ServiceWorker: Implement navigate() method in WindowClient (chromium side).

content/browser/service_worker/service_worker_version.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/service_worker/service_worker_version.h"
 
 #include <map>
 #include <string>
 
 #include "base/command_line.h"
@@ skipping 159 matching lines @@
     ServiceWorkerStatusCode status) {
   callback.Run(status, false /* accept_connection */);
 }
 
 void RunErrorSendStashedPortsCallback(
     const ServiceWorkerVersion::SendStashedPortsCallback& callback,
     ServiceWorkerStatusCode status) {
   callback.Run(status, std::vector<int>());
 }
 
-using WindowOpenedCallback = base::Callback<void(int, int)>;
+using OpenURLCallback = base::Callback<void(int, int)>;
 
-// The WindowOpenedObserver class is a WebContentsObserver that will wait for a
-// new Window's WebContents to be initialized, run the |callback| passed to its
-// constructor then self destroy.
+// The OpenURLObserver class is a WebContentsObserver that will wait for a
+// WebContents to be initialized, run the |callback| passed to its constructor
+// then self destroy.
 // The callback will receive the process and frame ids. If something went wrong
 // those will be (kInvalidUniqueID, MSG_ROUTING_NONE).
 // The callback will be called in the IO thread.
-class WindowOpenedObserver : public WebContentsObserver {
+class OpenURLObserver : public WebContentsObserver {
  public:
-  WindowOpenedObserver(WebContents* web_contents,
-                       const WindowOpenedCallback& callback)
-    : WebContentsObserver(web_contents),
-      callback_(callback)
-  {}
+  OpenURLObserver(WebContents* web_contents, const OpenURLCallback& callback)
+      : WebContentsObserver(web_contents), callback_(callback) {}
 
   void DidCommitProvisionalLoadForFrame(
       RenderFrameHost* render_frame_host,
       const GURL& validated_url,
       ui::PageTransition transition_type) override {
     DCHECK(web_contents());
 
     if (render_frame_host != web_contents()->GetMainFrame())
       return;
 
@@ skipping 17 matching lines @@
     DCHECK(web_contents());
 
     BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
                             base::Bind(callback_,
                                        render_process_id,
                                        render_frame_id));
     Observe(nullptr);
     base::MessageLoop::current()->DeleteSoon(FROM_HERE, this);
   }
 
-  const WindowOpenedCallback callback_;
+  const OpenURLCallback callback_;
 
-  DISALLOW_COPY_AND_ASSIGN(WindowOpenedObserver);
+  DISALLOW_COPY_AND_ASSIGN(OpenURLObserver);
 };
 
-void DidOpenURL(const WindowOpenedCallback& callback,
-                WebContents* web_contents) {
+void DidOpenURL(const OpenURLCallback& callback, WebContents* web_contents) {
   DCHECK(web_contents);
 
-  new WindowOpenedObserver(web_contents, callback);
+  new OpenURLObserver(web_contents, callback);
+}
+
+void NavigateClientOnUI(const GURL& url,
+                        const GURL& script_url,
+                        int process_id,
+                        int frame_id,
+                        const OpenURLCallback& callback) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  RenderFrameHost* render_frame_host =
+      RenderFrameHost::FromID(process_id, frame_id);
+  WebContents* web_contents =
+      WebContents::FromRenderFrameHost(render_frame_host);
+
+  if (!render_frame_host || !web_contents) {
+    BrowserThread::PostTask(
+        BrowserThread::IO, FROM_HERE,
+        base::Bind(callback, ChildProcessHost::kInvalidUniqueID,
+                   MSG_ROUTING_NONE));
+    return;
+  }
+
+  OpenURLParams params(
+      url, Referrer::SanitizeForRequest(
+               url, Referrer(script_url, blink::WebReferrerPolicyDefault)),
+      CURRENT_TAB, ui::PAGE_TRANSITION_AUTO_TOPLEVEL,
+      true /* is_renderer_initiated */);
+  web_contents->OpenURL(params);
+  DidOpenURL(callback, web_contents);
 }
 
 void OpenWindowOnUI(
     const GURL& url,
     const GURL& script_url,
     int process_id,
     const scoped_refptr<ServiceWorkerContextWrapper>& context_wrapper,
-    const WindowOpenedCallback& callback) {
+    const OpenURLCallback& callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
 
