content/renderer/render_thread_impl.cc - Issue 1917073002: Block webpages from navigating to view-source URLs

Side by Side Diff: content/renderer/render_thread_impl.cc

Issue 1917073002: Block webpages from navigating to view-source URLs (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/renderer/render_thread_impl.h"	5 #include "content/renderer/render_thread_impl.h"

6	6

7 #include <algorithm>	7 #include <algorithm>

8 #include <limits>	8 #include <limits>

9 #include <map>	9 #include <map>

10 #include <utility>	10 #include <utility>

(...skipping 1307 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1318 WebString chrome_scheme(base::ASCIIToUTF16(kChromeUIScheme));	1318 WebString chrome_scheme(base::ASCIIToUTF16(kChromeUIScheme));

1319 WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(chrome_scheme);	1319 WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(chrome_scheme);

1320 WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(	1320 WebSecurityPolicy::registerURLSchemeAsNotAllowingJavascriptURLs(

1321 chrome_scheme);	1321 chrome_scheme);

1322 WebSecurityPolicy::registerURLSchemeAsSecure(chrome_scheme);	1322 WebSecurityPolicy::registerURLSchemeAsSecure(chrome_scheme);

1323 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(chrome_scheme);	1323 WebSecurityPolicy::registerURLSchemeAsCORSEnabled(chrome_scheme);

1324	1324

1325 // chrome-devtools:	1325 // chrome-devtools:

1326 WebString devtools_scheme(base::ASCIIToUTF16(kChromeDevToolsScheme));	1326 WebString devtools_scheme(base::ASCIIToUTF16(kChromeDevToolsScheme));

1327 WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(devtools_scheme);	1327 WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(devtools_scheme);

	1328

	1329 // view-source:

	1330 WebString view_source_scheme(base::ASCIIToUTF16(kViewSourceScheme));

	1331 WebSecurityPolicy::registerURLSchemeAsDisplayIsolated(view_source_scheme);
	Charlie Reis 2016/04/27 21:47:03 This seems to equate to SecurityOrigin::canDisplay This seems to equate to SecurityOrigin::canDisplay, which has the following comment: // Returns true if \|document\| can display content from the given URL (e.g., // in an iframe or as an image). For example, web sites generally cannot // display content from the user's files system. Does it also prevent linking or navigating to such content? I don't see the code for that. meacer 2016/05/12 01:14:16 Yes, it also prevents linking and navigation. I th Show quoted text On 2016/04/27 21:47:03, Charlie Reis wrote: > This seems to equate to SecurityOrigin::canDisplay, which has the following > comment: > // Returns true if \|document\| can display content from the given URL (e.g., > // in an iframe or as an image). For example, web sites generally cannot > // display content from the user's files system. > > Does it also prevent linking or navigating to such content? I don't see the > code for that. Yes, it also prevents linking and navigation. I think \|canDisplay\| is a misnomer and we should probably consider renaming it and updating its documentation. Charlie Reis 2016/05/16 22:22:18 Ah. Yes, that would be a good idea. Do you know Show quoted text On 2016/05/12 01:14:16, Mustafa Emre Acer wrote: > On 2016/04/27 21:47:03, Charlie Reis wrote: > > This seems to equate to SecurityOrigin::canDisplay, which has the following > > comment: > > // Returns true if \|document\| can display content from the given URL > (e.g., > > // in an iframe or as an image). For example, web sites generally cannot > > // display content from the user's files system. > > > > Does it also prevent linking or navigating to such content? I don't see the > > code for that. > > Yes, it also prevents linking and navigation. I think \|canDisplay\| is a misnomer > and we should probably consider renaming it and updating its documentation. Ah. Yes, that would be a good idea. Do you know which code prevents linking and navigation for those schemes? I couldn't find it. (I can ask dcheng@ if not.)
1328 }	1332 }

1329	1333

1330 void RenderThreadImpl::NotifyTimezoneChange() {	1334 void RenderThreadImpl::NotifyTimezoneChange() {

1331 NotifyTimezoneChangeOnThisThread();	1335 NotifyTimezoneChangeOnThisThread();

1332 RenderThread::Get()->PostTaskToAllWebWorkers(	1336 RenderThread::Get()->PostTaskToAllWebWorkers(

1333 base::Bind(&NotifyTimezoneChangeOnThisThread));	1337 base::Bind(&NotifyTimezoneChangeOnThisThread));

1334 }	1338 }

1335	1339

1336 void RenderThreadImpl::RecordAction(const base::UserMetricsAction& action) {	1340 void RenderThreadImpl::RecordAction(const base::UserMetricsAction& action) {

1337 Send(new ViewHostMsg_UserMetricsRecordAction(action.str_));	1341 Send(new ViewHostMsg_UserMetricsRecordAction(action.str_));

(...skipping 775 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2113 }	2117 }

2114	2118

2115 void RenderThreadImpl::PendingRenderFrameConnect::OnConnectionError() {	2119 void RenderThreadImpl::PendingRenderFrameConnect::OnConnectionError() {

2116 size_t erased =	2120 size_t erased =

2117 RenderThreadImpl::current()->pending_render_frame_connects_.erase(	2121 RenderThreadImpl::current()->pending_render_frame_connects_.erase(

2118 routing_id_);	2122 routing_id_);

2119 DCHECK_EQ(1u, erased);	2123 DCHECK_EQ(1u, erased);

2120 }	2124 }

2121	2125

2122 } // namespace content	2126 } // namespace content

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »