Prevent leaking PDF data cross-origin

chrome/browser/resources/pdf/pdf.js

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 'use strict';
 
 /**
  * @return {number} Width of a scrollbar in pixels
  */
 function getScrollbarWidth() {
@@ skipping 77 matching lines @@
 /**
  * Creates a new PDFViewer. There should only be one of these objects per
  * document.
  * @constructor
  * @param {!BrowserApi} browserApi An object providing an API to the browser.
  */
 function PDFViewer(browserApi) {
   this.browserApi_ = browserApi;
   this.loadState_ = LoadState.LOADING;
   this.parentWindow_ = null;
+  this.parentOrigin_ = null;
 
   this.delayedScriptingMessages_ = [];
 
   this.isPrintPreview_ = this.browserApi_.getStreamInfo().originalUrl.indexOf(
                              'chrome://print') == 0;
   this.isMaterial_ = location.pathname.substring(1) === 'index-material.html';
 
   // The sizer element is placed behind the plugin element to cause scrollbars
   // to be displayed in the window. It is sized according to the document size
   // of the pdf and zoom level.
@@ skipping 605 matching lines @@
 
   /**
    * Handle a scripting message from outside the extension (typically sent by
    * PDFScriptingAPI in a page containing the extension) to interact with the
    * plugin.
    * @param {MessageObject} message the message to handle.
    */
   handleScriptingMessage: function(message) {
     if (this.parentWindow_ != message.source) {
       this.parentWindow_ = message.source;
+      this.parentOrigin_ = message.origin;
       // Ensure that we notify the embedder if the document is loaded.
       if (this.loadState_ != LoadState.LOADING)
         this.sendDocumentLoadedMessage_();
     }
 
     if (this.handlePrintPreviewScriptingMessage_(message))
       return;
 
     // Delay scripting messages from users of the scripting API until the
     // document is loaded. This simplifies use of the APIs.
@@ skipping 66 matching lines @@
     return false;
   },
 
   /**
    * @private
    * Send a scripting message outside the extension (typically to
    * PDFScriptingAPI in a page containing the extension).
    * @param {Object} message the message to send.
    */
   sendScriptingMessage_: function(message) {
-    if (this.parentWindow_)
-      this.parentWindow_.postMessage(message, '*');
+    if (this.parentWindow_ && this.parentOrigin_) {
+      var targetOrigin;
+      // Only send data back to the embedder if it is from the same origin,
+      // unless we're sending it to ourselves (which could happen in the case
+      // of tests). We also allow documentLoaded messages through as this won't
+      // leak important information.
+      if (this.parentOrigin_ == window.location.origin)
+        targetOrigin = this.parentOrigin_;
+      else if (message.type == 'documentLoaded')
+        targetOrigin = '*';
+      else
+        targetOrigin = this.browserApi_.getStreamInfo().originalUrl;
+      this.parentWindow_.postMessage(message, targetOrigin);
+
+      // Dispatch an event which can be hooked into for testing.
+      window.dispatchEvent(new CustomEvent('scripting-message-sent',

[Sam McNally, 2015/08/25 03:11:20]

Could you add an extra listener on the plugin object in tests instead of always
dispatching this event?

[raymes, 2015/08/25 04:02:23]

Done.

+          { 'detail': { 'target': this.parentWindow_, 'message': message } }));
+    }
   },
 
-
   /**
    * @type {Viewport} the viewport of the PDF viewer.
    */
   get viewport() {
     return this.viewport_;
   },
 
   /**
    * Each bookmark is an Object containing a:
    * - title
    * - page (optional)
    * - array of children (themselves bookmarks)
    * @type {Array} the top-level bookmarks of the PDF.
    */
   get bookmarks() {
     return this.bookmarks_;
   }
 };