Chromium Code Reviews

Side by Side Diff: mojo/application/public/interfaces/shell.mojom

Issue 1244233002: Allow trusted brokers to restrict connections for spawned applications to whitelisted applications … (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: . Created 5 years, 5 months ago
OLD | NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 module mojo; 5 module mojo;
6 6
7 import "mojo/application/public/interfaces/service_provider.mojom"; 7 import "mojo/application/public/interfaces/service_provider.mojom";
8 import "network/public/interfaces/url_loader.mojom"; 8 import "network/public/interfaces/url_loader.mojom";
9 9
10 struct CapabilityFilter {
11 map<string, array<string>> filter;
12 };
13
10 // An interface through which a Mojo application may communicate with the Mojo 14 // An interface through which a Mojo application may communicate with the Mojo
11 // system and request connections to other applications. 15 // system and request connections to other applications.
12 interface Shell { 16 interface Shell {
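Review bot: struct CapabilityFilter on new lines 10-12 carries no comment of its own, so the meaning of the map keys and values (application URLs and the services each may expose, going by the |filter| text further down) is only discoverable from the ConnectToApplication() comment. Document the struct where it is defined, including how application URLs are compared (exact string match or after normalization), and consider a field name that says what the map holds, since CapabilityFilter.filter only repeats the type name.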
13 // Establishes a connection with another application (located at 17 // Establishes a connection with another application ("target application")
14 // |request->url|) through which the calling application and the other 18 // (located at |request->url|) through which the calling application and the
15 // application may request services from one another. |application_url| is a 19 // target application may request services from one another.
16 // URLRequest in case this is called for an HTTP navigation, in which case 20 // |application_url| is a URLRequest in case this is called for an HTTP
17 // HTTP specific information like POST data, referrer header etc... needed. 21 // navigation, in which case HTTP specific information like POST data,
22 // referrer header etc... needed.
18 // 23 //
19 // If the calling application would like to request services from the other 24 // If the calling application would like to request services from the target
20 // application, it should pass a valid interface request in the |services| 25 // application, it should pass a valid interface request in the |services|
21 // parameter (i.e. one containing a valid message pipe endpoint). If the other 26 // parameter (i.e. one containing a valid message pipe endpoint). If the
22 // application does not wish to offer services, it may either not bind an 27 // target application does not wish to offer services, it may either not bind
23 // implementation to the interface request, or else bind an implementation 28 // an implementation to the interface request, or else bind an implementation
24 // that will reject some or all service requests. 29 // that will reject some or all service requests.
25 // 30 //
26 // If the calling application would like to offer services to the other 31 // If the calling application would like to offer services to the target
27 // application, it should pass a bound interface through the 32 // application, it should pass a bound interface through the
28 // |exposed_services| parameter. The other application may then request 33 // |exposed_services| parameter. The target application may then request
29 // services through that interface. 34 // services through that interface.
30 // 35 //
31 // At least one of |services| or |exposed_services| should be valid/bound in 36 // At least one of |services| or |exposed_services| should be valid/bound in
32 // the call. 37 // the call.
33 // 38 //
34 // If the |application_url| does not contain a domain, but is of the form 39 // If the |application_url| does not contain a domain, but is of the form
35 // "mojo:{service}", it is up to the Mojo shell to select an appropriate 40 // "mojo:{service}", it is up to the Mojo shell to select an appropriate
36 // application for the service. Currently, the shell does this based on the 41 // application for the service. Currently, the shell does this based on the
37 // value of its --origin flag. 42 // value of its --origin flag.
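Review bot: on new lines 18-20 the comment still says the target application is located at |request->url|, but the parameter is named |application_url|; since these lines are being rewrapped anyway, make the two agree. On new lines 21-22, "referrer header etc... needed" is missing its verb ("is needed").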
43 //
44 // |filter| is a whitelist of application URLs that the target application
45 // is permitted to connect to, and for each permitted application a
46 // corresponding set of services that may be exposed to the target
47 // application. The purpose of this parameter is to limit the target
48 // application's visibility of the full set of applications and services
49 // available to trusted applications. If this value is null, no filtering is
50 // specified and the target application can connect to all applications. If
51 // any application entry in the mapping presents an empty set of services,
yzshen1 2015/07/22 17:53:58 I feel that it is possible that the trusted broker
52 // that application may offer all its services to the target application.
38 ConnectToApplication(URLRequest application_url, 53 ConnectToApplication(URLRequest application_url,
39 ServiceProvider&? services, 54 ServiceProvider&? services,
40 ServiceProvider? exposed_services); 55 ServiceProvider? exposed_services,
56 CapabilityFilter? filter);
41 57
42 // When there are no more instantiated services in an application, it should 58 // When there are no more instantiated services in an application, it should
43 // start its shutdown process by calling this method. Additionally, it should 59 // start its shutdown process by calling this method. Additionally, it should
44 // keep track of any new service requests that come in. The shell will then 60 // keep track of any new service requests that come in. The shell will then
45 // call Application::OnQuitRequested and start queueing new service requests. 61 // call Application::OnQuitRequested and start queueing new service requests.
46 // If the application didn't get any new service requests in the meantime, it 62 // If the application didn't get any new service requests in the meantime, it
47 // should call the callback with a true value. Otherwise it should call it 63 // should call the callback with a true value. Otherwise it should call it
48 // with false. 64 // with false.
49 QuitApplication(); 65 QuitApplication();
50 }; 66 };
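Review bot: both defaults described on new lines 49-52 fail open: a null |filter| lets the target application connect to all applications, and an empty service set for an entry means that application may offer all its services. With that encoding a broker cannot express "may connect, but no services", and a service list that ends up empty by mistake widens access instead of narrowing it. Consider an explicit wildcard entry for "all services" and letting an empty array mean none. The comment should also state what the target application observes when it requests an application or service outside the whitelist, and whether the filter carries over to applications the target itself connects to.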