Chromium Code Reviews

Side by Side Diff: content/browser/frame_host/navigation_controller_impl.cc

Issue 1960983002: Kill renderer if it changes the main frame's origin on subframe commits. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 7 months ago
OLDNEW
1 // Copyright 2013 The Chromium Authors. All rights reserved. 1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 /* 5 /*
6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. 6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) 7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. 8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
9 * (http://www.torchmobile.com/) 9 * (http://www.torchmobile.com/)
10 * 10 *
(...skipping 1301 matching lines...)
1312 // a history auto" navigation. Update the last committed index accordingly. 1312 // a history auto" navigation. Update the last committed index accordingly.
1313 // If we don't recognize the |nav_entry_id|, it might be either a pending 1313 // If we don't recognize the |nav_entry_id|, it might be either a pending
1314 // entry for a transfer or a recently pruned entry. We'll handle it below. 1314 // entry for a transfer or a recently pruned entry. We'll handle it below.
1315 if (entry_index != -1 && entry_index != last_committed_entry_index_) { 1315 if (entry_index != -1 && entry_index != last_committed_entry_index_) {
1316 // Make sure that a subframe commit isn't changing the main frame's 1316 // Make sure that a subframe commit isn't changing the main frame's
1317 // origin. Otherwise the renderer process may be confused, leading to a 1317 // origin. Otherwise the renderer process may be confused, leading to a
1318 // URL spoof. We can't check the path since that may change 1318 // URL spoof. We can't check the path since that may change
1319 // (https://crbug.com/373041). 1319 // (https://crbug.com/373041).
1320 if (GetLastCommittedEntry()->GetURL().GetOrigin() != 1320 if (GetLastCommittedEntry()->GetURL().GetOrigin() !=
1321 GetEntryAtIndex(entry_index)->GetURL().GetOrigin()) { 1321 GetEntryAtIndex(entry_index)->GetURL().GetOrigin()) {
1322 // TODO(creis): This is unexpectedly being encountered in practice. If 1322 bad_message::ReceivedBadMessage(rfh->GetProcess(),
1323 // you encounter this in practice, please post details to 1323 bad_message::NC_AUTO_SUBFRAME);
1324 // https://crbug.com/486916. Once that's resolved, we'll change this to
1325 // kill the renderer process with bad_message::NC_AUTO_SUBFRAME.
1326 NOTREACHED() << "Unexpected main frame origin change on AUTO_SUBFRAME.";
1327 } 1324 }
1328 1325
1329 // TODO(creis): Update the FrameNavigationEntry in --site-per-process. 1326 // TODO(creis): Update the FrameNavigationEntry in --site-per-process.
1330 last_committed_entry_index_ = entry_index; 1327 last_committed_entry_index_ = entry_index;
1331 DiscardNonCommittedEntriesInternal(); 1328 DiscardNonCommittedEntriesInternal();
1332 return true; 1329 return true;
1333 } 1330 }
1334 } 1331 }
1335 1332
1336 if (SiteIsolationPolicy::UseSubframeNavigationEntries()) { 1333 if (SiteIsolationPolicy::UseSubframeNavigationEntries()) {
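Review bot: After the kill at new lines 1322-1323, control still falls through to `last_committed_entry_index_ = entry_index;`, `DiscardNonCommittedEntriesInternal();` and `return true;`, so the controller adopts the entry whose origin it has just rejected. Consider returning early right after `bad_message::ReceivedBadMessage(...)` (for example `return false;`), or add a comment explaining why updating the committed index for a renderer that is being killed is safe. Separately, the removed TODO said the kill would wait until https://crbug.com/486916 was resolved; a one-line comment at the new call stating that would tell readers why an origin mismatch is now treated as a bad message rather than a case seen in practice.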
(...skipping 716 matching lines...)
2053 } 2050 }
2054 } 2051 }
2055 } 2052 }
2056 2053
2057 void NavigationControllerImpl::SetGetTimestampCallbackForTest( 2054 void NavigationControllerImpl::SetGetTimestampCallbackForTest(
2058 const base::Callback<base::Time()>& get_timestamp_callback) { 2055 const base::Callback<base::Time()>& get_timestamp_callback) {
2059 get_timestamp_callback_ = get_timestamp_callback; 2056 get_timestamp_callback_ = get_timestamp_callback;
2060 } 2057 }
2061 2058
2062 } // namespace content 2059 } // namespace content