Index: content/browser/child_process_security_policy_impl.cc |
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc |
index 901a95eb31c930895f16499515dca744bc39d978..44180df83455216528dd25608431aa262a5a139c 100644 |
--- a/content/browser/child_process_security_policy_impl.cc |
+++ b/content/browser/child_process_security_policy_impl.cc |
@@ -67,6 +67,31 @@ enum ChildProcessSecurityGrants { |
DELETE_FILE_GRANT = DELETE_FILE_PERMISSION, |
}; |
+// https://crbug.com/646278 Valid blob URLs should contain canonically |
+// serialized origins. |
+bool IsMalformedBlobUrl(const GURL& url) { |
+ if (!url.SchemeIsBlob()) |
+ return false; |
+ |
+ // If the part after blob: survives a roundtrip through url::Origin, then |
+ // it's a normal blob URL. |
+ std::string canonical_origin = url::Origin(url).Serialize(); |
+ canonical_origin.append(1, '/'); |
+ if (base::StartsWith(url.GetContent(), canonical_origin, |
+ base::CompareCase::INSENSITIVE_ASCII)) |
+ return false; |
+ |
+ // blob:blobinternal:// is used by blink for stream URLs. This doesn't survive |
+ // url::Origin canonicalization -- blobinternal is a fake scheme -- but allow |
+ // it anyway. TODO(nick): Added speculatively, might be unnecessary. |
+ if (base::StartsWith(url.GetContent(), "blobinternal://", |
+ base::CompareCase::INSENSITIVE_ASCII)) |
+ return false; |
+ |
+ // This is a malformed blob URL. |
+ return true; |
+} |
+ |
} // namespace |
// The SecurityState class is used to maintain per-child process security state |
@@ -177,6 +202,8 @@ class ChildProcessSecurityPolicyImpl::SecurityState { |
// Determine whether permission has been granted to commit |url|. |
bool CanCommitURL(const GURL& url) { |
+ DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem()) |
+ << "inner_url extraction should be done already."; |
// Having permission to a scheme implies permission to all of its URLs. |
SchemeMap::const_iterator scheme_judgment( |
scheme_policy_.find(url.scheme())); |
@@ -301,6 +328,10 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
RegisterWebSafeScheme(url::kFtpScheme); |
RegisterWebSafeScheme(url::kDataScheme); |
RegisterWebSafeScheme("feed"); |
+ |
+ // TODO(nick): https://crbug.com/651534 blob: and filesystem: schemes embed |
+ // other origins, so we should not treat them as web safe. Remove callers of |
+ // IsWebSafeScheme(), and then eliminate the next two lines. |
RegisterWebSafeScheme(url::kBlobScheme); |
RegisterWebSafeScheme(url::kFileSystemScheme); |
@@ -311,9 +342,6 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
} |
ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { |
- web_safe_schemes_.clear(); |
- pseudo_schemes_.clear(); |
- security_state_.clear(); |
} |
// static |
@@ -346,25 +374,43 @@ void ChildProcessSecurityPolicyImpl::Remove(int child_id) { |
void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme( |
const std::string& scheme) { |
base::AutoLock lock(lock_); |
- DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) << "Add schemes at most once."; |
+ DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
+ << "Add schemes at most once."; |
+ DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) |
+ << "Web-safe implies not pseudo."; |
+ |
+ schemes_okay_to_request_in_any_process_.insert(scheme); |
+ schemes_okay_to_commit_in_any_process_.insert(scheme); |
+} |
+ |
+void ChildProcessSecurityPolicyImpl::RegisterWebSafeIsolatedScheme( |
+ const std::string& scheme, |
+ bool always_allow_in_origin_headers) { |
+ base::AutoLock lock(lock_); |
+ DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
+ << "Add schemes at most once."; |
DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) |
<< "Web-safe implies not pseudo."; |
- web_safe_schemes_.insert(scheme); |
+ schemes_okay_to_request_in_any_process_.insert(scheme); |
+ if (always_allow_in_origin_headers) |
+ schemes_okay_to_appear_as_origin_headers_.insert(scheme); |
} |
bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme( |
const std::string& scheme) { |
base::AutoLock lock(lock_); |
- return base::ContainsKey(web_safe_schemes_, scheme); |
+ return base::ContainsKey(schemes_okay_to_request_in_any_process_, scheme); |
} |
void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme( |
const std::string& scheme) { |
