[Patch 3 of 6] Split out content/child's SiteIsolationPolicy into two new classes.

content/child/site_isolation_policy.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/site_isolation_policy.h"
 
 #include "base/basictypes.h"
 #include "base/command_line.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/strings/string_util.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/resource_response_info.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/http/http_response_headers.h"
 
 using base::StringPiece;
 
 namespace content {
 
 namespace {
 
-// The cross-site document blocking/UMA data collection is deactivated by
-// default, and only activated in renderer processes.
-static bool g_policy_enabled = false;
+// The gathering of UMA stats for site isolation is deactivated by default, and
+// only activated in renderer processes.
+static bool g_stats_gathering_enabled = false;
 
 // MIME types
 const char kTextHtml[] = "text/html";
 const char kTextXml[] = "text/xml";
 const char xAppRssXml[] = "application/rss+xml";
 const char kAppXml[] = "application/xml";
 const char kAppJson[] = "application/json";
 const char kTextJson[] = "text/json";
 const char kTextXjson[] = "text/x-json";
 const char kTextPlain[] = "text/plain";
@@ skipping 87 matching lines @@
   IncrementHistogramCount(bucket_prefix + ".NotBlocked");
   if (sniffed_as_js)
     IncrementHistogramCount(bucket_prefix + ".NotBlocked.MaybeJS");
 }
 
 }  // namespace
 
 SiteIsolationResponseMetaData::SiteIsolationResponseMetaData() {
 }
 
-void SiteIsolationPolicy::SetPolicyEnabled(bool enabled) {
-  g_policy_enabled = enabled;
+void SiteIsolationStatsGatherer::SetEnabled(bool enabled) {
+  g_stats_gathering_enabled = enabled;
 }
 
 linked_ptr<SiteIsolationResponseMetaData>
-SiteIsolationPolicy::OnReceivedResponse(const GURL& frame_origin,
-                                        const GURL& response_url,
-                                        ResourceType resource_type,
-                                        int origin_pid,
-                                        const ResourceResponseInfo& info) {
-  if (!g_policy_enabled)
+SiteIsolationStatsGatherer::OnReceivedResponse(
+    const GURL& frame_origin,
+    const GURL& response_url,
+    ResourceType resource_type,
+    int origin_pid,
+    const ResourceResponseInfo& info) {
+  if (!g_stats_gathering_enabled)
     return linked_ptr<SiteIsolationResponseMetaData>();
 
   // if |origin_pid| is non-zero, it means that this response is for a plugin
   // spawned from this renderer process. We exclude responses for plugins for
   // now, but eventually, we're going to make plugin processes directly talk to
   // the browser process so that we don't apply cross-site document blocking to
   // them.
   if (origin_pid)
     return linked_ptr<SiteIsolationResponseMetaData>();
 
   UMA_HISTOGRAM_COUNTS("SiteIsolation.AllResponses", 1);
 
   // See if this is for navigation. If it is, don't block it, under the
   // assumption that we will put it in an appropriate process.
   if (IsResourceTypeFrame(resource_type))
     return linked_ptr<SiteIsolationResponseMetaData>();
 
-  if (!IsBlockableScheme(response_url))
+  if (!CrossSiteDocumentClassifier::IsBlockableScheme(response_url))
     return linked_ptr<SiteIsolationResponseMetaData>();
 
-  if (IsSameSite(frame_origin, response_url))
+  if (CrossSiteDocumentClassifier::IsSameSite(frame_origin, response_url))
     return linked_ptr<SiteIsolationResponseMetaData>();
 
   SiteIsolationResponseMetaData::CanonicalMimeType canonical_mime_type =
-      GetCanonicalMimeType(info.mime_type);
+      CrossSiteDocumentClassifier::GetCanonicalMimeType(info.mime_type);
 
   if (canonical_mime_type == SiteIsolationResponseMetaData::Others)
     return linked_ptr<SiteIsolationResponseMetaData>();
 
   // Every CORS request should have the Access-Control-Allow-Origin header even
   // if it is preceded by a pre-flight request. Therefore, if this is a CORS
   // request, it has this header.  response.httpHeaderField() internally uses
   // case-insensitive matching for the header name.
   std::string access_control_origin;
 
