OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/child_process_security_policy_impl.h" | 5 #include "content/browser/child_process_security_policy_impl.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <utility> | 8 #include <utility> |
9 | 9 |
10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
(...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
60 CREATE_OVERWRITE_FILE_PERMISSION | | 60 CREATE_OVERWRITE_FILE_PERMISSION | |
61 READ_FILE_PERMISSION | | 61 READ_FILE_PERMISSION | |
62 WRITE_FILE_PERMISSION | | 62 WRITE_FILE_PERMISSION | |
63 COPY_INTO_FILE_PERMISSION | | 63 COPY_INTO_FILE_PERMISSION | |
64 DELETE_FILE_PERMISSION, | 64 DELETE_FILE_PERMISSION, |
65 | 65 |
66 COPY_INTO_FILE_GRANT = COPY_INTO_FILE_PERMISSION, | 66 COPY_INTO_FILE_GRANT = COPY_INTO_FILE_PERMISSION, |
67 DELETE_FILE_GRANT = DELETE_FILE_PERMISSION, | 67 DELETE_FILE_GRANT = DELETE_FILE_PERMISSION, |
68 }; | 68 }; |
69 | 69 |
| 70 // https://crbug.com/646278 Valid blob URLs should contain canonically |
| 71 // serialized origins. |
| 72 bool IsMalformedBlobUrl(const GURL& url) { |
| 73 if (!url.SchemeIsBlob()) |
| 74 return false; |
| 75 |
| 76 // If the part after blob: survives a roundtrip through url::Origin, then |
| 77 // it's a normal blob URL. |
| 78 std::string canonical_origin = url::Origin(url).Serialize(); |
| 79 canonical_origin.append(1, '/'); |
| 80 if (base::StartsWith(url.GetContent(), canonical_origin, |
| 81 base::CompareCase::INSENSITIVE_ASCII)) |
| 82 return false; |
| 83 |
| 84 // blob:blobinternal:// is used by blink for stream URLs. This doesn't survive |
| 85 // url::Origin canonicalization -- blobinternal is a fake scheme -- but allow |
| 86 // it anyway. TODO(nick): Added speculatively, might be unnecessary. |
| 87 if (base::StartsWith(url.GetContent(), "blobinternal://", |
| 88 base::CompareCase::INSENSITIVE_ASCII)) |
| 89 return false; |
| 90 |
| 91 // This is a malformed blob URL. |
| 92 return true; |
| 93 } |
| 94 |
70 } // namespace | 95 } // namespace |
71 | 96 |
72 // The SecurityState class is used to maintain per-child process security state | 97 // The SecurityState class is used to maintain per-child process security state |
73 // information. | 98 // information. |
74 class ChildProcessSecurityPolicyImpl::SecurityState { | 99 class ChildProcessSecurityPolicyImpl::SecurityState { |
75 public: | 100 public: |
76 SecurityState() | 101 SecurityState() |
77 : enabled_bindings_(0), | 102 : enabled_bindings_(0), |
78 can_read_raw_cookies_(false), | 103 can_read_raw_cookies_(false), |
79 can_send_midi_sysex_(false) { } | 104 can_send_midi_sysex_(false) { } |
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
170 void RevokeReadRawCookies() { | 195 void RevokeReadRawCookies() { |
171 can_read_raw_cookies_ = false; | 196 can_read_raw_cookies_ = false; |
172 } | 197 } |
173 | 198 |
174 void GrantPermissionForMidiSysEx() { | 199 void GrantPermissionForMidiSysEx() { |
175 can_send_midi_sysex_ = true; | 200 can_send_midi_sysex_ = true; |
176 } | 201 } |
177 | 202 |
178 // Determine whether permission has been granted to commit |url|. | 203 // Determine whether permission has been granted to commit |url|. |
179 bool CanCommitURL(const GURL& url) { | 204 bool CanCommitURL(const GURL& url) { |
| 205 DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem()) |
| 206 << "inner_url extraction should be done already."; |
180 // Having permission to a scheme implies permission to all of its URLs. | 207 // Having permission to a scheme implies permission to all of its URLs. |
181 SchemeMap::const_iterator scheme_judgment( | 208 SchemeMap::const_iterator scheme_judgment( |
182 scheme_policy_.find(url.scheme())); | 209 scheme_policy_.find(url.scheme())); |
183 if (scheme_judgment != scheme_policy_.end()) | 210 if (scheme_judgment != scheme_policy_.end()) |
184 return scheme_judgment->second; | 211 return scheme_judgment->second; |
185 | 212 |
