Side by Side Diff: content/browser/web_contents/render_view_host_manager.cc

Issue 12086109: Prevent bindings escalation on an existing NavigationEntry. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 7 years, 10 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/browser/web_contents/render_view_host_manager.h" 5 #include "content/browser/web_contents/render_view_host_manager.h"
6 6
7 #include <utility> 7 #include <utility>
8 8
9 #include "base/command_line.h" 9 #include "base/command_line.h"
10 #include "base/logging.h" 10 #include "base/logging.h"
11 #include "content/browser/devtools/render_view_devtools_agent_host.h" 11 #include "content/browser/devtools/render_view_devtools_agent_host.h"
12 #include "content/browser/renderer_host/render_process_host_impl.h" 12 #include "content/browser/renderer_host/render_process_host_impl.h"
13 #include "content/browser/renderer_host/render_view_host_factory.h" 13 #include "content/browser/renderer_host/render_view_host_factory.h"
14 #include "content/browser/renderer_host/render_view_host_impl.h" 14 #include "content/browser/renderer_host/render_view_host_impl.h"
15 #include "content/browser/site_instance_impl.h" 15 #include "content/browser/site_instance_impl.h"
16 #include "content/browser/web_contents/interstitial_page_impl.h" 16 #include "content/browser/web_contents/interstitial_page_impl.h"
17 #include "content/browser/web_contents/navigation_controller_impl.h" 17 #include "content/browser/web_contents/navigation_controller_impl.h"
18 #include "content/browser/web_contents/navigation_entry_impl.h" 18 #include "content/browser/web_contents/navigation_entry_impl.h"
19 #include "content/browser/webui/web_ui_impl.h" 19 #include "content/browser/webui/web_ui_impl.h"
20 #include "content/common/view_messages.h" 20 #include "content/common/view_messages.h"
21 #include "content/port/browser/render_widget_host_view_port.h" 21 #include "content/port/browser/render_widget_host_view_port.h"
22 #include "content/public/browser/content_browser_client.h" 22 #include "content/public/browser/content_browser_client.h"
23 #include "content/public/browser/notification_service.h" 23 #include "content/public/browser/notification_service.h"
24 #include "content/public/browser/notification_types.h" 24 #include "content/public/browser/notification_types.h"
25 #include "content/public/browser/user_metrics.h"
25 #include "content/public/browser/web_contents_view.h" 26 #include "content/public/browser/web_contents_view.h"
26 #include "content/public/browser/web_ui_controller.h" 27 #include "content/public/browser/web_ui_controller.h"
27 #include "content/public/browser/web_ui_controller_factory.h" 28 #include "content/public/browser/web_ui_controller_factory.h"
28 #include "content/public/common/content_switches.h" 29 #include "content/public/common/content_switches.h"
29 #include "content/public/common/url_constants.h" 30 #include "content/public/common/url_constants.h"
30 31
31 namespace content { 32 namespace content {
32 33
33 RenderViewHostManager::RenderViewHostManager( 34 RenderViewHostManager::RenderViewHostManager(
34 RenderViewHostDelegate* render_view_delegate, 35 RenderViewHostDelegate* render_view_delegate,
(...skipping 776 matching lines...) Expand 10 before | Expand all | Expand 10 after
811 // This will possibly create (set to NULL) a Web UI object for the pending 812 // This will possibly create (set to NULL) a Web UI object for the pending
812 // page. We'll use this later to give the page special access. This must 813 // page. We'll use this later to give the page special access. This must
813 // happen before the new renderer is created below so it will get bindings. 814 // happen before the new renderer is created below so it will get bindings.
814 // It must also happen after the above conditional call to CancelPending(), 815 // It must also happen after the above conditional call to CancelPending(),
815 // otherwise CancelPending may clear the pending_web_ui_ and the page will 816 // otherwise CancelPending may clear the pending_web_ui_ and the page will
816 // not have its bindings set appropriately. 817 // not have its bindings set appropriately.
817 pending_web_ui_.reset( 818 pending_web_ui_.reset(
818 delegate_->CreateWebUIForRenderManager(entry.GetURL())); 819 delegate_->CreateWebUIForRenderManager(entry.GetURL()));
819 pending_and_current_web_ui_.reset(); 820 pending_and_current_web_ui_.reset();
820 821
822 // If this is an existing NavigationEntry, make sure we're not granting it
823 // different bindings than it had before. If so, note it and don't give it
824 // any bindings, to avoid a potential privilege escalation.
825 if (pending_web_ui_.get() &&
826 !entry.GetContentState().empty() &&
827 pending_web_ui_->GetBindings() != entry.bindings()) {
828 RecordAction(UserMetricsAction("ProcessSwapBindingsMismatch_RVHM"));
829 pending_web_ui_.reset();
830 }
831
821 // Ensure that we have created RVHs for the new RVH's opener chain if 832 // Ensure that we have created RVHs for the new RVH's opener chain if
822 // we are staying in the same BrowsingInstance. This allows the pending RVH 833 // we are staying in the same BrowsingInstance. This allows the pending RVH
823 // to send cross-process script calls to its opener(s). 834 // to send cross-process script calls to its opener(s).
824 int opener_route_id = MSG_ROUTING_NONE; 835 int opener_route_id = MSG_ROUTING_NONE;
825 if (new_instance->IsRelatedSiteInstance(curr_instance)) { 836 if (new_instance->IsRelatedSiteInstance(curr_instance)) {
826 opener_route_id = 837 opener_route_id =
827 delegate_->CreateOpenerRenderViewsForRenderManager(new_instance); 838 delegate_->CreateOpenerRenderViewsForRenderManager(new_instance);
828 } 839 }
829 840
830 // Create a non-swapped-out pending RVH with the given opener and navigate 841 // Create a non-swapped-out pending RVH with the given opener and navigate
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
876 render_view_host_->FirePageBeforeUnload(true); 887 render_view_host_->FirePageBeforeUnload(true);
877 888
878 return pending_render_view_host_; 889 return pending_render_view_host_;
879 } else { 890 } else {
880 if (ShouldReuseWebUI(curr_entry, &entry)) { 891 if (ShouldReuseWebUI(curr_entry, &entry)) {
881 pending_web_ui_.reset(); 892 pending_web_ui_.reset();
882 pending_and_current_web_ui_ = web_ui_->AsWeakPtr(); 893 pending_and_current_web_ui_ = web_ui_->AsWeakPtr();
883 } else { 894 } else {
884 pending_and_current_web_ui_.reset(); 895 pending_and_current_web_ui_.reset();
885 pending_web_ui_.reset( 896 pending_web_ui_.reset(
886 delegate_->CreateWebUIForRenderManager(entry.GetURL())); 897 delegate_->CreateWebUIForRenderManager(entry.GetURL()));
Charlie Reis 2013/02/04 06:03:40 Turns out we missed this case in the first patchset
887 } 898 }
888 899
889 if (pending_web_ui() && render_view_host_->IsRenderViewLive()) 900 if (pending_web_ui() && render_view_host_->IsRenderViewLive())
890 pending_web_ui()->GetController()->RenderViewReused(render_view_host_); 901 pending_web_ui()->GetController()->RenderViewReused(render_view_host_);
891 902
892 // The renderer can exit view source mode when any error or cancellation 903 // The renderer can exit view source mode when any error or cancellation
893 // happen. We must overwrite to recover the mode. 904 // happen. We must overwrite to recover the mode.
894 if (entry.IsViewSourceMode()) { 905 if (entry.IsViewSourceMode()) {
895 render_view_host_->Send( 906 render_view_host_->Send(
896 new ViewMsg_EnableViewSourceMode(render_view_host_->GetRoutingID())); 907 new ViewMsg_EnableViewSourceMode(render_view_host_->GetRoutingID()));
(...skipping 76 matching lines...) Expand 10 before | Expand all | Expand 10 after
973 RenderViewHostImpl* RenderViewHostManager::GetSwappedOutRenderViewHost( 984 RenderViewHostImpl* RenderViewHostManager::GetSwappedOutRenderViewHost(
974 SiteInstance* instance) { 985 SiteInstance* instance) {
975 RenderViewHostMap::iterator iter = swapped_out_hosts_.find(instance->GetId()); 986 RenderViewHostMap::iterator iter = swapped_out_hosts_.find(instance->GetId());
976 if (iter != swapped_out_hosts_.end()) 987 if (iter != swapped_out_hosts_.end())
977 return iter->second; 988 return iter->second;
978 989
979 return NULL; 990 return NULL;
980 } 991 }
981 992
982 } // namespace content 993 } // namespace content
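Review bot: The guard added at new lines 825-827 relies on `!entry.GetContentState().empty()` as the signal that `entry` has committed before, but the comment above it only says "existing NavigationEntry", so a reader can mistake the emptiness test for a check on the content state itself rather than on prior commit; suggest extending the comment with `// A non-empty content state means this entry has already committed, so entry.bindings() presumably records what it was granted then.` The mismatch branch at 828-829 then deliberately proceeds with no Web UI at all instead of granting the new bindings, which is the containment the change is after, and a one-line comment such as `// Proceed without a Web UI rather than grant bindings the entry never had.` would keep a later maintainer from "restoring" the dropped bindings. Both points apply only to the cross-process branch shown; the enclosing function starts and ends outside the visible hunks.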