| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 /* | 5 /* |
| 6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. | 6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. |
| 7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) | 7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) |
| 8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. | 8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. |
| 9 * (http://www.torchmobile.com/) | 9 * (http://www.torchmobile.com/) |
| 10 * | 10 * |
| (...skipping 1358 matching lines...) |
| 1369 // However, due to reloads, even identical urls are *not* guaranteed to be | 1369 // However, due to reloads, even identical urls are *not* guaranteed to be |
| 1370 // in-page navigations, we have to trust the renderer almost entirely. | 1370 // in-page navigations, we have to trust the renderer almost entirely. |
| 1371 // The one thing we do know is that cross-origin navigations will *never* be | 1371 // The one thing we do know is that cross-origin navigations will *never* be |
| 1372 // in-page. Therefore, trust the renderer if the URLs are on the same origin, | 1372 // in-page. Therefore, trust the renderer if the URLs are on the same origin, |
| 1373 // and assume the renderer is malicious if a cross-origin navigation claims to | 1373 // and assume the renderer is malicious if a cross-origin navigation claims to |
| 1374 // be in-page. | 1374 // be in-page. |
| 1375 bool NavigationControllerImpl::IsURLInPageNavigation( | 1375 bool NavigationControllerImpl::IsURLInPageNavigation( |
| 1376 const GURL& url, | 1376 const GURL& url, |
| 1377 bool renderer_says_in_page, | 1377 bool renderer_says_in_page, |
| 1378 RenderFrameHost* rfh) const { | 1378 RenderFrameHost* rfh) const { |
| 1379 RenderFrameHostImpl* rfhi = static_cast<RenderFrameHostImpl*>(rfh); |
| 1379 GURL last_committed_url; | 1380 GURL last_committed_url; |
| 1380 if (rfh->GetParent()) { | 1381 if (rfh->GetParent()) { |
| 1381 last_committed_url = rfh->GetLastCommittedURL(); | 1382 // Use the FrameTreeNode's current_url and not rfh->GetLastCommittedURL(), |
| 1383 // which might be empty in a new RenderFrameHost after a process swap. |
| 1384 // Here, we care about the last committed URL in the FrameTreeNode, |
| 1385 // regardless of which process it is in. |
| 1386 last_committed_url = rfhi->frame_tree_node()->current_url(); |
| 1382 } else { | 1387 } else { |
| 1383 NavigationEntry* last_committed = GetLastCommittedEntry(); | 1388 NavigationEntry* last_committed = GetLastCommittedEntry(); |
| 1384 // There must be a last-committed entry to compare URLs to. TODO(avi): When | 1389 // There must be a last-committed entry to compare URLs to. TODO(avi): When |
| 1385 // might Blink say that a navigation is in-page yet there be no last- | 1390 // might Blink say that a navigation is in-page yet there be no last- |
| 1386 // committed entry? | 1391 // committed entry? |
| 1387 if (!last_committed) | 1392 if (!last_committed) |
| 1388 return false; | 1393 return false; |
| 1389 last_committed_url = last_committed->GetURL(); | 1394 last_committed_url = last_committed->GetURL(); |
| 1390 } | 1395 } |
| 1391 | 1396 |
| 1392 WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences(); | 1397 WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences(); |
| 1393 const url::Origin& committed_origin = static_cast<RenderFrameHostImpl*>(rfh) | 1398 const url::Origin& committed_origin = |
| 1394 ->frame_tree_node() | 1399 rfhi->frame_tree_node()->current_origin(); |
| 1395 ->current_origin(); | |
| 1396 bool is_same_origin = last_committed_url.is_empty() || | 1400 bool is_same_origin = last_committed_url.is_empty() || |
| 1397 // TODO(japhet): We should only permit navigations | 1401 // TODO(japhet): We should only permit navigations |
| 1398 // originating from about:blank to be in-page if the | 1402 // originating from about:blank to be in-page if the |
| 1399 // about:blank is the first document that frame loaded. | 1403 // about:blank is the first document that frame loaded. |
| 1400 // We don't have sufficient information to identify | 1404 // We don't have sufficient information to identify |
| 1401 // that case at the moment, so always allow about:blank | 1405 // that case at the moment, so always allow about:blank |
| 1402 // for now. | 1406 // for now. |
| 1403 last_committed_url == GURL(url::kAboutBlankURL) || | 1407 last_committed_url == GURL(url::kAboutBlankURL) || |
| 1404 last_committed_url.GetOrigin() == url.GetOrigin() || | 1408 last_committed_url.GetOrigin() == url.GetOrigin() || |
| 1405 !prefs.web_security_enabled || | 1409 !prefs.web_security_enabled || |
| (...skipping 441 matching lines...) |
| 1847 return success; | 1851 return success; |
| 1848 } | 1852 } |
| 1849 | 1853 |
| 1850 void NavigationControllerImpl::FindFramesToNavigate( | 1854 void NavigationControllerImpl::FindFramesToNavigate( |
| 1851 FrameTreeNode* frame, | 1855 FrameTreeNode* frame, |
| 1852 FrameLoadVector* same_document_loads, | 1856 FrameLoadVector* same_document_loads, |
| 1853 FrameLoadVector* different_document_loads) { | 1857 FrameLoadVector* different_document_loads) { |
| 1854 DCHECK(pending_entry_); | 1858 DCHECK(pending_entry_); |
| 1855 DCHECK_GE(last_committed_entry_index_, 0); | 1859 DCHECK_GE(last_committed_entry_index_, 0); |
| 1856 FrameNavigationEntry* new_item = pending_entry_->GetFrameEntry(frame); | 1860 FrameNavigationEntry* new_item = pending_entry_->GetFrameEntry(frame); |
| 1861 // TODO(creis): Store the last committed FrameNavigationEntry to use here, |
| 1862 // rather than assuming the NavigationEntry has up to date info on subframes. |
| 1857 FrameNavigationEntry* old_item = | 1863 FrameNavigationEntry* old_item = |
| 1858 GetLastCommittedEntry()->GetFrameEntry(frame); | 1864 GetLastCommittedEntry()->GetFrameEntry(frame); |
| 1859 if (!new_item) | 1865 if (!new_item) |
| 1860 return; | 1866 return; |
| 1861 | 1867 |
| 1862 // Schedule a load in this frame if the new item isn't for the same item | 1868 // Schedule a load in this frame if the new item isn't for the same item |
| 1863 // sequence number in the same SiteInstance. Newly restored items may not have | 1869 // sequence number in the same SiteInstance. Newly restored items may not have |
| 1864 // a SiteInstance yet, in which case it will be assigned on first commit. | 1870 // a SiteInstance yet, in which case it will be assigned on first commit. |
| 1865 if (!old_item || | 1871 if (!old_item || |
| 1866 new_item->item_sequence_number() != old_item->item_sequence_number() || | 1872 new_item->item_sequence_number() != old_item->item_sequence_number() || |
| (...skipping 193 matching lines...) |
| 2060 } | 2066 } |
| 2061 } | 2067 } |
| 2062 } | 2068 } |
| 2063 | 2069 |
| 2064 void NavigationControllerImpl::SetGetTimestampCallbackForTest( | 2070 void NavigationControllerImpl::SetGetTimestampCallbackForTest( |
| 2065 const base::Callback<base::Time()>& get_timestamp_callback) { | 2071 const base::Callback<base::Time()>& get_timestamp_callback) { |
| 2066 get_timestamp_callback_ = get_timestamp_callback; | 2072 get_timestamp_callback_ = get_timestamp_callback; |
| 2067 } | 2073 } |
| 2068 | 2074 |
| 2069 } // namespace content | 2075 } // namespace content |
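Review bot: In IsURLInPageNavigation, the `last_committed_url.is_empty()` term (new line 1400) still sets is_same_origin to true without any origin comparison, and for subframes that URL now comes from `rfhi->frame_tree_node()->current_url()` instead of the RenderFrameHost. The new comment explains why the old source could be empty after a process swap, but it does not say whether current_url() can itself be empty; if it can (presumably before the node's first commit), the renderer's in-page claim would apparently be trusted on that path even for a cross-origin URL. I would state the expectation next to the assignment, for example `// current_url() may still be empty before this node's first commit; the is_empty() term below then trusts the renderer.`, or add a DCHECK there if an empty URL is not expected for a subframe. The is_same_origin expression continues past the visible lines, so later terms and the final use of renderer_says_in_page could not be checked here.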