Prevent leaking PDF data cross-origin

pdf/out_of_process_instance.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "pdf/out_of_process_instance.h"
 
 #include <algorithm>  // for min/max()
 #define _USE_MATH_DEFINES  // for M_PI
 #include <cmath>      // for log() and pow()
 #include <math.h>
@@ skipping 287 matching lines @@
   RemovePerInstanceObject(kPPPPdfInterface, this);
   // Explicitly reset the PDFEngine during destruction as it may call back into
   // this object.
   engine_.reset();
 }
 
 bool OutOfProcessInstance::Init(uint32_t argc,
                                 const char* argn[],
                                 const char* argv[]) {
   // Check if the PDF is being loaded in the PDF chrome extension. We only allow
-  // the plugin to be put into "full frame" mode when it is being loaded in the
-  // extension because this enables some features that we don't want pages
-  // abusing outside of the extension.
+  // the plugin to be loaded in the extension to avoid exposing sensitive APIs

[Sam McNally, 2015/08/25 03:11:20]

And print preview?

[raymes, 2015/08/25 04:02:23]

Done.

+  // directly to external websites.
   pp::Var document_url_var = pp::URLUtil_Dev::Get()->GetDocumentURL(this);
   std::string document_url = document_url_var.is_string() ?

[Sam McNally, 2015/08/25 03:11:20]

if (!document_url_var.is_string())
  return false;

[raymes, 2015/08/25 04:02:23]

Done.

       document_url_var.AsString() : std::string();
   std::string extension_url = std::string(kChromeExtension);
-  bool in_extension =
-      !document_url.compare(0, extension_url.size(), extension_url);
+  std::string print_preview_url = std::string(kChromePrint);
+  bool allowed =
+      !document_url.compare(0, extension_url.size(), extension_url) ||

[Sam McNally, 2015/08/25 03:11:20]

if (!base::StringPiece(document_url).starts_with(kChromeExtension) &&
    !base::StringPiece(document_url).starts_with(kChromePrint)) {
  return false;
}

[raymes, 2015/08/25 04:02:23]

Done.

+      !document_url.compare(0, print_preview_url.size(), print_preview_url);
 
-  if (in_extension) {
-    // Check if the plugin is full frame. This is passed in from JS.
-    for (uint32_t i = 0; i < argc; ++i) {
-      if (strcmp(argn[i], "full-frame") == 0) {
-        full_ = true;
-        break;
-      }
+  if (!allowed)
+    return false;
+
+  // Check if the plugin is full frame. This is passed in from JS.
+  for (uint32_t i = 0; i < argc; ++i) {
+    if (strcmp(argn[i], "full-frame") == 0) {
+      full_ = true;
+      break;
     }
   }
 
   // Only allow the plugin to handle find requests if it is full frame.
   if (full_)
     SetPluginToHandleFindRequests();
 
   // Send translated strings to the extension where they will be displayed.
   // TODO(raymes): It would be better to get these in the extension directly
   // through an API but no such API currently exists.
@@ skipping 1095 matching lines @@
     const pp::FloatPoint& scroll_offset) {
   float max_x = document_size_.width() * zoom_ - plugin_dip_size_.width();
   float x = std::max(std::min(scroll_offset.x(), max_x), 0.0f);
   float min_y = -top_toolbar_height_;
   float max_y = document_size_.height() * zoom_ - plugin_dip_size_.height();
   float y = std::max(std::min(scroll_offset.y(), max_y), min_y);
   return pp::FloatPoint(x, y);
 }
 
 }  // namespace chrome_pdf