| Index: content/browser/child_process_security_policy_impl.cc
|
| diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc
|
| index 901a95eb31c930895f16499515dca744bc39d978..44180df83455216528dd25608431aa262a5a139c 100644
|
| --- a/content/browser/child_process_security_policy_impl.cc
|
| +++ b/content/browser/child_process_security_policy_impl.cc
|
| @@ -67,6 +67,31 @@ enum ChildProcessSecurityGrants {
|
| DELETE_FILE_GRANT = DELETE_FILE_PERMISSION,
|
| };
|
|
|
| +// https://crbug.com/646278 Valid blob URLs should contain canonically
|
| +// serialized origins.
|
| +bool IsMalformedBlobUrl(const GURL& url) {
|
| + if (!url.SchemeIsBlob())
|
| + return false;
|
| +
|
| + // If the part after blob: survives a roundtrip through url::Origin, then
|
| + // it's a normal blob URL.
|
| + std::string canonical_origin = url::Origin(url).Serialize();
|
| + canonical_origin.append(1, '/');
|
| + if (base::StartsWith(url.GetContent(), canonical_origin,
|
| + base::CompareCase::INSENSITIVE_ASCII))
|
| + return false;
|
| +
|
| + // blob:blobinternal:// is used by blink for stream URLs. This doesn't survive
|
| + // url::Origin canonicalization -- blobinternal is a fake scheme -- but allow
|
| + // it anyway. TODO(nick): Added speculatively, might be unnecessary.
|
| + if (base::StartsWith(url.GetContent(), "blobinternal://",
|
| + base::CompareCase::INSENSITIVE_ASCII))
|
| + return false;
|
| +
|
| + // This is a malformed blob URL.
|
| + return true;
|
| +}
|
| +
|
| } // namespace
|
|
|
| // The SecurityState class is used to maintain per-child process security state
|
| @@ -177,6 +202,8 @@ class ChildProcessSecurityPolicyImpl::SecurityState {
|
|
|
| // Determine whether permission has been granted to commit |url|.
|
| bool CanCommitURL(const GURL& url) {
|
| + DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem())
|
| + << "inner_url extraction should be done already.";
|
| // Having permission to a scheme implies permission to all of its URLs.
|
| SchemeMap::const_iterator scheme_judgment(
|
| scheme_policy_.find(url.scheme()));
|
| @@ -301,6 +328,10 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() {
|
| RegisterWebSafeScheme(url::kFtpScheme);
|
| RegisterWebSafeScheme(url::kDataScheme);
|
| RegisterWebSafeScheme("feed");
|
| +
|
| + // TODO(nick): https://crbug.com/651534 blob: and filesystem: schemes embed
|
| + // other origins, so we should not treat them as web safe. Remove callers of
|
| + // IsWebSafeScheme(), and then eliminate the next two lines.
|
| RegisterWebSafeScheme(url::kBlobScheme);
|
| RegisterWebSafeScheme(url::kFileSystemScheme);
|
|
|
| @@ -311,9 +342,6 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() {
|
| }
|
|
|
| ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() {
|
| - web_safe_schemes_.clear();
|
| - pseudo_schemes_.clear();
|
| - security_state_.clear();
|
| }
|
|
|
| // static
|
| @@ -346,25 +374,43 @@ void ChildProcessSecurityPolicyImpl::Remove(int child_id) {
|
| void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme(
|
| const std::string& scheme) {
|
| base::AutoLock lock(lock_);
|
| - DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) << "Add schemes at most once.";
|
| + DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme))
|
| + << "Add schemes at most once.";
|
| + DCHECK_EQ(0U, pseudo_schemes_.count(scheme))
|
| + << "Web-safe implies not pseudo.";
|
| +
|
| + schemes_okay_to_request_in_any_process_.insert(scheme);
|
| + schemes_okay_to_commit_in_any_process_.insert(scheme);
|
| +}
|
| +
|
| +void ChildProcessSecurityPolicyImpl::RegisterWebSafeIsolatedScheme(
|
| + const std::string& scheme,
|
| + bool always_allow_in_origin_headers) {
|
| + base::AutoLock lock(lock_);
|
| + DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme))
|
| + << "Add schemes at most once.";
|
| DCHECK_EQ(0U, pseudo_schemes_.count(scheme))
|
| << "Web-safe implies not pseudo.";
|
|
|
| - web_safe_schemes_.insert(scheme);
|
| + schemes_okay_to_request_in_any_process_.insert(scheme);
|
| + if (always_allow_in_origin_headers)
|
| + schemes_okay_to_appear_as_origin_headers_.insert(scheme);
|
| }
|
|
|
| bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme(
|
| const std::string& scheme) {
|
| base::AutoLock lock(lock_);
|
|
|
| - return base::ContainsKey(web_safe_schemes_, scheme);
|
| + return base::ContainsKey(schemes_okay_to_request_in_any_process_, scheme);
|
| }
|
|
|
| void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme(
|
| const std::string& scheme) {
|
| base::AutoLock lock(lock_);
|
| DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) << "Add schemes at most once.";
|
| - DCHECK_EQ(0U, web_safe_schemes_.count(scheme))
|
| + DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme))
|
| + << "Pseudo implies not web-safe.";
|
| + DCHECK_EQ(0U, schemes_okay_to_commit_in_any_process_.count(scheme))
|
| << "Pseudo implies not web-safe.";
|
|
|
| pseudo_schemes_.insert(scheme);
|
| @@ -390,6 +436,10 @@ void ChildProcessSecurityPolicyImpl::GrantRequestURL(
|
| return; // Can't grant the capability to request pseudo schemes.