186 // Otherwise, check for permission for specific origin. | 213 // Otherwise, check for permission for specific origin. |
187 if (base::ContainsKey(origin_set_, url::Origin(url))) | 214 if (base::ContainsKey(origin_set_, url::Origin(url))) |
188 return true; | 215 return true; |
189 | 216 |
(...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
294 DISALLOW_COPY_AND_ASSIGN(SecurityState); | 321 DISALLOW_COPY_AND_ASSIGN(SecurityState); |
295 }; | 322 }; |
296 | 323 |
297 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { | 324 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
298 // We know about these schemes and believe them to be safe. | 325 // We know about these schemes and believe them to be safe. |
299 RegisterWebSafeScheme(url::kHttpScheme); | 326 RegisterWebSafeScheme(url::kHttpScheme); |
300 RegisterWebSafeScheme(url::kHttpsScheme); | 327 RegisterWebSafeScheme(url::kHttpsScheme); |
301 RegisterWebSafeScheme(url::kFtpScheme); | 328 RegisterWebSafeScheme(url::kFtpScheme); |
302 RegisterWebSafeScheme(url::kDataScheme); | 329 RegisterWebSafeScheme(url::kDataScheme); |
303 RegisterWebSafeScheme("feed"); | 330 RegisterWebSafeScheme("feed"); |
| 331 |
| 332 // TODO(nick): https://crbug.com/651534 blob: and filesystem: schemes embed |
| 333 // other origins, so we should not treat them as web safe. Remove callers of |
| 334 // IsWebSafeScheme(), and then eliminate the next two lines. |
304 RegisterWebSafeScheme(url::kBlobScheme); | 335 RegisterWebSafeScheme(url::kBlobScheme); |
305 RegisterWebSafeScheme(url::kFileSystemScheme); | 336 RegisterWebSafeScheme(url::kFileSystemScheme); |
306 | 337 |
307 // We know about the following pseudo schemes and treat them specially. | 338 // We know about the following pseudo schemes and treat them specially. |
308 RegisterPseudoScheme(url::kAboutScheme); | 339 RegisterPseudoScheme(url::kAboutScheme); |
309 RegisterPseudoScheme(url::kJavaScriptScheme); | 340 RegisterPseudoScheme(url::kJavaScriptScheme); |
310 RegisterPseudoScheme(kViewSourceScheme); | 341 RegisterPseudoScheme(kViewSourceScheme); |
311 } | 342 } |
312 | 343 |
313 ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { | 344 ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { |
314 web_safe_schemes_.clear(); | |
315 pseudo_schemes_.clear(); | |
316 security_state_.clear(); | |
317 } | 345 } |
318 | 346 |
319 // static | 347 // static |
320 ChildProcessSecurityPolicy* ChildProcessSecurityPolicy::GetInstance() { | 348 ChildProcessSecurityPolicy* ChildProcessSecurityPolicy::GetInstance() { |
321 return ChildProcessSecurityPolicyImpl::GetInstance(); | 349 return ChildProcessSecurityPolicyImpl::GetInstance(); |
322 } | 350 } |
323 | 351 |
324 ChildProcessSecurityPolicyImpl* ChildProcessSecurityPolicyImpl::GetInstance() { | 352 ChildProcessSecurityPolicyImpl* ChildProcessSecurityPolicyImpl::GetInstance() { |
325 return base::Singleton<ChildProcessSecurityPolicyImpl>::get(); | 353 return base::Singleton<ChildProcessSecurityPolicyImpl>::get(); |
326 } | 354 } |
(...skipping 12 matching lines...) Expand all Loading... |
339 | 367 |
340 void ChildProcessSecurityPolicyImpl::Remove(int child_id) { | 368 void ChildProcessSecurityPolicyImpl::Remove(int child_id) { |
341 base::AutoLock lock(lock_); | 369 base::AutoLock lock(lock_); |
342 security_state_.erase(child_id); | 370 security_state_.erase(child_id); |
343 worker_map_.erase(child_id); | 371 worker_map_.erase(child_id); |
344 } | 372 } |
345 | 373 |
346 void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme( | 374 void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme( |
347 const std::string& scheme) { | 375 const std::string& scheme) { |
348 base::AutoLock lock(lock_); | 376 base::AutoLock lock(lock_); |
349 DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) << "Add schemes at most once."; | 377 DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
| 378 << "Add schemes at most once."; |
350 DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) | 379 DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) |