   // We can use a case-insensitive header name for EnumerateHeader().
   info.headers->EnumerateHeader(NULL, "access-control-allow-origin",
                                 &access_control_origin);
-  if (IsValidCorsHeaderSet(frame_origin, response_url, access_control_origin))
+  if (CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
+          frame_origin, response_url, access_control_origin))
     return linked_ptr<SiteIsolationResponseMetaData>();
 
   // Real XSD data collection starts from here.
   std::string no_sniff;
   info.headers->EnumerateHeader(NULL, "x-content-type-options", &no_sniff);
 
   linked_ptr<SiteIsolationResponseMetaData> resp_data(
       new SiteIsolationResponseMetaData);
   resp_data->frame_origin = frame_origin.spec();
   resp_data->response_url = response_url;
   resp_data->resource_type = resource_type;
   resp_data->canonical_mime_type = canonical_mime_type;
   resp_data->http_status_code = info.headers->response_code();
   resp_data->no_sniff = LowerCaseEqualsASCII(no_sniff, "nosniff");
 
   return resp_data;
 }
 
-bool SiteIsolationPolicy::OnReceivedFirstChunk(
+bool SiteIsolationStatsGatherer::OnReceivedFirstChunk(
     const linked_ptr<SiteIsolationResponseMetaData>& resp_data,
     const char* raw_data,
     int raw_length) {
-  if (!g_policy_enabled)
+  if (!g_stats_gathering_enabled)
     return false;
 
   DCHECK(resp_data.get());
 
   StringPiece data(raw_data, raw_length);
 
   // Record the length of the first received chunk of data to see if it's enough
   // for sniffing.
   UMA_HISTOGRAM_COUNTS("SiteIsolation.XSD.DataLength", raw_length);
 
   // Record the number of cross-site document responses with a specific mime
   // type (text/html, text/xml, etc).
   UMA_HISTOGRAM_ENUMERATION(
       "SiteIsolation.XSD.MimeType", resp_data->canonical_mime_type,
       SiteIsolationResponseMetaData::MaxCanonicalMimeType);
 
   // Store the result of cross-site document blocking analysis.
   bool would_block = false;
   bool sniffed_as_js = SniffForJS(data);
 
   // Record the number of responses whose content is sniffed for what its mime
   // type claims it to be. For example, we apply a HTML sniffer for a document
   // tagged with text/html here. Whenever this check becomes true, we'll block
   // the response.
   if (resp_data->canonical_mime_type != SiteIsolationResponseMetaData::Plain) {
     std::string bucket_prefix;
     bool sniffed_as_target_document = false;
     if (resp_data->canonical_mime_type == SiteIsolationResponseMetaData::HTML) {
       bucket_prefix = "SiteIsolation.XSD.HTML";
-      sniffed_as_target_document = SniffForHTML(data);
+      sniffed_as_target_document =
+          CrossSiteDocumentClassifier::SniffForHTML(data);
     } else if (resp_data->canonical_mime_type ==
                SiteIsolationResponseMetaData::XML) {
       bucket_prefix = "SiteIsolation.XSD.XML";
-      sniffed_as_target_document = SniffForXML(data);
+      sniffed_as_target_document =
+          CrossSiteDocumentClassifier::SniffForXML(data);
     } else if (resp_data->canonical_mime_type ==
                SiteIsolationResponseMetaData::JSON) {
       bucket_prefix = "SiteIsolation.XSD.JSON";
-      sniffed_as_target_document = SniffForJSON(data);
+      sniffed_as_target_document =
+          CrossSiteDocumentClassifier::SniffForJSON(data);
     } else {
       NOTREACHED() << "Not a blockable mime type: "
                    << resp_data->canonical_mime_type;
     }
 
     if (sniffed_as_target_document) {
       would_block = true;
       HistogramCountBlockedResponse(bucket_prefix, resp_data, false);
     } else {
       if (resp_data->no_sniff) {
         would_block = true;
         HistogramCountBlockedResponse(bucket_prefix, resp_data, true);
       } else {
         HistogramCountNotBlockedResponse(bucket_prefix, sniffed_as_js);
       }
     }
   } else {
     // This block is for plain text documents. We apply our HTML, XML,
     // and JSON sniffer to a text document in the order, and block it
     // if any of them succeeds in sniffing.
     std::string bucket_prefix;
-    if (SniffForHTML(data))
+    if (CrossSiteDocumentClassifier::SniffForHTML(data))
       bucket_prefix = "SiteIsolation.XSD.Plain.HTML";
-    else if (SniffForXML(data))
+    else if (CrossSiteDocumentClassifier::SniffForXML(data))
       bucket_prefix = "SiteIsolation.XSD.Plain.XML";
-    else if (SniffForJSON(data))
+    else if (CrossSiteDocumentClassifier::SniffForJSON(data))
       bucket_prefix = "SiteIsolation.XSD.Plain.JSON";
 
