OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 /* | 5 /* |
6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. | 6 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved. |
7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) | 7 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) |
8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. | 8 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. |
9 * (http://www.torchmobile.com/) | 9 * (http://www.torchmobile.com/) |
10 * | 10 * |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
80 #include "content/public/common/content_constants.h" | 80 #include "content/public/common/content_constants.h" |
81 #include "content/public/common/content_features.h" | 81 #include "content/public/common/content_features.h" |
82 #include "media/base/mime_util.h" | 82 #include "media/base/mime_util.h" |
83 #include "net/base/escape.h" | 83 #include "net/base/escape.h" |
84 #include "skia/ext/platform_canvas.h" | 84 #include "skia/ext/platform_canvas.h" |
85 #include "url/url_constants.h" | 85 #include "url/url_constants.h" |
86 | 86 |
87 namespace content { | 87 namespace content { |
88 namespace { | 88 namespace { |
89 | 89 |
| 90 // Determine if the current page and the destination page could belong to the |
| 91 // same origin, in the given |rfh|. This is useful in cases like in-page |
| 92 // navigations that can't be cross-origin, but may look cross-origin at first |
| 93 // glance in some cases (e.g., about:blank to a web URL, or file:// to web URL |
| 94 // when universal access is granted to files). |
| 95 // |
| 96 // To resolve these, we can use url::Origin to ensure the actual origin isn't |
| 97 // changing. However, we also fall back to GURL::GetOrigin() to let a current |
| 98 // and destination unique origin return true, since unique url::Origins don't |
| 99 // appear equal to themselves. |
| 100 // |
| 101 // TODO(creis): Clarify that this shouldn't be used to determine script access. |
| 102 bool CouldBeSameOrigin(const GURL& current_url, |
| 103 const url::Origin& current_origin, |
| 104 const GURL& dest_url, |
| 105 const url::Origin& dest_origin, |
| 106 const WebPreferences& prefs) { |
| 107 // We don't care if web security is disabled. |
| 108 if (!prefs.web_security_enabled) |
| 109 return true; |
| 110 |
| 111 // File URLs may have been granted universal access to any URL. |
| 112 if (prefs.allow_universal_access_from_file_urls && |
| 113 current_origin.scheme() == url::kFileScheme) |
| 114 return true; |
| 115 |
| 116 // It's possible for the URLs to look different but the url::Origins to match, |
| 117 // such as when about:blank inherits its origin from a web page. |
| 118 if (current_origin == dest_origin) |
| 119 return true; |
| 120 |
| 121 // For unique origins like data: URLs, they won't appear equal to themselves. |
| 122 // |
| 123 // TODO(creis): Data URLs to/from about:blank, which fail url::Origin check. |
| 124 // TODO(creis): Other unique origins that can do in-page, like data->data. |
| 125 // TODO(creis): This is bad for sandboxed iframe URLs. Only return true if |
| 126 // both url::Origins are unique. Test this. |
| 127 //if (current_url.GetOrigin() == dest_url.GetOrigin()) |
| 128 if (current_origin.unique() && dest_origin.unique()) |
| 129 return true; |
| 130 |
| 131 return false; |
| 132 } |
| 133 |
90 // Invoked when entries have been pruned, or removed. For example, if the | 134 // Invoked when entries have been pruned, or removed. For example, if the |
91 // current entries are [google, digg, yahoo], with the current entry google, | 135 // current entries are [google, digg, yahoo], with the current entry google, |
92 // and the user types in cnet, then digg and yahoo are pruned. | 136 // and the user types in cnet, then digg and yahoo are pruned. |
