webkit/child/site_isolation_policy.h - Issue 22254005: UMA data collector for cross-site documents(XSD)

Unified Diff: webkit/child/site_isolation_policy.h

Issue 22254005: UMA data collector for cross-site documents(XSD) (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@lkgr

Patch Set: Merge lkgr into local branch Created 7 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: webkit/child/site_isolation_policy.h

diff --git a/webkit/child/site_isolation_policy.h b/webkit/child/site_isolation_policy.h

new file mode 100644

index 0000000000000000000000000000000000000000..f810145e6fbee83d461b47e1f1edd8ec84c416fc

--- /dev/null

+++ b/webkit/child/site_isolation_policy.h

@@ -0,0 +1,221 @@

+// of this source code is governed by a BSD-style license that can be

+// found in the LICENSE file.

+#ifndef WEBKIT_CHILD_SITE_ISOLATION_POLICY_H_

+#define WEBKIT_CHILD_SITE_ISOLATION_POLICY_H_

+#include <map>

+#include <utility>

+#include "base/gtest_prod_util.h"

+#include "third_party/WebKit/public/web/WebFrame.h"

+#include "third_party/WebKit/public/platform/WebURLRequest.h"

+#include "third_party/WebKit/public/platform/WebURLResponse.h"

+#include "webkit/child/webkit_child_export.h"

+using WebKit::WebFrame;

+using WebKit::WebURLResponse;

+using WebKit::WebURLRequest;

+namespace webkit_glue {

+// |SiteIsolationPolicy| implements the cross-site document blocking

Charlie Reis 2013/08/13 00:53:19 nit: No |'s needed around the class name here or b

dsjang 2013/08/13 20:54:48 Done.

+// policy(XSDP) for Site Isolation. XSDP will monitor network

Charlie Reis 2013/08/13 00:53:19 nit: Please use a space before open parens in comm

dsjang 2013/08/13 20:54:48 Done.

+// responses to a renderer and blocks illegal responses so that a

Charlie Reis 2013/08/13 00:53:19 nit: blocks -> block

dsjang 2013/08/13 20:54:48 Done.

+// compromised renderer cannot steal private information from other

+// sites. For now |SiteIsolationPolicy| monitors responses to gather

+// various UMA stats to see the compatibility impact of actual

+// deployment of the policy. The UMA stat categories

+// |SiteIsolationPolicy| gathers are as follows:

Charlie Reis 2013/08/13 00:53:19 Part of this can fit on the previous line, right?

dsjang 2013/08/13 20:54:48 Done.

+//

+// SiteIsolation.AllResponses : # of all network responses

Charlie Reis 2013/08/13 00:53:19 nit: End with a period.

dsjang 2013/08/13 20:54:48 Done.

+// SiteIsolation.XSD.DataLength : the length of the first packet of a response.

+// SiteIsolation.XSD.MimeType (enum):

+// # of responses from other sites, tagged with a document mime type.

+// 0:HTML, 1:XML, 2:JSON, 3:Plain, 4:Others

+// SiteIsolation.XSD.[%MIMETYPE].Blocked :

+// blocked # of cross-site document response by [%MIMETYPE] sniffing.

Charlie Reis 2013/08/13 00:53:19 nit: extra space after "of" nit: responses grouped

dsjang 2013/08/13 20:54:48 Done.

+// SiteIsolation.XSD.[%MIMETYPE].Blocked.RenderableStatusCode :

+// # of responses with renderable status code,

+// out of SiteIsolation.XSD.[%MIMETYPE].Blocked

Charlie Reis 2013/08/13 00:53:19 nit: End with a period, here and below.

dsjang 2013/08/13 20:54:48 Done.

+// SiteIsolation.XSD.[%MIMETYPE].Blocked.NotRenderableStatusCode :

Charlie Reis 2013/08/13 00:53:19 NonRenderableStatusCode

dsjang 2013/08/13 20:54:48 Done.

+// # of responses with not renderable status code,

Charlie Reis 2013/08/13 00:53:19 with a non-renderable

dsjang 2013/08/13 20:54:48 Done.

+// out of SiteIsolation.XSD.[%MIMETYPE].Blocked

+// SiteIsolation.XSD.[%MIMETYPE].NotBlocked

Charlie Reis 2013/08/13 00:53:19 nit: End with a colon, here and for the MaybeJS ca

dsjang 2013/08/13 20:54:48 Done.