351 << "Web-safe implies not pseudo."; | 380 << "Web-safe implies not pseudo."; |
352 | 381 |
353 web_safe_schemes_.insert(scheme); | 382 schemes_okay_to_request_in_any_process_.insert(scheme); |
| 383 schemes_okay_to_commit_in_any_process_.insert(scheme); |
| 384 } |
| 385 |
| 386 void ChildProcessSecurityPolicyImpl::RegisterWebSafeIsolatedScheme( |
| 387 const std::string& scheme, |
| 388 bool always_allow_in_origin_headers) { |
| 389 base::AutoLock lock(lock_); |
| 390 DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
| 391 << "Add schemes at most once."; |
| 392 DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) |
| 393 << "Web-safe implies not pseudo."; |
| 394 |
| 395 schemes_okay_to_request_in_any_process_.insert(scheme); |
| 396 if (always_allow_in_origin_headers) |
| 397 schemes_okay_to_appear_as_origin_headers_.insert(scheme); |
354 } | 398 } |
355 | 399 |
356 bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme( | 400 bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme( |
357 const std::string& scheme) { | 401 const std::string& scheme) { |
358 base::AutoLock lock(lock_); | 402 base::AutoLock lock(lock_); |
359 | 403 |
360 return base::ContainsKey(web_safe_schemes_, scheme); | 404 return base::ContainsKey(schemes_okay_to_request_in_any_process_, scheme); |
361 } | 405 } |
362 | 406 |
363 void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme( | 407 void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme( |
364 const std::string& scheme) { | 408 const std::string& scheme) { |
365 base::AutoLock lock(lock_); | 409 base::AutoLock lock(lock_); |
366 DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) << "Add schemes at most once."; | 410 DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) << "Add schemes at most once."; |
367 DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) | 411 DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
| 412 << "Pseudo implies not web-safe."; |
| 413 DCHECK_EQ(0U, schemes_okay_to_commit_in_any_process_.count(scheme)) |
368 << "Pseudo implies not web-safe."; | 414 << "Pseudo implies not web-safe."; |
369 | 415 |
370 pseudo_schemes_.insert(scheme); | 416 pseudo_schemes_.insert(scheme); |
371 } | 417 } |
372 | 418 |
373 bool ChildProcessSecurityPolicyImpl::IsPseudoScheme( | 419 bool ChildProcessSecurityPolicyImpl::IsPseudoScheme( |
374 const std::string& scheme) { | 420 const std::string& scheme) { |
375 base::AutoLock lock(lock_); | 421 base::AutoLock lock(lock_); |
376 | 422 |
377 return base::ContainsKey(pseudo_schemes_, scheme); | 423 return base::ContainsKey(pseudo_schemes_, scheme); |
378 } | 424 } |
379 | 425 |
380 void ChildProcessSecurityPolicyImpl::GrantRequestURL( | 426 void ChildProcessSecurityPolicyImpl::GrantRequestURL( |
381 int child_id, const GURL& url) { | 427 int child_id, const GURL& url) { |
382 | 428 |
383 if (!url.is_valid()) | 429 if (!url.is_valid()) |
384 return; // Can't grant the capability to request invalid URLs. | 430 return; // Can't grant the capability to request invalid URLs. |
385 | 431 |
386 if (IsWebSafeScheme(url.scheme())) | 432 if (IsWebSafeScheme(url.scheme())) |
387 return; // The scheme has already been whitelisted for every child process. | 433 return; // The scheme has already been whitelisted for every child process. |
388 | 434 |
389 if (IsPseudoScheme(url.scheme())) { | 435 if (IsPseudoScheme(url.scheme())) { |
390 return; // Can't grant the capability to request pseudo schemes. | 436 return; // Can't grant the capability to request pseudo schemes. |
391 } | 437 } |
392 | 438 |
| 439 if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
| 440 return; // Don't grant blanket access to blob: or filesystem: schemes. |
| 441 } |
| 442 |
393 { | 443 { |
394 base::AutoLock lock(lock_); | 444 base::AutoLock lock(lock_); |
395 SecurityStateMap::iterator state = security_state_.find(child_id); | 445 SecurityStateMap::iterator state = security_state_.find(child_id); |
