M52: Merge "Reland: service worker: Don't control a subframe of an insecure context"

content/browser/service_worker/service_worker_provider_host.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/service_worker/service_worker_provider_host.h"
 
 #include <utility>
 
 #include "base/guid.h"
 #include "base/stl_util.h"
 #include "base/time/time.h"
 #include "content/browser/message_port_message_filter.h"
 #include "content/browser/service_worker/service_worker_context_core.h"
 #include "content/browser/service_worker/service_worker_context_request_handler.h"
 #include "content/browser/service_worker/service_worker_controllee_request_handler.h"
 #include "content/browser/service_worker/service_worker_dispatcher_host.h"
 #include "content/browser/service_worker/service_worker_handle.h"
 #include "content/browser/service_worker/service_worker_registration_handle.h"
 #include "content/browser/service_worker/service_worker_version.h"
 #include "content/common/resource_request_body.h"
 #include "content/common/service_worker/service_worker_messages.h"
 #include "content/common/service_worker/service_worker_types.h"
 #include "content/common/service_worker/service_worker_utils.h"
+#include "content/public/browser/content_browser_client.h"
 #include "content/public/common/browser_side_navigation_policy.h"
 #include "content/public/common/child_process_host.h"
+#include "content/public/common/content_client.h"
+#include "content/public/common/origin_util.h"
 
 namespace content {
 
 namespace {
 
 // PlzNavigate
 // Next ServiceWorkerProviderHost ID for navigations, starts at -2 and keeps
 // going down.
 int g_next_navigation_provider_id = -2;
 
@@ skipping 11 matching lines @@
 // static
 std::unique_ptr<ServiceWorkerProviderHost>
 ServiceWorkerProviderHost::PreCreateNavigationHost(
     base::WeakPtr<ServiceWorkerContextCore> context) {
   CHECK(IsBrowserSideNavigationEnabled());
   // Generate a new browser-assigned id for the host.
   int provider_id = g_next_navigation_provider_id--;
   return std::unique_ptr<ServiceWorkerProviderHost>(
       new ServiceWorkerProviderHost(
           ChildProcessHost::kInvalidUniqueID, MSG_ROUTING_NONE, provider_id,
-          SERVICE_WORKER_PROVIDER_FOR_WINDOW, context, nullptr));
+          SERVICE_WORKER_PROVIDER_FOR_WINDOW, FrameSecurityLevel::UNINITIALIZED,
+          context, nullptr));
 }
 
 ServiceWorkerProviderHost::ServiceWorkerProviderHost(
     int render_process_id,
     int route_id,
     int provider_id,
     ServiceWorkerProviderType provider_type,
+    FrameSecurityLevel parent_frame_security_level,
     base::WeakPtr<ServiceWorkerContextCore> context,
     ServiceWorkerDispatcherHost* dispatcher_host)
     : client_uuid_(base::GenerateGUID()),
       render_process_id_(render_process_id),
       route_id_(route_id),
       render_thread_id_(kDocumentMainThreadId),
       provider_id_(provider_id),
       provider_type_(provider_type),
+      parent_frame_security_level_(parent_frame_security_level),
       context_(context),
       dispatcher_host_(dispatcher_host),
       allow_association_(true) {
   DCHECK_NE(SERVICE_WORKER_PROVIDER_UNKNOWN, provider_type_);
-  DCHECK_NE(SERVICE_WORKER_PROVIDER_FOR_SANDBOXED_FRAME, provider_type_);
 
   // PlzNavigate
   CHECK(render_process_id != ChildProcessHost::kInvalidUniqueID ||
         IsBrowserSideNavigationEnabled());
 
   if (provider_type_ == SERVICE_WORKER_PROVIDER_FOR_CONTROLLER) {
     // Actual thread id is set when the service worker context gets started.
     render_thread_id_ = kInvalidEmbeddedWorkerThreadId;
   }
   context_->RegisterProviderHostByClientID(client_uuid_, this);
@@ skipping 17 matching lines @@
   for (const GURL& pattern : associated_patterns_)
     DecreaseProcessReference(pattern);
 }
 
 int ServiceWorkerProviderHost::frame_id() const {
   if (provider_type_ == SERVICE_WORKER_PROVIDER_FOR_WINDOW)
     return route_id_;
   return MSG_ROUTING_NONE;
 }
 
