Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(293)

Side by Side Diff: content/browser/child_process_security_policy_impl.cc

Issue 11416121: Prevent cross-site pages when --site-per-process is passed (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix Redirect Bug and Tests Created 8 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/browser/child_process_security_policy_impl.h" 5 #include "content/browser/child_process_security_policy_impl.h"
6 6
7 #include "base/command_line.h" 7 #include "base/command_line.h"
8 #include "base/file_path.h" 8 #include "base/file_path.h"
9 #include "base/logging.h" 9 #include "base/logging.h"
10 #include "base/metrics/histogram.h" 10 #include "base/metrics/histogram.h"
(...skipping 149 matching lines...) Expand 10 before | Expand all | Expand 10 after
160 if (file_permissions_.find(current_path) != file_permissions_.end()) 160 if (file_permissions_.find(current_path) != file_permissions_.end())
161 return (file_permissions_[current_path] & permissions) == permissions; 161 return (file_permissions_[current_path] & permissions) == permissions;
162 } 162 }
163 last_path = current_path; 163 last_path = current_path;
164 current_path = current_path.DirName(); 164 current_path = current_path.DirName();
165 } 165 }
166 166
167 return false; 167 return false;
168 } 168 }
169 169
170 bool CanLoadPage(const GURL& gurl){
171 if (origin_lock_.is_empty())
172 return true;
173 // TODO(creis): We must pass the valid browser_context to convert hosted
174 // apps URLs. Currently, hosted apps cannot be loaded in this mode.
175 // See http://crbug.com/160576.
176 GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
177 return origin_lock_ == site_gurl;
178 }
179
170 bool CanAccessCookiesForOrigin(const GURL& gurl) { 180 bool CanAccessCookiesForOrigin(const GURL& gurl) {
171 if (origin_lock_.is_empty()) 181 if (origin_lock_.is_empty())
172 return true; 182 return true;
173 // TODO(creis): We must pass the valid browser_context to convert hosted 183 // TODO(creis): We must pass the valid browser_context to convert hosted
174 // apps URLs. Currently, hosted apps cannot set cookies in this mode. 184 // apps URLs. Currently, hosted apps cannot set cookies in this mode.
175 // See http://crbug.com/160576. 185 // See http://crbug.com/160576.
176 GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl); 186 GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
177 return origin_lock_ == site_gurl; 187 return origin_lock_ == site_gurl;
178 } 188 }
179 189
(...skipping 300 matching lines...) Expand 10 before | Expand all | Expand 10 after
480 void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) { 490 void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) {
481 base::AutoLock lock(lock_); 491 base::AutoLock lock(lock_);
482 492
483 SecurityStateMap::iterator state = security_state_.find(child_id); 493 SecurityStateMap::iterator state = security_state_.find(child_id);
484 if (state == security_state_.end()) 494 if (state == security_state_.end())
485 return; 495 return;
486 496
487 state->second->RevokeReadRawCookies(); 497 state->second->RevokeReadRawCookies();
488 } 498 }
489 499
500 bool ChildProcessSecurityPolicyImpl::CanLoadPage(
501 int child_id,
502 const GURL& url,
503 ResourceType::Type resource_type) {
504 // If --site-per-process flag is passed, we should enforce
505 // stronger security restrictions on page navigation.
506 if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess) &&
507 ResourceType::IsFrame(resource_type)) {
508 // TODO(irobert): This currently breaks some WebUI page such as
509 // "chrome://extensions/" (belongs to site chrome://chrome/) which
510 // will load an iframe for the page "chrome://uber-frame/"
511 // (belongs to site chrome://uber-frame/).
512 base::AutoLock lock(lock_);
513 SecurityStateMap::iterator state = security_state_.find(child_id);
514 if (state == security_state_.end())
515 return false;
516 return state->second->CanLoadPage(url);
517 }
518 return true;
519 }
520
490 bool ChildProcessSecurityPolicyImpl::CanRequestURL( 521 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
491 int child_id, const GURL& url) { 522 int child_id, const GURL& url) {
492 if (!url.is_valid()) 523 if (!url.is_valid())
493 return false; // Can't request invalid URLs. 524 return false; // Can't request invalid URLs.
494 525
495 if (IsDisabledScheme(url.scheme())) 526 if (IsDisabledScheme(url.scheme()))
496 return false; // The scheme is disabled by policy. 527 return false; // The scheme is disabled by policy.
497 528
498 if (IsWebSafeScheme(url.scheme())) 529 if (IsWebSafeScheme(url.scheme()))
499 return true; // The scheme has been white-listed for every child process. 530 return true; // The scheme has been white-listed for every child process.
(...skipping 166 matching lines...) Expand 10 before | Expand all | Expand 10 after
666 int permission) { 697 int permission) {
667 base::AutoLock lock(lock_); 698 base::AutoLock lock(lock_);
668 699
669 SecurityStateMap::iterator state = security_state_.find(child_id); 700 SecurityStateMap::iterator state = security_state_.find(child_id);
670 if (state == security_state_.end()) 701 if (state == security_state_.end())
671 return false; 702 return false;
672 return state->second->HasPermissionsForFileSystem(filesystem_id, permission); 703 return state->second->HasPermissionsForFileSystem(filesystem_id, permission);
673 } 704 }
674 705
675 } // namespace content 706 } // namespace content
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698