Chromium Code Reviews| Index: chrome/browser/plugins/plugin_utils.cc |
| diff --git a/chrome/browser/plugins/plugin_utils.cc b/chrome/browser/plugins/plugin_utils.cc |
| index 582d098b1380424bcca1aa64cad2f0986093c9c5..54b7e7543a4d1810b3b3a3fffadc0a502b384644 100644 |
| --- a/chrome/browser/plugins/plugin_utils.cc |
| +++ b/chrome/browser/plugins/plugin_utils.cc |
| @@ -5,10 +5,12 @@ |
| #include "chrome/browser/plugins/plugin_utils.h" |
| #include "base/values.h" |
| +#include "chrome/common/chrome_features.h" |
| #include "chrome/common/plugin_utils.h" |
| #include "components/content_settings/core/browser/host_content_settings_map.h" |
| #include "content/public/common/webplugininfo.h" |
| #include "url/gurl.h" |
| +#include "url/origin.h" |
| namespace { |
| @@ -17,29 +19,32 @@ const char kFlashPluginID[] = "adobe-flash-player"; |
| void GetPluginContentSettingInternal( |
| const HostContentSettingsMap* host_content_settings_map, |
| bool use_javascript_setting, |
| - const GURL& policy_url, |
| + const url::Origin& main_frame_origin, |
| const GURL& plugin_url, |
| const std::string& resource, |
| ContentSetting* setting, |
| bool* uses_default_content_setting, |
| bool* is_managed) { |
| + GURL main_frame_url = |
| + main_frame_origin.unique() ? GURL() : GURL(main_frame_origin.Serialize()); |
|
nasko
2016/10/05 21:14:31
main_frame_origin.GetURL()
tommycli
2016/10/05 21:41:22
Done.
|
| + |
| std::unique_ptr<base::Value> value; |
| content_settings::SettingInfo info; |
| bool uses_plugin_specific_setting = false; |
| if (use_javascript_setting) { |
| value = host_content_settings_map->GetWebsiteSetting( |
| - policy_url, policy_url, CONTENT_SETTINGS_TYPE_JAVASCRIPT, std::string(), |
| - &info); |
| + main_frame_url, main_frame_url, CONTENT_SETTINGS_TYPE_JAVASCRIPT, |
| + std::string(), &info); |
| } else { |
| content_settings::SettingInfo specific_info; |
| std::unique_ptr<base::Value> specific_setting = |
| host_content_settings_map->GetWebsiteSetting( |
| - policy_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS, resource, |
| + main_frame_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS, resource, |
| &specific_info); |
| content_settings::SettingInfo general_info; |
| std::unique_ptr<base::Value> general_setting = |
| host_content_settings_map->GetWebsiteSetting( |
| - policy_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS, |
| + main_frame_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS, |
| std::string(), &general_info); |
| // If there is a plugin-specific setting, we use it, unless the general |
| // setting was set by policy, in which case it takes precedence. |
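Review bot: Replacing `policy_url` with a URL rebuilt from `main_frame_origin` means the primary URL handed to the three `GetWebsiteSetting` calls in this hunk no longer carries a path, and is an empty `GURL()` for a unique origin. If any stored exception is path-specific (file: patterns can be, as far as I know), it would presumably stop matching and the lookup would fall back to a broader rule, which silently changes the effective permission. This is worth confirming with a test and recording above the conversion, e.g. `// Origin-only lookup: path-specific exceptions and unique origins can match wildcard rules only.` The function body continues past the end of this hunk.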
| @@ -63,6 +68,14 @@ void GetPluginContentSettingInternal( |
| } |
| if (is_managed) |
| *is_managed = info.source == content_settings::SETTING_SOURCE_POLICY; |
| + |
| + // For non-JavaScript treated plugins (Flash): unless the user has explicitly |
| + // ALLOWed plugins, return BLOCK for any non-HTTP and non-FILE origin. |
| + if (!use_javascript_setting && *setting != CONTENT_SETTING_ALLOW && |
| + base::FeatureList::IsEnabled(features::kPreferHtmlOverPlugins) && |
| + !main_frame_url.SchemeIsHTTPOrHTTPS() && !main_frame_url.SchemeIsFile()) { |
| + *setting = CONTENT_SETTING_BLOCK; |
| + } |
| } |
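Review bot: The BLOCK override added at the end of GetPluginContentSettingInternal runs after `*is_managed` has been derived from `info`, so a caller can receive `CONTENT_SETTING_BLOCK` together with a managed flag that describes the setting that was just replaced. The same may hold for `*uses_default_content_setting`, which is written outside this hunk. Separately, the comment says "unless the user has explicitly ALLOWed plugins", but the condition only tests `*setting != CONTENT_SETTING_ALLOW`, so an ALLOW from the default rule or from policy is kept as well. For a unique origin `main_frame_url` is empty, so it looks like only a wildcard rule could have supplied that ALLOW. Either check the source of the ALLOW before keeping it, or reword the comment to match the code, e.g. `// ... unless the effective setting is ALLOW (from any source), return BLOCK ...`, and state whether the out-flags are meant to describe the pre-override value.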
| } // namespace |
| @@ -71,27 +84,28 @@ void GetPluginContentSettingInternal( |
| void PluginUtils::GetPluginContentSetting( |
| const HostContentSettingsMap* host_content_settings_map, |
| const content::WebPluginInfo& plugin, |
| - const GURL& policy_url, |
| + const url::Origin& main_frame_origin, |
| const GURL& plugin_url, |
| const std::string& resource, |
| ContentSetting* setting, |
| bool* uses_default_content_setting, |
| bool* is_managed) { |
| - GetPluginContentSettingInternal(host_content_settings_map, |
| - ShouldUseJavaScriptSettingForPlugin(plugin), |
| - policy_url, plugin_url, resource, setting, |
| - uses_default_content_setting, is_managed); |
| + GetPluginContentSettingInternal( |
| + host_content_settings_map, ShouldUseJavaScriptSettingForPlugin(plugin), |
| + main_frame_origin, plugin_url, resource, setting, |
| + uses_default_content_setting, is_managed); |
| } |
| // static |
| ContentSetting PluginUtils::GetFlashPluginContentSetting( |
| const HostContentSettingsMap* host_content_settings_map, |
| - const GURL& policy_url, |
| + const url::Origin& main_frame_origin, |
| const GURL& plugin_url, |
| bool* is_managed) { |
| ContentSetting plugin_setting = CONTENT_SETTING_DEFAULT; |
| - GetPluginContentSettingInternal( |
| - host_content_settings_map, false /* use_javascript_setting */, policy_url, |
| - plugin_url, kFlashPluginID, &plugin_setting, nullptr, is_managed); |
| + GetPluginContentSettingInternal(host_content_settings_map, |
| + false /* use_javascript_setting */, |
| + main_frame_origin, plugin_url, kFlashPluginID, |
| + &plugin_setting, nullptr, is_managed); |
| return plugin_setting; |
| } |