Cache Storage: restrict access to secure origins (Chromium-side)

content/browser/cache_storage/cache_storage_dispatcher_host.cc

Index: content/browser/cache_storage/cache_storage_dispatcher_host.cc
diff --git a/content/browser/cache_storage/cache_storage_dispatcher_host.cc b/content/browser/cache_storage/cache_storage_dispatcher_host.cc
index 77bc33fb397095bbc62860e3de875de931f57cb4..84f28c896bd1b112416c9187092a061fd43f67fa 100644
--- a/content/browser/cache_storage/cache_storage_dispatcher_host.cc
+++ b/content/browser/cache_storage/cache_storage_dispatcher_host.cc
@@ -15,6 +15,7 @@
 #include "content/browser/cache_storage/cache_storage_manager.h"
 #include "content/common/cache_storage/cache_storage_messages.h"
 #include "content/public/browser/content_browser_client.h"
+#include "content/public/common/origin_util.h"
 #include "storage/browser/blob/blob_data_handle.h"
 #include "third_party/WebKit/public/platform/WebServiceWorkerCacheError.h"
 
@@ -43,6 +44,10 @@ blink::WebServiceWorkerCacheError ToWebServiceWorkerCacheError(
   return blink::WebServiceWorkerCacheErrorNotImplemented;
 }
 
+bool OriginCanAccessCacheStorage(const GURL& url) {
+  return IsOriginSecure(url);

[jsbell, 2015/06/19 20:29:12]

The Blink side uses:

ExecutionContext::isPrivilegedContext()

... which (per
https://w3c.github.io/webappsec/specs/powerfulfeatures/#settings-secure) lets
through things like localhost, "file", and things like the New Tab Page - a
broader net than what's allowed here. This results in checks that pass on the
Blink side but fail here, causing the renderer to be terminated.

Is there a better check to use here, or do we need to restrict the Blink side
with documentOrigin->isSecure() as well? If so... are we overly restrictive
relative to the spec?

[palmer, 2015/06/26 20:57:29]

IsOriginSecure should/does also allow localhost, file, and so on.

 40 bool IsOriginSecure(const GURL& url) {
 41   if (url.SchemeIsCryptographic() || url.SchemeIsFile())
 42     return true;
 43 
 44   if (url.SchemeIsFileSystem() && url.inner_url() &&
 45       IsOriginSecure(*url.inner_url())) {
 46     return true;
 47   }
 48 
 49   std::string hostname = url.HostNoBrackets();
 50   if (net::IsLocalhost(hostname))
 51     return true;
 52 
 53   if (ContainsKey(g_trustworthy_whitelist.Get().schemes(), url.scheme()))
 54     return true;
 55 
 56   if (ContainsKey(g_trustworthy_whitelist.Get().origins(), url.GetOrigin()))
 57     return true;
 58 
 59   return false;
 60 }

And see also its unit test.

In any case, the Blink-side check is kind of like doing input validation in the
client-side JavaScript: a performance optimization, possibly a usability aid,
but not a security boundary. The security boundary is here, and I think it's
correct.

+}
+
 }  // namespace
 
 CacheStorageDispatcherHost::CacheStorageDispatcherHost()
@@ -104,6 +109,10 @@ void CacheStorageDispatcherHost::OnCacheStorageHas(
     const GURL& origin,
     const base::string16& cache_name) {
   TRACE_EVENT0("CacheStorage", "CacheStorageDispatcherHost::OnCacheStorageHas");
+  if (!OriginCanAccessCacheStorage(origin)) {
+    bad_message::ReceivedBadMessage(this, bad_message::CSDH_INVALID_ORIGIN);
+    return;
+  }
   context_->cache_manager()->HasCache(
       origin, base::UTF16ToUTF8(cache_name),
       base::Bind(&CacheStorageDispatcherHost::OnCacheStorageHasCallback, this,
@@ -117,6 +126,10 @@ void CacheStorageDispatcherHost::OnCacheStorageOpen(
     const base::string16& cache_name) {
   TRACE_EVENT0("CacheStorage",
                "CacheStorageDispatcherHost::OnCacheStorageOpen");
+  if (!OriginCanAccessCacheStorage(origin)) {
+    bad_message::ReceivedBadMessage(this, bad_message::CSDH_INVALID_ORIGIN);
+    return;
+  }
   context_->cache_manager()->OpenCache(
       origin, base::UTF16ToUTF8(cache_name),
       base::Bind(&CacheStorageDispatcherHost::OnCacheStorageOpenCallback, this,
@@ -130,6 +143,10 @@ void CacheStorageDispatcherHost::OnCacheStorageDelete(
     const base::string16& cache_name) {
   TRACE_EVENT0("CacheStorage",
                "CacheStorageDispatcherHost::OnCacheStorageDelete");
+  if (!OriginCanAccessCacheStorage(origin)) {
+    bad_message::ReceivedBadMessage(this, bad_message::CSDH_INVALID_ORIGIN);
+    return;
+  }
   context_->cache_manager()->DeleteCache(
       origin, base::UTF16ToUTF8(cache_name),
       base::Bind(&CacheStorageDispatcherHost::OnCacheStorageDeleteCallback,
@@ -141,6 +158,10 @@ void CacheStorageDispatcherHost::OnCacheStorageKeys(int thread_id,
                                                     const GURL& origin) {
   TRACE_EVENT0("CacheStorage",
                "CacheStorageDispatcherHost::OnCacheStorageKeys");
+  if (!OriginCanAccessCacheStorage(origin)) {
+    bad_message::ReceivedBadMessage(this, bad_message::CSDH_INVALID_ORIGIN);
+    return;
+  }
   context_->cache_manager()->EnumerateCaches(
       origin,
       base::Bind(&CacheStorageDispatcherHost::OnCacheStorageKeysCallback, this,
@@ -155,7 +176,10 @@ void CacheStorageDispatcherHost::OnCacheStorageMatch(
     const CacheStorageCacheQueryParams& match_params) {
   TRACE_EVENT0("CacheStorage",
                "CacheStorageDispatcherHost::OnCacheStorageMatch");
-
+  if (!OriginCanAccessCacheStorage(origin)) {
+    bad_message::ReceivedBadMessage(this, bad_message::CSDH_INVALID_ORIGIN);
+    return;
+  }
   scoped_ptr<ServiceWorkerFetchRequest> scoped_request(
       new ServiceWorkerFetchRequest(request.url, request.method,
                                     request.headers, request.referrer,