OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. Use | |
2 // of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #ifndef WEBKIT_CHILD_SITE_ISOLATION_POLICY_H_ | |
6 #define WEBKIT_CHILD_SITE_ISOLATION_POLICY_H_ | |
7 | |
8 #include <map> | |
9 #include <utility> | |
10 | |
11 #include "base/gtest_prod_util.h" | |
12 #include "third_party/WebKit/public/web/WebFrame.h" | |
13 #include "third_party/WebKit/public/platform/WebURLRequest.h" | |
14 #include "third_party/WebKit/public/platform/WebURLResponse.h" | |
15 #include "webkit/child/webkit_child_export.h" | |
16 | |
17 using WebKit::WebFrame; | |
18 using WebKit::WebURLResponse; | |
19 using WebKit::WebURLRequest; | |
20 | |
21 namespace webkit_glue { | |
22 | |
23 // |SiteIsolationPolicy| implements the cross-site document blocking | |
Charlie Reis
2013/08/13 00:53:19
nit: No |'s needed around the class name here or b
dsjang
2013/08/13 20:54:48
Done.
| |
24 // policy (XSDP) for Site Isolation. XSDP will monitor network | |
Charlie Reis
2013/08/13 00:53:19
nit: Please use a space before open parens in comm
dsjang
2013/08/13 20:54:48
Done.
| |
25 // responses to a renderer and block illegal responses so that a | |
Charlie Reis
2013/08/13 00:53:19
nit: blocks -> block
dsjang
2013/08/13 20:54:48
Done.
| |
26 // compromised renderer cannot steal private information from other | |
27 // sites. For now |SiteIsolationPolicy| monitors responses to gather | |
28 // various UMA stats to see the compatibility impact of actual | |
29 // deployment of the policy. The UMA stat categories | |
30 // |SiteIsolationPolicy| gathers are as follows: | |
Charlie Reis
2013/08/13 00:53:19
Part of this can fit on the previous line, right?
dsjang
2013/08/13 20:54:48
Done.
| |
31 // | |
32 // SiteIsolation.AllResponses : # of all network responses | |
Charlie Reis
2013/08/13 00:53:19
nit: End with a period.
dsjang
2013/08/13 20:54:48
Done.
| |
33 // SiteIsolation.XSD.DataLength : the length of the first packet of a response. | |
34 // SiteIsolation.XSD.MimeType (enum): | |
35 // # of responses from other sites, tagged with a document mime type. | |
36 // 0:HTML, 1:XML, 2:JSON, 3:Plain, 4:Others | |
37 // SiteIsolation.XSD.[%MIMETYPE].Blocked : | |
38 // # of cross-site document responses blocked by [%MIMETYPE] sniffing. | |
Charlie Reis
2013/08/13 00:53:19
nit: extra space after "of"
nit: responses grouped
dsjang
2013/08/13 20:54:48
Done.
| |
39 // SiteIsolation.XSD.[%MIMETYPE].Blocked.RenderableStatusCode : | |
40 // # of responses with renderable status code, | |
41 // out of SiteIsolation.XSD.[%MIMETYPE].Blocked | |
Charlie Reis
2013/08/13 00:53:19
nit: End with a period, here and below.
dsjang
2013/08/13 20:54:48
Done.
| |
42 // SiteIsolation.XSD.[%MIMETYPE].Blocked.NotRenderableStatusCode : | |
Charlie Reis
2013/08/13 00:53:19
NonRenderableStatusCode
dsjang
2013/08/13 20:54:48
Done.
| |
43 // # of responses with not renderable status code, | |
Charlie Reis
2013/08/13 00:53:19
with a non-renderable
dsjang
2013/08/13 20:54:48
Done.
| |
44 // out of SiteIsolation.XSD.[%MIMETYPE].Blocked | |
45 // SiteIsolation.XSD.[%MIMETYPE].NotBlocked | |
Charlie Reis
2013/08/13 00:53:19
nit: End with a colon, here and for the MaybeJS ca
dsjang
2013/08/13 20:54:48
Done.
| |
46 // # of XSD responses, but not blocked due to failure of mime sniffing. | |
47 // SiteIsolation.XSD.[%MIMETYPE].NotBlocked.MaybeJS | |
48 // # of responses sniffed as JS, out of SiteIsolation.XSD.[%MIMETYPE].NotBlocked. | |
Charlie Reis
2013/08/13 00:53:19
I think there's a word missing here. # of respons
dsjang
2013/08/13 20:54:48
Done.
| |
49 | |
50 struct ResponseMetaData { | |
51 | |
52 enum CanonicalMimeType { | |
53 HTML = 0, | |
54 XML = 1, | |
55 JSON = 2, | |
56 Plain = 3, | |
57 Others = 4, | |
58 MaxCanonicalMimeType, | |
59 }; | |
60 | |
61 static const char* CanonicalMimeTypeToString(CanonicalMimeType mime_type) { | |
62 const char* mime_type_names[] = {"HTML", "XML", "JSON", "Plain", "Others"}; | |
63 return mime_type_names[mime_type]; | |
64 }; | |
65 | |
66 static const char* TargetTypeToString(WebURLRequest::TargetType target_type) { | |
67 const char* target_type_names[] = { | |
68 "MainFrame", "Subframe", "Subresource", "StyleSheet", "Script", | |
69 "FontResource", "Image", "Object", "Media", "Worker", "SharedWorker", | |
70 "Prefetch", "Favicon", "XHR", "TextTrack", "Unspecified"}; | |
71 return target_type_names[target_type]; | |
72 }; | |
73 | |
74 ResponseMetaData(); | |
75 | |
76 std::string frame_origin; | |
77 std::string response_url; | |
78 unsigned request_identifier; | |
79 WebURLRequest::TargetType target_type; | |
80 CanonicalMimeType canonical_mime_type; | |
81 int http_status_code; | |
82 }; | |
83 | |
// Request identifier -> target type registered for that request.
typedef std::map<unsigned, WebURLRequest::TargetType> TargetTypeMap;
// Response url (stored as a string) -> bookkeeping data of that response.
typedef std::map<std::string, ResponseMetaData> UrlResponseMetaDataMap;
// Response identifier -> url of that response (stored as a string).
typedef std::map<unsigned, std::string> IdUrlMap;
Charlie Reis
2013/08/13 00:53:19
Converting a GURL to a string can lose information
dsjang
2013/08/13 20:54:48
Done.
| |
87 | |
88 class WEBKIT_CHILD_EXPORT SiteIsolationPolicy { | |
89 public: | |
  // Registers |target_type| for the request identified by |identifier|.
  // When an HTTP redirection happens, this function is called multiple
  // times with the same |identifier|. Because of that redirection
  // behavior, |target_type| is not relied on to decide whether a request
  // is a navigation.
  static void WillSendRequest(unsigned identifier,
                              WebURLRequest::TargetType target_type);
97 | |
98 // Registers the header information of |response|. This function | |
99 // obtains the target_type set by |WillSendRequest|. We have to make | |