+bool ServiceWorkerProviderHost::IsContextSecureForServiceWorker() const {
+  // |document_url_| may be empty if loading has not begun, or
+  // ServiceWorkerRequestHandler didn't handle the load (because e.g. another
+  // handler did first, or the initial request URL was such that
+  // OriginCanAccessServiceWorkers returned false).
+  if (!document_url_.is_valid())
+    return false;
+  if (!OriginCanAccessServiceWorkers(document_url_))
+    return false;
+
+  if (is_parent_frame_secure())
+    return true;
+
+  std::set<std::string> schemes;
+  GetContentClient()->browser()->GetSchemesBypassingSecureContextCheckWhitelist(
+      &schemes);
+  return schemes.find(document_url().scheme()) != schemes.end();
+}
+
 void ServiceWorkerProviderHost::OnVersionAttributesChanged(
     ServiceWorkerRegistration* registration,
     ChangedVersionAttributesMask changed_mask,
     const ServiceWorkerRegistrationInfo& info) {
   if (!get_ready_callback_ || get_ready_callback_->called)
     return;
   if (changed_mask.active_changed() && registration->active_version()) {
     // Wait until the state change so we don't send the get for ready
     // registration complete message before set version attributes message.
     registration->active_version()->RegisterStatusChangeCallback(base::Bind(
@@ skipping 34 matching lines @@
   document_url_ = url;
 }
 
 void ServiceWorkerProviderHost::SetTopmostFrameUrl(const GURL& url) {
   topmost_frame_url_ = url;
 }
 
 void ServiceWorkerProviderHost::SetControllerVersionAttribute(
     ServiceWorkerVersion* version,
     bool notify_controllerchange) {
+  CHECK(!version || IsContextSecureForServiceWorker());
   if (version == controlling_version_.get())
     return;
 
   scoped_refptr<ServiceWorkerVersion> previous_version = controlling_version_;
   controlling_version_ = version;
   if (version)
     version->AddControllee(this);
   if (previous_version.get())
     previous_version->RemoveControllee(this);
 
@@ skipping 26 matching lines @@
 }
 
 bool ServiceWorkerProviderHost::IsProviderForClient() const {
   switch (provider_type_) {
     case SERVICE_WORKER_PROVIDER_FOR_WINDOW:
     case SERVICE_WORKER_PROVIDER_FOR_WORKER:
     case SERVICE_WORKER_PROVIDER_FOR_SHARED_WORKER:
       return true;
     case SERVICE_WORKER_PROVIDER_FOR_CONTROLLER:
       return false;
-    case SERVICE_WORKER_PROVIDER_FOR_SANDBOXED_FRAME:
     case SERVICE_WORKER_PROVIDER_UNKNOWN:
       NOTREACHED() << provider_type_;
   }
   NOTREACHED() << provider_type_;
   return false;
 }
 
 blink::WebServiceWorkerClientType ServiceWorkerProviderHost::client_type()
     const {
   switch (provider_type_) {
     case SERVICE_WORKER_PROVIDER_FOR_WINDOW:
       return blink::WebServiceWorkerClientTypeWindow;
     case SERVICE_WORKER_PROVIDER_FOR_WORKER:
       return blink::WebServiceWorkerClientTypeWorker;
     case SERVICE_WORKER_PROVIDER_FOR_SHARED_WORKER:
       return blink::WebServiceWorkerClientTypeSharedWorker;
     case SERVICE_WORKER_PROVIDER_FOR_CONTROLLER:
-    case SERVICE_WORKER_PROVIDER_FOR_SANDBOXED_FRAME:
     case SERVICE_WORKER_PROVIDER_UNKNOWN:
       NOTREACHED() << provider_type_;
   }
   NOTREACHED() << provider_type_;
   return blink::WebServiceWorkerClientTypeWindow;
 }
 
 void ServiceWorkerProviderHost::AssociateRegistration(
     ServiceWorkerRegistration* registration,
     bool notify_controllerchange) {
+  CHECK(IsContextSecureForServiceWorker());
   DCHECK(CanAssociateRegistration(registration));
   associated_registration_ = registration;
   AddMatchingRegistration(registration);
   SendAssociateRegistrationMessage();
   SetControllerVersionAttribute(registration->active_version(),
                                 notify_controllerchange);
 }
 
 void ServiceWorkerProviderHost::DisassociateRegistration() {
   queued_events_.clear();
   if (!associated_registration_.get())
     return;
   associated_registration_ = NULL;
   SetControllerVersionAttribute(NULL, false /* notify_controllerchange */);
 
   if (!dispatcher_host_)
     return;
 
   // Disassociation message should be sent only for controllees.
   DCHECK(IsProviderForClient());
   Send(new ServiceWorkerMsg_DisassociateRegistration(
       render_thread_id_, provider_id()));
 }
 
 void ServiceWorkerProviderHost::AddMatchingRegistration(
     ServiceWorkerRegistration* registration) {
   DCHECK(ServiceWorkerUtils::ScopeMatches(
         registration->pattern(), document_url_));
+  if (!IsContextSecureForServiceWorker())
+    return;
   size_t key = registration->pattern().spec().size();
   if (ContainsKey(matching_registrations_, key))
     return;
   IncreaseProcessReference(registration->pattern());
   registration->AddListener(this);
   matching_registrations_[key] = registration;
   ReturnRegistrationForReadyIfNeeded();
 }
 
 void ServiceWorkerProviderHost::RemoveMatchingRegistration(
@@ skipping 364 matching lines @@
       Send(new ServiceWorkerMsg_SetControllerServiceWorker(
           render_thread_id_, provider_id(),
           GetOrCreateServiceWorkerHandle(
               associated_registration_->active_version()),
           false /* shouldNotifyControllerChange */));
     }
   }
 }
 
 }  // namespace content