93 void NotifyPrunedEntries(NavigationControllerImpl* nav_controller, | 137 void NotifyPrunedEntries(NavigationControllerImpl* nav_controller, |
94 bool from_front, | 138 bool from_front, |
95 int count) { | 139 int count) { |
96 PrunedDetails details; | 140 PrunedDetails details; |
97 details.from_front = from_front; | 141 details.from_front = from_front; |
98 details.count = count; | 142 details.count = count; |
99 NotificationService::current()->Notify( | 143 NotificationService::current()->Notify( |
(...skipping 1199 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1299 | 1343 |
1300 // If the |nav_entry_id| is non-zero and matches an existing entry, this is | 1344 // If the |nav_entry_id| is non-zero and matches an existing entry, this is |
1301 // a history auto" navigation. Update the last committed index accordingly. | 1345 // a history auto" navigation. Update the last committed index accordingly. |
1302 // If we don't recognize the |nav_entry_id|, it might be either a pending | 1346 // If we don't recognize the |nav_entry_id|, it might be either a pending |
1303 // entry for a transfer or a recently pruned entry. We'll handle it below. | 1347 // entry for a transfer or a recently pruned entry. We'll handle it below. |
1304 if (entry_index != -1 && entry_index != last_committed_entry_index_) { | 1348 if (entry_index != -1 && entry_index != last_committed_entry_index_) { |
1305 // Make sure that a subframe commit isn't changing the main frame's | 1349 // Make sure that a subframe commit isn't changing the main frame's |
1306 // origin. Otherwise the renderer process may be confused, leading to a | 1350 // origin. Otherwise the renderer process may be confused, leading to a |
1307 // URL spoof. We can't check the path since that may change | 1351 // URL spoof. We can't check the path since that may change |
1308 // (https://crbug.com/373041). | 1352 // (https://crbug.com/373041). |
1309 if (GetLastCommittedEntry()->GetURL().GetOrigin() != | 1353 // RenderFrameHostImpl* main_frame = |
1310 GetEntryAtIndex(entry_index)->GetURL().GetOrigin()) { | 1354 // delegate_->GetFrameTree()->root()->current_frame_host(); |
| 1355 GURL dest_top_url = GetEntryAtIndex(entry_index)->GetURL(); |
| 1356 GURL current_top_url = GetLastCommittedEntry()->GetURL(); |
| 1357 GURL blank_url(url::kAboutBlankURL); |
| 1358 url::Origin current_origin = |
| 1359 delegate_->GetFrameTree()->root()->current_origin(); |
| 1360 |
| 1361 // Allow about:blank to be the current or destination origin, beyond the |
| 1362 // other checks in CouldBeSameOrigin. We can't verify the about:blank |
| 1363 // cases any more strictly, since we don't know the destination origin. |
| 1364 // TODO(creis): If we track url::Origin on NavigationEntry, we might be |
| 1365 // able to call IsUrlInPageNavigation here instead, to share code. |
| 1366 bool could_be_same_origin = |
| 1367 dest_top_url == blank_url || |
| 1368 // TODO(creis): This part isn't needed, due to the constructed origin. |
| 1369 //(current_top_url == blank_url && |
| 1370 // dest_top_url.GetOrigin() == GURL(current_origin.Serialize())) || |
| 1371 CouldBeSameOrigin(current_top_url, current_origin, |
| 1372 dest_top_url, url::Origin(dest_top_url), |
| 1373 rfh->GetRenderViewHost()->GetWebkitPreferences()); |
| 1374 if (!could_be_same_origin) { |
1311 bad_message::ReceivedBadMessage(rfh->GetProcess(), | 1375 bad_message::ReceivedBadMessage(rfh->GetProcess(), |
1312 bad_message::NC_AUTO_SUBFRAME); | 1376 bad_message::NC_AUTO_SUBFRAME); |
1313 } | 1377 } |
1314 | 1378 |
1315 // TODO(creis): Update the FrameNavigationEntry in --site-per-process. | 1379 // TODO(creis): Update the FrameNavigationEntry in --site-per-process. |
1316 last_committed_entry_index_ = entry_index; | 1380 last_committed_entry_index_ = entry_index; |
