Chromium Code Reviews
Help | Chromium Project | Gerrit Changes | Sign in
(13)

Issue 2075273002: Resource requests from Save-Page-As should go through CanRequestURL checks. (Closed)

Created:
2 years, 11 months ago by Łukasz Anforowicz
Modified:
2 years, 10 months ago
CC:
asanka, chromium-reviews, darin-cc_chromium.org, jam, loading-reviews_chromium.org, rginda+watch_chromium.org, site-isolation-reviews_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Resource requests from Save-Page-As should go through CanRequestURL checks. This CL: - Added checks to ResourceDispatcherHostImpl::BeginSaveFile to verify if the renderer process is authorized to access a given resource. - Removed separate code path for file: URIs that used to be implemented in SaveFileManager::SaveLocalFile. Avoiding a separate code path helps consolidate all authorization checks in one place. BUG=616429 Committed: https://crrev.com/eff8e457298d01b437e4fd78194ad6de3c8d7ad6 Cr-Commit-Position: refs/heads/master@{#408235}

Patch Set 1 #

Total comments: 17

Patch Set 2 : Attribute save-item-related network requests to the right frame. #

Patch Set 3 : Revert changes that unnecessarily break legitimate cases. #

Patch Set 4 : Add test that saving from a local file continues to work (despite removal of SaveFileManager::SaveL… #

Patch Set 5 : Rebasing... #

Patch Set 6 : Updated docs. #

Total comments: 10

Patch Set 7 : Tried addressing CR feedback from rdsmith@ and mmenke@. #

Patch Set 8 : Fixed accuracy of the frame-counting-comment in the browser test. #

Patch Set 9 : Using ResourceLoader to cancel unauthorized resource request. #

Patch Set 10 : Cancelling the request via SaveFileResourceHandler::MarkAsUnauthorized. #

Patch Set 11 : Rebasing... #

Total comments: 2

Patch Set 12 : Added comments + added DCHECK(!is_pending) to MarkAsUnauthorized. #

Total comments: 2

Patch Set 13 : Replace MarkAsUnauthorized with constructor argument. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+202 lines, -106 lines) Patch
M chrome/browser/download/save_page_browsertest.cc View 1 2 3 4 5 6 7 8 9 10 11 12 4 chunks +82 lines, -21 lines 0 comments Download
M chrome/test/data/save_page/frames-objects.htm View 1 2 3 1 chunk +6 lines, -0 lines 0 comments Download
A chrome/test/data/save_page/text.txt View 1 2 3 1 chunk +1 line, -0 lines 0 comments Download
A chrome/test/data/save_page/unauthorized-access.htm View 1 chunk +16 lines, -0 lines 0 comments Download
M content/browser/download/docs/save-page-as.md View 1 2 3 4 5 6 7 8 9 10 3 chunks +5 lines, -6 lines 0 comments Download
M content/browser/download/save_file_manager.cc View 2 chunks +0 lines, -36 lines 0 comments Download
M content/browser/download/save_file_resource_handler.h View 1 2 3 4 5 6 7 8 9 10 11 12 2 chunks +16 lines, -1 line 0 comments Download
M content/browser/download/save_file_resource_handler.cc View 1 2 3 4 5 6 7 8 9 10 11 12 5 chunks +17 lines, -9 lines 0 comments Download
M content/browser/download/save_item.h View 1 3 chunks +11 lines, -2 lines 0 comments Download
M content/browser/download/save_item.cc View 1 2 3 4 5 6 7 8 9 10 1 chunk +3 lines, -1 line 0 comments Download
M content/browser/download/save_package.cc View 1 2 3 4 5 chunks +30 lines, -25 lines 0 comments Download
M content/browser/download/save_types.h View 1 chunk +0 lines, -3 lines 0 comments Download
M content/browser/loader/resource_dispatcher_host_impl.cc View 1 2 3 4 5 6 7 8 9 10 11 12 1 chunk +15 lines, -2 lines 0 comments Download

