Prevent cross-site pages when --site-per-process is passed

content/browser/renderer_host/resource_loader.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/resource_loader.h"
 
 #include "base/message_loop.h"
 #include "base/time.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/renderer_host/doomed_resource_handler.h"
@@ skipping 193 matching lines @@
       !ChildProcessSecurityPolicyImpl::GetInstance()->
           CanRequestURL(info->GetChildID(), new_url)) {
     VLOG(1) << "Denied unauthorized request for "
             << new_url.possibly_invalid_spec();
 
     // Tell the renderer that this request was disallowed.
     Cancel();
     return;
   }
 
+  // This will block all of the Cross-site redirect for Sub_Frame.
+  // TODO(irobert): We should allow the following case:
+  // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html)
+  // do the server-side redirect to page (b.com/svrRedirect.php) which
+  // eventually redirect the iframe back to page (a.com/static.html).
+  // Since server-side redirect does not load the page into the render
+  // process, we are safe in this situation and should allow it.
+  //
+  // But we need to block the following case:
+  // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html)
+  // do the server-side redirect to page (b.com/clientRedirect.php) which
+  // eventually redirect the iframe back to page (a.com/static.html).
+  // Since client-side redirect DOES load the page into the render
+  // process, we should block it.

[Charlie Reis, 2012/11/29 22:00:54]

This comment is correct.  That makes me think we should not include this check
here.

We probably only need a single CanLoadPage check when the response starts, as
long as there's a way to cancel it there.  I've been alluding to
CrossSiteResourceHandler::OnResponseStarted, which is when we know a page will
be delivered to the renderer.  CrossSiteResourceHandlers are only created for
certain requests, though, so we'd probably want to put the check in someplace
that calls that.  I'd suggest setting a breakpoint there, doing a cross-process
navigation, and then looking at the call stack to find an appropriate place. 
Feel free to ask me in person if you get that stack in a debugger.

+  if (!ChildProcessSecurityPolicyImpl::GetInstance()->
+          CanLoadPage(info->GetChildID(), new_url,
+                      info->GetResourceType())) {
+    // Tell the renderer that this request was disallowed.
+    Cancel();
+    return;
+  }
+
   delegate_->DidReceiveRedirect(this, new_url);
 
   if (delegate_->HandleExternalProtocol(this, new_url)) {
     // The request is complete so we can remove it.
     CancelAndIgnore();
     return;
   }
 
   scoped_refptr<ResourceResponse> response(new ResourceResponse());
   PopulateResourceResponse(request_.get(), response);
@@ skipping 349 matching lines @@
     // we resume.
     deferred_stage_ = DEFERRED_FINISH;
   }
 }
 
 void ResourceLoader::CallDidFinishLoading() {
   delegate_->DidFinishLoading(this);
 }
 
 }  // namespace content