   BrowserContext* browser_context = context_wrapper->storage_partition()
       ? context_wrapper->storage_partition()->browser_context()
       : nullptr;
   // We are shutting down.
   if (!browser_context)
     return;
 
   RenderProcessHost* render_process_host =
@@ skipping 948 matching lines @@
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_OpenWindow,
                         OnOpenWindow)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_SetCachedMetadata,
                         OnSetCachedMetadata)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_ClearCachedMetadata,
                         OnClearCachedMetadata)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_PostMessageToClient,
                         OnPostMessageToClient)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_FocusClient,
                         OnFocusClient)
+    IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_NavigateClient, OnNavigateClient)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_SkipWaiting,
                         OnSkipWaiting)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_ClaimClients,
                         OnClaimClients)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_Pong, OnPongFromWorker)
     IPC_MESSAGE_HANDLER(ServiceWorkerHostMsg_StashMessagePort,
                         OnStashMessagePort)
     IPC_MESSAGE_UNHANDLED(handled = false)
   IPC_END_MESSAGE_MAP()
   return handled;
@@ skipping 442 matching lines @@
   if (running_status() != RUNNING)
     return;
 
   ServiceWorkerClientInfo client_info(client);
   client_info.client_uuid = client_uuid;
 
   embedded_worker_->SendMessage(ServiceWorkerMsg_FocusClientResponse(
       request_id, client_info));
 }
 
+void ServiceWorkerVersion::OnNavigateClient(int request_id,
+                                            const std::string& client_uuid,
+                                            const GURL& url) {
+  if (!context_)
+    return;
+
+  TRACE_EVENT2("ServiceWorker", "ServiceWorkerVersion::OnNavigateClient",
+               "Request id", request_id, "Client id", client_uuid);
+
+  if (!url.is_valid()) {
+    DVLOG(1) << "Received unexpected invalid URL from renderer process.";
+    BrowserThread::PostTask(
+        BrowserThread::UI, FROM_HERE,
+        base::Bind(&KillEmbeddedWorkerProcess, embedded_worker_->process_id(),
+                   RESULT_CODE_KILLED_BAD_MESSAGE));
+    return;
+  }
+
+  // Reject requests for URLs that the process is not allowed to access. It's
+  // possible to receive such requests since the renderer-side checks are
+  // slightly different. For example, the view-source scheme will not be
+  // filtered out by Blink.
+  if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(
+          embedded_worker_->process_id(), url)) {
+    embedded_worker_->SendMessage(ServiceWorkerMsg_NavigateClientError(
+        request_id, url.spec() + " cannot navigate."));
+    return;
+  }
+
+  ServiceWorkerProviderHost* provider_host =
+      context_->GetProviderHostByClientID(client_uuid);
+  if (!provider_host || provider_host->active_version() != this) {
+    embedded_worker_->SendMessage(ServiceWorkerMsg_NavigateClientError(
+        request_id, url.spec() + " cannot navigate."));
+    return;
+  }
+
+  BrowserThread::PostTask(
+      BrowserThread::UI, FROM_HERE,
+      base::Bind(&NavigateClientOnUI, url, script_url_,
+                 provider_host->process_id(), provider_host->frame_id(),
+                 base::Bind(&ServiceWorkerVersion::DidNavigateClient,
+                            weak_factory_.GetWeakPtr(), request_id)));
+}
+
+void ServiceWorkerVersion::DidNavigateClient(int request_id,
+                                             int render_process_id,
+                                             int render_frame_id) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  if (running_status() != RUNNING)
+    return;
+
+  if (render_process_id == ChildProcessHost::kInvalidUniqueID &&
+      render_frame_id == MSG_ROUTING_NONE) {
+    embedded_worker_->SendMessage(ServiceWorkerMsg_NavigateClientError(
+        request_id, "Something went wrong while trying to navigate client."));
+    return;
+  }
+
+  for (auto it =
+           context_->GetClientProviderHostIterator(script_url_.GetOrigin());
+       !it->IsAtEnd(); it->Advance()) {
+    ServiceWorkerProviderHost* provider_host = it->GetProviderHost();
+    if (provider_host->process_id() != render_process_id ||
+        provider_host->frame_id() != render_frame_id) {
+      continue;
+    }
+    provider_host->GetWindowClientInfo(base::Bind(
+        &ServiceWorkerVersion::OnNavigateClientFinished,
+        weak_factory_.GetWeakPtr(), request_id, provider_host->client_uuid()));
+    return;
+  }
+
+  OnNavigateClientFinished(request_id, std::string(),
+                           ServiceWorkerClientInfo());
+}
+
+void ServiceWorkerVersion::OnNavigateClientFinished(
+    int request_id,
+    const std::string& client_uuid,
+    const ServiceWorkerClientInfo& client_info) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  if (running_status() != RUNNING)
+    return;
+
+  ServiceWorkerClientInfo client(client_info);
+
+  // If the |client_info| is empty, it means that the navigated client wasn't
+  // controlled but the action still succeeded. The renderer process is
+  // expecting an empty client in such case.
+  if (!client.IsEmpty())
+    client.client_uuid = client_uuid;

