
Side by Side Diff: content/browser/child_process_security_policy_impl.cc

Issue 1144253003: Remove --enable-strict-site-isolation (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Charlie's fixes Created 5 years, 6 months ago
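--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy_impl.h"
 
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
@@ -228,40 +228,20 @@
 bool CanAccessCookiesForOrigin(const GURL& gurl) {
 if (origin_lock_.is_empty())
 return true;
 // TODO(creis): We must pass the valid browser_context to convert hosted
 // apps URLs. Currently, hosted apps cannot set cookies in this mode.
 // See http://crbug.com/160576.
 GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
 return origin_lock_ == site_gurl;
 }
 
-bool CanSendCookiesForOrigin(const GURL& gurl) {
-// We only block cross-site cookies on network requests if the
-// --enable-strict-site-isolation flag is passed. This is expected to break
-// compatibility with many sites. The similar --site-per-process flag only
-// blocks JavaScript access to cross-site cookies (in
-// CanAccessCookiesForOrigin).
-const base::CommandLine& command_line =
-*base::CommandLine::ForCurrentProcess();
-if (!command_line.HasSwitch(switches::kEnableStrictSiteIsolation))
-return true;
-
-if (origin_lock_.is_empty())
-return true;
-// TODO(creis): We must pass the valid browser_context to convert hosted
-// apps URLs. Currently, hosted apps cannot set cookies in this mode.
-// See http://crbug.com/160576.
-GURL site_gurl = SiteInstanceImpl::GetSiteForURL(NULL, gurl);
-return origin_lock_ == site_gurl;
-}
-
 void LockToOrigin(const GURL& gurl) {
 origin_lock_ = gurl;
 }
 
 bool has_web_ui_bindings() const {
 return enabled_bindings_ & BINDINGS_POLICY_WEB_UI;
 }
 
 bool can_read_raw_cookies() const {
 return can_read_raw_cookies_;
@@ -815,40 +795,20 @@
 
 bool ChildProcessSecurityPolicyImpl::CanAccessCookiesForOrigin(
 int child_id, const GURL& gurl) {
 base::AutoLock lock(lock_);
 SecurityStateMap::iterator state = security_state_.find(child_id);
 if (state == security_state_.end())
 return false;
 return state->second->CanAccessCookiesForOrigin(gurl);
 }
 
-bool ChildProcessSecurityPolicyImpl::CanSendCookiesForOrigin(int child_id,
-const GURL& gurl) {
-for (PluginProcessHostIterator iter; !iter.Done(); ++iter) {
-if (iter.GetData().id == child_id) {
-if (iter.GetData().process_type == PROCESS_TYPE_PLUGIN) {
-// NPAPI plugin processes are unsandboxed and so are trusted. Plugins
-// can make request to any origin.
-return true;
-}
-break;
-}
-}
-
-base::AutoLock lock(lock_);
-SecurityStateMap::iterator state = security_state_.find(child_id);
-if (state == security_state_.end())
-return false;
-return state->second->CanSendCookiesForOrigin(gurl);
-}
-
 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id,
 const GURL& gurl) {
 // "gurl" can be currently empty in some cases, such as file://blah.
 DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl);
 base::AutoLock lock(lock_);
 SecurityStateMap::iterator state = security_state_.find(child_id);
 DCHECK(state != security_state_.end());
 state->second->LockToOrigin(gurl);
 }
 
@@ -887,10 +847,10 @@
 base::AutoLock lock(lock_);
 
 SecurityStateMap::iterator state = security_state_.find(child_id);
 if (state == security_state_.end())
 return false;
 
 return state->second->can_send_midi_sysex();
 }
 
 } // namespace content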