Lock down the registration of blob:chrome-extension:// URLs

content/public/browser/child_process_security_policy.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
 #define CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
 
 #include <string>
 
 #include "content/common/content_export.h"
@@ skipping 16 matching lines @@
 class ChildProcessSecurityPolicy {
  public:
   virtual ~ChildProcessSecurityPolicy() {}
 
   // There is one global ChildProcessSecurityPolicy object for the entire
   // browser process.  The object returned by this method may be accessed on
   // any thread.
   static CONTENT_EXPORT ChildProcessSecurityPolicy* GetInstance();
 
   // Web-safe schemes can be requested by any child process.  Once a web-safe
-  // scheme has been registered, any child process can request URLs with
-  // that scheme.  There is no mechanism for revoking web-safe schemes.
+  // scheme has been registered, any child process can request URLs whose
+  // origins use that scheme. There is no mechanism for revoking web-safe
+  // schemes.
+  //
+  // Only call this function if URLs of this scheme are okay to host in
+  // any ordinary renderer process.
+  //
+  // Registering 'your-scheme' as web-safe also causes 'blob:your-scheme://'
+  // and 'filesystem:your-scheme://' URLs to be considered web-safe.
   virtual void RegisterWebSafeScheme(const std::string& scheme) = 0;
 
+  // More restrictive variant of RegisterWebSafeScheme; URLs with this scheme
+  // may be requested by any child process, but navigations to this scheme may
+  // only commit in child processes that have been explicitly granted
+  // permission to do so.
+  virtual void RegisterWebSafeIsolatedScheme(const std::string& scheme) = 0;
+
   // Returns true iff |scheme| has been registered as a web-safe scheme.
+  // TODO(nick): This function does not have enough information to render
+  // an appropriate judgment for blob and filesystem URLs; change it
+  // to accept an URL instead.

[Charlie Reis, 2016/09/28 22:07:16]

Good call!  Can we list a bug number here so we don't lose track of it?

[ncarter (slow), 2016/09/29 21:01:45]

Done.

   virtual bool IsWebSafeScheme(const std::string& scheme) = 0;
 
   // This permission grants only read access to a file.
   // Whenever the user picks a file from a <input type="file"> element, the
   // browser should call this function to grant the child process the capability
   // to upload the file to the web. Grants FILE_PERMISSION_READ_ONLY.
   virtual void GrantReadFile(int child_id, const base::FilePath& file) = 0;
 
   // This permission grants creation, read, and full write access to a file,
   // including attributes.
   virtual void GrantCreateReadWriteFile(int child_id,
                                         const base::FilePath& file) = 0;
 
   // This permission grants copy-into permission for |dir|.
   virtual void GrantCopyInto(int child_id, const base::FilePath& dir) = 0;
 
   // This permission grants delete permission for |dir|.
   virtual void GrantDeleteFrom(int child_id, const base::FilePath& dir) = 0;
 
+  // Determine whether the process has the capability to request the URL.
+  // Before servicing a child process's request for a URL, the content layer
+  // calls this method to determine whether it is safe.
+  virtual bool CanRequestURL(int child_id, const GURL& url) = 0;

[Charlie Reis, 2016/09/28 22:07:16]

Are these only public so tests can call them?  I suppose that's not a problem--
we've got similar CanReadFile (etc) ones below, and there's no risk to having
embedders call these methods once they're exposed.

[ncarter (slow), 2016/09/29 21:01:45]

Yes, they're exposed for test. Embedders already control the knobs that
determine the return value here, so I don't think there's an information hiding
concern.

+
+  // Whether the process is allowed to commit a document from the given URL.
+  // This is more restrictive than CanRequestURL, since CanRequestURL allows
+  // requests that might lead to cross-process navigations or external protocol
+  // handlers.
+  virtual bool CanCommitURL(int child_id, const GURL& url) = 0;
+
   // These methods verify whether or not the child process has been granted
   // permissions perform these functions on |file|.
 
   // Before servicing a child process's request to upload a file to the web, the
   // browser should call this method to determine whether the process has the
   // capability to upload the requested file.
   virtual bool CanReadFile(int child_id, const base::FilePath& file) = 0;
   virtual bool CanCreateReadWriteFile(int child_id,
                                       const base::FilePath& file) = 0;
 
@@ skipping 91 matching lines @@
   // Returns true if the process is permitted to read and modify the data for
   // the given origin. This is currently used for cookies and passwords.
   // Does not affect cookies attached to or set by network requests.
   // Only might return false if the --site-per-process flag is used.
   virtual bool CanAccessDataForOrigin(int child_id, const GURL& gurl) = 0;
 };
 
 }  // namespace content
 
 #endif  // CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_