Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(627)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/browser/blob_storage/blob_dispatcher_host.cc

Issue 2399853003: [M54 merge] Lock down creation of blob:chrome-extension URLs from non-extension processes. (Closed)
Patch Set: Rebase Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « content/browser/bad_message.h ('k') | content/browser/blob_storage/blob_url_browsertest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2016 The Chromium Authors. All rights reserved. 1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "content/browser/blob_storage/blob_dispatcher_host.h" 5 #include "content/browser/blob_storage/blob_dispatcher_host.h"
6 6
7 #include <algorithm> 7 #include <algorithm>
8 8
9 #include "base/bind.h" 9 #include "base/bind.h"
10 #include "base/metrics/histogram_macros.h" 10 #include "base/metrics/histogram_macros.h"
(...skipping 286 matching lines...) Expand 10 before | Expand all | Expand 10 after
297 context); 297 context);
298 Send(new BlobStorageMsg_CancelBuildingBlob( 298 Send(new BlobStorageMsg_CancelBuildingBlob(
299 uuid, IPCBlobCreationCancelCode::BLOB_DEREFERENCED_WHILE_BUILDING)); 299 uuid, IPCBlobCreationCancelCode::BLOB_DEREFERENCED_WHILE_BUILDING));
300 } 300 }
301 } 301 }
302 } 302 }
303 303
304 void BlobDispatcherHost::OnRegisterPublicBlobURL(const GURL& public_url, 304 void BlobDispatcherHost::OnRegisterPublicBlobURL(const GURL& public_url,
305 const std::string& uuid) { 305 const std::string& uuid) {
306 DCHECK_CURRENTLY_ON(BrowserThread::IO); 306 DCHECK_CURRENTLY_ON(BrowserThread::IO);
307 BlobStorageContext* context = this->context(); 307 ChildProcessSecurityPolicyImpl* security_policy =
308 ChildProcessSecurityPolicyImpl::GetInstance();
309
310 // Blob urls have embedded origins. A frame should only be creating blob URLs
311 // in the origin of its current document. Make sure that the origin advertised
312 // on the URL is allowed to be rendered in this process.
313 if (!public_url.SchemeIsBlob() ||
314 !security_policy->CanCommitURL(process_id_, public_url)) {
315 bad_message::ReceivedBadMessage(this, bad_message::BDH_DISALLOWED_ORIGIN);
316 return;
317 }
308 if (uuid.empty()) { 318 if (uuid.empty()) {
309 bad_message::ReceivedBadMessage(this, 319 bad_message::ReceivedBadMessage(this,
310 bad_message::BDH_INVALID_URL_OPERATION); 320 bad_message::BDH_INVALID_URL_OPERATION);
311 return; 321 return;
312 } 322 }
323 BlobStorageContext* context = this->context();
313 if (!IsInUseInHost(uuid) || context->registry().IsURLMapped(public_url)) { 324 if (!IsInUseInHost(uuid) || context->registry().IsURLMapped(public_url)) {
314 UMA_HISTOGRAM_ENUMERATION("Storage.Blob.InvalidURLRegister", BDH_INCREMENT, 325 UMA_HISTOGRAM_ENUMERATION("Storage.Blob.InvalidURLRegister", BDH_INCREMENT,
315 BDH_TRACING_ENUM_LAST); 326 BDH_TRACING_ENUM_LAST);
316 return; 327 return;
317 } 328 }
318 context->RegisterPublicBlobURL(public_url, uuid); 329 context->RegisterPublicBlobURL(public_url, uuid);
319 public_blob_urls_.insert(public_url); 330 public_blob_urls_.insert(public_url);
320 } 331 }
321 332
322 void BlobDispatcherHost::OnRevokePublicBlobURL(const GURL& public_url) { 333 void BlobDispatcherHost::OnRevokePublicBlobURL(const GURL& public_url) {
(...skipping 75 matching lines...) Expand 10 before | Expand all | Expand 10 after
398 context->RevokePublicBlobURL(url); 409 context->RevokePublicBlobURL(url);
399 } 410 }
400 for (const auto& uuid_refnum_pair : blobs_inuse_map_) { 411 for (const auto& uuid_refnum_pair : blobs_inuse_map_) {
401 for (int i = 0; i < uuid_refnum_pair.second; ++i) 412 for (int i = 0; i < uuid_refnum_pair.second; ++i)
402 context->DecrementBlobRefCount(uuid_refnum_pair.first); 413 context->DecrementBlobRefCount(uuid_refnum_pair.first);
403 } 414 }
404 async_builder_.CancelAll(context); 415 async_builder_.CancelAll(context);
405 } 416 }
406 417
407 } // namespace content 418 } // namespace content
OLDNEW
« no previous file with comments | « content/browser/bad_message.h ('k') | content/browser/blob_storage/blob_url_browsertest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698