[M54 merge] Lock down creation of blob:chrome-extension URLs from non-extension processes.

content/browser/child_process_security_policy_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy_impl.h"
 
 #include <algorithm>
 #include <utility>
 
 #include "base/command_line.h"
@@ skipping 49 matching lines @@
                                  CREATE_OVERWRITE_FILE_PERMISSION |
                                  READ_FILE_PERMISSION |
                                  WRITE_FILE_PERMISSION |
                                  COPY_INTO_FILE_PERMISSION |
                                  DELETE_FILE_PERMISSION,
 
   COPY_INTO_FILE_GRANT         = COPY_INTO_FILE_PERMISSION,
   DELETE_FILE_GRANT            = DELETE_FILE_PERMISSION,
 };
 
+// https://crbug.com/646278 Valid blob URLs should contain canonically
+// serialized origins.
+bool IsMalformedBlobUrl(const GURL& url) {
+  if (!url.SchemeIsBlob())
+    return false;
+
+  // If the part after blob: survives a roundtrip through url::Origin, then
+  // it's a normal blob URL.
+  std::string canonical_origin = url::Origin(url).Serialize();
+  canonical_origin.append(1, '/');
+  if (base::StartsWith(url.GetContent(), canonical_origin,
+                       base::CompareCase::INSENSITIVE_ASCII))
+    return false;
+
+  // blob:blobinternal:// is used by blink for stream URLs. This doesn't survive
+  // url::Origin canonicalization -- blobinternal is a fake scheme -- but allow
+  // it anyway. TODO(nick): Added speculatively, might be unnecessary.
+  if (base::StartsWith(url.GetContent(), "blobinternal://",
+                       base::CompareCase::INSENSITIVE_ASCII))
+    return false;
+
+  // This is a malformed blob URL.
+  return true;
+}
+
 }  // namespace
 
 // The SecurityState class is used to maintain per-child process security state
 // information.
 class ChildProcessSecurityPolicyImpl::SecurityState {
  public:
   SecurityState()
     : enabled_bindings_(0),
       can_read_raw_cookies_(false),
       can_send_midi_sysex_(false) { }
@@ skipping 90 matching lines @@
   void RevokeReadRawCookies() {
     can_read_raw_cookies_ = false;
   }
 
   void GrantPermissionForMidiSysEx() {
     can_send_midi_sysex_ = true;
   }
 
   // Determine whether permission has been granted to commit |url|.
   bool CanCommitURL(const GURL& url) {
+    DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem())
+        << "inner_url extraction should be done already.";
     // Having permission to a scheme implies permission to all of its URLs.
     SchemeMap::const_iterator scheme_judgment(
         scheme_policy_.find(url.scheme()));
     if (scheme_judgment != scheme_policy_.end())
       return scheme_judgment->second;
 
     // Otherwise, check for permission for specific origin.
     if (base::ContainsKey(origin_set_, url::Origin(url)))
       return true;
 
@@ skipping 104 matching lines @@
   DISALLOW_COPY_AND_ASSIGN(SecurityState);
 };
 
 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() {
   // We know about these schemes and believe them to be safe.
   RegisterWebSafeScheme(url::kHttpScheme);
   RegisterWebSafeScheme(url::kHttpsScheme);
   RegisterWebSafeScheme(url::kFtpScheme);
   RegisterWebSafeScheme(url::kDataScheme);
   RegisterWebSafeScheme("feed");
+
+  // TODO(nick): https://crbug.com/651534 blob: and filesystem: schemes embed
+  // other origins, so we should not treat them as web safe. Remove callers of
+  // IsWebSafeScheme(), and then eliminate the next two lines.
   RegisterWebSafeScheme(url::kBlobScheme);
   RegisterWebSafeScheme(url::kFileSystemScheme);
 
   // We know about the following pseudo schemes and treat them specially.
   RegisterPseudoScheme(url::kAboutScheme);
   RegisterPseudoScheme(url::kJavaScriptScheme);
   RegisterPseudoScheme(kViewSourceScheme);
 }
 
 ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() {
-  web_safe_schemes_.clear();
-  pseudo_schemes_.clear();
-  security_state_.clear();
 }
 
 // static
 ChildProcessSecurityPolicy* ChildProcessSecurityPolicy::GetInstance() {
   return ChildProcessSecurityPolicyImpl::GetInstance();
 }
 
 ChildProcessSecurityPolicyImpl* ChildProcessSecurityPolicyImpl::GetInstance() {
   return base::Singleton<ChildProcessSecurityPolicyImpl>::get();
 }
@@ skipping 12 matching lines @@
 
 void ChildProcessSecurityPolicyImpl::Remove(int child_id) {
   base::AutoLock lock(lock_);
   security_state_.erase(child_id);
   worker_map_.erase(child_id);
 }
 
 void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme(
     const std::string& scheme) {
   base::AutoLock lock(lock_);
-  DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) << "Add schemes at most once.";
+  DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme))
+      << "Add schemes at most once.";
   DCHECK_EQ(0U, pseudo_schemes_.count(scheme))
       << "Web-safe implies not pseudo.";
 
-  web_safe_schemes_.insert(scheme);
+  schemes_okay_to_request_in_any_process_.insert(scheme);
+  schemes_okay_to_commit_in_any_process_.insert(scheme);
+}
+
+void ChildProcessSecurityPolicyImpl::RegisterWebSafeIsolatedScheme(
+    const std::string& scheme,
+    bool always_allow_in_origin_headers) {
+  base::AutoLock lock(lock_);
+  DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme))
+      << "Add schemes at most once.";
+  DCHECK_EQ(0U, pseudo_schemes_.count(scheme))
+      << "Web-safe implies not pseudo.";
+
+  schemes_okay_to_request_in_any_process_.insert(scheme);
+  if (always_allow_in_origin_headers)
+    schemes_okay_to_appear_as_origin_headers_.insert(scheme);
 }
 
 bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme(
     const std::string& scheme) {
   base::AutoLock lock(lock_);
 
-  return base::ContainsKey(web_safe_schemes_, scheme);
+  return base::ContainsKey(schemes_okay_to_request_in_any_process_, scheme);
 }
 
 void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme(
     const std::string& scheme) {
   base::AutoLock lock(lock_);
   DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) << "Add schemes at most once.";
-  DCHECK_EQ(0U, web_safe_schemes_.count(scheme))
+  DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme))
+      << "Pseudo implies not web-safe.";
+  DCHECK_EQ(0U, schemes_okay_to_commit_in_any_process_.count(scheme))
       << "Pseudo implies not web-safe.";
 
   pseudo_schemes_.insert(scheme);
 }
 
 bool ChildProcessSecurityPolicyImpl::IsPseudoScheme(
     const std::string& scheme) {
   base::AutoLock lock(lock_);
 
   return base::ContainsKey(pseudo_schemes_, scheme);
 }
 
 void ChildProcessSecurityPolicyImpl::GrantRequestURL(
     int child_id, const GURL& url) {
 
   if (!url.is_valid())
     return;  // Can't grant the capability to request invalid URLs.
 
   if (IsWebSafeScheme(url.scheme()))
     return;  // The scheme has already been whitelisted for every child process.
 
   if (IsPseudoScheme(url.scheme())) {
     return;  // Can't grant the capability to request pseudo schemes.
   }
 
+  if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) {
+    return;  // Don't grant blanket access to blob: or filesystem: schemes.
+  }
+
   {
     base::AutoLock lock(lock_);
     SecurityStateMap::iterator state = security_state_.find(child_id);
     if (state == security_state_.end())
       return;
 
     // When the child process has been commanded to request this scheme,
     // we grant it the capability to request all URLs of that scheme.
     state->second->GrantScheme(url.scheme());
   }
@@ skipping 169 matching lines @@
     // Every child process can request <about:blank>.
     if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL))
       return true;
     // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be
     // requestable by any child process.  Also, this case covers
     // <javascript:...>, which should be handled internally by the process and
     // not kicked up to the browser.
     return false;
   }
 
