Lock down the registration of blob:chrome-extension:// URLs

content/public/browser/child_process_security_policy.h

Index: content/public/browser/child_process_security_policy.h
diff --git a/content/public/browser/child_process_security_policy.h b/content/public/browser/child_process_security_policy.h
index 9a2becf0c827c0a435215f4091477a4c7976fba3..7a226563f9d07c6948d0da2c6e01116f883ee073 100644
--- a/content/public/browser/child_process_security_policy.h
+++ b/content/public/browser/child_process_security_policy.h
@@ -34,11 +34,27 @@ class ChildProcessSecurityPolicy {
   static CONTENT_EXPORT ChildProcessSecurityPolicy* GetInstance();
 
   // Web-safe schemes can be requested by any child process.  Once a web-safe
-  // scheme has been registered, any child process can request URLs with
-  // that scheme.  There is no mechanism for revoking web-safe schemes.
+  // scheme has been registered, any child process can request URLs whose
+  // origins use that scheme. There is no mechanism for revoking web-safe
+  // schemes.
+  //
+  // Only call this function if URLs of this scheme are okay to host in
+  // any ordinary renderer process.
+  //
+  // Registering 'your-scheme' as web-safe also causes 'blob:your-scheme://'
+  // and 'filesystem:your-scheme://' URLs to be considered web-safe.
   virtual void RegisterWebSafeScheme(const std::string& scheme) = 0;
 
+  // More restrictive variant of RegisterWebSafeScheme; URLs with this scheme
+  // may be requested by any child process, but navigations to this scheme may
+  // only commit in child processes that have been explicitly granted
+  // permission to do so.
+  virtual void RegisterWebSafeIsolatedScheme(const std::string& scheme) = 0;
+
   // Returns true iff |scheme| has been registered as a web-safe scheme.
+  // TODO(nick): This function does not have enough information to render
+  // an appropriate judgment for blob and filesystem URLs; change it
+  // to accept an URL instead.

[Charlie Reis, 2016/09/28 22:07:16]

Good call!  Can we list a bug number here so we don't lose track of it?

[ncarter (slow), 2016/09/29 21:01:45]

Done.

   virtual bool IsWebSafeScheme(const std::string& scheme) = 0;
 
   // This permission grants only read access to a file.
@@ -58,6 +74,17 @@ class ChildProcessSecurityPolicy {
   // This permission grants delete permission for |dir|.
   virtual void GrantDeleteFrom(int child_id, const base::FilePath& dir) = 0;
 
+  // Determine whether the process has the capability to request the URL.
+  // Before servicing a child process's request for a URL, the content layer
+  // calls this method to determine whether it is safe.
+  virtual bool CanRequestURL(int child_id, const GURL& url) = 0;

[Charlie Reis, 2016/09/28 22:07:16]

Are these only public so tests can call them?  I suppose that's not a problem--
we've got similar CanReadFile (etc) ones below, and there's no risk to having
embedders call these methods once they're exposed.

[ncarter (slow), 2016/09/29 21:01:45]

Yes, they're exposed for test. Embedders already control the knobs that
determine the return value here, so I don't think there's an information hiding
concern.

+
+  // Whether the process is allowed to commit a document from the given URL.
+  // This is more restrictive than CanRequestURL, since CanRequestURL allows
+  // requests that might lead to cross-process navigations or external protocol
+  // handlers.
+  virtual bool CanCommitURL(int child_id, const GURL& url) = 0;
+
   // These methods verify whether or not the child process has been granted
   // permissions perform these functions on |file|.