CrossSiteResourceHandler: cancel request if the RFH is gone

content/browser/loader/cross_site_resource_handler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/loader/cross_site_resource_handler.h"
 
 #include <string>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 68 matching lines @@
         params.global_request_id, cross_site_transferring_request.Pass(),
         params.transfer_url_chain, params.referrer,
         params.page_transition, params.should_replace_current_entry);
   } else if (leak_requests_for_testing_ && cross_site_transferring_request) {
     // Some unit tests expect requests to be leaked in this case, so they can
     // pass them along manually.
     cross_site_transferring_request->ReleaseRequest();
   }
 }
 
-// Returns whether a transfer is needed by doing a check on the UI thread.
-bool CheckNavigationPolicyOnUI(GURL real_url,
-                               int process_id,
-                               int render_frame_id) {
-  CHECK(SiteIsolationPolicy::AreCrossProcessFramesPossible());
-  RenderFrameHostImpl* rfh =
-      RenderFrameHostImpl::FromID(process_id, render_frame_id);
-  if (!rfh)
-    return false;
-
+// Determines whether a navigation to |dest_url| may be completed using an
+// existing RenderFrameHost, or whether transferring to a new RenderFrameHost
+// backed by a different render process is required. This is a security policy
+// check determined by the current site isolation mode, and must be done
+// before the resource at |dest_url| is delivered to |rfh|.
+//
+// When this function returns true for a subframe, an out-of-process iframe
+// must be created.
+//
+// TODO(nick): Move this function to RFHM.
+bool IsRendererTransferNeededForNavigation(RenderFrameHostImpl* rfh,
+                                           const GURL& dest_url) {
   // A transfer is not needed if the current SiteInstance doesn't yet have a
   // site.  This is the case for tests that use NavigateToURL.
   if (!rfh->GetSiteInstance()->HasSite())
     return false;
 
   // For now, GuestViews never transfer on cross-site navigations.
   WebContentsImpl* web_contents =
       static_cast<WebContentsImpl*>(WebContents::FromRenderFrameHost(rfh));
   if (web_contents->GetBrowserPluginGuest())
     return false;
 
   GURL effective_url = SiteInstanceImpl::GetEffectiveURL(
-      rfh->GetSiteInstance()->GetBrowserContext(), real_url);
+      rfh->GetSiteInstance()->GetBrowserContext(), dest_url);
 
   // TODO(nasko, nick): These following --site-per-process checks are
   // overly simplistic. Update them to match all the cases
   // considered by RenderFrameHostManager::DetermineSiteInstanceForURL.
   if (SiteInstance::IsSameWebSite(rfh->GetSiteInstance()->GetBrowserContext(),
                                   rfh->GetSiteInstance()->GetSiteURL(),
-                                  real_url)) {
+                                  dest_url)) {
     return false;  // The same site, no transition needed.
   }
 
   // The sites differ. If either one requires a dedicated process,
   // then a transfer is needed.
   return rfh->GetSiteInstance()->RequiresDedicatedProcess() ||
          SiteIsolationPolicy::DoesSiteRequireDedicatedProcess(effective_url);
 }
 
+// Returns whether a transfer is needed by doing a check on the UI thread.
+CrossSiteResourceHandler::NavigationDecision
+CheckNavigationPolicyOnUI(GURL real_url, int process_id, int render_frame_id) {
+  CHECK(SiteIsolationPolicy::AreCrossProcessFramesPossible());
+  RenderFrameHostImpl* rfh =
+      RenderFrameHostImpl::FromID(process_id, render_frame_id);
+
+  // Without a valid RFH against which to check, we must cancel the request,
+  // to prevent the resource at |url| from being delivered to a potentially
+  // unsuitable renderer process.
+  if (!rfh)
+    return CrossSiteResourceHandler::NavigationDecision::CANCEL_REQUEST;
+
+  if (IsRendererTransferNeededForNavigation(rfh, real_url))
+    return CrossSiteResourceHandler::NavigationDecision::TRANSFER_REQUIRED;
+  else
+    return CrossSiteResourceHandler::NavigationDecision::USE_EXISTING_RENDERER;
+}
+
 }  // namespace
 
 CrossSiteResourceHandler::CrossSiteResourceHandler(
     scoped_ptr<ResourceHandler> next_handler,
     net::URLRequest* request)
     : LayeredResourceHandler(request, next_handler.Pass()),
       has_started_response_(false),
       in_cross_site_transition_(false),
       completed_during_transition_(false),
       did_defer_(false),
@@ skipping 91 matching lines @@
   if (SiteIsolationPolicy::AreCrossProcessFramesPossible() &&
       !ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
           info->GetChildID())) {
     return DeferForNavigationPolicyCheck(info, response, defer);
   }
 
   // No deferral needed. Pass the response through.
   return next_handler_->OnResponseStarted(response, defer);
 }
 
-void CrossSiteResourceHandler::ResumeOrTransfer(bool is_transfer) {
-  if (is_transfer) {
-    StartCrossSiteTransition(response_.get());
-  } else {
-    ResumeResponse();
+void CrossSiteResourceHandler::ResumeOrTransfer(NavigationDecision decision) {
+  switch (decision) {
+    case NavigationDecision::CANCEL_REQUEST:
+      // TODO(nick): What kind of cleanup do we need here?
+      controller()->Cancel();
+      break;
+    case NavigationDecision::USE_EXISTING_RENDERER:
+      ResumeResponse();
+      break;
+    case NavigationDecision::TRANSFER_REQUIRED:
+      StartCrossSiteTransition(response_.get());
+      break;
   }
 }
 
 bool CrossSiteResourceHandler::OnReadCompleted(int bytes_read, bool* defer) {
   CHECK(!in_cross_site_transition_);
   return next_handler_->OnReadCompleted(bytes_read, defer);
 }
 
 void CrossSiteResourceHandler::OnResponseCompleted(
     const net::URLRequestStatus& status,
@@ skipping 139 matching lines @@
     controller()->Resume();
   }
 }
 
 void CrossSiteResourceHandler::OnDidDefer() {
   did_defer_ = true;
   request()->LogBlockedBy("CrossSiteResourceHandler");
 }
 
 }  // namespace content