[palmer, 2015/07/15 17:07:54]

I think you should validate that the UUID has the lexical structure that you
expect of a UUID (e.g. exactly 32 hex digits, or whatever). This string has just
crossed upward over a privilege boundary, and so requires extra scrutiny.

[zino, 2015/07/16 14:06:52]

Thank you for review.

If you're saying that we have to check the validation of the strings in IPC
communication,

The client_uuid has been assigned newly from provider host (from not renderer).

So, I don't think we need to check here.

Please correct me if I'm wrong :)

[palmer, 2015/07/16 18:28:05]

It looks like the provider host gets the UUID directly from the renderer in
|OnNavigateClient|, without first checking that the UUID makes sense. (Line
1735.)

Recall that the UUID comes to |OnNavigateClient| from an untrustworthy renderer:

 281 // Ask the browser to navigate a client (renderer->browser).
 282 IPC_MESSAGE_ROUTED3(ServiceWorkerHostMsg_NavigateClient,
 283                     int /* request_id */,
 284                     std::string /* uuid */,
 285                     GURL /* url */)

[zino, 2015/07/17 11:26:11]

Yes, the uuid is passed from the renderer but it is used in only
|OnNavigateClient| in order to get provider host.
The GetProviderHostByClientID() uses internally map data structure to find it.
So, if the string is invalid then |provider_host| will be null, then browser
sends NavigateErorr message to renderer.
I think it is the same with validation check.
In this case, do we need to check additionally?

FYI, the client_uuid in |OnNavigateClientFinished| is different from the
client_uuid in |OnNavigateClient|.

[palmer, 2015/07/20 23:15:32]

Yes, for a few reasons.

1. It's best to fail as soon as possible.

2. It's best to fail for a reason that is maximally related to the underlying
problem. For example, this code is good:

 1715   if (!url.is_valid()) {
 1716     DVLOG(1) << "Received unexpected invalid URL from renderer process.";

3. It's easy to write a function to validate UUIDs.

4. We don't want to let untrustworthy processes (in this case, renderers) fill a
privileged processes' memory with arbitrary strings of arbitrary size, when all
we needed was a string with a very tight lexical definition.
Different how? Where did it come from? We should validate all UUIDs at each
point that they cross a privilege boundary. (Then, and only then, other areas of
the code can trust that the value is valid.)

[zino, 2015/07/23 05:56:17]

Done. I added the validation check to |OnNavigateClient|. (using
base::IsValidGUID function)

On 2015/07/20 23:15:32, palmer wrote:
There is a difference between client_uuid[1] in |OnNavigateClient| and
client_uuid[2] in |OnNavigateClientFinished|.

[1] The first uuid comes from renderer in order to find a provider host.
[2] The client_uuid is created by base::GenerateGUID() when creating
     provider host on browser process. It's always exists in browser side.
     Also the provider host and the uuid are created newly after navigating.
     I mean the uuid didn't come from renderer. (It comes from browser.)

+
+  embedded_worker_->SendMessage(
+      ServiceWorkerMsg_NavigateClientResponse(request_id, client));
+}
+
 void ServiceWorkerVersion::OnSkipWaiting(int request_id) {
   skip_waiting_ = true;
   if (status_ != INSTALLED)
     return DidSkipWaiting(request_id);
 
   if (!context_)
     return;
   ServiceWorkerRegistration* registration =
       context_->GetLiveRegistration(registration_id_);
   if (!registration)
@@ skipping 506 matching lines @@
 
   streaming_url_request_jobs_.clear();
 
   FOR_EACH_OBSERVER(Listener, listeners_, OnRunningStateChanged(this));
 
   if (should_restart)
     StartWorkerInternal();
 }
 
 }  // namespace content