|
| }
|
|
|
| + if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) {
|
| + return; // Don't grant blanket access to blob: or filesystem: schemes.
|
| + }
|
| +
|
| {
|
| base::AutoLock lock(lock_);
|
| SecurityStateMap::iterator state = security_state_.find(child_id);
|
| @@ -579,6 +629,20 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL(
|
| return false;
|
| }
|
|
|
| + // Blob and filesystem URLs require special treatment, since they embed an
|
| + // inner origin.
|
| + if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) {
|
| + if (IsMalformedBlobUrl(url))
|
| + return false;
|
| +
|
| + url::Origin origin(url);
|
| + return origin.unique() || IsWebSafeScheme(origin.scheme()) ||
|
| + CanCommitURL(child_id, GURL(origin.Serialize()));
|
| + }
|
| +
|
| + if (IsWebSafeScheme(url.scheme()))
|
| + return true;
|
| +
|
| // If the process can commit the URL, it can request it.
|
| if (CanCommitURL(child_id, url))
|
| return true;
|
| @@ -597,16 +661,33 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
|
| if (IsPseudoScheme(url.scheme()))
|
| return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL);
|
|
|
| - // TODO(creis): Tighten this for Site Isolation, so that a URL from a site
|
| - // that is isolated can only be committed in a process dedicated to that site.
|
| - // CanRequestURL should still allow all web-safe schemes. See
|
| - // https://crbug.com/515309.
|
| - if (IsWebSafeScheme(url.scheme()))
|
| - return true; // The scheme has been white-listed for every child process.
|
| + // Blob and filesystem URLs require special treatment; validate the inner
|
| + // origin they embed.
|
| + if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) {
|
| + if (IsMalformedBlobUrl(url))
|
| + return false;
|
| +
|
| + url::Origin origin(url);
|
| + return origin.unique() || CanCommitURL(child_id, GURL(origin.Serialize()));
|
| + }
|
|
|
| {
|
| base::AutoLock lock(lock_);
|
|
|
| + // Most schemes can commit in any process. Note that we check
|
| + // schemes_okay_to_commit_in_any_process_ here, which is stricter than
|
| + // IsWebSafeScheme().
|
| + //
|
| + // TODO(creis, nick): https://crbug.com/515309: in generalized Site
|
| + // Isolation and/or --site-per-process, there will be no such thing as a
|
| + // scheme that is okay to commit in any process. Instead, an URL from a site
|
| + // that is isolated may only be committed in a process dedicated to that
|
| + // site, so CanCommitURL will need to rely on explicit, per-process grants.
|
| + // Note how today, even with extension isolation, the line below does not
|
| + // enforce that http pages cannot commit in an extension process.
|
| + if (base::ContainsKey(schemes_okay_to_commit_in_any_process_, url.scheme()))
|
| + return true;
|
| +
|
| SecurityStateMap::iterator state = security_state_.find(child_id);
|
| if (state == security_state_.end())
|
| return false;
|
| @@ -617,6 +698,28 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
|
| }
|
| }
|
|
|
| +bool ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader(int child_id,
|
| + const GURL& url) {
|
| + if (!url.is_valid())
|
| + return false; // Can't set invalid URLs as origin headers.
|
| +
|
| + // If this process can commit |url|, it can use |url| as an origin for
|
| + // outbound requests.
|
| + if (CanCommitURL(child_id, url))
|
| + return true;
|
| +
|
| + // Allow schemes which may come from scripts executing in isolated worlds;
|
| + // XHRs issued by such scripts reflect the script origin rather than the
|
| + // document origin.
|
| + {
|
| + base::AutoLock lock(lock_);
|
| + if (base::ContainsKey(schemes_okay_to_appear_as_origin_headers_,
|
| + url.scheme()))
|
| + return true;
|
| + }
|
| + return false;
|
| +}
|
| +
|
| bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id,
|
| const base::FilePath& file) {
|
| return HasPermissionsForFile(child_id, file, READ_FILE_GRANT);
|
|
|
Chromium Code Reviews
Issue 2399853003:
[M54 merge] Lock down creation of blob:chrome-extension URLs from non-extension processes. (Closed)
