Index: content/browser/loader/resource_dispatcher_host_impl.cc |
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc |
index 11c590b98aa2bec8ae5c790b2321705d30bdfee8..6d86b06d47b3fa442ce52d6e0728716e1705740c 100644 |
--- a/content/browser/loader/resource_dispatcher_host_impl.cc |
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc |
@@ -1910,6 +1910,17 @@ void ResourceDispatcherHostImpl::BeginSaveFile(const GURL& url, |
request.get(), save_item_id, save_package_id, child_id, |
render_frame_route_id, url, save_file_manager_.get())); |
+ // Check if the renderer is permitted to request the requested URL. |
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(child_id, |
+ url)) { |
Łukasz Anforowicz
2016/06/18 00:37:20
This is based on a check done by ResourceDispatche
asanka
2016/06/20 20:24:18
Other things to check (you've probably got this co
Łukasz Anforowicz
2016/06/21 16:39:34
This sounds like something that can be tested via
asanka
2016/06/21 16:53:28
Yeah. From the same origin, source an image or som
Łukasz Anforowicz
2016/07/18 23:18:26
This was broken, but this seems to be a separate i
|
+ VLOG(1) << "Denied unauthorized save of " << url.possibly_invalid_spec(); |
+ handler->OnResponseCompleted( |
+ net::URLRequestStatus::FromError(net::ERR_ACCESS_DENIED), |
+ "", // |security_info|; ignored by SaveFileResourceHandler. |
+ nullptr); // |defer|; ignored by SaveFileResourceHandler. |
+ return; |
+ } |
+ |
BeginRequestInternal(std::move(request), std::move(handler)); |
} |