Chromium Code Reviews Chromium Code Reviews
Issue 2364633004:
Lock down the registration of blob:chrome-extension:// URLs (Closed)
| Index: content/browser/child_process_security_policy_impl.cc |
| diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc |
| index db3fb1b3a7d08a2bb529a5db43c0569830973605..5fde9e0c2a927782568483749303f2ab987effe1 100644 |
| --- a/content/browser/child_process_security_policy_impl.cc |
| +++ b/content/browser/child_process_security_policy_impl.cc |
| @@ -202,6 +202,8 @@ class ChildProcessSecurityPolicyImpl::SecurityState { |
| // Determine whether permission has been granted to commit |url|. |
| bool CanCommitURL(const GURL& url) { |
| + DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem()) |
| + << "inner_url extraction should be done already."; |
| // Having permission to a scheme implies permission to all of its URLs. |
| SchemeMap::const_iterator scheme_judgment( |
| scheme_policy_.find(url.scheme())); |
| @@ -326,6 +328,10 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
| RegisterWebSafeScheme(url::kFtpScheme); |
| RegisterWebSafeScheme(url::kDataScheme); |
| RegisterWebSafeScheme("feed"); |
| + |
| + // TODO(nick): blob: and filesystem: schemes embed other origins, |
| + // so we should not treat them as web safe. Remove callers of |
| + // IsWebSafeScheme(), and then eliminate the next two lines. |
| RegisterWebSafeScheme(url::kBlobScheme); |
| RegisterWebSafeScheme(url::kFileSystemScheme); |
| @@ -338,7 +344,8 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
| } |
| ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { |
| - web_safe_schemes_.clear(); |
| + schemes_okay_to_request_in_any_process_.clear(); |
| + schemes_okay_to_commit_in_any_process_.clear(); |
| pseudo_schemes_.clear(); |
| security_state_.clear(); |
| } |
| @@ -373,25 +380,40 @@ void ChildProcessSecurityPolicyImpl::Remove(int child_id) { |
| void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme( |
| const std::string& scheme) { |
| base::AutoLock lock(lock_); |
| - DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) << "Add schemes at most once."; |
| + DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
| + << "Add schemes at most once."; |
| + DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) |
| + << "Web-safe implies not pseudo."; |
| + |
| + schemes_okay_to_request_in_any_process_.insert(scheme); |
| + schemes_okay_to_commit_in_any_process_.insert(scheme); |
| +} |
| + |
| +void ChildProcessSecurityPolicyImpl::RegisterWebSafeIsolatedScheme( |
| + const std::string& scheme) { |
| + base::AutoLock lock(lock_); |
| + DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
| + << "Add schemes at most once."; |
| DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) |
| << "Web-safe implies not pseudo."; |
| - web_safe_schemes_.insert(scheme); |
| + schemes_okay_to_request_in_any_process_.insert(scheme); |
| } |
| bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme( |
| const std::string& scheme) { |
| base::AutoLock lock(lock_); |
| - return base::ContainsKey(web_safe_schemes_, scheme); |
| + return base::ContainsKey(schemes_okay_to_request_in_any_process_, scheme); |
| } |
| void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme( |
| const std::string& scheme) { |
| base::AutoLock lock(lock_); |
| DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) << "Add schemes at most once."; |
| - DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) |
| + DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
| + << "Pseudo implies not web-safe."; |
| + DCHECK_EQ(0U, schemes_okay_to_commit_in_any_process_.count(scheme)) |
| << "Pseudo implies not web-safe."; |
| pseudo_schemes_.insert(scheme); |
| @@ -417,6 +439,10 @@ void ChildProcessSecurityPolicyImpl::GrantRequestURL( |
| return; // Can't grant the capability to request pseudo schemes. |
| } |
| + if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
| + return; // Don't grant blanket access to blob: or filesystem: schemes. |
| + } |
| + |
| { |
| base::AutoLock lock(lock_); |
| SecurityStateMap::iterator state = security_state_.find(child_id); |
| @@ -606,8 +632,19 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL( |
| return false; |
| } |
| - if (IsMalformedBlobUrl(url)) |
| - return false; |
| + // Blob and filesystem URLs require special treatment, since they embed an |
| + // inner origin. |
| + if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
| + if (IsMalformedBlobUrl(url)) |
| + return false; |
| + |
| + url::Origin origin(url); |
| + return origin.unique() || IsWebSafeScheme(origin.scheme()) || |
| + CanCommitURL(child_id, GURL(origin.Serialize())); |
| + } |
| + |
| + if (IsWebSafeScheme(url.scheme())) |
| + return true; |
| // If the process can commit the URL, it can request it. |
| if (CanCommitURL(child_id, url)) |
| @@ -627,19 +664,25 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, |
| if (IsPseudoScheme(url.scheme())) |
| return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL); |
| - if (IsMalformedBlobUrl(url)) |
| - return false; |
| + // Blob and filesystem URLs require special treatment; validate the inner |
| + // origin they embed. |
| + if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
| + if (IsMalformedBlobUrl(url)) |
| + return false; |
| - // TODO(creis): Tighten this for Site Isolation, so that a URL from a site |
| - // that is isolated can only be committed in a process dedicated to that site. |
| - // CanRequestURL should still allow all web-safe schemes. See |
| - // https://crbug.com/515309. |
|
Charlie Reis
2016/09/28 22:07:16
Can we keep this TODO, or is there a reason that i
ncarter (slow)
2016/09/29 21:01:45
I updated the TODO.
|
| - if (IsWebSafeScheme(url.scheme())) |
| - return true; // The scheme has been white-listed for every child process. |
| + url::Origin origin(url); |
| + return origin.unique() || CanCommitURL(child_id, GURL(origin.Serialize())); |
| + } |
| { |
| base::AutoLock lock(lock_); |
| + // Most schemes can commit in any process. Note that we check |
| + // schemes_okay_to_commit_in_any_process_ here, which is stricter than |
| + // IsWebSafeScheme(). |
| + if (base::ContainsKey(schemes_okay_to_commit_in_any_process_, url.scheme())) |
| + return true; |
| + |
| SecurityStateMap::iterator state = security_state_.find(child_id); |
| if (state == security_state_.end()) |
| return false; |