Messages

Total messages: 38 (12 generated)
Łukasz Anforowicz
Asanka, can you please take a look? I am not quite sure if this CL ...
2 years, 11 months ago (2016-06-18 00:37:20 UTC) #2
asanka
https://codereview.chromium.org/2075273002/diff/1/chrome/test/data/save_page/unauthorized-access.htm File chrome/test/data/save_page/unauthorized-access.htm (right): https://codereview.chromium.org/2075273002/diff/1/chrome/test/data/save_page/unauthorized-access.htm#newcode16 chrome/test/data/save_page/unauthorized-access.htm:16: </html> On 2016/06/18 at 00:37:20, Łukasz Anforowicz wrote: > ...
2 years, 11 months ago (2016-06-20 20:24:19 UTC) #4
Łukasz Anforowicz
Thanks for the feedback. I haven't been able to address all of your feedback (the ...
2 years, 11 months ago (2016-06-21 16:39:34 UTC) #5
asanka
https://codereview.chromium.org/2075273002/diff/1/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/2075273002/diff/1/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1915 content/browser/loader/resource_dispatcher_host_impl.cc:1915: url)) { On 2016/06/21 at 16:39:34, Łukasz (vacation till ...
2 years, 11 months ago (2016-06-21 16:53:28 UTC) #6
Łukasz Anforowicz
I've investigated tests suggested in the earlier CR feedback - please see my responses below. ...
2 years, 10 months ago (2016-07-18 23:18:27 UTC) #7
Łukasz Anforowicz
Randy, could you please take a look? (Asanka left quite a few good comments, but ...
2 years, 10 months ago (2016-07-18 23:21:52 UTC) #9
Randy Smith (Not in Mondays)
Pretty much only nits below. Just in case our timing doesn't work out and I ...
2 years, 10 months ago (2016-07-21 19:29:54 UTC) #10
mmenke
https://codereview.chromium.org/2075273002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/2075273002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1897 content/browser/loader/resource_dispatcher_host_impl.cc:1897: nullptr); // |defer|; ignored by SaveFileResourceHandler. This seems kind ...
2 years, 10 months ago (2016-07-21 19:38:43 UTC) #12
Randy Smith (Not in Mondays)
https://codereview.chromium.org/2075273002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/2075273002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1897 content/browser/loader/resource_dispatcher_host_impl.cc:1897: nullptr); // |defer|; ignored by SaveFileResourceHandler. On 2016/07/21 19:38:43, ...
2 years, 10 months ago (2016-07-21 19:52:53 UTC) #13
Łukasz Anforowicz
mmenke@ + rdsmith@, can you take another look please? https://codereview.chromium.org/2075273002/diff/100001/chrome/browser/download/save_page_browsertest.cc File chrome/browser/download/save_page_browsertest.cc (right): https://codereview.chromium.org/2075273002/diff/100001/chrome/browser/download/save_page_browsertest.cc#newcode1066 chrome/browser/download/save_page_browsertest.cc:1066: ...
2 years, 10 months ago (2016-07-21 23:44:31 UTC) #14
mmenke
https://codereview.chromium.org/2075273002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/2075273002/diff/100001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1897 content/browser/loader/resource_dispatcher_host_impl.cc:1897: nullptr); // |defer|; ignored by SaveFileResourceHandler. On 2016/07/21 23:44:30, ...
2 years, 10 months ago (2016-07-22 00:12:16 UTC) #15
Łukasz Anforowicz
mmenke@, could you please take another look? I have little confidence in the latest changes ...
2 years, 10 months ago (2016-07-22 18:10:45 UTC) #16
mmenke
On 2016/07/22 18:10:45, Łukasz Anforowicz wrote: > mmenke@, could you please take another look? I ...
2 years, 10 months ago (2016-07-22 18:18:06 UTC) #17
mmenke
On 2016/07/22 18:10:45, Łukasz Anforowicz wrote: > mmenke@, could you please take another look? I ...
2 years, 10 months ago (2016-07-22 18:35:23 UTC) #19
Łukasz Anforowicz
On 2016/07/22 18:35:23, mmenke wrote: > On 2016/07/22 18:10:45, Łukasz Anforowicz wrote: > > mmenke@, ...
2 years, 10 months ago (2016-07-22 19:31:47 UTC) #20
mmenke
On 2016/07/22 19:31:47, Łukasz Anforowicz wrote: > On 2016/07/22 18:35:23, mmenke wrote: > > On ...
2 years, 10 months ago (2016-07-22 19:49:10 UTC) #21
Randy Smith (Not in Mondays)
On 2016/07/22 19:49:10, mmenke wrote: > On 2016/07/22 19:31:47, Łukasz Anforowicz wrote: > > On ...
2 years, 10 months ago (2016-07-23 14:10:56 UTC) #22
mmenke
Sorry for the delay. SaveFileResourceHandler and content/browser/loader LGTM. I made two suggestions, but don't think ...
2 years, 10 months ago (2016-07-27 14:45:19 UTC) #23
Łukasz Anforowicz
On 2016/07/27 14:45:19, mmenke wrote: > Sorry for the delay. No worries. Thanks for the ...
2 years, 10 months ago (2016-07-27 18:48:02 UTC) #24
mmenke
On 2016/07/27 18:48:02, Łukasz Anforowicz wrote: > On 2016/07/27 14:45:19, mmenke wrote: > > Sorry ...
2 years, 10 months ago (2016-07-27 18:54:18 UTC) #25
mmenke
Still LGTM https://codereview.chromium.org/2075273002/diff/220001/content/browser/loader/resource_dispatcher_host_impl.cc File content/browser/loader/resource_dispatcher_host_impl.cc (right): https://codereview.chromium.org/2075273002/diff/220001/content/browser/loader/resource_dispatcher_host_impl.cc#newcode1900 content/browser/loader/resource_dispatcher_host_impl.cc:1900: // because we know MarkAsUnauthorized will cause ...
2 years, 10 months ago (2016-07-27 18:55:59 UTC) #26
Łukasz Anforowicz
On 2016/07/27 18:54:18, mmenke wrote: https://codereview.chromium.org/2075273002/diff/200001/content/browser/download/save_file_resource_handler.h#newcode76 > > > content/browser/download/save_file_resource_handler.h:76: void > > > MarkAsUnauthorized() ...
2 years, 10 months ago (2016-07-27 19:16:51 UTC) #27
mmenke
On 2016/07/27 19:16:51, Łukasz Anforowicz wrote: > On 2016/07/27 18:54:18, mmenke wrote: > https://codereview.chromium.org/2075273002/diff/200001/content/browser/download/save_file_resource_handler.h#newcode76 > ...
2 years, 10 months ago (2016-07-27 19:40:53 UTC) #30
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2075273002/240001
2 years, 10 months ago (2016-07-27 20:20:29 UTC) #35
commit-bot: I haz the power
Committed patchset #13 (id:240001)
2 years, 10 months ago (2016-07-27 21:03:42 UTC) #36
commit-bot: I haz the power
2 years, 10 months ago (2016-07-27 21:05:09 UTC) #38
Message was sent while issue was closed.
Patchset 13 (id:??) landed as
https://crrev.com/eff8e457298d01b437e4fd78194ad6de3c8d7ad6
Cr-Commit-Position: refs/heads/master@{#408235}

Powered by Google App Engine
This is Rietveld 408576698