Chromium Code Reviews| Index: third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp |
| diff --git a/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp b/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp |
| index 4d75bab3529a61a2a191458c4ae88b59fa55fdeb..1db025f7722b939de5232ee3adf36c0194b3d354 100644 |
| --- a/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp |
| +++ b/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp |
| @@ -35,6 +35,7 @@ |
| #include "platform/weborigin/SchemeRegistry.h" |
| #include "platform/weborigin/SecurityOriginCache.h" |
| #include "platform/weborigin/SecurityPolicy.h" |
| +#include "public/platform/Platform.h" |
| #include "url/url_canon_ip.h" |
| #include "wtf/HexNumber.h" |
| #include "wtf/MainThread.h" |
| @@ -125,6 +126,7 @@ SecurityOrigin::SecurityOrigin(const KURL& url) |
| , m_effectivePort(url.port() ? url.port() : defaultPortForProtocol(m_protocol)) |
| , m_isUnique(false) |
| , m_universalAccess(false) |
| + , m_universalAccessForFileOrigins(false) |
| , m_domainWasSetInDOM(false) |
| , m_blockLocalAccessFromLocalOrigin(false) |
| { |
| @@ -152,6 +154,7 @@ SecurityOrigin::SecurityOrigin() |
| , m_effectivePort(InvalidPort) |
| , m_isUnique(true) |
| , m_universalAccess(false) |
| + , m_universalAccessForFileOrigins(false) |
| , m_domainWasSetInDOM(false) |
| , m_canLoadLocalResources(false) |
| , m_blockLocalAccessFromLocalOrigin(false) |
| @@ -167,6 +170,7 @@ SecurityOrigin::SecurityOrigin(const SecurityOrigin* other) |
| , m_effectivePort(other->m_effectivePort) |
| , m_isUnique(other->m_isUnique) |
| , m_universalAccess(other->m_universalAccess) |
| + , m_universalAccessForFileOrigins(other->m_universalAccessForFileOrigins) |
| , m_domainWasSetInDOM(other->m_domainWasSetInDOM) |
| , m_canLoadLocalResources(other->m_canLoadLocalResources) |
| , m_blockLocalAccessFromLocalOrigin(other->m_blockLocalAccessFromLocalOrigin) |
| @@ -234,7 +238,14 @@ bool SecurityOrigin::isSecure(const KURL& url) |
| bool SecurityOrigin::canAccess(const SecurityOrigin* other) const |
| { |
| - if (m_universalAccess) |
| + if (m_universalAccess) { |
| + // TODO(mkwst): I would love to make this a RELEASE_ASSERT_WITH_SECURITY_IMPLICATIONS, but that |
| + // would be seriously expensive as it would inject an IPC to the embedder on this very hot path. |
| + ASSERT(blink::Platform::current()->canGrantUniversalAccess()); |
|
esprehn
2015/12/10 08:06:44
you don't need the blink:: prefix, also this shoul
|
| + return true; |
| + } |
| + |
| + if (m_universalAccessForFileOrigins && isLocal()) |
| return true; |
| if (this == other) |
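Review bot: The `ASSERT` added under `if (m_universalAccess)` compiles out of release builds, so shipped binaries trust that every write to `m_universalAccess` was already checked, and the TODO does not say where that check lives. I would extend the comment with something like `// Release builds rely on the RELEASE_ASSERT in grantUniversalAccess(); this ASSERT only catches other writers in debug builds.` The TODO also names `RELEASE_ASSERT_WITH_SECURITY_IMPLICATIONS`, while the macro this patch uses in `grantUniversalAccess()` is `RELEASE_ASSERT_WITH_SECURITY_IMPLICATION`. The same comment is repeated in the `canRequest` and `canDisplay` hunks. The body of `canAccess` continues past the end of this hunk.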
| @@ -288,7 +299,14 @@ bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const |
| bool SecurityOrigin::canRequest(const KURL& url) const |
| { |
| - if (m_universalAccess) |
| + if (m_universalAccess) { |
| + // TODO(mkwst): I would love to make this a RELEASE_ASSERT_WITH_SECURITY_IMPLICATIONS, but that |
| + // would be seriously expensive as it would inject an IPC to the embedder on this very hot path. |
| + ASSERT(blink::Platform::current()->canGrantUniversalAccess()); |
|
esprehn
2015/12/10 08:06:44
ditto
|
| + return true; |
| + } |
| + |
| + if (m_universalAccessForFileOrigins && isLocal()) |
| return true; |
| if (cachedOrigin(url) == this) |
| @@ -337,7 +355,14 @@ bool SecurityOrigin::taintsCanvas(const KURL& url) const |
| bool SecurityOrigin::canDisplay(const KURL& url) const |
| { |
| - if (m_universalAccess) |
| + if (m_universalAccess) { |
| + // TODO(mkwst): I would love to make this a RELEASE_ASSERT_WITH_SECURITY_IMPLICATIONS, but that |
| + // would be seriously expensive as it would inject an IPC to the embedder on this very hot path. |
| + ASSERT(blink::Platform::current()->canGrantUniversalAccess()); |
|
esprehn
2015/12/10 08:06:44
ditto
|
| + return true; |
| + } |
| + |
| + if (m_universalAccessForFileOrigins && isLocal()) |
| return true; |
| String protocol = url.protocol().lower(); |
| @@ -378,9 +403,18 @@ void SecurityOrigin::grantLoadLocalResources() |
| void SecurityOrigin::grantUniversalAccess() |
| { |
| + // This must not be granted unless the embedder says we can grant this kind of permission. |
| + RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(blink::Platform::current()->canGrantUniversalAccess()); |
| m_universalAccess = true; |
| } |
| +void SecurityOrigin::grantUniversalAccessForFileOrigins() |
| +{ |
| + // This must not be granted to non-local origins, hence the release assert. |
| + RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isLocal()); |
| + m_universalAccessForFileOrigins = true; |
| +} |
| + |
| void SecurityOrigin::blockLocalAccessFromLocalOrigin() |
| { |
| ASSERT(isLocal()); |
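Review bot: `grantUniversalAccessForFileOrigins()` does not consult `canGrantUniversalAccess()`, unlike `grantUniversalAccess()` directly above it, and its comment explains only the `isLocal()` assert. If skipping the embedder check is intended for local origins, the comment should say so, e.g. `// Deliberately not gated on canGrantUniversalAccess(): this grant only ever applies to local origins.`; otherwise the same release assert belongs here. The assert in `grantUniversalAccess()` also dereferences `Platform::current()` unconditionally, which is presumably never null by the time privileges are granted, but that is not visible in this hunk. `blockLocalAccessFromLocalOrigin()` at the end of the hunk continues outside it.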
| @@ -535,6 +569,7 @@ PassOwnPtr<SecurityOrigin::PrivilegeData> SecurityOrigin::createPrivilegeData() |
| { |
| OwnPtr<PrivilegeData> privilegeData = adoptPtr(new PrivilegeData); |
| privilegeData->m_universalAccess = m_universalAccess; |
| + privilegeData->m_universalAccessForFileOrigins = m_universalAccessForFileOrigins; |
| privilegeData->m_canLoadLocalResources = m_canLoadLocalResources; |
| privilegeData->m_blockLocalAccessFromLocalOrigin = m_blockLocalAccessFromLocalOrigin; |
| return privilegeData.release(); |
| @@ -543,6 +578,7 @@ PassOwnPtr<SecurityOrigin::PrivilegeData> SecurityOrigin::createPrivilegeData() |
| void SecurityOrigin::transferPrivilegesFrom(PassOwnPtr<PrivilegeData> privilegeData) |
| { |
| m_universalAccess = privilegeData->m_universalAccess; |
| + m_universalAccessForFileOrigins = privilegeData->m_universalAccessForFileOrigins; |
| m_canLoadLocalResources = privilegeData->m_canLoadLocalResources; |
| m_blockLocalAccessFromLocalOrigin = privilegeData->m_blockLocalAccessFromLocalOrigin; |
| } |
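Review bot: `transferPrivilegesFrom()` writes `m_universalAccess` straight from `privilegeData` without the embedder check that `grantUniversalAccess()` now enforces, and the checks at the use sites in `canAccess`/`canRequest`/`canDisplay` are debug-only `ASSERT`s. In a release build an origin can therefore pick up universal access through this path without `canGrantUniversalAccess()` ever being consulted, unless every source of `PrivilegeData` is known to have gone through `grantUniversalAccess()`; the callers are not visible here. This is presumably not a hot path, so a release assert looks affordable: `RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!privilegeData->m_universalAccess || Platform::current()->canGrantUniversalAccess());`. The new `m_universalAccessForFileOrigins` copy is less exposed because its use sites re-check `isLocal()`.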