Fixing iframe jank in the local omnibox popup.

chrome/browser/search/suggestion_source.cc

+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/search/suggestion_source.h"
+
+#include "base/json/string_escape.h"
+#include "base/logging.h"
+#include "base/memory/ref_counted_memory.h"
+#include "base/string_util.h"
+#include "base/stringprintf.h"
+#include "base/strings/string_piece.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/search/search.h"
+#include "chrome/common/url_constants.h"
+#include "content/public/common/content_client.h"
+#include "googleurl/src/gurl.h"
+#include "grit/browser_resources.h"
+#include "net/base/url_util.h"
+#include "net/url_request/url_request.h"
+#include "ui/base/layout.h"
+
+namespace {
+const char kLoaderHtmlPath[] = "/loader.html";
+const char kLoaderJSPath[] = "/loader.js";
+const char kResultHtmlPath[] = "/result.html";
+const char kResultJSPath[] = "/result.js";
+const char kOriginParam[] = "origin";
+}  // namespace
+
+SuggestionSource::SuggestionSource() {
+}
+
+SuggestionSource::~SuggestionSource() {
+}
+
+std::string SuggestionSource::GetSource() {
+  return chrome::kChromeSearchSuggestionHost;
+}
+
+void SuggestionSource::StartDataRequest(
+    const std::string& path_and_query,
+    bool is_incognito,
+    const content::URLDataSource::GotDataCallback& callback) {
+  std::string path(GURL(chrome::kChromeSearchSuggestionURL +
+                        path_and_query).path());
+  if (path == kLoaderHtmlPath)
+    SendResource(IDR_OMNIBOX_RESULT_LOADER_HTML, callback);
+  else if (path == kLoaderJSPath)
+    SendJSWithOrigin(IDR_OMNIBOX_RESULT_LOADER_JS, path_and_query, callback);
+  else if (path == kResultHtmlPath)
+    SendResource(IDR_OMNIBOX_RESULT_HTML, callback);
+  else if (path == kResultJSPath)
+    SendJSWithOrigin(IDR_OMNIBOX_RESULT_JS, path_and_query, callback);
+  else
+    callback.Run(NULL);
+}
+
+void SuggestionSource::SendResource(
+    int resource_id,
+    const content::URLDataSource::GotDataCallback& callback) {
+  scoped_refptr<base::RefCountedStaticMemory> response(
+      content::GetContentClient()->GetDataResourceBytes(resource_id));
+  callback.Run(response);
+}
+
+void SuggestionSource::SendJSWithOrigin(
+    int resource_id,
+    const std::string& path_and_query,
+    const content::URLDataSource::GotDataCallback& callback) {
+  // Expect an &origin param which gives the origin of embedding page. This
+  // param is always set by the renderer for requests to this host.

[palmer, 2013/04/09 00:26:15]

We assume renderers are untrustworthy.

[Jered, 2013/04/09 01:18:58]

What does that mean in the context of this code?

[Jered, 2013/04/09 03:24:24]

I updated the comment. ChromeContentRendererClient is a strange animal, some
kind of singleton created from MainDelegate to herd renderers, but I don't think
in a render process. Anyway I added some extra validation here.

The main goal of plumbing this origin all around is just to ensure that
evil.adnetwork.example.com, also iframed on instant.page.example.com and thus in
the same Instant render process, can't display suggestion iframes.

[palmer, 2013/04/09 19:09:55]

A compromised renderer could set an incorrect/malicious origin, and the browser
might make security decisions based on that. Obviously, a compromised origin is
already a problem, but we hope that even bad renderers cannot confuse the
browser.

[Jered, 2013/04/09 21:59:38]

An alternative approach here would be to check the postMessage origin against a
whitelist of allowed origins. These would include *.google.tld$, the local
omnibox popup origin, and --instant-url if it is set to enable local developers
to see suggestions. This would most easily be formulated as a regular expression
passed into the JS, but I'm happy to do this in any way. Would you prefer that
approach?

Another alternative is to divine from the browser what the Instant URL for the
renderer requesting this resource should have been. This is tricky because that
state is controlled by preferences which may have since changed, and may reside
in some far flung corner of another process somewhere, and so would have to get
here asynchronously before this request does.

I'm happy to do whatever is best here of course.

+  std::string origin;
+  if (!net::GetValueForKeyInQuery(
+          GURL(chrome::kChromeSearchSuggestionURL + path_and_query),
+          kOriginParam, &origin)) {
+    callback.Run(NULL);
+    return;
+  }
+
+  std::string js_escaped_origin;
+  base::JsonDoubleQuote(origin, false, &js_escaped_origin);
+  base::StringPiece template_js =
+      content::GetContentClient()->GetDataResource(resource_id,
+                                                   ui::SCALE_FACTOR_NONE);
+  std::string response(base::StringPrintf(template_js.as_string().c_str(),
+                                          js_escaped_origin.c_str()));
+  callback.Run(base::RefCountedString::TakeString(&response));
+}
+
+std::string SuggestionSource::GetMimeType(
+    const std::string& path_and_query) const {
+  std::string path(GURL(chrome::kChromeSearchSuggestionURL +
+                        path_and_query).path());
+  if (path == kLoaderHtmlPath || path == kResultHtmlPath)
+    return "text/html";
+  if (path == kLoaderJSPath || path == kResultJSPath)
+    return "application/javascript";
+  return "";
+}
+
+bool SuggestionSource::ShouldServiceRequest(
+    const net::URLRequest* request) const {
+  const std::string& path = request->url().path();
+  return request->url().SchemeIs(chrome::kChromeSearchScheme) &&
+      request->url().host() == chrome::kChromeSearchSuggestionHost &&
+      (path == kLoaderHtmlPath || path == kLoaderJSPath ||
+       path == kResultHtmlPath || path == kResultJSPath);
+}
+
+bool SuggestionSource::ShouldDenyXFrameOptions() const {
+  return false;
+}