Index: content/browser/loader/resource_dispatcher_host_impl.cc |
diff --git a/content/browser/loader/resource_dispatcher_host_impl.cc b/content/browser/loader/resource_dispatcher_host_impl.cc |
index d2d0bc1b9e5bfc3cb0b78e5ffbf2ac3215cc6c1a..87f1b739cf1fa9000fab97a560b773d4723aa3ec 100644 |
--- a/content/browser/loader/resource_dispatcher_host_impl.cc |
+++ b/content/browser/loader/resource_dispatcher_host_impl.cc |
@@ -1887,10 +1887,20 @@ void ResourceDispatcherHostImpl::BeginSaveFile(const GURL& url, |
render_frame_route_id, false, context); |
extra_info->AssociateWithRequest(request.get()); // Request takes ownership. |
- std::unique_ptr<ResourceHandler> handler(new SaveFileResourceHandler( |
+ std::unique_ptr<SaveFileResourceHandler> handler(new SaveFileResourceHandler( |
request.get(), save_item_id, save_package_id, child_id, |
render_frame_route_id, url, save_file_manager_.get())); |
+ // Check if the renderer is permitted to request the requested URL. |
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(child_id, |
+ url)) { |
+ DVLOG(1) << "Denying unauthorized save of " << url.possibly_invalid_spec(); |
+ handler->MarkAsUnauthorized(); |
+ // We still begin request processing below (rather than returning here), |
+ // because we know MarkAsUnauthorized will cause the request to be |
mmenke
2016/07/27 18:55:59
nit (x2): Avoid "we" in comments, due to ambiguit
Łukasz Anforowicz
2016/07/27 19:16:50
Done :-)
|
+ // cancelled. See also doc comments for MarkAsUnauthorized. |
+ } |
+ |
BeginRequestInternal(std::move(request), std::move(handler)); |
} |