Lock down the registration of blob:chrome-extension:// URLs

content/browser/child_process_security_policy_impl.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
 #define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
 
 #include <map>
 #include <memory>
 #include <set>
@@ skipping 25 matching lines @@
     : NON_EXPORTED_BASE(public ChildProcessSecurityPolicy) {
  public:
   // Object can only be created through GetInstance() so the constructor is
   // private.
   ~ChildProcessSecurityPolicyImpl() override;
 
   static ChildProcessSecurityPolicyImpl* GetInstance();
 
   // ChildProcessSecurityPolicy implementation.
   void RegisterWebSafeScheme(const std::string& scheme) override;
+  void RegisterWebSafeIsolatedScheme(const std::string& scheme) override;
   bool IsWebSafeScheme(const std::string& scheme) override;
   void GrantReadFile(int child_id, const base::FilePath& file) override;
   void GrantCreateReadWriteFile(int child_id,
                                 const base::FilePath& file) override;
   void GrantCopyInto(int child_id, const base::FilePath& dir) override;
   void GrantDeleteFrom(int child_id, const base::FilePath& dir) override;
   void GrantReadFileSystem(int child_id,
                            const std::string& filesystem_id) override;
   void GrantWriteFileSystem(int child_id,
                             const std::string& filesystem_id) override;
   void GrantCreateFileForFileSystem(int child_id,
                                     const std::string& filesystem_id) override;
   void GrantCreateReadWriteFileSystem(
       int child_id,
       const std::string& filesystem_id) override;
   void GrantCopyIntoFileSystem(int child_id,
                                const std::string& filesystem_id) override;
   void GrantDeleteFromFileSystem(int child_id,
                                  const std::string& filesystem_id) override;
   void GrantOrigin(int child_id, const url::Origin& origin) override;
   void GrantScheme(int child_id, const std::string& scheme) override;
+  bool CanRequestURL(int child_id, const GURL& url) override;
+  bool CanCommitURL(int child_id, const GURL& url) override;
   bool CanReadFile(int child_id, const base::FilePath& file) override;
   bool CanCreateReadWriteFile(int child_id,
                               const base::FilePath& file) override;
   bool CanReadFileSystem(int child_id,
                          const std::string& filesystem_id) override;
   bool CanReadWriteFileSystem(int child_id,
                               const std::string& filesystem_id) override;
   bool CanCopyIntoFileSystem(int child_id,
                              const std::string& filesystem_id) override;
   bool CanDeleteFromFileSystem(int child_id,
@@ skipping 43 matching lines @@
 
   // Grant the child process the ability to use Web UI Bindings.
   void GrantWebUIBindings(int child_id);
 
   // Grant the child process the ability to read raw cookies.
   void GrantReadRawCookies(int child_id);
 
   // Revoke read raw cookies permission.
   void RevokeReadRawCookies(int child_id);
 
-  // Before servicing a child process's request for a URL, the browser should
-  // call this method to determine whether the process has the capability to
-  // request the URL.
-  bool CanRequestURL(int child_id, const GURL& url);
-
-  // Whether the process is allowed to commit a document from the given URL.
-  // This is more restrictive than CanRequestURL, since CanRequestURL allows
-  // requests that might lead to cross-process navigations or external protocol
-  // handlers.
-  bool CanCommitURL(int child_id, const GURL& url);
 
   // Whether the given origin is valid for an origin header. Valid origin
   // headers are commitable URLs plus suborigin URLs.
   bool CanSetAsOriginHeader(int child_id, const GURL& url);
 
   // Explicit permissions checks for FileSystemURL specified files.
   bool CanReadFileSystemFile(int child_id, const storage::FileSystemURL& url);
   bool CanWriteFileSystemFile(int child_id, const storage::FileSystemURL& url);
   bool CanCreateFileSystemFile(int child_id, const storage::FileSystemURL& url);
   bool CanCreateReadWriteFileSystemFile(int child_id,
@@ skipping 80 matching lines @@
       int child_id,
       const std::string& filesystem_id,
       int permission);
 
   // You must acquire this lock before reading or writing any members of this
   // class.  You must not block while holding this lock.
   base::Lock lock_;
 
   // These schemes are white-listed for all child processes.  This set is
   // protected by |lock_|.
-  SchemeSet web_safe_schemes_;
+  SchemeSet schemes_okay_to_commit_in_any_process_;
+  SchemeSet schemes_okay_to_request_in_any_process_;
 
   // These schemes do not actually represent retrievable URLs.  For example,
   // the the URLs in the "about" scheme are aliases to other URLs.  This set is
   // protected by |lock_|.
   SchemeSet pseudo_schemes_;
 
   // This map holds a SecurityState for each child process.  The key for the
   // map is the ID of the ChildProcessHost.  The SecurityState objects are
   // owned by this object and are protected by |lock_|.  References to them must
   // not escape this class.
   SecurityStateMap security_state_;
 
   // This maps keeps the record of which js worker thread child process
   // corresponds to which main js thread child process.
   WorkerToMainProcessMap worker_map_;
 
   FileSystemPermissionPolicyMap file_system_policy_map_;
 
   DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
 };
 
 }  // namespace content
 
 #endif  // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_