+// # of XSD responses, but not blocked due to failure of mime sniffing.

+// SiteIsolation.XSD.[%MIMETYPE].NotBlocked.MaybeJS

+// # of responses sniffed for of SiteIsolation.XSD.[%MIMETYPE].NotBlocked.

Charlie Reis 2013/08/13 00:53:19 I think there's a word missing here. # of respons

dsjang 2013/08/13 20:54:48 Done.

+struct ResponseMetaData {

+ enum CanonicalMimeType {

+ HTML = 0,

+ XML = 1,

+ JSON = 2,

+ Plain = 3,

+ Others = 4,

+ MaxCanonicalMimeType,

+ };

+ static const char* CanonicalMimeTypeToString(CanonicalMimeType mime_type) {

+ const char* mime_type_names[] = {"HTML", "XML", "JSON", "Plain", "Others"};

+ return mime_type_names[mime_type];

+ };

+ static const char* TargetTypeToString(WebURLRequest::TargetType target_type) {

+ const char* target_type_names[] = {

+ "MainFrame", "Subframe", "Subresource", "StyleSheet", "Script",

+ "FontResource", "Image", "Object", "Media", "Worker", "SharedWorker",

+ "Prefetch", "Favicon", "XHR", "TextTrack", "Unspecified"};

+ return target_type_names[target_type];

+ };

+ ResponseMetaData();

+ std::string frame_origin;

+ std::string response_url;

+ unsigned request_identifier;

+ WebURLRequest::TargetType target_type;

+ CanonicalMimeType canonical_mime_type;

+ int http_status_code;

+};

+typedef std::map<unsigned, WebURLRequest::TargetType> TargetTypeMap;

+typedef std::map<std::string, ResponseMetaData> UrlResponseMetaDataMap;

+typedef std::map<unsigned, std::string> IdUrlMap;

Charlie Reis 2013/08/13 00:53:19 Converting a GURL to a string can lose information

dsjang 2013/08/13 20:54:48 Done.

+class WEBKIT_CHILD_EXPORT SiteIsolationPolicy {

+ public:

+ // Registers |target_type| for |identifier| which identifies a

+ // specific request. In case HTTP redirection happens, this function

+ // is called multiple times for the same identifier. We do not

+ // depend on |target_type| to decide if a request is for navigation

+ // or not due to the redirection behavior.

+ static void WillSendRequest(unsigned identifier,

+ WebURLRequest::TargetType target_type);

+ // Registers the header information of |response|. This function

+ // obtains the target_type set by |WillSendRequest|. We have to make

+ // sure to call either

+ // SiteIsolationPolicy::DidFinishResourceLoad(identifier)| or

+ // SiteIsolationPolicy::DidFinishResourceLoadForURL(response.url())

+ // to free the bookkepping data.

+ // TODO(dsjang): There's a possibility that two distinct responses

+ // (identified by different identifiers) are from the same url, and

+ // this results in overwriting one of the two responses' bookkeeping

+ // data. For example, when there are <iframe src="urlA" /> and <img

+ // src="urlA"> on the same page, they will be two calls of

Charlie Reis 2013/08/13 00:53:19 nit: they -> there

dsjang 2013/08/13 20:54:48 Done.

+ // |DidReceiveResponse| with the same url, but different

+ // identifiers. This can deteriorate our UMA data. Even though we

+ // expect that this rarely happens, find a way to use identifier

+ // throughout the entire HTTP transaction here.

+ static void DidReceiveResponse(WebFrame* frame,

+ unsigned identifier,

+ const WebURLResponse& response);

+ // Examines the first network packet in case response_url is

+ // registered as a cross-site document by DidReceiveResponse().

+ // This records various kinds of UMA data stats. This function is

+ // called only if the length of received data is non-zero.

+ static void DidReceiveData(const char* payload,

+ int length,

+ WebKit::WebURL& response_url);

+ // TODO(dsjang): Either of the following two functions must be

+ // called at the end of thetransaction. WebURLLoaderImpl::didReceivedData()

Charlie Reis 2013/08/13 00:53:19 typo: thetransaction

dsjang 2013/08/13 20:54:48 Done.

+ // is not a place where this can be called since it is not

+ // guaranteed that the function is called in case of network

+ // error. Instead, RenderFrameImpl::didFinishResourceLoad(identifier) and

+ // didFailLoad() are used for successful loading and failed loading,

+ // respectively.

