content/browser/child_process_security_policy_impl.cc - Issue 2365433002: (re-land) Disallow navigations to blob URLs with non-canonical origins.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/browser/child_process_security_policy_impl.cc

Issue 2365433002: (re-land) Disallow navigations to blob URLs with non-canonical origins. (Closed)

Patch Set: Remove newline Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « content/browser/blob_storage/blob_url_browsertest.cc ('k') | content/browser/child_process_security_policy_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: content/browser/child_process_security_policy_impl.cc

diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc

index 652a7ac175420cba631376bba186834094a5d1f8..60d7a7aed73f25731d5c5079c183ea8a0fdacd73 100644

--- a/content/browser/child_process_security_policy_impl.cc

+++ b/content/browser/child_process_security_policy_impl.cc

@@ -67,6 +67,31 @@ enum ChildProcessSecurityGrants {

DELETE_FILE_GRANT = DELETE_FILE_PERMISSION,

};

+// https://crbug.com/646278 Valid blob URLs should contain canonically

+// serialized origins.

+bool IsMalformedBlobUrl(const GURL& url) {

+ if (!url.SchemeIsBlob())

+ return false;

+ // If the part after blob: survives a roundtrip through url::Origin, then

+ // it's a normal blob URL.

+ std::string canonical_origin = url::Origin(url).Serialize();

+ canonical_origin.append(1, '/');

+ if (base::StartsWith(url.GetContent(), canonical_origin,

+ base::CompareCase::INSENSITIVE_ASCII))

+ return false;

+ // blob:blobinternal:// is used by blink for stream URLs. This doesn't survive

+ // url::Origin canonicalization -- blobinternal is a fake scheme -- but allow

+ // it anyway. TODO(nick): Added speculatively, might be unnecessary.

+ if (base::StartsWith(url.GetContent(), "blobinternal://",

+ base::CompareCase::INSENSITIVE_ASCII))

+ return false;

+ // This is a malformed blob URL.

+ return true;

} // namespace

// The SecurityState class is used to maintain per-child process security state

@@ -579,6 +604,9 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL(

return false;

}

+ if (IsMalformedBlobUrl(url))

+ return false;

// If the process can commit the URL, it can request it.

if (CanCommitURL(child_id, url))

return true;

@@ -597,6 +625,9 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,

if (IsPseudoScheme(url.scheme()))

return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL);

+ if (IsMalformedBlobUrl(url))

+ return false;

// TODO(creis): Tighten this for Site Isolation, so that a URL from a site

// that is isolated can only be committed in a process dedicated to that site.

// CanRequestURL should still allow all web-safe schemes. See

« no previous file with comments | « content/browser/blob_storage/blob_url_browsertest.cc ('k') | content/browser/child_process_security_policy_unittest.cc » ('j') | no next file with comments »