100 // sure to call either | |
101 // SiteIsolationPolicy::DidFinishResourceLoad(identifier) or | |
102 // SiteIsolationPolicy::DidFinishResourceLoadForUrl(response.url()) | |
103 // to free the bookkeeping data. | |
104 // TODO(dsjang): There's a possibility that two distinct responses | |
105 // (identified by different identifiers) are from the same url, and | |
106 // this results in overwriting one of the two responses' bookkeeping | |
107 // data. For example, when there are <iframe src="urlA" /> and <img | |
108 // src="urlA"> on the same page, there will be two calls of | |
Charlie Reis
2013/08/13 00:53:19
nit: they -> there
dsjang
2013/08/13 20:54:48
Done.
| |
109 // |DidReceiveResponse| with the same url, but different | |
110 // identifiers. This can deteriorate our UMA data. Even though we | |
111 // expect that this rarely happens, find a way to use identifier | |
112 // throughout the entire HTTP transaction here. | |
113 static void DidReceiveResponse(WebFrame* frame, | |
114 unsigned identifier, | |
115 const WebURLResponse& response); | |
116 | |
  // Examines the first network packet of a response, in case
  // |response_url| was registered as a cross-site document by
  // DidReceiveResponse(), and records various kinds of UMA stats about it.
  // This function is called only if the length of the received data is
  // non-zero.
  // NOTE(review): |response_url| is taken by non-const reference here,
  // while DidFinishResourceLoadForUrl() takes a const reference;
  // presumably this parameter is not modified and could be const as well
  // -- confirm against the definition.
  static void DidReceiveData(const char* payload,
                             int length,
                             WebKit::WebURL& response_url);
124 | |
125 // TODO(dsjang): Either of the following two functions must be | |
126 // called at the end of the transaction. WebURLLoaderImpl::didReceivedData() | |
Charlie Reis
2013/08/13 00:53:19
typo: thetransaction
dsjang
2013/08/13 20:54:48
Done.
| |
127 // is not a place where this can be called since it is not | |
128 // guaranteed that the function is called in case of network | |
129 // error. Instead, RenderFrameImpl::didFinishResourceLoad(identifier) and | |
130 // didFailLoad() are used for successful loading and failed loading, | |
131 // respectively. | |
132 static void DidFinishResourceLoad(unsigned identifier); | |
133 | |
  // Does the same thing as DidFinishResourceLoad(), but the finished
  // response is identified by |response_url| instead of by its identifier.
  static void DidFinishResourceLoadForUrl(const WebKit::WebURL& response_url);
137 | |
138 private: | |
139 | |
Charlie Reis
2013/08/13 00:53:19
nit: No blank line here.
dsjang
2013/08/13 20:54:48
Done.
| |
  // Give the SiteIsolationPolicyTest cases access to the private static
  // helpers declared below.
  FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsBlockableScheme);
  FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsSameSite);
  FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsValidCorsHeaderSet);
  FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForHTML);
  FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForXML);
  FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForJSON);
  FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForJS);
147 | |
  // Returns the representative mime type enum value for the mime type of
  // |response|. For example, every member of the text/xml family, such as
  // application/xml and application/rss+xml, maps to the same value.
  static ResponseMetaData::CanonicalMimeType GetCanonicalMimeType(
      const WebURLResponse& response);
154 | |
155 // Returns whether this scheme is a target of cross-site document | |
156 // policy (XSDP). This returns true only for http:// and https:// | |
Charlie Reis
2013/08/13 00:53:19
nit: No * needed if you don't have it on both.
dsjang
2013/08/13 20:54:48
Done.
| |
157 // urls. | |
158 static bool IsBlockableScheme(const GURL& frame_origin); | |
159 | |
  // Returns whether |frame_origin| and |response_url| belong to the same
  // site.
  static bool IsSameSite(const GURL& frame_origin, const GURL& response_url);
162 | |
  // Returns whether there's a valid CORS header for |frame_origin|.
  // This is similar to CrossOriginAccessControl::passesAccessControlCheck(),
  // but we use sites as our security domain, not origins.
  // TODO(dsjang): this must be improved to be more accurate to the
  // actual CORS specification. For now, this works conservatively,
  // allowing XSDs that are not allowed by actual CORS rules by
  // ignoring 1) credentials and 2) methods. Preflight requests don't
  // matter here since they are not used to decide whether to block a
  // document or not on the client side.
  // NOTE(review): both GURL arguments are non-const references and
  // |access_control_origin| is passed by value, unlike IsSameSite() which
  // takes const references; presumably none of them is modified --
  // confirm against the definition before tightening the signature.
  static bool IsValidCorsHeaderSet(GURL& frame_origin,
                                   GURL& website_origin,
                                   std::string access_control_origin);
175 | |
  // Returns whether the given frame is navigating. When this is true,
  // what the frame is requesting is a web page to be loaded.
  static bool IsFrameNavigating(WebFrame* frame);
179 | |
  // Content sniffers, one per document category.
  // NOTE(review): presumably each returns true when the first |length|
  // bytes at |data| look like the named format -- confirm against the
  // definitions, which are not part of this header.
  static bool SniffForHTML(const char* data, size_t length);
  static bool SniffForXML(const char* data, size_t length);
  static bool SniffForJSON(const char* data, size_t length);

