
Unified Diff: content/browser/loader/resource_dispatcher_host_impl.cc

Issue 1270663002: Validate the Origin HTTP header in the browser process. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Rebase Created 5 years, 4 months ago
Index: content/browser/loader/resource_dispatcher_host_impl.cc
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc
index 2fe2443130d966e1b97051833d6322879646cdfd..ba9f88ebce1f0acca80ca0e79df7128fb885f592 100644
--- a/content/browser/loader/resource_dispatcher_host_impl.cc
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc
@@ -275,7 +275,9 @@ void SetReferrerForRequest(net::URLRequest* request, const Referrer& referrer) {
bool ShouldServiceRequest(int process_type,
int child_id,
const ResourceHostMsg_Request& request_data,
- storage::FileSystemContext* file_system_context) {
+ const net::HttpRequestHeaders& headers,
+ ResourceMessageFilter* filter,
+ ResourceContext* resource_context) {
if (process_type == PROCESS_TYPE_PLUGIN)
return true;
@@ -289,6 +291,21 @@ bool ShouldServiceRequest(int process_type,
return false;
}
+ // Check if the renderer is using an illegal Origin header. If so, kill it.
+ std::string origin_string;
+ bool has_origin = headers.GetHeader("Origin", &origin_string) &&
+ origin_string != "null";
+ if (has_origin) {
+ GURL origin(origin_string);
+ if (!policy->CanCommitURL(child_id, origin) ||
+ GetContentClient()->browser()->IsIllegalOrigin(resource_context,
+ child_id, origin)) {
+ VLOG(1) << "Killed renderer for illegal origin: " << origin_string;
+ bad_message::ReceivedBadMessage(filter, bad_message::RDH_INVALID_ORIGIN);
nasko 2015/08/14 22:14:43 nit: It will be good to be consistent in illegal v
Charlie Reis 2015/08/14 23:23:32 Done. (I was trying to be consistent with other c
+ return false;
+ }
+ }
+
// Check if the renderer is permitted to upload the requested files.
if (request_data.request_body.get()) {
const std::vector<ResourceRequestBody::Element>* uploads =
@@ -303,7 +320,7 @@ bool ShouldServiceRequest(int process_type,
}
if (iter->type() == ResourceRequestBody::Element::TYPE_FILE_FILESYSTEM) {
storage::FileSystemURL url =
- file_system_context->CrackURL(iter->filesystem_url());
+ filter->file_system_context()->CrackURL(iter->filesystem_url());
if (!policy->CanReadFileSystemFile(child_id, url)) {
NOTREACHED() << "Denied unauthorized upload of "
<< iter->filesystem_url().spec();
@@ -1172,9 +1189,14 @@ void ResourceDispatcherHostImpl::BeginRequest(
// http://crbug.com/90971
CHECK(ContainsKey(active_resource_contexts_, resource_context));
+ // Parse the headers before calling ShouldServiceRequest, so that they are
+ // available to be validated.
+ net::HttpRequestHeaders headers;
+ headers.AddHeadersFromString(request_data.headers);
+
if (is_shutdown_ ||
- !ShouldServiceRequest(process_type, child_id, request_data,
- filter_->file_system_context())) {
+ !ShouldServiceRequest(process_type, child_id, request_data, headers,
+ filter_, resource_context)) {
AbortRequestBeforeItStarts(filter_, sync_result, request_id);
return;
}
@@ -1206,8 +1228,6 @@ void ResourceDispatcherHostImpl::BeginRequest(
const Referrer referrer(request_data.referrer, request_data.referrer_policy);
SetReferrerForRequest(new_request.get(), referrer);
- net::HttpRequestHeaders headers;
- headers.AddHeadersFromString(request_data.headers);
new_request->SetExtraRequestHeaders(headers);
storage::BlobStorageContext* blob_context =
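Review bot: The new Origin check in the second hunk accepts any header value that parses into a URL the renderer may commit, but never confirms the value is origin-shaped: `GURL origin(origin_string)` takes a full URL with path and query, and `CanCommitURL` presumably only considers scheme/host/port, so a renderer sending `Origin: https://host/path?x=1` passes the check. If a serialized origin is the intended contract, rejecting non-origin shapes before the policy lookup — e.g. `if (!origin.is_valid() || origin != origin.GetOrigin()) { bad_message::ReceivedBadMessage(filter, bad_message::RDH_INVALID_ORIGIN); return false; }` — would also make the invalid-URL case explicit instead of relying on how `CanCommitURL` treats an invalid GURL. The `origin_string != "null"` exemption deserves a sentence in the comment above it, e.g. `// An Origin of "null" (opaque origin) is accepted unchecked, since it asserts no identity a renderer could spoof.` ShouldServiceRequest's signature is in the first hunk and its body continues past the third hunk, so `policy` is declared outside the reviewed lines.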
