Avoid using ContentBrowserClient::IsIllegalOrigin in ResourceDispatcherHost.

content/browser/loader/resource_dispatcher_host_impl.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This is the browser side of the resource dispatcher, it receives requests
 // from the child process (i.e. [Renderer, Plugin, Worker]ProcessHost), and
 // dispatches them to URLRequests. It then forwards the messages from the
 // URLRequests back to the correct process for handling.
 //
 // See http://dev.chromium.org/developers/design-documents/multi-process-resource-loading
@@ skipping 89 matching lines @@
       RenderFrameHost* root_frame_host);
 
   // Cancels any blocked request for the frame and its subframes.
   static void CancelBlockedRequestsForFrameFromUI(
       RenderFrameHostImpl* root_frame_host);
 
   // ResourceDispatcherHost implementation:
   void SetDelegate(ResourceDispatcherHostDelegate* delegate) override;
   void SetAllowCrossOriginAuthPrompt(bool value) override;
   void ClearLoginDelegateForRequest(net::URLRequest* request) override;
-
+  void AddSchemeForAccessCheck(const std::string& scheme) override;
+  void RegisterOriginForAccessChecks(
+      const ResourceContext* context,
+      const std::string& origin,
+      OriginAccessCheckMask access_check_mask) override;
+  void UnregisterOriginForAccessChecks(const ResourceContext* context,
+                                       const std::string& origin) override;
+  void AddProcessForOrigin(const ResourceContext* context,
+                           const std::string& origin,
+                           int process_id,
+                           bool owner_proces) override;
+  void RemoveProcessForOrigin(const ResourceContext* context,
+                              const std::string& origin,
+                              int process_id,
+                              bool owner_process) override;
   // Puts the resource dispatcher host in an inactive state (unable to begin
   // new requests).  Cancels all pending requests.
   void Shutdown();
 
   // Force cancels any pending requests for the given |context|. This is
   // necessary to ensure that before |context| goes away, all requests
   // for it are dead.
   void CancelRequestsForContext(ResourceContext* context);
 
   // Returns true if the message was a resource message that was processed.
@@ skipping 164 matching lines @@
   // Turns on stale-while-revalidate support, regardless of command-line flags
   // or experiment status. For unit tests only.
   void EnableStaleWhileRevalidateForTesting();
 
   // Sets the LoaderDelegate, which must outlive this object. Ownership is not
   // transferred. The LoaderDelegate should be interacted with on the IO thread.
   void SetLoaderDelegate(LoaderDelegate* loader_delegate);
 
   void OnRenderFrameDeleted(const GlobalFrameRoutingId& global_routing_id);
 
+  // Checks whether the child process identified by |child_process_id| is
+  // allowed to access the |origin| and returns true if not.
+  // 1. If the |origin| scheme is not registered then it is allowed.
+  // 2. If the |origin| host is not registered, then it is denied.
+  // 3. If the |child_process_id| is in the list of owner processes for the
+  //    |origin| it is allowed. Please see OriginAccessInfo defined above for

[Charlie Reis, 2016/08/09 02:07:48]

nit: Below?

+  //    more information.
+  // 4. If the origin access mask is DENY_FOR_NON_OWNERS it is denied.
+  // 5. If the origin access mask is ALLOW_EVERYTHING it is allowed.
+  // 6. If the |child_process_id| is in the list of other processes for the
+  //    |origin| and there are publicly available resources it is allowed.

[Charlie Reis, 2016/08/09 02:07:48]

Hmm.  This is hard to understand in the abstract without having extension
concepts to map it to, which also makes it hard to reason about whether the
policy is the same as before (or if it's correct).

Do we have a sense for whether it will be possible in general to completely
avoid having extension code in the network process?  I'm wondering if it would
be easier to have a similar ContentClient structure in that process where we can
call out to the embedder and let it answer questions like this in context.

Would that be a worse tradeoff?  I'm just trying to brainstorm ways to make this
easier to understand, since this abstract mapping is hard (and may be hard to
maintain as we eliminate or change the corner cases in the extension code
itself).

+  //    Please see OriginAccessInfo defined above for more information.
+  // 5. Deny if all checks above fail.
+  bool IsIllegalOrigin(ResourceContext* context,
+                       const GURL& origin,
+                       int child_process_id);
+
  private:
   friend class ResourceDispatcherHostTest;
 
   FRIEND_TEST_ALL_PREFIXES(ResourceDispatcherHostTest,
                            TestBlockedRequestsProcessDies);
   FRIEND_TEST_ALL_PREFIXES(ResourceDispatcherHostTest,
                            CalculateApproximateMemoryCost);
   FRIEND_TEST_ALL_PREFIXES(ResourceDispatcherHostTest,
                            DetachableResourceTimesOut);
   FRIEND_TEST_ALL_PREFIXES(ResourceDispatcherHostTest,
@@ skipping 13 matching lines @@
   struct LoadInfo {
     GURL url;
     net::LoadStateWithParam load_state;
     uint64_t upload_position;
     uint64_t upload_size;
   };
 
