OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/child_process_security_policy_impl.h" | 5 #include "content/browser/child_process_security_policy_impl.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <utility> | 8 #include <utility> |
9 | 9 |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
60 CREATE_OVERWRITE_FILE_PERMISSION | | 60 CREATE_OVERWRITE_FILE_PERMISSION | |
61 READ_FILE_PERMISSION | | 61 READ_FILE_PERMISSION | |
62 WRITE_FILE_PERMISSION | | 62 WRITE_FILE_PERMISSION | |
63 COPY_INTO_FILE_PERMISSION | | 63 COPY_INTO_FILE_PERMISSION | |
64 DELETE_FILE_PERMISSION, | 64 DELETE_FILE_PERMISSION, |
65 | 65 |
66 COPY_INTO_FILE_GRANT = COPY_INTO_FILE_PERMISSION, | 66 COPY_INTO_FILE_GRANT = COPY_INTO_FILE_PERMISSION, |
67 DELETE_FILE_GRANT = DELETE_FILE_PERMISSION, | 67 DELETE_FILE_GRANT = DELETE_FILE_PERMISSION, |
68 }; | 68 }; |
69 | 69 |
| 70 // https://crbug.com/646278 Valid blob URLs should contain canonically |
| 71 // serialized origins. |
| 72 bool IsMalformedBlobUrl(const GURL& url) { |
| 73 if (!url.SchemeIsBlob()) |
| 74 return false; |
| 75 |
| 76 // If the part after blob: survives a roundtrip through url::Origin, then |
| 77 // it's a normal blob URL. |
| 78 std::string canonical_origin = url::Origin(url).Serialize(); |
| 79 canonical_origin.append(1, '/'); |
| 80 if (base::StartsWith(url.GetContent(), canonical_origin, |
| 81 base::CompareCase::INSENSITIVE_ASCII)) |
| 82 return false; |
| 83 |
| 84 // blob:blobinternal:// is used by blink for stream URLs. This doesn't survive |
| 85 // url::Origin canonicalization -- blobinternal is a fake scheme -- but allow |
| 86 // it anyway. TODO(nick): Added speculatively, might be unnecessary. |
| 87 if (base::StartsWith(url.GetContent(), "blobinternal://", |
| 88 base::CompareCase::INSENSITIVE_ASCII)) |
| 89 return false; |
| 90 |
| 91 // This is a malformed blob URL. |
| 92 return true; |
| 93 } |
| 94 |
70 } // namespace | 95 } // namespace |
71 | 96 |
72 // The SecurityState class is used to maintain per-child process security state | 97 // The SecurityState class is used to maintain per-child process security state |
73 // information. | 98 // information. |
74 class ChildProcessSecurityPolicyImpl::SecurityState { | 99 class ChildProcessSecurityPolicyImpl::SecurityState { |
75 public: | 100 public: |
76 SecurityState() | 101 SecurityState() |
77 : enabled_bindings_(0), | 102 : enabled_bindings_(0), |
78 can_read_raw_cookies_(false), | 103 can_read_raw_cookies_(false), |
79 can_send_midi_sysex_(false) { } | 104 can_send_midi_sysex_(false) { } |
(...skipping 492 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
572 // Every child process can request <about:blank>. | 597 // Every child process can request <about:blank>. |
573 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL)) | 598 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL)) |
574 return true; | 599 return true; |
575 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be | 600 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be |
576 // requestable by any child process. Also, this case covers | 601 // requestable by any child process. Also, this case covers |
577 // <javascript:...>, which should be handled internally by the process and | 602 // <javascript:...>, which should be handled internally by the process and |
578 // not kicked up to the browser. | 603 // not kicked up to the browser. |
579 return false; | 604 return false; |
580 } | 605 } |
581 | 606 |
| 607 if (IsMalformedBlobUrl(url)) |
| 608 return false; |
| 609 |
582 // If the process can commit the URL, it can request it. | 610 // If the process can commit the URL, it can request it. |
583 if (CanCommitURL(child_id, url)) | 611 if (CanCommitURL(child_id, url)) |
584 return true; | 612 return true; |
585 | 613 |
586 // Also allow URLs destined for ShellExecute and not the browser itself. | 614 // Also allow URLs destined for ShellExecute and not the browser itself. |
587 return !GetContentClient()->browser()->IsHandledURL(url) && | 615 return !GetContentClient()->browser()->IsHandledURL(url) && |
588 !net::URLRequest::IsHandledURL(url); | 616 !net::URLRequest::IsHandledURL(url); |
589 } | 617 } |
590 | 618 |
591 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, | 619 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, |
592 const GURL& url) { | 620 const GURL& url) { |
593 if (!url.is_valid()) | 621 if (!url.is_valid()) |
594 return false; // Can't commit invalid URLs. | 622 return false; // Can't commit invalid URLs. |
595 | 623 |
596 // Of all the pseudo schemes, only about:blank is allowed to commit. | 624 // Of all the pseudo schemes, only about:blank is allowed to commit. |
597 if (IsPseudoScheme(url.scheme())) | 625 if (IsPseudoScheme(url.scheme())) |
598 return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL); | 626 return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL); |
599 | 627 |
| 628 if (IsMalformedBlobUrl(url)) |
| 629 return false; |
| 630 |
600 // TODO(creis): Tighten this for Site Isolation, so that a URL from a site | 631 // TODO(creis): Tighten this for Site Isolation, so that a URL from a site |
601 // that is isolated can only be committed in a process dedicated to that site. | 632 // that is isolated can only be committed in a process dedicated to that site. |
602 // CanRequestURL should still allow all web-safe schemes. See | 633 // CanRequestURL should still allow all web-safe schemes. See |
603 // https://crbug.com/515309. | 634 // https://crbug.com/515309. |
604 if (IsWebSafeScheme(url.scheme())) | 635 if (IsWebSafeScheme(url.scheme())) |
605 return true; // The scheme has been white-listed for every child process. | 636 return true; // The scheme has been white-listed for every child process. |
606 | 637 |
607 { | 638 { |
608 base::AutoLock lock(lock_); | 639 base::AutoLock lock(lock_); |
609 | 640 |
(...skipping 241 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
851 base::AutoLock lock(lock_); | 882 base::AutoLock lock(lock_); |
852 | 883 |
853 SecurityStateMap::iterator state = security_state_.find(child_id); | 884 SecurityStateMap::iterator state = security_state_.find(child_id); |
854 if (state == security_state_.end()) | 885 if (state == security_state_.end()) |
855 return false; | 886 return false; |
856 | 887 |
857 return state->second->can_send_midi_sysex(); | 888 return state->second->can_send_midi_sysex(); |
858 } | 889 } |
859 | 890 |
860 } // namespace content | 891 } // namespace content |
OLD | NEW |