     if (bucket_prefix.size() > 0) {
       would_block = true;
       HistogramCountBlockedResponse(bucket_prefix, resp_data, false);
     } else if (resp_data->no_sniff) {
       would_block = true;
       HistogramCountBlockedResponse("SiteIsolation.XSD.Plain", resp_data, true);
     } else {
       HistogramCountNotBlockedResponse("SiteIsolation.XSD.Plain",
                                        sniffed_as_js);
     }
   }
 
   return would_block;
 }
 
 SiteIsolationResponseMetaData::CanonicalMimeType
-SiteIsolationPolicy::GetCanonicalMimeType(const std::string& mime_type) {
+CrossSiteDocumentClassifier::GetCanonicalMimeType(
+    const std::string& mime_type) {
   if (LowerCaseEqualsASCII(mime_type, kTextHtml)) {
     return SiteIsolationResponseMetaData::HTML;
   }
 
   if (LowerCaseEqualsASCII(mime_type, kTextPlain)) {
     return SiteIsolationResponseMetaData::Plain;
   }
 
   if (LowerCaseEqualsASCII(mime_type, kAppJson) ||
       LowerCaseEqualsASCII(mime_type, kTextJson) ||
       LowerCaseEqualsASCII(mime_type, kTextXjson)) {
     return SiteIsolationResponseMetaData::JSON;
   }
 
   if (LowerCaseEqualsASCII(mime_type, kTextXml) ||
       LowerCaseEqualsASCII(mime_type, xAppRssXml) ||
       LowerCaseEqualsASCII(mime_type, kAppXml)) {
     return SiteIsolationResponseMetaData::XML;
   }
 
   return SiteIsolationResponseMetaData::Others;
 }
 
-bool SiteIsolationPolicy::IsBlockableScheme(const GURL& url) {
+bool CrossSiteDocumentClassifier::IsBlockableScheme(const GURL& url) {
   // We exclude ftp:// from here. FTP doesn't provide a Content-Type
   // header which our policy depends on, so we cannot protect any
   // document from FTP servers.
   return url.SchemeIs(url::kHttpScheme) || url.SchemeIs(url::kHttpsScheme);
 }
 
-bool SiteIsolationPolicy::IsSameSite(const GURL& frame_origin,
-                                     const GURL& response_url) {
+bool CrossSiteDocumentClassifier::IsSameSite(const GURL& frame_origin,
+                                             const GURL& response_url) {
   if (!frame_origin.is_valid() || !response_url.is_valid())
     return false;
 
   if (frame_origin.scheme() != response_url.scheme())
     return false;
 
   // SameDomainOrHost() extracts the effective domains (public suffix plus one)
   // from the two URLs and compare them.
   return net::registry_controlled_domains::SameDomainOrHost(
       frame_origin, response_url,
       net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
 }
 
 // We don't use Webkit's existing CORS policy implementation since
 // their policy works in terms of origins, not sites. For example,
 // when frame is sub.a.com and it is not allowed to access a document
 // with sub1.a.com. But under Site Isolation, it's allowed.
-bool SiteIsolationPolicy::IsValidCorsHeaderSet(
+bool CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
     const GURL& frame_origin,
     const GURL& website_origin,
     const std::string& access_control_origin) {
   // Many websites are sending back "\"*\"" instead of "*". This is
   // non-standard practice, and not supported by Chrome. Refer to
   // CrossOriginAccessControl::passesAccessControlCheck().
 
   // TODO(dsjang): * is not allowed for the response from a request
   // with cookies. This allows for more than what the renderer will
   // eventually be able to receive, so we won't see illegal cross-site
   // documents allowed by this. We have to find a way to see if this
   // response is from a cookie-tagged request or not in the future.
   if (access_control_origin == "*")
     return true;
 
   // TODO(dsjang): The CORS spec only treats a fully specified URL, except for
   // "*", but many websites are using just a domain for access_control_origin,
   // and this is blocked by Webkit's CORS logic here :
   // CrossOriginAccessControl::passesAccessControlCheck(). GURL is set
   // is_valid() to false when it is created from a URL containing * in the
   // domain part.
 
