Validate the Origin HTTP header in the browser process.

content/browser/child_process_security_policy_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy_impl.h"
 
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
@@ skipping 148 matching lines @@
   }
 
   void RevokeReadRawCookies() {
     can_read_raw_cookies_ = false;
   }
 
   void GrantPermissionForMidiSysEx() {
     can_send_midi_sysex_ = true;
   }
 
-  // Determine whether permission has been granted to request |url|.
-  bool CanRequestURL(const GURL& url) {
+  // Determine whether permission has been granted to commit |url|.
+  bool CanCommitURL(const GURL& url) {
     // Having permission to a scheme implies permssion to all of its URLs.
     SchemeMap::const_iterator judgment(scheme_policy_.find(url.scheme()));
     if (judgment != scheme_policy_.end())
       return judgment->second;
 
     // file:// URLs are more granular.  The child may have been given
     // permission to a specific file but not the file:// scheme in general.
     if (url.SchemeIs(url::kFileScheme)) {
       base::FilePath path;
       if (net::FileURLToFilePath(url, &path))
@@ skipping 367 matching lines @@
     return;
 
   state->second->RevokeReadRawCookies();
 }
 
 bool ChildProcessSecurityPolicyImpl::CanRequestURL(
     int child_id, const GURL& url) {
   if (!url.is_valid())
     return false;  // Can't request invalid URLs.
 
-  if (IsWebSafeScheme(url.scheme()))
-    return true;  // The scheme has been white-listed for every child process.
-
   if (IsPseudoScheme(url.scheme())) {
     // There are a number of special cases for pseudo schemes.
 
     if (url.SchemeIs(kViewSourceScheme)) {
       // A view-source URL is allowed if the child process is permitted to
       // request the embedded URL. Careful to avoid pointless recursion.
       GURL child_url(url.GetContent());
       if (child_url.SchemeIs(kViewSourceScheme) &&
           url.SchemeIs(kViewSourceScheme))
           return false;
 
       return CanRequestURL(child_id, child_url);
     }
 
     if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL))
       return true;  // Every child process can request <about:blank>.
 
     // URLs like <about:memory> and <about:crash> shouldn't be requestable by
     // any child process.  Also, this case covers <javascript:...>, which should
     // be handled internally by the process and not kicked up to the browser.
     return false;
   }
 
-  if (!GetContentClient()->browser()->IsHandledURL(url) &&
-      !net::URLRequest::IsHandledURL(url)) {
-    return true;  // This URL request is destined for ShellExecute.
-  }
+  // If the process can commit the URL, it can request it.
+  if (CanCommitURL(child_id, url))
+    return true;
+
+  // Also allow URLs destined for ShellExecute and not the browser itself.
+  return !GetContentClient()->browser()->IsHandledURL(url) &&
+         !net::URLRequest::IsHandledURL(url);
+}
+
+bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
+                                                  const GURL& url) {
+  if (!url.is_valid())
+    return false;  // Can't commit invalid URLs.
+
+  // Of all the pseudo schemes, only about:blank is allowed to commit.
+  if (IsPseudoScheme(url.scheme()))
+    return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL);
+
+  // TODO(creis): Tighten this for Site Isolation, so that a URL from a site
+  // that is isolated can only be committed in a process dedicated to that site.
+  // CanRequestURL should still allow all web-safe schemes. See
+  // https://crbug.com/515309.
+  if (IsWebSafeScheme(url.scheme()))
+    return true;  // The scheme has been white-listed for every child process.
 
   {
     base::AutoLock lock(lock_);
 
     SecurityStateMap::iterator state = security_state_.find(child_id);
     if (state == security_state_.end())
       return false;
 
     // Otherwise, we consult the child process's security state to see if it is
-    // allowed to request the URL.
-    return state->second->CanRequestURL(url);
+    // allowed to commit the URL.
+    return state->second->CanCommitURL(url);
   }
 }
 
 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id,
                                                  const base::FilePath& file) {
   return HasPermissionsForFile(child_id, file, READ_FILE_GRANT);
 }
 
 bool ChildProcessSecurityPolicyImpl::CanCreateReadWriteFile(
     int child_id,
@@ skipping 212 matching lines @@
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return false;
 
   return state->second->can_send_midi_sysex();
 }
 
 }  // namespace content