+ static void DidFinishResourceLoad(unsigned identifier);

+ // Does the same thing as DidFinishResourceLoad(), but accepts

+ // response_url.

+ static void DidFinishResourceLoadForUrl(const WebKit::WebURL& response_url);

+private:

Charlie Reis 2013/08/13 00:53:19 nit: No blank line here.

dsjang 2013/08/13 20:54:48 Done.

+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsBlockableScheme);

+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsSameSite);

+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, IsValidCorsHeaderSet);

+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForHTML);

+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForXML);

+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForJSON);

+ FRIEND_TEST_ALL_PREFIXES(SiteIsolationPolicyTest, SniffForJS);

+ // Returns the representative mime type enum value of the mime type

+ // of response. For example, this returns the same value for all

+ // text/xml mime type families such as application/xml,

+ // application/rss+xml.

+ static ResponseMetaData::CanonicalMimeType GetCanonicalMimeType(

+ const WebURLResponse& response);

+ // Returns whether this scheme is a target of cross-site document

+ // policy(XSDP). This returns true only for http://* and https://

Charlie Reis 2013/08/13 00:53:19 nit: No * needed if you don't have it on both.

dsjang 2013/08/13 20:54:48 Done.

+ // urls.

+ static bool IsBlockableScheme(const GURL& frame_origin);

+ // Returns whether the two urls belong to the same sites.

+ static bool IsSameSite(const GURL& frame_origin, const GURL& response_url);

+ // Returns whether there's a valid CORS header for frame_origin.

+ // This is simliar to CrossOriginAccessControl::passesAccessControlCheck(),

+ // but we use sites as our security domain, not origins.

+ // TODO(dsjang): this must be improved to be more accurate to the

+ // actual CORS specification. For now, this works conservatively,

+ // allowing XSDs that are not allowed by actual CORS rules by

+ // ignoring 1) credentials and 2) methods. Preflight requests don't

+ // matter here since they are not used to decide whether to block a

+ // document or not on the client side.

+ static bool IsValidCorsHeaderSet(GURL& frame_origin,

+ GURL& website_origin,

+ std::string access_control_origin);

+ // Returns whether the given frame is navigating. When this is true,

+ // the frame is requesting is a web page to be loaded.

+ static bool IsFrameNavigating(WebFrame* frame);

+ static bool SniffForHTML(const char* data, size_t length);

+ static bool SniffForXML(const char* data, size_t length);

+ static bool SniffForJSON(const char* data, size_t length);

+ static bool MatchesSignature(const char* data,

+ size_t length,

+ const char* signatures[],

+ size_t arr_size);

+ // TODO(dsjang): this is only needed for collecting UMA stat. Will

+ // be deleted when this class is used for actual blocking.

+ static bool SniffForJS(const char* data, size_t length);

+ // TODO(dsjang): this is only needed for collecting UMA stat. Will

+ // be deleted when this class is used for actual blocking.

+ static bool IsRenderableStatusCodeForDocument(int status_code);

+ // Maintain bookkeeping data between WillSendRequest() and

+ // DidReceiveResponse(). The key is the identifier of response.

+ static TargetTypeMap* GetIdTargetMap();

+ // Maintain data between DidReceiveResponse() and DidReceiveData().

+ // The key is the url of response. We can't use identifier anymore

+ // from here since that information is no longer available for

+ // DidReceiveData().

+ static UrlResponseMetaDataMap* GetUrlResponseMetaDataMap();

+ // This maps the identifier of a response to the response's

+ // url. This is used to free ResponseMetaData in

+ // url_responsedata_map_, when DidReceiveData() is never called.

+ static IdUrlMap* GetIdUrlMap();

+ // Never needs to be constructed/destructed.

+ SiteIsolationPolicy() {}

+ ~SiteIsolationPolicy() {}

+ DISALLOW_COPY_AND_ASSIGN(SiteIsolationPolicy);

+};

+} // namespace content

+#endif // WEBKIT_CHILD_SITE_ISOLATION_POLICY_H_

« no previous file with comments | « content/renderer/render_frame_impl.cc ('k') | webkit/child/site_isolation_policy.cc » ('j') | webkit/child/site_isolation_policy.cc » ('J')