1317 DiscardNonCommittedEntriesInternal(); | 1381 DiscardNonCommittedEntriesInternal(); |
1318 return true; | 1382 return true; |
1319 } | 1383 } |
1320 } | 1384 } |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1390 // might Blink say that a navigation is in-page yet there be no last- | 1454 // might Blink say that a navigation is in-page yet there be no last- |
1391 // committed entry? | 1455 // committed entry? |
1392 if (!last_committed) | 1456 if (!last_committed) |
1393 return false; | 1457 return false; |
1394 last_committed_url = last_committed->GetURL(); | 1458 last_committed_url = last_committed->GetURL(); |
1395 } | 1459 } |
1396 | 1460 |
1397 WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences(); | 1461 WebPreferences prefs = rfh->GetRenderViewHost()->GetWebkitPreferences(); |
1398 const url::Origin& committed_origin = | 1462 const url::Origin& committed_origin = |
1399 rfhi->frame_tree_node()->current_origin(); | 1463 rfhi->frame_tree_node()->current_origin(); |
1400 bool is_same_origin = last_committed_url.is_empty() || | 1464 bool is_same_origin = CouldBeSameOrigin(last_committed_url, committed_origin, |
| 1465 url, origin, prefs); |
| 1466 /*last_committed_url.is_empty() || |
1401 // TODO(japhet): We should only permit navigations | 1467 // TODO(japhet): We should only permit navigations |
1402 // originating from about:blank to be in-page if the | 1468 // originating from about:blank to be in-page if the |
1403 // about:blank is the first document that frame loaded. | 1469 // about:blank is the first document that frame loaded. |
1404 // We don't have sufficient information to identify | 1470 // We don't have sufficient information to identify |
1405 // that case at the moment, so always allow about:blank | 1471 // that case at the moment, so always allow about:blank |
1406 // for now. | 1472 // for now. |
1407 last_committed_url == GURL(url::kAboutBlankURL) || | 1473 last_committed_url == GURL(url::kAboutBlankURL) || |
1408 last_committed_url.GetOrigin() == url.GetOrigin() || | 1474 last_committed_url.GetOrigin() == url.GetOrigin() || |
1409 committed_origin == origin || | 1475 committed_origin == origin || |
1410 !prefs.web_security_enabled || | 1476 !prefs.web_security_enabled || |
1411 (prefs.allow_universal_access_from_file_urls && | 1477 (prefs.allow_universal_access_from_file_urls && |
1412 committed_origin.scheme() == url::kFileScheme); | 1478 committed_origin.scheme() == url::kFileScheme);*/ |
1413 if (!is_same_origin && renderer_says_in_page) { | 1479 if (!is_same_origin && renderer_says_in_page) { |
1414 bad_message::ReceivedBadMessage(rfh->GetProcess(), | 1480 bad_message::ReceivedBadMessage(rfh->GetProcess(), |
1415 bad_message::NC_IN_PAGE_NAVIGATION); | 1481 bad_message::NC_IN_PAGE_NAVIGATION); |
1416 } | 1482 } |
1417 return is_same_origin && renderer_says_in_page; | 1483 return is_same_origin && renderer_says_in_page; |
1418 } | 1484 } |
1419 | 1485 |
1420 void NavigationControllerImpl::CopyStateFrom( | 1486 void NavigationControllerImpl::CopyStateFrom( |
1421 const NavigationController& temp) { | 1487 const NavigationController& temp) { |
1422 const NavigationControllerImpl& source = | 1488 const NavigationControllerImpl& source = |
(...skipping 644 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2067 } | 2133 } |
2068 } | 2134 } |
2069 } | 2135 } |
2070 | 2136 |
2071 void NavigationControllerImpl::SetGetTimestampCallbackForTest( | 2137 void NavigationControllerImpl::SetGetTimestampCallbackForTest( |
2072 const base::Callback<base::Time()>& get_timestamp_callback) { | 2138 const base::Callback<base::Time()>& get_timestamp_callback) { |
2073 get_timestamp_callback_ = get_timestamp_callback; | 2139 get_timestamp_callback_ = get_timestamp_callback; |
2074 } | 2140 } |
2075 | 2141 |
2076 } // namespace content | 2142 } // namespace content |
OLD | NEW |