Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(7)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/browser/plugins/plugin_utils.cc

Issue 2378573005: [HBD] Blanket BLOCK on all non-HTTP(s) and non-FILE URLs for Flash. (Closed)
Patch Set: fix dat merge Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chrome/browser/plugins/plugin_utils.h ('k') | chrome/browser/printing/print_preview_dialog_controller_browsertest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/plugins/plugin_utils.cc
diff --git a/chrome/browser/plugins/plugin_utils.cc b/chrome/browser/plugins/plugin_utils.cc
index 582d098b1380424bcca1aa64cad2f0986093c9c5..2a21946c26d2769c5d4e9e859c8fb4a5675f905e 100644
--- a/chrome/browser/plugins/plugin_utils.cc
+++ b/chrome/browser/plugins/plugin_utils.cc
@@ -5,10 +5,12 @@
#include "chrome/browser/plugins/plugin_utils.h"
#include "base/values.h"
+#include "chrome/common/chrome_features.h"
#include "chrome/common/plugin_utils.h"
#include "components/content_settings/core/browser/host_content_settings_map.h"
#include "content/public/common/webplugininfo.h"
#include "url/gurl.h"
+#include "url/origin.h"
namespace {
@@ -17,29 +19,30 @@ const char kFlashPluginID[] = "adobe-flash-player";
void GetPluginContentSettingInternal(
const HostContentSettingsMap* host_content_settings_map,
bool use_javascript_setting,
- const GURL& policy_url,
+ const url::Origin& main_frame_origin,
const GURL& plugin_url,
const std::string& resource,
ContentSetting* setting,
bool* uses_default_content_setting,
bool* is_managed) {
+ GURL main_frame_url = main_frame_origin.GetURL();
std::unique_ptr<base::Value> value;
content_settings::SettingInfo info;
bool uses_plugin_specific_setting = false;
if (use_javascript_setting) {
value = host_content_settings_map->GetWebsiteSetting(
- policy_url, policy_url, CONTENT_SETTINGS_TYPE_JAVASCRIPT, std::string(),
- &info);
+ main_frame_url, main_frame_url, CONTENT_SETTINGS_TYPE_JAVASCRIPT,
+ std::string(), &info);
} else {
content_settings::SettingInfo specific_info;
std::unique_ptr<base::Value> specific_setting =
host_content_settings_map->GetWebsiteSetting(
- policy_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS, resource,
+ main_frame_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS, resource,
&specific_info);
content_settings::SettingInfo general_info;
std::unique_ptr<base::Value> general_setting =
host_content_settings_map->GetWebsiteSetting(
- policy_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS,
+ main_frame_url, plugin_url, CONTENT_SETTINGS_TYPE_PLUGINS,
std::string(), &general_info);
// If there is a plugin-specific setting, we use it, unless the general
// setting was set by policy, in which case it takes precedence.
@@ -63,6 +66,14 @@ void GetPluginContentSettingInternal(
}
if (is_managed)
*is_managed = info.source == content_settings::SETTING_SOURCE_POLICY;
+
+ // For non-JavaScript treated plugins (Flash): unless the user has explicitly
+ // ALLOWed plugins, return BLOCK for any non-HTTP and non-FILE origin.
+ if (!use_javascript_setting && *setting != CONTENT_SETTING_ALLOW &&
+ base::FeatureList::IsEnabled(features::kPreferHtmlOverPlugins) &&
+ !main_frame_url.SchemeIsHTTPOrHTTPS() && !main_frame_url.SchemeIsFile()) {
+ *setting = CONTENT_SETTING_BLOCK;
+ }
}
} // namespace
@@ -71,27 +82,28 @@ void GetPluginContentSettingInternal(
void PluginUtils::GetPluginContentSetting(
const HostContentSettingsMap* host_content_settings_map,
const content::WebPluginInfo& plugin,
- const GURL& policy_url,
+ const url::Origin& main_frame_origin,
const GURL& plugin_url,
const std::string& resource,
ContentSetting* setting,
bool* uses_default_content_setting,
bool* is_managed) {
- GetPluginContentSettingInternal(host_content_settings_map,
- ShouldUseJavaScriptSettingForPlugin(plugin),
- policy_url, plugin_url, resource, setting,
- uses_default_content_setting, is_managed);
+ GetPluginContentSettingInternal(
+ host_content_settings_map, ShouldUseJavaScriptSettingForPlugin(plugin),
+ main_frame_origin, plugin_url, resource, setting,
+ uses_default_content_setting, is_managed);
}
// static
ContentSetting PluginUtils::GetFlashPluginContentSetting(
const HostContentSettingsMap* host_content_settings_map,
- const GURL& policy_url,
+ const url::Origin& main_frame_origin,
const GURL& plugin_url,
bool* is_managed) {
ContentSetting plugin_setting = CONTENT_SETTING_DEFAULT;
- GetPluginContentSettingInternal(
- host_content_settings_map, false /* use_javascript_setting */, policy_url,
- plugin_url, kFlashPluginID, &plugin_setting, nullptr, is_managed);
+ GetPluginContentSettingInternal(host_content_settings_map,
+ false /* use_javascript_setting */,
+ main_frame_origin, plugin_url, kFlashPluginID,
+ &plugin_setting, nullptr, is_managed);
return plugin_setting;
}
« no previous file with comments | « chrome/browser/plugins/plugin_utils.h ('k') | chrome/browser/printing/print_preview_dialog_controller_browsertest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698