Tighten IO thread blob/filesystem URL checks for apps with webview permission.

content/browser/child_process_security_policy_impl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/child_process_security_policy_impl.h"
 
 #include <algorithm>
 #include <utility>
 
 #include "base/command_line.h"
@@ skipping 183 matching lines @@
   }
 
   void RevokeReadRawCookies() {
     can_read_raw_cookies_ = false;
   }
 
   void GrantPermissionForMidiSysEx() {
     can_send_midi_sysex_ = true;
   }
 
+  bool CanCommitOrigin(const url::Origin& origin) {
+    return base::ContainsKey(origin_set_, origin);
+  }
+
   // Determine whether permission has been granted to commit |url|.
   bool CanCommitURL(const GURL& url) {
     DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem())
         << "inner_url extraction should be done already.";
     // Having permission to a scheme implies permission to all of its URLs.
     SchemeMap::const_iterator scheme_judgment(
         scheme_policy_.find(url.scheme()));
     if (scheme_judgment != scheme_policy_.end())
       return scheme_judgment->second;
 
     // Otherwise, check for permission for specific origin.
-    if (base::ContainsKey(origin_set_, url::Origin(url)))
+    if (CanCommitOrigin(url::Origin(url)))
       return true;
 
     // file:// URLs are more granular.  The child may have been given
     // permission to a specific file but not the file:// scheme in general.
     if (url.SchemeIs(url::kFileScheme)) {
       base::FilePath path;
       if (net::FileURLToFilePath(url, &path))
         return base::ContainsKey(request_file_set_, path);
     }
 
@@ skipping 701 matching lines @@
   base::AutoLock lock(lock_);
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end()) {
     // TODO(nick): Returning true instead of false here is a temporary
     // workaround for https://crbug.com/600441
     return true;
   }
   return state->second->CanAccessDataForOrigin(gurl);
 }
 
+bool ChildProcessSecurityPolicyImpl::HasSpecificPermissionForOrigin(
+    int child_id,
+    const url::Origin& origin) {
+  base::AutoLock lock(lock_);
+  SecurityStateMap::iterator state = security_state_.find(child_id);
+  if (state == security_state_.end())
+    return false;

[ncarter (slow), 2016/10/20 17:46:50]

In previous interactions with CPSP, these |return false| cases were the source
of headaches (hence the lame return true on line 936).

I'm mentioning this so that we can remember it as a possible cause, if the DWOC
happens in practice -- races between the final few IPCs before a process dies,
and ChildProcessSecurityPolicyImpl::Remove() for that process_id.

[alexmos, 2016/10/20 18:40:23]

Acknowledged.

+  return state->second->CanCommitOrigin(origin);
+}
+
 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id,
                                                   const GURL& gurl) {
   // "gurl" can be currently empty in some cases, such as file://blah.
   DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl);
   base::AutoLock lock(lock_);
   SecurityStateMap::iterator state = security_state_.find(child_id);
   DCHECK(state != security_state_.end());
   state->second->LockToOrigin(gurl);
 }
 
@@ skipping 32 matching lines @@
   base::AutoLock lock(lock_);
 
   SecurityStateMap::iterator state = security_state_.find(child_id);
   if (state == security_state_.end())
     return false;
 
   return state->second->can_send_midi_sysex();
 }
 
 }  // namespace content