Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(105)

Unified Diff: content/browser/renderer_host/resource_dispatcher_host_impl.cc

Issue 11416121: Prevent cross-site pages when --site-per-process is passed (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fix Iframe Redirect Flaw Created 8 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: content/browser/renderer_host/resource_dispatcher_host_impl.cc
diff --git a/content/browser/renderer_host/resource_dispatcher_host_impl.cc b/content/browser/renderer_host/resource_dispatcher_host_impl.cc
index 111edc5a9fdabf7eed215daf838f2d97c91f399b..cb224bd12fa7e21fa6be90249f4fac6f94077070 100644
--- a/content/browser/renderer_host/resource_dispatcher_host_impl.cc
+++ b/content/browser/renderer_host/resource_dispatcher_host_impl.cc
@@ -168,6 +168,14 @@ bool ShouldServiceRequest(ProcessType process_type,
return false;
}
+ if (!policy->CanLoadPage(child_id, request_data.url,
+ request_data.resource_type)) {
+ VLOG(1) << "Denied unauthorized request for "
+ << request_data.url.possibly_invalid_spec()
+ << "because --site-per-process flag is used.";
+ return false;
+ }
Charlie Reis 2012/11/29 22:00:54 This looks good, but I wonder if it's the right pl
+
// Check if the renderer is permitted to upload the requested files.
if (request_data.request_body) {
const std::vector<ResourceRequestBody::Element>* uploads =
@@ -526,6 +534,7 @@ net::Error ResourceDispatcherHostImpl::BeginDownload(
}
request->set_load_flags(request->load_flags() | extra_load_flags);
// Check if the renderer is permitted to request the requested URL.
+ // TODO(irobert): Should we call CanRequestPage for download request?
irobert 2012/11/28 22:50:41 I think you have already answered this question. W
Charlie Reis 2012/11/29 22:00:54 Correct. We only want to block cross-site pages f
if (!ChildProcessSecurityPolicyImpl::GetInstance()->
CanRequestURL(child_id, url)) {
VLOG(1) << "Denied unauthorized download request for "

Powered by Google App Engine
This is Rietveld 408576698