Chromium Code Reviews Chromium Code Reviews
Issue 2075273002:
Resource requests from Save-Page-As should go through CanRequestURL checks. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: content/browser/loader/resource_dispatcher_host_impl.cc |
| diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc |
| index 11c590b98aa2bec8ae5c790b2321705d30bdfee8..6d86b06d47b3fa442ce52d6e0728716e1705740c 100644 |
| --- a/content/browser/loader/resource_dispatcher_host_impl.cc |
| +++ b/content/browser/loader/resource_dispatcher_host_impl.cc |
| @@ -1910,6 +1910,17 @@ void ResourceDispatcherHostImpl::BeginSaveFile(const GURL& url, |
| request.get(), save_item_id, save_package_id, child_id, |
| render_frame_route_id, url, save_file_manager_.get())); |
| + // Check if the renderer is permitted to request the requested URL. |
| + if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(child_id, |
| + url)) { |
|
Łukasz Anforowicz
2016/06/18 00:37:20
This is based on a check done by ResourceDispatche
asanka
2016/06/20 20:24:18
Other things to check (you've probably got this co
Łukasz Anforowicz
2016/06/21 16:39:34
This sounds like something that can be tested via
asanka
2016/06/21 16:53:28
Yeah. From the same origin, source an image or som
Łukasz Anforowicz
2016/07/18 23:18:26
This was broken, but this seems to be a separate i
|
| + VLOG(1) << "Denied unauthorized save of " << url.possibly_invalid_spec(); |
| + handler->OnResponseCompleted( |
| + net::URLRequestStatus::FromError(net::ERR_ACCESS_DENIED), |
| + "", // |security_info|; ignored by SaveFileResourceHandler. |
| + nullptr); // |defer|; ignored by SaveFileResourceHandler. |
| + return; |
| + } |
| + |
| BeginRequestInternal(std::move(request), std::move(handler)); |
| } |
