Chromium Code Reviews Chromium Code Reviews
Issue 11416121:
Prevent cross-site pages when --site-per-process is passed (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: content/browser/renderer_host/resource_loader.cc |
| diff --git a/content/browser/renderer_host/resource_loader.cc b/content/browser/renderer_host/resource_loader.cc |
| index be893d7c97440ff2068932fe1b17f50374fdd48b..f3f2effd500a5f71fd02d2cede419d4555ba7098 100644 |
| --- a/content/browser/renderer_host/resource_loader.cc |
| +++ b/content/browser/renderer_host/resource_loader.cc |
| @@ -303,6 +303,29 @@ void ResourceLoader::OnResponseStarted(net::URLRequest* unused) { |
| VLOG(1) << "OnResponseStarted: " << request_->url().spec(); |
| + // We should allow the following case: |
| + // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html) |
| + // do the server-side redirect to page (b.com/svrRedirect.php) which |
| + // eventually redirect the iframe back to page (a.com/static.html). |
| + // Since server-side redirect does not load the page into the render |
| + // process, we are safe in this situation and should allow it. |
| + // |
| + // But we need to block the following case: |
| + // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html) |
| + // do the server-side redirect to page (b.com/clientRedirect.php) which |
| + // eventually redirect the iframe back to page (a.com/static.html). |
| + // Since client-side redirect DOES load the page into the render |
| + // process, we should block it. |
|
Charlie Reis
2012/12/05 02:02:58
This is a nice comment but it's kind of out of pla
irobert
2012/12/05 19:00:03
Done.
|
| + ResourceRequestInfoImpl* info = GetRequestInfo(); |
| + ChildProcessSecurityPolicyImpl* policy = |
| + ChildProcessSecurityPolicyImpl::GetInstance(); |
| + if (!policy->CanLoadPage(info->GetChildID(), |
| + request_->url(), |
| + info->GetResourceType())) { |
| + Cancel(); |
| + return; |
| + } |
| + |
| if (!request_->status().is_success()) { |
| ResponseCompleted(); |
| return; |