+  // Blob and filesystem URLs require special treatment, since they embed an
+  // inner origin.
+  if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) {
+    if (IsMalformedBlobUrl(url))
+      return false;
+
+    url::Origin origin(url);
+    return origin.unique() || IsWebSafeScheme(origin.scheme()) ||
+           CanCommitURL(child_id, GURL(origin.Serialize()));
+  }
+
+  if (IsWebSafeScheme(url.scheme()))
+    return true;
+
   // If the process can commit the URL, it can request it.
   if (CanCommitURL(child_id, url))
     return true;
 
   // Also allow URLs destined for ShellExecute and not the browser itself.
   return !GetContentClient()->browser()->IsHandledURL(url) &&
          !net::URLRequest::IsHandledURL(url);
 }
 
 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
                                                   const GURL& url) {
   if (!url.is_valid())
     return false;  // Can't commit invalid URLs.
 
   // Of all the pseudo schemes, only about:blank is allowed to commit.
   if (IsPseudoScheme(url.scheme()))
     return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL);
 
-  // TODO(creis): Tighten this for Site Isolation, so that a URL from a site
-  // that is isolated can only be committed in a process dedicated to that site.
-  // CanRequestURL should still allow all web-safe schemes. See
-  // https://crbug.com/515309.
-  if (IsWebSafeScheme(url.scheme()))
-    return true;  // The scheme has been white-listed for every child process.
+  // Blob and filesystem URLs require special treatment; validate the inner
+  // origin they embed.
+  if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) {
+    if (IsMalformedBlobUrl(url))
+      return false;
+
+    url::Origin origin(url);
+    return origin.unique() || CanCommitURL(child_id, GURL(origin.Serialize()));
+  }
 
   {
     base::AutoLock lock(lock_);
 
+    // Most schemes can commit in any process. Note that we check
+    // schemes_okay_to_commit_in_any_process_ here, which is stricter than
+    // IsWebSafeScheme().
+    //
+    // TODO(creis, nick): https://crbug.com/515309: in generalized Site
+    // Isolation and/or --site-per-process, there will be no such thing as a
+    // scheme that is okay to commit in any process. Instead, an URL from a site
+    // that is isolated may only be committed in a process dedicated to that
+    // site, so CanCommitURL will need to rely on explicit, per-process grants.
+    // Note how today, even with extension isolation, the line below does not
+    // enforce that http pages cannot commit in an extension process.
+    if (base::ContainsKey(schemes_okay_to_commit_in_any_process_, url.scheme()))
+      return true;
+
     SecurityStateMap::iterator state = security_state_.find(child_id);
     if (state == security_state_.end())
       return false;
 
     // Otherwise, we consult the child process's security state to see if it is
     // allowed to commit the URL.
     return state->second->CanCommitURL(url);
   }
 }
 
+bool ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader(int child_id,
+                                                          const GURL& url) {
+  if (!url.is_valid())
+    return false;  // Can't set invalid URLs as origin headers.
+
+  // If this process can commit |url|, it can use |url| as an origin for
+  // outbound requests.
+  if (CanCommitURL(child_id, url))
+    return true;
+
+  // Allow schemes which may come from scripts executing in isolated worlds;
+  // XHRs issued by such scripts reflect the script origin rather than the
+  // document origin.
+  {
+    base::AutoLock lock(lock_);
+    if (base::ContainsKey(schemes_okay_to_appear_as_origin_headers_,
+                          url.scheme()))
+      return true;
+  }
+  return false;
+}
+
 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id,
                                                  const base::FilePath& file) {
   return HasPermissionsForFile(child_id, file, READ_FILE_GRANT);
 }
 
 bool ChildProcessSecurityPolicyImpl::CanReadAllFiles(
     int child_id,
     const std::vector<base::FilePath>& files) {
   return std::all_of(files.begin(), files.end(),
                      [this, child_id](const base::FilePath& file) {
@@ skipping 221 matching lines @@
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return false;
 
   return state->second->can_send_midi_sysex();
 }
 
 }  // namespace content