   GURL cors_origin(access_control_origin);
   return IsSameSite(frame_origin, cors_origin);
 }
 
 // This function is a slight modification of |net::SniffForHTML|.
-bool SiteIsolationPolicy::SniffForHTML(StringPiece data) {
+bool CrossSiteDocumentClassifier::SniffForHTML(StringPiece data) {
   // The content sniffer used by Chrome and Firefox are using "<!--"
   // as one of the HTML signatures, but it also appears in valid
   // JavaScript, considered as well-formed JS by the browser.  Since
   // we do not want to block any JS, we exclude it from our HTML
   // signatures. This can weaken our document block policy, but we can
   // break less websites.
   // TODO(dsjang): parameterize |net::SniffForHTML| with an option
   // that decides whether to include <!-- or not, so that we can
   // remove this function.
-  // TODO(dsjang): Once SiteIsolationPolicy is moved into the browser
+  // TODO(dsjang): Once CrossSiteDocumentClassifier is moved into the browser
   // process, we should do single-thread checking here for the static
   // initializer.
   static const StringPiece kHtmlSignatures[] = {
       StringPiece("<!DOCTYPE html"),  // HTML5 spec
       StringPiece("<script"),         // HTML5 spec, Mozilla
       StringPiece("<html"),           // HTML5 spec, Mozilla
       StringPiece("<head"),           // HTML5 spec, Mozilla
       StringPiece("<iframe"),         // Mozilla
       StringPiece("<h1"),             // Mozilla
       StringPiece("<div"),            // Mozilla
@@ skipping 25 matching lines @@
     if (offset == base::StringPiece::npos)
       break;
 
     // Proceed to the index next to the ending comment (-->).
     data.remove_prefix(offset + strlen(kEndComment));
   }
 
   return false;
 }
 
-bool SiteIsolationPolicy::SniffForXML(base::StringPiece data) {
+bool CrossSiteDocumentClassifier::SniffForXML(base::StringPiece data) {
   // TODO(dsjang): Chrome's mime_sniffer is using strncasecmp() for
   // this signature. However, XML is case-sensitive. Don't we have to
   // be more lenient only to block documents starting with the exact
   // string <?xml rather than <?XML ?
-  // TODO(dsjang): Once SiteIsolationPolicy is moved into the browser
+  // TODO(dsjang): Once CrossSiteDocumentClassifier is moved into the browser
   // process, we should do single-thread checking here for the static
   // initializer.
   static const StringPiece kXmlSignatures[] = {StringPiece("<?xml")};
   return MatchesSignature(data, kXmlSignatures, arraysize(kXmlSignatures));
 }
 
-bool SiteIsolationPolicy::SniffForJSON(base::StringPiece data) {
+bool CrossSiteDocumentClassifier::SniffForJSON(base::StringPiece data) {
   // TODO(dsjang): We have to come up with a better way to sniff
   // JSON. However, even RE cannot help us that much due to the fact
   // that we don't do full parsing.  This DFA starts with state 0, and
   // finds {, "/' and : in that order. We're avoiding adding a
   // dependency on a regular expression library.
   enum {
     kStartState,
     kLeftBraceState,
     kLeftQuoteState,
     kColonState,
@@ skipping 25 matching lines @@
         break;
       case kColonState:
       case kTerminalState:
         NOTREACHED();
         break;
     }
   }
   return state == kColonState;
 }
 
-bool SiteIsolationPolicy::SniffForJS(StringPiece data) {
-  // TODO(dsjang): This is a real hack. The only purpose of this function is to
-  // try to see if there's any possibility that this data can be JavaScript
-  // (superset of JS). This function will be removed once UMA stats are
-  // gathered.
-
-  // Search for "var " for JS detection.
+bool SiteIsolationStatsGatherer::SniffForJS(StringPiece data) {
+  // The purpose of this function is to try to see if there's any possibility
+  // that this data can be JavaScript (superset of JS). Search for "var " for JS
+  // detection. This is a real hack and should only be used for stats gathering.

[alexmos, 2015/06/11 20:17:47]

Wow, real hack indeed!

   return data.find("var ") != base::StringPiece::npos;
 }
 
 }  // namespace content