   // Map from ProcessID+RouteID pair to the "most interesting" LoadState.
   typedef std::map<GlobalRoutingID, LoadInfo> LoadInfoMap;
 
+  // Contains information about an origin which is used for access checks. This
+  // means whether a process committing a URL is allowed to do so. We determine
+  // this based on whether the process has been registered for the origin.
+  // We maintain two maps
+  // 1. A map of owner processes. These are allowed to commit the URL even if
+  //    there are no publicly accessible resources.
+  // 2. A map of other processes. These are allowed to commit the URL only if
+  //    there are public resources.
+  struct OriginAccessInfo {
+    // This structure is complicated enough for clang to require the ctors to
+    // be explicitly defined in the cc file.
+    OriginAccessInfo();
+    ~OriginAccessInfo();
+    OriginAccessInfo(const OriginAccessInfo& other);
+
+    // Controls which can processes can commit the origin.
+    // By default owners can commit everything.
+    OriginAccessCheckMask access_check_mask;
+    // A process may be reused across multiple SiteInstances or routing ids.
+    // This means that a process could be added and removed multiple times for
+    // an origin via the AddProcessForOrigin() an RemoveProcessForOrigin()
+    // methods. To ensure that this works correctly we maintain a map of
+    // process id to refcount. The process id is removed from the map when the
+    // refcount drops to 0.
+    std::map<int, int> owner_processes;
+    std::map<int, int> other_processes;
+  };
+
+  // Map from the origin host (std::string) to the OriginAccessInfo structure
+  // defined above.
+  // This map is per ResourceContext.
+  typedef std::map<std::string, OriginAccessInfo> OriginAccessInfoMap;
+
+  typedef std::map<const ResourceContext*,
+                   std::unique_ptr<OriginAccessInfoMap>>
+      ResourceContextOriginMap;
+
   // ResourceLoaderDelegate implementation:
   ResourceDispatcherHostLoginDelegate* CreateLoginDelegate(
       ResourceLoader* loader,
       net::AuthChallengeInfo* auth_info) override;
   bool HandleExternalProtocol(ResourceLoader* loader, const GURL& url) override;
   void DidStartRequest(ResourceLoader* loader) override;
   void DidReceiveRedirect(ResourceLoader* loader, const GURL& new_url) override;
   void DidReceiveResponse(ResourceLoader* loader) override;
   void DidFinishLoading(ResourceLoader* loader) override;
   std::unique_ptr<net::ClientCertStore> CreateClientCertStore(
@@ skipping 192 matching lines @@
   // The certificate on a ResourceResponse is associated with a
   // particular renderer process. As a transfer to a new process
   // completes, the stored certificate has to be updated to reflect the
   // new renderer process.
   void UpdateResponseCertificateForTransfer(ResourceResponse* response,
                                             const net::SSLInfo& ssl_info,
                                             int child_id);
 
   CertStore* GetCertStore();
 
+  // Returns the OriginAccessInfoMap instance for the |context| passed in. This
+  // map is used to enforce access checks on web requests for some origins.
+  OriginAccessInfoMap* GetOriginAccessMapForResourceContext(
+      const ResourceContext* context);
+
   LoaderMap pending_loaders_;
 
   // Collection of temp files downloaded for child processes via
   // the download_to_file mechanism. We avoid deleting them until
   // the client no longer needs them.
   typedef std::map<int, scoped_refptr<storage::ShareableFileReference> >
       DeletableFilesMap;  // key is request id
   typedef std::map<int, DeletableFilesMap>
       RegisteredTempFiles;  // key is child process id
   RegisteredTempFiles registered_temp_files_;
@@ skipping 74 matching lines @@
   typedef std::map<GlobalRequestID,
                    base::ObserverList<ResourceMessageDelegate>*> DelegateMap;
   DelegateMap delegate_map_;
 
   std::unique_ptr<ResourceScheduler> scheduler_;
 
   // Allows tests to use a mock CertStore. If set, the CertStore must
   // outlive this ResourceDispatcherHostImpl.
   CertStore* cert_store_for_testing_;
 
+  // Used to check whether a request to retrieve an origin resource is allowed.
+  // This is only done for origins which are to be checked for access.
+  ResourceContextOriginMap context_origin_access_info_map_;
+
+  // This contains the set of origins we need to enforce access checks on. By
+  // default everything is allowed.
+  std::set<std::string> origins_for_access_check_;
+
   DISALLOW_COPY_AND_ASSIGN(ResourceDispatcherHostImpl);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_BROWSER_LOADER_RESOURCE_DISPATCHER_HOST_IMPL_H_