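--- a/content/browser/renderer_host/render_view_host_impl.cc
+++ b/content/browser/renderer_host/render_view_host_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host_impl.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ -1195,36 +1195,29 @@
 main_frame_id_ = validated_params.frame_id;
 } else {
 // TODO(nasko): We plan to remove the usage of frame_id in navigation
 // and move to routing ids. This is in place to ensure that a
 // renderer is not misbehaving and sending us incorrect data.
 DCHECK_EQ(main_frame_id_, validated_params.frame_id);
 }
 }
 RenderProcessHost* process = GetProcess();
 
-// If the --site-per-process flag is passed, then the renderer process is
-// not allowed to request web pages from other sites than the one it is
-// dedicated to.
-// Kill the renderer process if it violates this policy.
-const CommandLine& command_line = *CommandLine::ForCurrentProcess();
-if (command_line.HasSwitch(switches::kSitePerProcess) &&
-static_cast<SiteInstanceImpl*>(GetSiteInstance())->HasSite() &&
-validated_params.url != GURL(chrome::kAboutBlankURL)) {
-if (!SiteInstance::IsSameWebSite(GetSiteInstance()->GetBrowserContext(),
-GetSiteInstance()->GetSiteURL(),
-validated_params.url) ||
-static_cast<SiteInstanceImpl*>(GetSiteInstance())->
-HasWrongProcessForURL(validated_params.url)) {
-// TODO(nasko): Removed the actual kill process call until out-of-process
-// iframes is ready to go.
-}
+// Attempts to commit certain off-limits URL should be caught more strictly
+// than our FilterURL checks below. If a renderer violates this policy, it
+// should be killed.
+if (!CanCommitURL(validated_params.url)) {
+VLOG(1) << "Blocked URL " << validated_params.url.spec();
+validated_params.url = GURL(chrome::kAboutBlankURL);
+RecordAction(UserMetricsAction("CanCommitURL_BlockedAndKilled"));
+// Kills the process.
+process->ReceivedBadMessage();
 }
 
 ChildProcessSecurityPolicyImpl* policy =
 ChildProcessSecurityPolicyImpl::GetInstance();
 // Without this check, an evil renderer can trick the browser into creating
 // a navigation entry for a banned URL. If the user clicks the back button
 // followed by the forward button (or clicks reload, or round-trips through
 // session restore, etc), we'll think that the browser commanded the
 // renderer to load the URL and grant the renderer the privileges to request
 // the URL. To prevent this attack, we block the renderer from inserting
@@ -1699,20 +1692,29 @@
 #endif
 
 void RenderViewHostImpl::SendOrientationChangeEvent(int orientation) {
 Send(new ViewMsg_OrientationChangeEvent(GetRoutingID(), orientation));
 }
 
 void RenderViewHostImpl::ToggleSpeechInput() {
 Send(new InputTagSpeechMsg_ToggleSpeechInput(GetRoutingID()));
 }
 
+bool RenderViewHostImpl::CanCommitURL(const GURL& url) {
+// TODO(creis): We should also check for WebUI pages here. Also, when the
+// out-of-process iframes implementation is ready, we should check for
+// cross-site URLs that are not allowed to commit in this process.
+
+// Give the client a chance to disallow URLs from committing.
+return GetContentClient()->browser()->CanCommitURL(GetProcess(), url);
+}
+
 void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy,
 const RenderProcessHost* process,
 bool empty_allowed,
 GURL* url) {
 if (empty_allowed && url->is_empty())
 return;
 
 // The browser process should never hear the swappedout:// URL from any
 // of the renderer's messages. Check for this in debug builds, but don't
 // let it crash a release browser.
@@ -2079,10 +2081,10 @@
 webkit_glue::FilePathsFromHistoryState(state);
 for (std::vector<base::FilePath>::const_iterator file = file_paths.begin();
 file != file_paths.end(); ++file) {
 if (!policy->CanReadFile(GetProcess()->GetID(), *file))
 return false;
 }
 return true;
 }
 
 } // namespace content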
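Review bot: In the new CanCommitURL block (new lines 1208-1214) the handler keeps going after `process->ReceivedBadMessage();` — it falls through to the ChildProcessSecurityPolicyImpl/FilterURL code immediately below, so the browser still processes the remaining fields of `validated_params` from a renderer it has just flagged as sending a bad message, with only the URL replaced by about:blank. If that fall-through is deliberate (for instance to keep browser-side commit bookkeeping consistent until the kill takes effect), a comment such as `// Continue with about:blank so commit bookkeeping stays consistent; the process is being killed.` would make the intent explicit; otherwise an early `return;` after the kill would avoid acting on any other renderer-supplied field of the message. The enclosing commit handler starts and ends outside this section, so a later guard may exist that I cannot see, and whether ReceivedBadMessage() terminates the process synchronously is not visible on the page.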