl.h"
 
 #include <set>
 #include <vector>
@@ skipping 150 matching lines @@
   ChildProcessSecurityPolicyImpl* policy =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   // Check if the renderer is permitted to request the requested URL.
   if (!policy->CanRequestURL(child_id, request_data.url)) {
     VLOG(1) << "Denied unauthorized request for "
             << request_data.url.possibly_invalid_spec();
     return false;
   }
 
+  if (!policy->CanLoadPage(child_id, request_data.url,
+                           request_data.resource_type)) {
+    VLOG(1) << "Denied unauthorized request for "
+            << request_data.url.possibly_invalid_spec()
+            << "because --site-per-process flag is used.";
+    return false;
+  }

[Charlie Reis, 2012/11/29 22:00:54]

This looks good, but I wonder if it's the right place for it.  I'm guessing it
would prevent cross-site downloads?

+
   // Check if the renderer is permitted to upload the requested files.
   if (request_data.request_body) {
     const std::vector<ResourceRequestBody::Element>* uploads =
         request_data.request_body->elements();
     std::vector<ResourceRequestBody::Element>::const_iterator iter;
     for (iter = uploads->begin(); iter != uploads->end(); ++iter) {
       if (iter->type() == ResourceRequestBody::Element::TYPE_FILE &&
           !policy->CanReadFile(child_id, iter->path())) {
         NOTREACHED() << "Denied unauthorized upload of "
                      << iter->path().value();
@@ skipping 338 matching lines @@
     // validating the entry if present.
     if (request->get_upload() != NULL)
       extra_load_flags |= net::LOAD_ONLY_FROM_CACHE;
     else
       extra_load_flags |= net::LOAD_PREFERRING_CACHE;
   } else {
     extra_load_flags |= net::LOAD_DISABLE_CACHE;
   }
   request->set_load_flags(request->load_flags() | extra_load_flags);
   // Check if the renderer is permitted to request the requested URL.
+  // TODO(irobert): Should we call CanRequestPage for download request?

[irobert, 2012/11/28 22:50:41]

I think you have already answered this question. We should allow X-site
download.

[Charlie Reis, 2012/11/29 22:00:54]

Correct.  We only want to block cross-site pages from being delivered to the
renderer process.  Anything that happens in the mean time (server redirects,
downloads, etc) should be allowed.

   if (!ChildProcessSecurityPolicyImpl::GetInstance()->
           CanRequestURL(child_id, url)) {
     VLOG(1) << "Denied unauthorized download request for "
             << url.possibly_invalid_spec();
     return CallbackAndReturn(started_callback, net::ERR_ACCESS_DENIED);
   }
 
   request_id_--;
 
   const net::URLRequestContext* request_context = context->GetRequestContext();
@@ skipping 1181 matching lines @@
 
   return i->second.get();
 }
 
 ResourceLoader* ResourceDispatcherHostImpl::GetLoader(int child_id,
                                                       int request_id) const {
   return GetLoader(GlobalRequestID(child_id, request_id));
 }
 
 }  // namespace content