Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(159)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/browser/service_worker/service_worker_dispatcher_host.cc

Issue 1256833004: Move Service Worker %2f validation logic from browser into Blink (3) (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/browser/service_worker/service_worker_dispatcher_host.h" 5 #include "content/browser/service_worker/service_worker_dispatcher_host.h"
6 6
7 #include "base/logging.h" 7 #include "base/logging.h"
8 #include "base/profiler/scoped_tracker.h" 8 #include "base/profiler/scoped_tracker.h"
9 #include "base/strings/utf_string_conversions.h" 9 #include "base/strings/utf_string_conversions.h"
10 #include "base/trace_event/trace_event.h" 10 #include "base/trace_event/trace_event.h"
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
49 49
50 bool AllOriginsMatch(const GURL& url_a, const GURL& url_b, const GURL& url_c) { 50 bool AllOriginsMatch(const GURL& url_a, const GURL& url_b, const GURL& url_c) {
51 return url_a.GetOrigin() == url_b.GetOrigin() && 51 return url_a.GetOrigin() == url_b.GetOrigin() &&
52 url_a.GetOrigin() == url_c.GetOrigin(); 52 url_a.GetOrigin() == url_c.GetOrigin();
53 } 53 }
54 54
55 bool OriginCanAccessServiceWorkers(const GURL& url) { 55 bool OriginCanAccessServiceWorkers(const GURL& url) {
56 return url.SchemeIsHTTPOrHTTPS() && IsOriginSecure(url); 56 return url.SchemeIsHTTPOrHTTPS() && IsOriginSecure(url);
57 } 57 }
58 58
59 bool ContainsDisallowedCharacter(const GURL& url) {
60 DCHECK(url.is_valid());
61
62 std::string path = url.path();
63 DCHECK(base::IsStringUTF8(path));
64
65 // We should avoid these escaped characters in the path component because
66 // these can be handled differently depending on server implementation.
67 if (path.find("%2f") != std::string::npos ||
68 path.find("%2F") != std::string::npos) {
69 return true;
70 }
71 if (path.find("%5c") != std::string::npos ||
72 path.find("%5C") != std::string::npos) {
73 return true;
74 }
75 return false;
76 }
77
59 bool CanRegisterServiceWorker(const GURL& document_url, 78 bool CanRegisterServiceWorker(const GURL& document_url,
60 const GURL& pattern, 79 const GURL& pattern,
61 const GURL& script_url) { 80 const GURL& script_url) {
62 DCHECK(document_url.is_valid()); 81 DCHECK(document_url.is_valid());
63 DCHECK(pattern.is_valid()); 82 DCHECK(pattern.is_valid());
64 DCHECK(script_url.is_valid()); 83 DCHECK(script_url.is_valid());
65 return AllOriginsMatch(document_url, pattern, script_url) && 84 return AllOriginsMatch(document_url, pattern, script_url) &&
66 OriginCanAccessServiceWorkers(document_url) && 85 OriginCanAccessServiceWorkers(document_url) &&
67 OriginCanAccessServiceWorkers(pattern) && 86 OriginCanAccessServiceWorkers(pattern) &&
68 OriginCanAccessServiceWorkers(script_url); 87 OriginCanAccessServiceWorkers(script_url);
(...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after
325 base::ASCIIToUTF16(kNoDocumentURLErrorMessage))); 344 base::ASCIIToUTF16(kNoDocumentURLErrorMessage)));
326 return; 345 return;
327 } 346 }
328 347
329 if (!CanRegisterServiceWorker( 348 if (!CanRegisterServiceWorker(
330 provider_host->document_url(), pattern, script_url)) { 349 provider_host->document_url(), pattern, script_url)) {
331 bad_message::ReceivedBadMessage(this, bad_message::SWDH_REGISTER_CANNOT); 350 bad_message::ReceivedBadMessage(this, bad_message::SWDH_REGISTER_CANNOT);
332 return; 351 return;
333 } 352 }
334 353
335 std::string error_message; 354 if (ContainsDisallowedCharacter(pattern) ||
336 if (ServiceWorkerUtils::ContainsDisallowedCharacter(pattern, script_url, 355 ContainsDisallowedCharacter(script_url)) {
nhiroki 2015/07/28 05:32:13 I'd prefer to reuse ServiceWorkerUtils::ContainsDi
337 &error_message)) { 356 bad_message::ReceivedBadMessage(this, bad_message::SWDH_REGISTER_CANNOT);
338 Send(new ServiceWorkerMsg_ServiceWorkerRegistrationError(
339 thread_id, request_id, WebServiceWorkerError::ErrorTypeSecurity,
340 base::ASCIIToUTF16(kServiceWorkerRegisterErrorPrefix) +
341 base::UTF8ToUTF16(error_message)));
342 return; 357 return;
343 } 358 }
344 359
345 if (!GetContentClient()->browser()->AllowServiceWorker( 360 if (!GetContentClient()->browser()->AllowServiceWorker(
346 pattern, provider_host->topmost_frame_url(), resource_context_, 361 pattern, provider_host->topmost_frame_url(), resource_context_,
347 render_process_id_, provider_host->frame_id())) { 362 render_process_id_, provider_host->frame_id())) {
348 Send(new ServiceWorkerMsg_ServiceWorkerRegistrationError( 363 Send(new ServiceWorkerMsg_ServiceWorkerRegistrationError(
349 thread_id, request_id, WebServiceWorkerError::ErrorTypeUnknown, 364 thread_id, request_id, WebServiceWorkerError::ErrorTypeUnknown,
350 base::ASCIIToUTF16(kServiceWorkerRegisterErrorPrefix) + 365 base::ASCIIToUTF16(kServiceWorkerRegisterErrorPrefix) +
351 base::ASCIIToUTF16(kUserDeniedPermissionMessage))); 366 base::ASCIIToUTF16(kUserDeniedPermissionMessage)));
(...skipping 864 matching lines...) Expand 10 before | Expand all | Expand 10 after
1216 if (!handle) { 1231 if (!handle) {
1217 bad_message::ReceivedBadMessage(this, 1232 bad_message::ReceivedBadMessage(this,
1218 bad_message::SWDH_TERMINATE_BAD_HANDLE); 1233 bad_message::SWDH_TERMINATE_BAD_HANDLE);
1219 return; 1234 return;
1220 } 1235 }
1221 handle->version()->StopWorker( 1236 handle->version()->StopWorker(
1222 base::Bind(&ServiceWorkerUtils::NoOpStatusCallback)); 1237 base::Bind(&ServiceWorkerUtils::NoOpStatusCallback));
1223 } 1238 }
1224 1239
1225 } // namespace content 1240 } // namespace content
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698