base::AutoLock lock(lock_); |
DCHECK_EQ(0U, pseudo_schemes_.count(scheme)) << "Add schemes at most once."; |
- DCHECK_EQ(0U, web_safe_schemes_.count(scheme)) |
+ DCHECK_EQ(0U, schemes_okay_to_request_in_any_process_.count(scheme)) |
+ << "Pseudo implies not web-safe."; |
+ DCHECK_EQ(0U, schemes_okay_to_commit_in_any_process_.count(scheme)) |
<< "Pseudo implies not web-safe."; |
pseudo_schemes_.insert(scheme); |
@@ -390,6 +436,10 @@ void ChildProcessSecurityPolicyImpl::GrantRequestURL( |
return; // Can't grant the capability to request pseudo schemes. |
} |
+ if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
+ return; // Don't grant blanket access to blob: or filesystem: schemes. |
+ } |
+ |
{ |
base::AutoLock lock(lock_); |
SecurityStateMap::iterator state = security_state_.find(child_id); |
@@ -579,6 +629,20 @@ bool ChildProcessSecurityPolicyImpl::CanRequestURL( |
return false; |
} |
+ // Blob and filesystem URLs require special treatment, since they embed an |
+ // inner origin. |
+ if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
+ if (IsMalformedBlobUrl(url)) |
+ return false; |
+ |
+ url::Origin origin(url); |
+ return origin.unique() || IsWebSafeScheme(origin.scheme()) || |
+ CanCommitURL(child_id, GURL(origin.Serialize())); |
+ } |
+ |
+ if (IsWebSafeScheme(url.scheme())) |
+ return true; |
+ |
// If the process can commit the URL, it can request it. |
if (CanCommitURL(child_id, url)) |
return true; |
@@ -597,16 +661,33 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, |
if (IsPseudoScheme(url.scheme())) |
return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL); |
- // TODO(creis): Tighten this for Site Isolation, so that a URL from a site |
- // that is isolated can only be committed in a process dedicated to that site. |
- // CanRequestURL should still allow all web-safe schemes. See |
- // https://crbug.com/515309. |
- if (IsWebSafeScheme(url.scheme())) |
- return true; // The scheme has been white-listed for every child process. |
+ // Blob and filesystem URLs require special treatment; validate the inner |
+ // origin they embed. |
+ if (url.SchemeIsBlob() || url.SchemeIsFileSystem()) { |
+ if (IsMalformedBlobUrl(url)) |
+ return false; |
+ |
+ url::Origin origin(url); |
+ return origin.unique() || CanCommitURL(child_id, GURL(origin.Serialize())); |
+ } |
{ |
base::AutoLock lock(lock_); |
+ // Most schemes can commit in any process. Note that we check |
+ // schemes_okay_to_commit_in_any_process_ here, which is stricter than |
+ // IsWebSafeScheme(). |
+ // |
+ // TODO(creis, nick): https://crbug.com/515309: in generalized Site |
+ // Isolation and/or --site-per-process, there will be no such thing as a |
+ // scheme that is okay to commit in any process. Instead, an URL from a site |
+ // that is isolated may only be committed in a process dedicated to that |
+ // site, so CanCommitURL will need to rely on explicit, per-process grants. |
+ // Note how today, even with extension isolation, the line below does not |
+ // enforce that http pages cannot commit in an extension process. |
+ if (base::ContainsKey(schemes_okay_to_commit_in_any_process_, url.scheme())) |
+ return true; |
+ |
SecurityStateMap::iterator state = security_state_.find(child_id); |
if (state == security_state_.end()) |
return false; |
@@ -617,6 +698,28 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, |
} |
} |
+bool ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader(int child_id, |
+ const GURL& url) { |
+ if (!url.is_valid()) |
+ return false; // Can't set invalid URLs as origin headers. |
+ |
+ // If this process can commit |url|, it can use |url| as an origin for |
+ // outbound requests. |
+ if (CanCommitURL(child_id, url)) |
+ return true; |
+ |
+ // Allow schemes which may come from scripts executing in isolated worlds; |
+ // XHRs issued by such scripts reflect the script origin rather than the |
+ // document origin. |
+ { |
+ base::AutoLock lock(lock_); |
+ if (base::ContainsKey(schemes_okay_to_appear_as_origin_headers_, |
+ url.scheme())) |
+ return true; |
+ } |
+ return false; |
+} |
+ |
bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, |
const base::FilePath& file) { |
return HasPermissionsForFile(child_id, file, READ_FILE_GRANT); |