| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/child_process_security_policy_impl.h" | 5 #include "content/browser/child_process_security_policy_impl.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 193 } | 193 } |
| 194 | 194 |
| 195 void RevokeReadRawCookies() { | 195 void RevokeReadRawCookies() { |
| 196 can_read_raw_cookies_ = false; | 196 can_read_raw_cookies_ = false; |
| 197 } | 197 } |
| 198 | 198 |
| 199 void GrantPermissionForMidiSysEx() { | 199 void GrantPermissionForMidiSysEx() { |
| 200 can_send_midi_sysex_ = true; | 200 can_send_midi_sysex_ = true; |
| 201 } | 201 } |
| 202 | 202 |
| 203 bool CanCommitOrigin(const url::Origin& origin) { |
| 204 return base::ContainsKey(origin_set_, origin); |
| 205 } |
| 206 |
| 203 // Determine whether permission has been granted to commit |url|. | 207 // Determine whether permission has been granted to commit |url|. |
| 204 bool CanCommitURL(const GURL& url) { | 208 bool CanCommitURL(const GURL& url) { |
| 205 DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem()) | 209 DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem()) |
| 206 << "inner_url extraction should be done already."; | 210 << "inner_url extraction should be done already."; |
| 207 // Having permission to a scheme implies permission to all of its URLs. | 211 // Having permission to a scheme implies permission to all of its URLs. |
| 208 SchemeMap::const_iterator scheme_judgment( | 212 SchemeMap::const_iterator scheme_judgment( |
| 209 scheme_policy_.find(url.scheme())); | 213 scheme_policy_.find(url.scheme())); |
| 210 if (scheme_judgment != scheme_policy_.end()) | 214 if (scheme_judgment != scheme_policy_.end()) |
| 211 return scheme_judgment->second; | 215 return scheme_judgment->second; |
| 212 | 216 |
| 213 // Otherwise, check for permission for specific origin. | 217 // Otherwise, check for permission for specific origin. |
| 214 if (base::ContainsKey(origin_set_, url::Origin(url))) | 218 if (CanCommitOrigin(url::Origin(url))) |
| 215 return true; | 219 return true; |
| 216 | 220 |
| 217 // file:// URLs are more granular. The child may have been given | 221 // file:// URLs are more granular. The child may have been given |
| 218 // permission to a specific file but not the file:// scheme in general. | 222 // permission to a specific file but not the file:// scheme in general. |
| 219 if (url.SchemeIs(url::kFileScheme)) { | 223 if (url.SchemeIs(url::kFileScheme)) { |
| 220 base::FilePath path; | 224 base::FilePath path; |
| 221 if (net::FileURLToFilePath(url, &path)) | 225 if (net::FileURLToFilePath(url, &path)) |
| 222 return base::ContainsKey(request_file_set_, path); | 226 return base::ContainsKey(request_file_set_, path); |
| 223 } | 227 } |
| 224 | 228 |
| (...skipping 694 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 919 base::AutoLock lock(lock_); | 923 base::AutoLock lock(lock_); |
| 920 SecurityStateMap::iterator state = security_state_.find(child_id); | 924 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 921 if (state == security_state_.end()) { | 925 if (state == security_state_.end()) { |
| 922 // TODO(nick): Returning true instead of false here is a temporary | 926 // TODO(nick): Returning true instead of false here is a temporary |
| 923 // workaround for https://crbug.com/600441 | 927 // workaround for https://crbug.com/600441 |
| 924 return true; | 928 return true; |
| 925 } | 929 } |
| 926 return state->second->CanAccessDataForOrigin(gurl); | 930 return state->second->CanAccessDataForOrigin(gurl); |
| 927 } | 931 } |
| 928 | 932 |
| 933 bool ChildProcessSecurityPolicyImpl::HasSpecificPermissionForOrigin( |
| 934 int child_id, |
| 935 const url::Origin& origin) { |
| 936 base::AutoLock lock(lock_); |
| 937 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 938 if (state == security_state_.end()) |
| 939 return false; |
| 940 return state->second->CanCommitOrigin(origin); |
| 941 } |
| 942 |
| 929 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id, | 943 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id, |
| 930 const GURL& gurl) { | 944 const GURL& gurl) { |
| 931 // "gurl" can be currently empty in some cases, such as file://blah. | 945 // "gurl" can be currently empty in some cases, such as file://blah. |
| 932 DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl); | 946 DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl); |
| 933 base::AutoLock lock(lock_); | 947 base::AutoLock lock(lock_); |
| 934 SecurityStateMap::iterator state = security_state_.find(child_id); | 948 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 935 DCHECK(state != security_state_.end()); | 949 DCHECK(state != security_state_.end()); |
| 936 state->second->LockToOrigin(gurl); | 950 state->second->LockToOrigin(gurl); |
| 937 } | 951 } |
| 938 | 952 |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 971 base::AutoLock lock(lock_); | 985 base::AutoLock lock(lock_); |
| 972 | 986 |
| 973 SecurityStateMap::iterator state = security_state_.find(child_id); | 987 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 974 if (state == security_state_.end()) | 988 if (state == security_state_.end()) |
| 975 return false; | 989 return false; |
| 976 | 990 |
| 977 return state->second->can_send_midi_sysex(); | 991 return state->second->can_send_midi_sysex(); |
| 978 } | 992 } |
| 979 | 993 |
| 980 } // namespace content | 994 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2450503002:
Tighten IO thread blob/filesystem URL checks for apps with webview permission. (Closed)
