Chromium Code Reviews
Unified Diff: mojo/application/public/interfaces/shell.mojom

Issue 1244233002: Allow trusted brokers to restrict connections for spawned applications to whitelisted applications … (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: . Created 5 years, 5 months ago
Index: mojo/application/public/interfaces/shell.mojom
diff --git a/mojo/application/public/interfaces/shell.mojom b/mojo/application/public/interfaces/shell.mojom
index 3e3cd373a1843989ee040efff85a063d517a91a0..3a313dd485148180697db538c8f538cc7fd68ebd 100644
--- a/mojo/application/public/interfaces/shell.mojom
+++ b/mojo/application/public/interfaces/shell.mojom
@@ -7,25 +7,40 @@ module mojo;
import "mojo/application/public/interfaces/service_provider.mojom";
import "network/public/interfaces/url_loader.mojom";
+// Specifies a whitelist of applications and services an application can connect
+// to. Connections to applications not explicitly specified here as a key are
+// rejected. Connections to services not specified in an application's allowed
+// interfaces value are not made.
+// A "*" value as the only key in an otherwise empty map means the application
+// may connect to any other application.
+// A "*" value as the only string in an otherwise empty array of interface names
+// means the application may connect to any service in that application.
+// An empty interface name array means the application may not connect to any
+// services exposed by the application it is connecting to.
+struct CapabilityFilter {
+ map<string, array<string>> filter;
+};
+
// An interface through which a Mojo application may communicate with the Mojo
// system and request connections to other applications.
interface Shell {
- // Establishes a connection with another application (located at
- // |request->url|) through which the calling application and the other
- // application may request services from one another. |application_url| is a
- // URLRequest in case this is called for an HTTP navigation, in which case
- // HTTP specific information like POST data, referrer header etc... needed.
+ // Establishes a connection with another application ("target application")
+ // (located at |request->url|) through which the calling application and the
+ // target application may request services from one another.
+ // |application_url| is a URLRequest in case this is called for an HTTP
+ // navigation, in which case HTTP specific information like POST data,
+ // referrer header etc... needed.
//
- // If the calling application would like to request services from the other
+ // If the calling application would like to request services from the target
// application, it should pass a valid interface request in the |services|
- // parameter (i.e. one containing a valid message pipe endpoint). If the other
- // application does not wish to offer services, it may either not bind an
- // implementation to the interface request, or else bind an implementation
+ // parameter (i.e. one containing a valid message pipe endpoint). If the
+ // target application does not wish to offer services, it may either not bind
+ // an implementation to the interface request, or else bind an implementation
// that will reject some or all service requests.
//
- // If the calling application would like to offer services to the other
+ // If the calling application would like to offer services to the target
// application, it should pass a bound interface through the
- // |exposed_services| parameter. The other application may then request
+ // |exposed_services| parameter. The target application may then request
// services through that interface.
//
// At least one of |services| or |exposed_services| should be valid/bound in
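Review bot: The CapabilityFilter comment only defines "*" when it is the sole key of an otherwise empty map (or the sole entry of an otherwise empty array), so the meaning of a map or array that mixes "*" with other entries is left undefined; the struct comment should state whether such a filter is treated as a wildcard, as a literal key, or rejected during validation, since a broker relying on this type to restrict a spawned application needs that case pinned down. It would also help to spell out that an empty map grants no connections at all, which follows from "Connections to applications not explicitly specified here as a key are rejected" but is easy to miss next to the wildcard rules. Minor: the rewritten ConnectToApplication comment still says the target is "located at |request->url|" while the parameter is named |application_url|, and "referrer header etc... needed" is missing a verb ("is needed").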
@@ -35,9 +50,16 @@ interface Shell {
// "mojo:{service}", it is up to the Mojo shell to select an appropriate
// application for the service. Currently, the shell does this based on the
// value of its --origin flag.
+ //
+ // |filter| is a whitelist of application URLs and services that the target
+ // application is permitted to connect to. See documentation for
+ // CapabilityFilter above. Note also that this parameter may be NULL, which
+ // has the same meaning as allowing the target application to connect to
+ // any application and service.
ConnectToApplication(URLRequest application_url,
ServiceProvider&? services,
- ServiceProvider? exposed_services);
+ ServiceProvider? exposed_services,
+ CapabilityFilter? filter);
// When there are no more instantiated services in an application, it should
// start its shutdown process by calling this method. Additionally, it should
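Review bot: Making |filter| nullable with NULL meaning "may connect to any application and service" is a fail-open default for the new parameter: every existing caller that is updated mechanically to pass null silently grants the spawned application unrestricted connections. Consider either requiring a non-null CapabilityFilter and having callers express "allow everything" explicitly with the documented "*" map, or at least stating in this comment which callers (the trusted brokers named in the issue title) are expected to pass NULL and that a shell should treat an unexpected NULL from a non-broker caller as an error rather than as an allow-all grant.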
