fix service worker cross-origin problem in multibuffers

media/blink/resource_multibuffer_data_provider.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "media/blink/resource_multibuffer_data_provider.h"
 
 #include <stddef.h>
 #include <utility>
 
 #include "base/bind.h"
@@ skipping 146 matching lines @@
 
   // This test is vital for security!
   if (cors_mode_ == UrlData::CORS_UNSPECIFIED) {
     // We allow the redirect if the origin is the same.
     if (origin_ != redirects_to_.GetOrigin()) {
       // We also allow the redirect if we don't have any data in the
       // cache, as that means that no dangerous data mixing can occur.
       if (url_data_->multibuffer()->map().empty() && fifo_.empty())
         return;
 
+      std::unique_ptr<ActiveLoader> active_loader = std::move(active_loader_);

[DaleCurtis, 2016/05/10 22:42:09]

How come active_loader_ needs to out live Fail()? Seems this could just be
active_loader_ = nullptr or done after fail?

[hubbe, 2016/05/11 00:06:38]

Good question, I was lazily doing this the same as in some other places. Cleaned
up here and elsewhere.

       url_data_->Fail();
     }
   }
 }
 
 void ResourceMultiBufferDataProvider::didSendData(
     WebURLLoader* loader,
     unsigned long long bytes_sent,
     unsigned long long total_bytes_to_be_sent) {
   NOTIMPLEMENTED();
@@ skipping 94 matching lines @@
       // to return.
       destination_url_data->set_length(content_length);
     } else if (response.httpStatusCode() == kHttpRangeNotSatisfiable) {
       // Really, we should never request a range that doesn't exist, but
       // if we do, let's handle it in a sane way.
       // Unsatisfiable range
       fifo_.push_back(DataBuffer::CreateEOSBuffer());
       destination_url_data->multibuffer()->OnDataProviderEvent(this);
       return;
     } else {
+      std::unique_ptr<ActiveLoader> active_loader = std::move(active_loader_);
       destination_url_data->Fail();
       return;
     }
   } else {
     destination_url_data->set_range_supported();
     if (content_length != kPositionNotSpecified) {
       destination_url_data->set_length(content_length + byte_pos());
     }
   }
 
@@ skipping 14 matching lines @@
         url_data_->multibuffer()->RemoveProvider(this));
     url_data_ = destination_url_data.get();
     // Give the ownership to our new owner.
     url_data_->multibuffer()->AddProvider(std::move(self));
 
     // Call callback to let upstream users know about the transfer.
     // This will merge the data from the two multibuffers and
     // cause clients to start using the new UrlData.
     old_url_data->RedirectTo(destination_url_data);
   }
+
+  // This test is vital for security!
+  const GURL& original_url = response.wasFetchedViaServiceWorker()
+                                 ? response.originalURLViaServiceWorker()
+                                 : response.url();
+  if (!url_data_->ValidateDataOrigin(original_url.GetOrigin())) {
+    std::unique_ptr<ActiveLoader> active_loader = std::move(active_loader_);
+    url_data_->Fail();
+    return;
+  }
 }
 
 void ResourceMultiBufferDataProvider::didReceiveData(WebURLLoader* loader,
                                                      const char* data,
                                                      int data_length,
                                                      int encoded_data_length) {
   DVLOG(1) << "didReceiveData: " << data_length << " bytes";
   DCHECK(!Available());
   DCHECK(active_loader_);
   DCHECK_GT(data_length, 0);
@@ skipping 173 matching lines @@
   }
 
   if (byte_pos() != first_byte_position) {
     return false;
   }
 
   return true;
 }
 
 }  // namespace media