396 if (state == security_state_.end()) | 446 if (state == security_state_.end()) |
397 return; | 447 return; |
398 | 448 |
399 // When the child process has been commanded to request this scheme, | 449 // When the child process has been commanded to request this scheme, |
400 // we grant it the capability to request all URLs of that scheme. | 450 // we grant it the capability to request all URLs of that scheme. |
401 state->second->GrantScheme(url.scheme()); | 451 state->second->GrantScheme(url.scheme()); |
402 } | 452 } |
(...skipping 169 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
572 // Every child process can request <about:blank>. | 622 // Every child process can request <about:blank>. |
573 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL)) | 623 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL)) |
574 return true; | 624 return true; |
575 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be | 625 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be |
576 // requestable by any child process. Also, this case covers | 626 // requestable by any child process. Also, this case covers |
577 // <javascript:...>, which should be handled internally by the process and | 627 // <javascript:...>, which should be handled internally by the process and |
578 // not kicked up to the browser. | 628 // not kicked up to the browser. |
579 return false; | 629 return false; |
580 } | 630 } |
581 | 631 |
| 632 // Blob and filesystem URLs require special treatment, since they embed an |
| 633 // inner origin. |
| 634 if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
| 635 if (IsMalformedBlobUrl(url)) |
| 636 return false; |
| 637 |
| 638 url::Origin origin(url); |
| 639 return origin.unique() || IsWebSafeScheme(origin.scheme()) || |
| 640 CanCommitURL(child_id, GURL(origin.Serialize())); |
| 641 } |
| 642 |
| 643 if (IsWebSafeScheme(url.scheme())) |
| 644 return true; |
| 645 |
582 // If the process can commit the URL, it can request it. | 646 // If the process can commit the URL, it can request it. |
583 if (CanCommitURL(child_id, url)) | 647 if (CanCommitURL(child_id, url)) |
584 return true; | 648 return true; |
585 | 649 |
586 // Also allow URLs destined for ShellExecute and not the browser itself. | 650 // Also allow URLs destined for ShellExecute and not the browser itself. |
587 return !GetContentClient()->browser()->IsHandledURL(url) && | 651 return !GetContentClient()->browser()->IsHandledURL(url) && |
588 !net::URLRequest::IsHandledURL(url); | 652 !net::URLRequest::IsHandledURL(url); |
589 } | 653 } |
590 | 654 |
591 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, | 655 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, |
592 const GURL& url) { | 656 const GURL& url) { |
593 if (!url.is_valid()) | 657 if (!url.is_valid()) |
594 return false; // Can't commit invalid URLs. | 658 return false; // Can't commit invalid URLs. |
595 | 659 |
596 // Of all the pseudo schemes, only about:blank is allowed to commit. | 660 // Of all the pseudo schemes, only about:blank is allowed to commit. |
597 if (IsPseudoScheme(url.scheme())) | 661 if (IsPseudoScheme(url.scheme())) |
598 return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL); | 662 return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL); |
599 | 663 |
600 // TODO(creis): Tighten this for Site Isolation, so that a URL from a site | 664 // Blob and filesystem URLs require special treatment; validate the inner |
601 // that is isolated can only be committed in a process dedicated to that site. | 665 // origin they embed. |
602 // CanRequestURL should still allow all web-safe schemes. See | 666 if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
603 // https://crbug.com/515309. | 667 if (IsMalformedBlobUrl(url)) |
604 if (IsWebSafeScheme(url.scheme())) | 668 return false; |
605 return true; // The scheme has been white-listed for every child process. | 669 |
| 670 url::Origin origin(url); |
