Index: content/child/site_isolation_policy.h |
diff --git a/content/child/site_isolation_policy.h b/content/child/site_isolation_policy.h |
new file mode 100644 |
index 0000000000000000000000000000000000000000..c32aaa8c04b639f142584d0c7c4a1ec514a00422 |
--- /dev/null |
+++ b/content/child/site_isolation_policy.h |
@@ -0,0 +1,216 @@ |
+// Copyright (c) 2013 The Chromium Authors. All rights reserved. Use |
+// of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#ifndef CONTENT_SITE_ISOLATION_POLICY_H_ |
+#define CONTENT_SITE_ISOLATION_POLICY_H_ |
+ |
+#include <map> |
+#include <utility> |
+ |
+#include "base/gtest_prod_util.h" |
+#include "content/common/content_export.h" |
+#include "third_party/WebKit/public/platform/WebURLRequest.h" |
+#include "third_party/WebKit/public/platform/WebURLResponse.h" |
+#include "third_party/WebKit/public/web/WebFrame.h" |
+#include "webkit/child/resource_loader_bridge.h" |
+#include "webkit/common/resource_response_info.h" |
+ |
+namespace content { |
+ |
+// SiteIsolationPolicy implements the cross-site document blocking policy (XSDP) |
+// for Site Isolation. XSDP will monitor network responses to a renderer and |
+// block illegal responses so that a compromised renderer cannot steal private |
+// information from other sites. For now SiteIsolationPolicy monitors responses |
+// to gather various UMA stats to see the compatibility impact of actual |
+// deployment of the policy. The UMA stat categories SiteIsolationPolicy gathers |
+// are as follows: |
+// |
+// SiteIsolation.AllResponses : # of all network responses. |
+// SiteIsolation.XSD.DataLength : the length of the first packet of a response. |
+// SiteIsolation.XSD.MimeType (enum): |
+// # of responses from other sites, tagged with a document mime type. |
+// 0:HTML, 1:XML, 2:JSON, 3:Plain, 4:Others |
+// SiteIsolation.XSD.[%MIMETYPE].Blocked : |
+// blocked # of cross-site document responses grouped by sniffed MIME type. |
+// SiteIsolation.XSD.[%MIMETYPE].Blocked.RenderableStatusCode : |
+// # of responses with renderable status code, |
+// out of SiteIsolation.XSD.[%MIMETYPE].Blocked. |
+// SiteIsolation.XSD.[%MIMETYPE].Blocked.NonRenderableStatusCode : |
+// # of responses with non-renderable status code, |
+// out of SiteIsolation.XSD.[%MIMETYPE].Blocked. |
+// SiteIsolation.XSD.[%MIMETYPE].NoSniffBlocked.RenderableStatusCode : |
+// # of responses failed to be sniffed for its MIME type, but blocked by |
+// "X-Content-Type-Options: nosniff" header, and with renderable status code |
+// out of SiteIsolation.XSD.[%MIMETYPE].Blocked. |
+// SiteIsolation.XSD.[%MIMETYPE].NoSniffBlocked.NonRenderableStatusCode : |
+// # of responses failed to be sniffed for its MIME type, but blocked by |
+// "X-Content-Type-Options: nosniff" header, and with non-renderable status |
+// code out of SiteIsolation.XSD.[%MIMETYPE].Blocked. |
+// SiteIsolation.XSD.[%MIMETYPE].NotBlocked : |
+// # of responses, but not blocked due to failure of mime sniffing. |
+// SiteIsolation.XSD.[%MIMETYPE].NotBlocked.MaybeJS : |
+// # of responses that are plausibly sniffed to be JavaScript. |
+ |
+class CONTENT_EXPORT SiteIsolationPolicy |
+ : public base::RefCounted<SiteIsolationPolicy>, |
+ public webkit_glue::ResourceLoaderBridge::Peer { |
+ public: |
+ |
+ SiteIsolationPolicy( |
+ webkit_glue::ResourceLoaderBridge::Peer* original_peer, |
+ WebKit::WebString& frame_origin, |
+ GURL& request_url, |
+ int request_id, |
+ ResourceType::Type resource_type); |
+ |
+ // ResourceLoaderBridge::Peer methods: we directly calls original_peer_'s |
+ // corresponding member functions other than OnReceiveRedirect(), |
+ // OnReceivedResponse(), OnReceivedData(), and OnCompletedRequest(). |
+ virtual void OnUploadProgress(uint64 position, uint64 size) OVERRIDE; |
+ virtual void OnDownloadedData(int len) OVERRIDE; |
+ virtual void OnReceivedCachedMetadata(const char* data, int len) OVERRIDE; |
+ virtual void OnCompletedRequest( |
+ int error_code, |
+ bool was_ignored_by_handler, |
+ const std::string& security_info, |
+ const base::TimeTicks& completion_time) OVERRIDE; |
+ |
+ // Updates the request_url_ to |new_url| when the request this peer is |
+ // listening to is redirected. |
+ virtual bool OnReceivedRedirect( |
+ const GURL& new_url, |
+ const webkit_glue::ResourceResponseInfo& info, |
+ bool* has_new_first_party_for_cookies, |
+ GURL* new_first_party_for_cookies) OVERRIDE; |
+ |
+ // Records the HTTP header information of the response. We use the recorded |
+ // header information to decide if this response will be the subject of |
+ // cross-site document blocking. If it is, cross_site_document_header_ is set |
+ // to true. This also makes state_ proceed from INIT to RESPONSE_RECEIVED. |
+ virtual void OnReceivedResponse( |
+ const webkit_glue::ResourceResponseInfo& info) OVERRIDE; |
+ |
+ // Examines the first network packet to see whether this response should be |
+ // blocked by our cross-site document policy. This only examines response data |
+ // when cross_site_document_header_ is true by OnReceivedResponse(). We apply |
+ // content-sniffing to the first network packet to decide to block the |
+ // response and records various kinds of UMA data stats at the same time. |
+ // TODO(dsjang): Here is where we can do actual blocking of the body of a |
+ // response. When the body is blocked, we can return an empty string instead. |
+ virtual void OnReceivedData(const char* data, |
+ int data_length, |
+ int encoded_data_length) OVERRIDE; |
+ |
+private: |
+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsBlockableScheme); |
+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsSameSite); |
+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsValidCorsHeaderSet); |
+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForHTML); |
+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForXML); |
+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForJSON); |
+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForJS); |
+ |
+ enum CanonicalMimeType { |
+ HTML = 0, |
+ XML = 1, |
+ JSON = 2, |
+ Plain = 3, |
+ Others = 4, |
+ MaxCanonicalMimeType, |
+ }; |
+ |
+ enum RequestProgressState { |
+ INIT = 0, |
+ RESPONSE_RECEIVED = 1, |
+ DATA_RECEIVED = 2, |
+ COMPLETED = 3, |
+ }; |
+ |
+ // This class wraps original_peer_ to intercept certain calls of it to monitor |
+ // the lifetime of a request to apply our cross-site document blocking. |
+ webkit_glue::ResourceLoaderBridge::Peer* original_peer_; |
Charlie Reis
2013/08/19 16:20:06
Style nit: Fields go below methods.