  // NOTE(review): presumably reports whether |data| matches one of the
  // |arr_size| entries of |signatures| -- confirm against the definition.
  static bool MatchesSignature(const char* data,
                               size_t length,
                               const char* signatures[],
                               size_t arr_size);
188 | |
  // Sniffer used for the SiteIsolation.XSD.[%MIMETYPE].NotBlocked.MaybeJS
  // stat.
  // TODO(dsjang): this is only needed for collecting UMA stats. Will
  // be deleted when this class is used for actual blocking.
  static bool SniffForJS(const char* data, size_t length);

  // Classifies |status_code| for the RenderableStatusCode /
  // NotRenderableStatusCode stats.
  // TODO(dsjang): this is only needed for collecting UMA stats. Will
  // be deleted when this class is used for actual blocking.
  static bool IsRenderableStatusCodeForDocument(int status_code);
196 | |
  // Maintains bookkeeping data between WillSendRequest() and
  // DidReceiveResponse(). The key is the identifier of the response.
  static TargetTypeMap* GetIdTargetMap();

  // Maintains data between DidReceiveResponse() and DidReceiveData().
  // The key is the url of the response. The identifier can't be used
  // from here on since that information is no longer available in
  // DidReceiveData().
  static UrlResponseMetaDataMap* GetUrlResponseMetaDataMap();

  // Maps the identifier of a response to the response's url. This is
  // used to free the ResponseMetaData in url_responsedata_map_ when
  // DidReceiveData() is never called.
  // NOTE(review): no member named url_responsedata_map_ is declared in
  // this class; presumably it refers to the map returned by
  // GetUrlResponseMetaDataMap() -- confirm and update the name.
  static IdUrlMap* GetIdUrlMap();
211 | |
  // Every member of this class is static, so an instance never needs to
  // be constructed or destructed; keeping both private prevents outside
  // code from instantiating it.
  SiteIsolationPolicy() {}
  ~SiteIsolationPolicy() {}

  // NOTE(review): DISALLOW_COPY_AND_ASSIGN is not provided by any header
  // included directly in this file; presumably it arrives transitively --
  // confirm, or include the header that defines it.
  DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicy);
217 }; | |
218 | |
219 } // namespace webkit_glue | |
220 | |
221 #endif // WEBKIT_CHILD_SITE_ISOLATION_POLICY_H_ | |
OLD | NEW |