| 671 return origin.unique() || CanCommitURL(child_id, GURL(origin.Serialize())); |
| 672 } |
606 | 673 |
607 { | 674 { |
608 base::AutoLock lock(lock_); | 675 base::AutoLock lock(lock_); |
609 | 676 |
| 677 // Most schemes can commit in any process. Note that we check |
| 678 // schemes_okay_to_commit_in_any_process_ here, which is stricter than |
| 679 // IsWebSafeScheme(). |
| 680 // |
| 681 // TODO(creis, nick): https://crbug.com/515309: in generalized Site |
| 682 // Isolation and/or --site-per-process, there will be no such thing as a |
| 683 // scheme that is okay to commit in any process. Instead, an URL from a site |
| 684 // that is isolated may only be committed in a process dedicated to that |
| 685 // site, so CanCommitURL will need to rely on explicit, per-process grants. |
| 686 // Note how today, even with extension isolation, the line below does not |
| 687 // enforce that http pages cannot commit in an extension process. |
| 688 if (base::ContainsKey(schemes_okay_to_commit_in_any_process_, url.scheme())) |
| 689 return true; |
| 690 |
610 SecurityStateMap::iterator state = security_state_.find(child_id); | 691 SecurityStateMap::iterator state = security_state_.find(child_id); |
611 if (state == security_state_.end()) | 692 if (state == security_state_.end()) |
612 return false; | 693 return false; |
613 | 694 |
614 // Otherwise, we consult the child process's security state to see if it is | 695 // Otherwise, we consult the child process's security state to see if it is |
615 // allowed to commit the URL. | 696 // allowed to commit the URL. |
616 return state->second->CanCommitURL(url); | 697 return state->second->CanCommitURL(url); |
617 } | 698 } |
618 } | 699 } |
619 | 700 |
| 701 bool ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader(int child_id, |
| 702 const GURL& url) { |
| 703 if (!url.is_valid()) |
| 704 return false; // Can't set invalid URLs as origin headers. |
| 705 |
| 706 // If this process can commit |url|, it can use |url| as an origin for |
| 707 // outbound requests. |
| 708 if (CanCommitURL(child_id, url)) |
| 709 return true; |
| 710 |
| 711 // Allow schemes which may come from scripts executing in isolated worlds; |
| 712 // XHRs issued by such scripts reflect the script origin rather than the |
| 713 // document origin. |
| 714 { |
| 715 base::AutoLock lock(lock_); |
| 716 if (base::ContainsKey(schemes_okay_to_appear_as_origin_headers_, |
| 717 url.scheme())) |
| 718 return true; |
| 719 } |
| 720 return false; |
| 721 } |
| 722 |
620 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, | 723 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, |
621 const base::FilePath& file) { | 724 const base::FilePath& file) { |
622 return HasPermissionsForFile(child_id, file, READ_FILE_GRANT); | 725 return HasPermissionsForFile(child_id, file, READ_FILE_GRANT); |
623 } | 726 } |
624 | 727 |
625 bool ChildProcessSecurityPolicyImpl::CanReadAllFiles( | 728 bool ChildProcessSecurityPolicyImpl::CanReadAllFiles( |
626 int child_id, | 729 int child_id, |
627 const std::vector<base::FilePath>& files) { | 730 const std::vector<base::FilePath>& files) { |
628 return std::all_of(files.begin(), files.end(), | 731 return std::all_of(files.begin(), files.end(), |
629 [this, child_id](const base::FilePath& file) { | 732 [this, child_id](const base::FilePath& file) { |
(...skipping 221 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
851 base::AutoLock lock(lock_); | 954 base::AutoLock lock(lock_); |
852 | 955 |
853 SecurityStateMap::iterator state = security_state_.find(child_id); | 956 SecurityStateMap::iterator state = security_state_.find(child_id); |
854 if (state == security_state_.end()) | 957 if (state == security_state_.end()) |
855 return false; | 958 return false; |
856 | 959 |
857 return state->second->can_send_midi_sysex(); | 960 return state->second->can_send_midi_sysex(); |
858 } | 961 } |
859 | 962 |
860 } // namespace content | 963 } // namespace content |
OLD | NEW |