Fix for "chrome://" links in PDFs.

content/browser/child_process_security_policy_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy_impl.h"
 
+#include <utility>
+
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "content/browser/plugin_process_host.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/common/site_isolation_policy.h"
 #include "content/public/browser/child_process_data.h"
@@ skipping 68 matching lines @@
     }
     UMA_HISTOGRAM_COUNTS("ChildProcessSecurityPolicy.PerChildFilePermissions",
                          file_permissions_.size());
   }
 
   // Grant permission to request URLs with the specified scheme.
   void GrantScheme(const std::string& scheme) {
     scheme_policy_[scheme] = true;
   }
 
+  // Grant permission to request URLs with both the specified scheme and host.
+  void GrantSchemeHost(const std::string& scheme, const std::string& host) {
+    scheme_host_policy_[std::make_pair(scheme, host)] = true;
+  }
+
   // Revoke permission to request URLs with the specified scheme.
   void RevokeScheme(const std::string& scheme) {
     scheme_policy_[scheme] = false;
   }
 
+  // Revoke permission to request URLs with both the specified scheme and host.
+  void RevokeSchemeHost(const std::string& scheme, const std::string& host) {

[Charlie Reis, 2015/09/22 17:38:15]

We shouldn't introduce new methods until they're needed.

[paulmeyer, 2015/09/22 22:13:57]

I was thinking the same thing, though RevokeScheme is exactly the same situation
(it is not currently used). Should I also remove RevokeScheme?

[Charlie Reis, 2015/09/23 00:07:15]

Not in this CL.  We can probably remove it as dead code separately.

[paulmeyer, 2015/09/23 17:03:53]

Acknowledged.

+    scheme_host_policy_[std::make_pair(scheme, host)] = false;
+  }
+
   // Grant certain permissions to a file.
   void GrantPermissionsForFile(const base::FilePath& file, int permissions) {
     base::FilePath stripped = file.StripTrailingSeparators();
     file_permissions_[stripped] |= permissions;
     UMA_HISTOGRAM_COUNTS("ChildProcessSecurityPolicy.FilePermissionPathLength",
                          stripped.value().size());
   }
 
   // Grant navigation to a file but not the file:// scheme in general.
   void GrantRequestOfSpecificFile(const base::FilePath &file) {
@@ skipping 51 matching lines @@
   void RevokeReadRawCookies() {
     can_read_raw_cookies_ = false;
   }
 
   void GrantPermissionForMidiSysEx() {
     can_send_midi_sysex_ = true;
   }
 
   // Determine whether permission has been granted to commit |url|.
   bool CanCommitURL(const GURL& url) {
-    // Having permission to a scheme implies permssion to all of its URLs.
-    SchemeMap::const_iterator judgment(scheme_policy_.find(url.scheme()));
-    if (judgment != scheme_policy_.end())
-      return judgment->second;
+    // Check for permission for specific scheme and host.
+    SchemeHostMap::const_iterator scheme_host_judgment(
+        scheme_host_policy_.find(std::make_pair(url.scheme(), url.host())));
+    if (scheme_host_judgment != scheme_host_policy_.end())
+      return scheme_host_judgment->second;
+
+    // Otherwise, having permission to a scheme implies permission to all of its
+    // URLs.
+    SchemeMap::const_iterator scheme_judgment(
+        scheme_policy_.find(url.scheme()));
+    if (scheme_judgment != scheme_policy_.end())
+      return scheme_judgment->second;
 
     // file:// URLs are more granular.  The child may have been given
     // permission to a specific file but not the file:// scheme in general.
     if (url.SchemeIs(url::kFileScheme)) {
       base::FilePath path;
       if (net::FileURLToFilePath(url, &path))
         return ContainsKey(request_file_set_, path);
     }
 
     return false;  // Unmentioned schemes are disallowed.
@@ skipping 50 matching lines @@
   bool can_read_raw_cookies() const {
     return can_read_raw_cookies_;
   }
 
   bool can_send_midi_sysex() const {
     return can_send_midi_sysex_;
   }
 
  private:
   typedef std::map<std::string, bool> SchemeMap;
+  typedef std::map<std::pair<std::string, std::string>, bool> SchemeHostMap;
 
   typedef int FilePermissionFlags;  // bit-set of base::File::Flags
   typedef std::map<base::FilePath, FilePermissionFlags> FileMap;
   typedef std::map<std::string, FilePermissionFlags> FileSystemMap;
   typedef std::set<base::FilePath> FileSet;
 
   // Maps URL schemes to whether permission has been granted or revoked:
   //   |true| means the scheme has been granted.
   //   |false| means the scheme has been revoked.
   // If a scheme is not present in the map, then it has never been granted
   // or revoked.
   SchemeMap scheme_policy_;
 
+  // Maps URL (scheme, host) pairs to whether permission has been granted or
+  // revoked:
+  //   |true| means the (scheme, host) pair has been granted.
+  //   |false| means the (scheme, host) pair has been revoked.
+  // If a (scheme, host) pair is not present in the map, then it has never been
+  // granted or revoked.

[Charlie Reis, 2015/09/22 17:38:15]

This seems overly complicated if we don't have any code that does revocation.

It seems easier to just have a set of GURLs or Origins (e.g., chrome://favicon),
similar to FileSet.

[paulmeyer, 2015/09/22 22:13:57]

Okay, I'll use a set of origins.

+  //
+  // For schemes that are present in both |scheme_policy_| and
+  // |scheme_host_policy_|, the permission set for specific hosts within a
+  // scheme in |scheme_host_polcy_| will be respected first, followed by the

[Charlie Reis, 2015/09/22 17:38:15]

This also seems overly complicated.  If we aren't doing revocation, then there's
no reason to check the schemes+hosts before checking schemes.  If a full scheme
is granted, that should imply that all hosts in it are granted.

[paulmeyer, 2015/09/22 22:13:57]

Done.

+  // general permission for the scheme in |scheme_policy_| for all other hosts
+  // within that scheme.
+  SchemeHostMap scheme_host_policy_;
+
   // The set of files the child process is permited to upload to the web.
   FileMap file_permissions_;
 
   // The set of files the child process is permitted to load.
   FileSet request_file_set_;
 
   int enabled_bindings_;
 
   bool can_read_raw_cookies_;
 
@@ skipping 239 matching lines @@
                                                  const std::string& scheme) {
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return;
 
   state->second->GrantScheme(scheme);
 }
 
+void ChildProcessSecurityPolicyImpl::GrantSchemeHost(int child_id,
+                                                     const std::string& scheme,
+                                                     const std::string& host) {
+  base::AutoLock lock(lock_);
+
+  SecurityStateMap::iterator state = security_state_.find(child_id);
+  if (state == security_state_.end())
+    return;
+
+  state->second->GrantSchemeHost(scheme, host);
+}
+
 void ChildProcessSecurityPolicyImpl::GrantWebUIBindings(int child_id) {
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return;
 
   state->second->GrantBindings(BINDINGS_POLICY_WEB_UI);
 
   // Web UI bindings need the ability to request chrome: URLs.
@@ skipping 311 matching lines @@
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return false;
 
   return state->second->can_send_midi_sysex();
 }
 
 }  // namespace content