| Index: content/browser/child_process_security_policy_impl.cc
|
| diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
|
| index 652a7ac175420cba631376bba186834094a5d1f8..111b070f1e1b496e7a852b027b89343b99188ff0 100644
|
| --- a/content/browser/child_process_security_policy_impl.cc
|
| +++ b/content/browser/child_process_security_policy_impl.cc
|
| @@ -579,6 +579,14 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL(
|
| return false;
|
| }
|
|
|
| + // https://crbug.com/646278 Valid blob URLs should contain canonically
|
| + // serialized origins.
|
| + if (url.SchemeIsBlob() &&
|
| + !base::StartsWith(url.GetContent(), url::Origin(url).Serialize() + "/",
|
| + base::CompareCase::INSENSITIVE_ASCII)) {
|
| + return false;
|
| + }
|
| +
|
| // If the process can commit the URL, it can request it.
|
| if (CanCommitURL(child_id, url))
|
| return true;
|
| @@ -597,6 +605,14 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
|
| if (IsPseudoScheme(url.scheme()))
|
| return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL);
|
|
|
| + // https://crbug.com/646278 Valid blob URLs should contain canonically
|
| + // serialized origins.
|
| + if (url.SchemeIsBlob() &&
|
| + !base::StartsWith(url.GetContent(), url::Origin(url).Serialize() + "/",
|
| + base::CompareCase::INSENSITIVE_ASCII)) {
|
| + return false;
|
| + }
|
| +
|
| // TODO(creis): Tighten this for Site Isolation, so that a URL from a site
|
| // that is isolated can only be committed in a process dedicated to that site.
|
| // CanRequestURL should still allow all web-safe schemes. See
|
|
|
Chromium Code Reviews
Issue 2347163004:
Disallow navigations to blob URLs with non-canonical origins. (Closed)