dsjang
2013/08/19 21:37:18
Done.
|
+ |
+ // These are fixed when the object is created. |
+ GURL frame_origin_; |
+ // However, request_url_ is updated to a new url when redirected. |
+ GURL request_url_; |
+ int request_id_; |
+ ResourceType::Type resource_type_; |
+ |
+ // The current state of the request. This can only proceeds to a greater value |
+ // when an event happens. This is only used for sanity checks in DCHECK() to |
+ // see if callbacks are called in an expected order. |
+ RequestProgressState state_; |
+ |
+ // This is set to true when we decide that the response is a target of our |
+ // cross-site document blocking policy, decided when the headers are deceived |
+ // by OnReceivedResponse(). |
+ bool cross_site_document_header_; |
+ |
+ // The following 3 member variables are only valid after OnReceivedResponse() |
+ // is called (after RESPONSE_RECEIVED). This must be the same as request_url_ |
+ // since request_url_ is updated whenever the request is redirected. |
+ CanonicalMimeType canonical_mime_type_; |
+ int http_status_code_; |
+ bool no_sniff_; |
+ |
+ // This is initially false, but becomes true after we confirm that this is |
+ // safe under our cross-site document policy by applying content sniffing to |
+ // the first network packet from the response. |
+ bool confirmed_safe_; |
+ |
+ // Find a frame identified by frame_id from the frame tree rooted at |frame|. |
+ static WebKit::WebFrame* FindFrame(WebKit::WebFrame* frame, int frame_id); |
+ |
+ // Returns the representative mime type enum value of the mime type of |
+ // response. For example, this returns the same value for all text/xml mime |
+ // type families such as application/xml, application/rss+xml. |
+ static CanonicalMimeType GetCanonicalMimeType( |
+ const std::string& mime_type); |
+ |
+ // Returns whether this scheme is a target of cross-site document |
+ // policy(XSDP). This returns true only for http://* and https://* urls. |
+ static bool IsBlockableScheme(const GURL& frame_origin); |
+ |
+ // Returns whether the two urls belong to the same sites. |
+ static bool IsSameSite(const GURL& frame_origin, const GURL& response_url); |
+ |
+ // Returns whether there's a valid CORS header for frame_origin. This is |
+ // simliar to CrossOriginAccessControl::passesAccessControlCheck(), but we use |
+ // sites as our security domain, not origins. TODO(dsjang): this must be |
+ // improved to be more accurate to the actual CORS specification. For now, |
+ // this works conservatively, allowing XSDs that are not allowed by actual |
+ // CORS rules by ignoring 1) credentials and 2) methods. Preflight requests |
+ // don't matter here since they are not used to decide whether to block a |
+ // document or not on the client side. |
+ static bool IsValidCorsHeaderSet(GURL& frame_origin, |
+ GURL& website_origin, |
+ std::string access_control_origin); |
+ |
+ static bool SniffForHTML(const char* data, size_t length); |
+ static bool SniffForXML(const char* data, size_t length); |
+ static bool SniffForJSON(const char* data, size_t length); |
+ |
+ static bool MatchesSignature(const char* data, |
+ size_t length, |
+ const char* signatures[], |
+ size_t arr_size); |
+ |
+ // TODO(dsjang): this is only needed for collecting UMA stat. Will be deleted |
+ // when this class is used for actual blocking. |
+ static bool SniffForJS(const char* data, size_t length); |
+ |
+ // TODO(dsjang): this is only needed for collecting UMA stat. Will be deleted |
+ // when this class is used for actual blocking. |
+ static bool IsRenderableStatusCodeForDocument(int status_code); |
+ |
+ friend class base::RefCounted<SiteIsolationPolicy>; |
+ virtual ~SiteIsolationPolicy() {} |
+ |
+ DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicy); |
+}; |
+ |
+} // namespace content |
+ |
+#endif // CONTENT_SITE_ISOLATION_POLICY_H_ |