content/browser/frame_host/render_frame_host_impl.cc - Issue 2165783003: Grant permission to the base url when loadDataWithBaseURL is called.

Side by Side Diff: content/browser/frame_host/render_frame_host_impl.cc

Issue 2165783003: Grant permission to the base url when loadDataWithBaseURL is called. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « no previous file | no next file » | no next file with comments »

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/browser/frame_host/render_frame_host_impl.h"	5 #include "content/browser/frame_host/render_frame_host_impl.h"

6	6

7 #include <utility>	7 #include <utility>

8	8

9 #include "base/bind.h"	9 #include "base/bind.h"

10 #include "base/command_line.h"	10 #include "base/command_line.h"

(...skipping 2791 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2802	2802

2803 void RenderFrameHostImpl::UpdatePermissionsForNavigation(	2803 void RenderFrameHostImpl::UpdatePermissionsForNavigation(

2804 const CommonNavigationParams& common_params,	2804 const CommonNavigationParams& common_params,

2805 const RequestNavigationParams& request_params) {	2805 const RequestNavigationParams& request_params) {

2806 // Browser plugin guests are not allowed to navigate outside web-safe schemes,	2806 // Browser plugin guests are not allowed to navigate outside web-safe schemes,

2807 // so do not grant them the ability to request additional URLs.	2807 // so do not grant them the ability to request additional URLs.

2808 if (!GetProcess()->IsForGuestsOnly()) {	2808 if (!GetProcess()->IsForGuestsOnly()) {

2809 ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(	2809 ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(

2810 GetProcess()->GetID(), common_params.url);	2810 GetProcess()->GetID(), common_params.url);

2811 if (common_params.url.SchemeIs(url::kDataScheme) &&	2811 if (common_params.url.SchemeIs(url::kDataScheme) &&

2812 common_params.base_url_for_data_url.SchemeIs(url::kFileScheme)) {	2812 !common_params.base_url_for_data_url.is_empty()) {

2813 // If 'data:' is used, and we have a 'file:' base url, grant access to	2813 // Need to grant permission to the base url because bse url will be used

2814 // local files.	2814 // as the origin for font requests.
	Charlie Reis 2016/07/22 18:31:49 Let's update the comment, because CORS is not just Let's update the comment, because CORS is not just about font requests (and because the previous file: comment still applies). Something like: When there's a base URL specified for the data URL, we also need to grant access to the base URL. This allows file: and other unexpected schemes to be accepted at commit time and during CORS checks (e.g., for font requests). hush (inactive) 2016/07/26 02:42:54 Done. Show quoted text On 2016/07/22 18:31:49, Charlie Reis wrote: > Let's update the comment, because CORS is not just about font requests (and > because the previous file: comment still applies). Something like: > > When there's a base URL specified for the data URL, we also need to grant access > to the base URL. This allows file: and other unexpected schemes to be accepted > at commit time and during CORS checks (e.g., for font requests). Done.
2815 ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(	2815 ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(

2816 GetProcess()->GetID(), common_params.base_url_for_data_url);	2816 GetProcess()->GetID(), common_params.base_url_for_data_url);

2817 }	2817 }

2818 }	2818 }

2819	2819

2820 // We may be returning to an existing NavigationEntry that had been granted	2820 // We may be returning to an existing NavigationEntry that had been granted

2821 // file access. If this is a different process, we will need to grant the	2821 // file access. If this is a different process, we will need to grant the

2822 // access again. Abuse is prevented, because the files listed in the page	2822 // access again. Abuse is prevented, because the files listed in the page

2823 // state are validated earlier, when they are received from the renderer (in	2823 // state are validated earlier, when they are received from the renderer (in

2824 // RenderFrameHostImpl::CanAccessFilesOfPageState).	2824 // RenderFrameHostImpl::CanAccessFilesOfPageState).

(...skipping 133 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
2958 // handler after it's destroyed so it can't run after the RFHI is destroyed.	2958 // handler after it's destroyed so it can't run after the RFHI is destroyed.

2959 web_bluetooth_service_->SetClientConnectionErrorHandler(base::Bind(	2959 web_bluetooth_service_->SetClientConnectionErrorHandler(base::Bind(

2960 &RenderFrameHostImpl::DeleteWebBluetoothService, base::Unretained(this)));	2960 &RenderFrameHostImpl::DeleteWebBluetoothService, base::Unretained(this)));

2961 }	2961 }

2962	2962

2963 void RenderFrameHostImpl::DeleteWebBluetoothService() {	2963 void RenderFrameHostImpl::DeleteWebBluetoothService() {

2964 web_bluetooth_service_.reset();	2964 web_bluetooth_service_.reset();

2965 }	2965 }

2966	2966

2967 } // namespace content	2967 } // namespace content

OLD	NEW