Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(295)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/browser/child_process_security_policy_impl.cc

Issue 2365433002: (re-land) Disallow navigations to blob URLs with non-canonical origins. (Closed)
Patch Set: Remove newline Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « content/browser/blob_storage/blob_url_browsertest.cc ('k') | content/browser/child_process_security_policy_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/browser/child_process_security_policy_impl.h" 5 #include "content/browser/child_process_security_policy_impl.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 #include <utility> 8 #include <utility>
9 9
10 #include "base/command_line.h" 10 #include "base/command_line.h"
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after
60 CREATE_OVERWRITE_FILE_PERMISSION | 60 CREATE_OVERWRITE_FILE_PERMISSION |
61 READ_FILE_PERMISSION | 61 READ_FILE_PERMISSION |
62 WRITE_FILE_PERMISSION | 62 WRITE_FILE_PERMISSION |
63 COPY_INTO_FILE_PERMISSION | 63 COPY_INTO_FILE_PERMISSION |
64 DELETE_FILE_PERMISSION, 64 DELETE_FILE_PERMISSION,
65 65
66 COPY_INTO_FILE_GRANT = COPY_INTO_FILE_PERMISSION, 66 COPY_INTO_FILE_GRANT = COPY_INTO_FILE_PERMISSION,
67 DELETE_FILE_GRANT = DELETE_FILE_PERMISSION, 67 DELETE_FILE_GRANT = DELETE_FILE_PERMISSION,
68 }; 68 };
69 69
70 // https://crbug.com/646278 Valid blob URLs should contain canonically
71 // serialized origins.
72 bool IsMalformedBlobUrl(const GURL& url) {
73 if (!url.SchemeIsBlob())
74 return false;
75
76 // If the part after blob: survives a roundtrip through url::Origin, then
77 // it's a normal blob URL.
78 std::string canonical_origin = url::Origin(url).Serialize();
79 canonical_origin.append(1, '/');
80 if (base::StartsWith(url.GetContent(), canonical_origin,
81 base::CompareCase::INSENSITIVE_ASCII))
82 return false;
83
84 // blob:blobinternal:// is used by blink for stream URLs. This doesn't survive
85 // url::Origin canonicalization -- blobinternal is a fake scheme -- but allow
86 // it anyway. TODO(nick): Added speculatively, might be unnecessary.
87 if (base::StartsWith(url.GetContent(), "blobinternal://",
88 base::CompareCase::INSENSITIVE_ASCII))
89 return false;
90
91 // This is a malformed blob URL.
92 return true;
93 }
94
70 } // namespace 95 } // namespace
71 96
72 // The SecurityState class is used to maintain per-child process security state 97 // The SecurityState class is used to maintain per-child process security state
73 // information. 98 // information.
74 class ChildProcessSecurityPolicyImpl::SecurityState { 99 class ChildProcessSecurityPolicyImpl::SecurityState {
75 public: 100 public:
76 SecurityState() 101 SecurityState()
77 : enabled_bindings_(0), 102 : enabled_bindings_(0),
78 can_read_raw_cookies_(false), 103 can_read_raw_cookies_(false),
79 can_send_midi_sysex_(false) { } 104 can_send_midi_sysex_(false) { }
(...skipping 492 matching lines...) Expand 10 before | Expand all | Expand 10 after
572 // Every child process can request <about:blank>. 597 // Every child process can request <about:blank>.
573 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL)) 598 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL))
574 return true; 599 return true;
575 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be 600 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be
576 // requestable by any child process. Also, this case covers 601 // requestable by any child process. Also, this case covers
577 // <javascript:...>, which should be handled internally by the process and 602 // <javascript:...>, which should be handled internally by the process and
578 // not kicked up to the browser. 603 // not kicked up to the browser.
579 return false; 604 return false;
580 } 605 }
581 606
607 if (IsMalformedBlobUrl(url))
608 return false;
609
582 // If the process can commit the URL, it can request it. 610 // If the process can commit the URL, it can request it.
583 if (CanCommitURL(child_id, url)) 611 if (CanCommitURL(child_id, url))
584 return true; 612 return true;
585 613
586 // Also allow URLs destined for ShellExecute and not the browser itself. 614 // Also allow URLs destined for ShellExecute and not the browser itself.
587 return !GetContentClient()->browser()->IsHandledURL(url) && 615 return !GetContentClient()->browser()->IsHandledURL(url) &&
588 !net::URLRequest::IsHandledURL(url); 616 !net::URLRequest::IsHandledURL(url);
589 } 617 }
590 618
591 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, 619 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
592 const GURL& url) { 620 const GURL& url) {
593 if (!url.is_valid()) 621 if (!url.is_valid())
594 return false; // Can't commit invalid URLs. 622 return false; // Can't commit invalid URLs.
595 623
596 // Of all the pseudo schemes, only about:blank is allowed to commit. 624 // Of all the pseudo schemes, only about:blank is allowed to commit.
597 if (IsPseudoScheme(url.scheme())) 625 if (IsPseudoScheme(url.scheme()))
598 return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL); 626 return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL);
599 627
628 if (IsMalformedBlobUrl(url))
629 return false;
630
600 // TODO(creis): Tighten this for Site Isolation, so that a URL from a site 631 // TODO(creis): Tighten this for Site Isolation, so that a URL from a site
601 // that is isolated can only be committed in a process dedicated to that site. 632 // that is isolated can only be committed in a process dedicated to that site.
602 // CanRequestURL should still allow all web-safe schemes. See 633 // CanRequestURL should still allow all web-safe schemes. See
603 // https://crbug.com/515309. 634 // https://crbug.com/515309.
604 if (IsWebSafeScheme(url.scheme())) 635 if (IsWebSafeScheme(url.scheme()))
605 return true; // The scheme has been white-listed for every child process. 636 return true; // The scheme has been white-listed for every child process.
606 637
607 { 638 {
608 base::AutoLock lock(lock_); 639 base::AutoLock lock(lock_);
609 640
(...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after
851 base::AutoLock lock(lock_); 882 base::AutoLock lock(lock_);
852 883
853 SecurityStateMap::iterator state = security_state_.find(child_id); 884 SecurityStateMap::iterator state = security_state_.find(child_id);
854 if (state == security_state_.end()) 885 if (state == security_state_.end())
855 return false; 886 return false;
856 887
857 return state->second->can_send_midi_sysex(); 888 return state->second->can_send_midi_sysex();
858 } 889 }
859 890
860 } // namespace content 891 } // namespace content
OLDNEW
« no previous file with comments | « content/browser/blob_storage/blob_url_browsertest.cc ('k') | content/browser/child_process_security_policy_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698