Kill renderers for bad password forms in --site-per-process.

components/password_manager/content/browser/content_password_manager_driver.cc

Index: components/password_manager/content/browser/content_password_manager_driver.cc
diff --git a/components/password_manager/content/browser/content_password_manager_driver.cc b/components/password_manager/content/browser/content_password_manager_driver.cc
index ffaf3ac58cef509fbd55ecf7b772da1167bec703..179d6ca7bbfc66a253cc505a066db73031a89ff3 100644
--- a/components/password_manager/content/browser/content_password_manager_driver.cc
+++ b/components/password_manager/content/browser/content_password_manager_driver.cc
@@ -7,12 +7,15 @@
 #include "components/autofill/content/common/autofill_messages.h"
 #include "components/autofill/core/common/form_data.h"
 #include "components/autofill/core/common/password_form.h"
+#include "components/password_manager/content/browser/bad_message.h"
 #include "components/password_manager/content/browser/content_password_manager_driver_factory.h"
 #include "components/password_manager/core/browser/password_manager_client.h"
 #include "content/public/browser/browser_context.h"
+#include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/navigation_details.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/render_frame_host.h"
+#include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/site_instance.h"
 #include "content/public/browser/web_contents.h"
@@ -151,23 +154,33 @@ bool ContentPasswordManagerDriver::HandleMessage(const IPC::Message& message) {
 
 void ContentPasswordManagerDriver::OnPasswordFormsParsed(
     const std::vector<autofill::PasswordForm>& forms) {
+  for (const auto& form : forms)
+    if (!CheckChildProcessSecurityPolicy(form.origin))
+      return;
   GetPasswordManager()->OnPasswordFormsParsed(this, forms);
 }
 
 void ContentPasswordManagerDriver::OnPasswordFormsRendered(
     const std::vector<autofill::PasswordForm>& visible_forms,
     bool did_stop_loading) {
+  for (const auto& form : visible_forms)
+    if (!CheckChildProcessSecurityPolicy(form.origin))
+      return;
   GetPasswordManager()->OnPasswordFormsRendered(this, visible_forms,
                                                 did_stop_loading);
 }
 
 void ContentPasswordManagerDriver::OnPasswordFormSubmitted(
     const autofill::PasswordForm& password_form) {
+  if (!CheckChildProcessSecurityPolicy(password_form.origin))
+    return;
   GetPasswordManager()->OnPasswordFormSubmitted(this, password_form);
 }
 
 void ContentPasswordManagerDriver::OnFocusedPasswordFormFound(
     const autofill::PasswordForm& password_form) {
+  if (!CheckChildProcessSecurityPolicy(password_form.origin))
+    return;
   GetPasswordManager()->OnPasswordFormForceSaveRequested(this, password_form);
 }
 
@@ -183,13 +196,31 @@ void ContentPasswordManagerDriver::DidNavigateFrame(
 
 void ContentPasswordManagerDriver::OnInPageNavigation(
     const autofill::PasswordForm& password_form) {
+  if (!CheckChildProcessSecurityPolicy(password_form.origin))
+    return;
   GetPasswordManager()->OnInPageNavigation(this, password_form);
 }
 
 void ContentPasswordManagerDriver::OnPasswordNoLongerGenerated(
     const autofill::PasswordForm& password_form) {
+  if (!CheckChildProcessSecurityPolicy(password_form.origin))
+    return;
   GetPasswordManager()->SetHasGeneratedPasswordForForm(this, password_form,
                                                        false);
 }
 
+bool ContentPasswordManagerDriver::CheckChildProcessSecurityPolicy(
+    const GURL& url) {
+  content::ChildProcessSecurityPolicy* policy =
+      content::ChildProcessSecurityPolicy::GetInstance();
+  if (!policy->CanAccessDataForOrigin(render_frame_host_->GetProcess()->GetID(),
+                                      url)) {
+    bad_message::ReceivedBadMessage(render_frame_host_->GetProcess(),
+                                    bad_message::CPMD_BAD_ORIGIN);

[ncarter (slow), 2015/07/07 22:18:32]

Usually we've used a different bad_message reason for each incoming IPC message
type. The idea being, if we ever do see these fail in practice, it'll give us
more information to use to track down the underlying problem.

WDYT about passing a BadMessageReason enum (e.g. FORM_SUBMITTED_BAD_ORIGIN) to
this function?

[lfg, 2015/07/08 15:31:47]

Done.

+    return false;
+  }
+
+  return true;
+}
+
 }  // namespace password_manager