content/browser/child_process_security_policy_impl.cc - Issue 2494633004: Remove about:srcdoc url conversion.

Side by Side Diff: content/browser/child_process_security_policy_impl.cc

Issue 2494633004: Remove about:srcdoc url conversion. (Closed)

Patch Set: Addressed comments (@creis) Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « content/browser/android/web_contents_observer_proxy.cc ('k') | content/browser/child_process_security_policy_unittest.cc » ('j') | content/browser/child_process_security_policy_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/browser/child_process_security_policy_impl.h"	5 #include "content/browser/child_process_security_policy_impl.h"

6	6

7 #include <algorithm>	7 #include <algorithm>

8 #include <utility>	8 #include <utility>

9	9

10 #include "base/command_line.h"	10 #include "base/command_line.h"

(...skipping 608 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
619	619

620 state->second->RevokeReadRawCookies();	620 state->second->RevokeReadRawCookies();

621 }	621 }

622	622

623 bool ChildProcessSecurityPolicyImpl::CanRequestURL(	623 bool ChildProcessSecurityPolicyImpl::CanRequestURL(

624 int child_id, const GURL& url) {	624 int child_id, const GURL& url) {

625 if (!url.is_valid())	625 if (!url.is_valid())

626 return false; // Can't request invalid URLs.	626 return false; // Can't request invalid URLs.

627	627

628 if (IsPseudoScheme(url.scheme())) {	628 if (IsPseudoScheme(url.scheme())) {

629 // Every child process can request <about:blank>.	629 // Every child process can request <about:blank> and <about:srcdoc>
	Charlie Reis 2016/11/23 08:25:21 nit: End with period. nit: End with period. arthursonzogni 2016/11/23 14:39:26 Done. Show quoted text On 2016/11/23 08:25:21, Charlie Reis (slow) wrote: > nit: End with period. Done.
630 if (base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL))	630 if (url == url::kAboutBlankURL \|\| url == content::kAboutSrcDocURL)

631 return true;	631 return true;

632 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be	632 // URLs like <about:version>, <about:crash>, <view-source:...> shouldn't be

633 // requestable by any child process. Also, this case covers	633 // requestable by any child process. Also, this case covers

634 // <javascript:...>, which should be handled internally by the process and	634 // <javascript:...>, which should be handled internally by the process and

635 // not kicked up to the browser.	635 // not kicked up to the browser.

636 return false;	636 return false;

637 }	637 }

638	638

639 // Blob and filesystem URLs require special treatment, since they embed an	639 // Blob and filesystem URLs require special treatment, since they embed an

640 // inner origin.	640 // inner origin.

(...skipping 16 matching lines...) Expand all Loading...
657 // Also allow URLs destined for ShellExecute and not the browser itself.	657 // Also allow URLs destined for ShellExecute and not the browser itself.

658 return !GetContentClient()->browser()->IsHandledURL(url) &&	658 return !GetContentClient()->browser()->IsHandledURL(url) &&

659 !net::URLRequest::IsHandledURL(url);	659 !net::URLRequest::IsHandledURL(url);

660 }	660 }

661	661

662 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,	662 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,

663 const GURL& url) {	663 const GURL& url) {

664 if (!url.is_valid())	664 if (!url.is_valid())

665 return false; // Can't commit invalid URLs.	665 return false; // Can't commit invalid URLs.

666	666

667 // Of all the pseudo schemes, only about:blank is allowed to commit.	667 // Of all the pseudo schemes, only about:blank is allowed to commit.
	Charlie Reis 2016/11/23 08:25:20 Do we need to allow about:srcdoc here, or will tha Do we need to allow about:srcdoc here, or will that never get this far? arthursonzogni 2016/11/23 14:39:26 Good question! CanCommitURL is called inside seve Show quoted text On 2016/11/23 08:25:20, Charlie Reis (slow) wrote: > Do we need to allow about:srcdoc here, or will that never get this far? Good question! CanCommitURL is called inside several function in * /content/browser/child_process_security_policy_impl.cc * /content/browser/blob_storage/blob_dispatcher_host.cc Where it can't be called with <about:srcdoc>: * In CanRequestURL: Never called because of the early return. * In CanCommitURL: Called only with blob: and file: scheme. * In HasPermissionsForFileSystemFile: called only with file: scheme. * In OnRegisterPublicBlobURL: called only with blob: scheme. Where it is called with <about:srcdoc> * In CanSetAsOriginHeader -> I think the correct behaviour is that it must returns false. It is the case if CanCommitURL(<about:srcdoc>) returns false too. Thus, if we don't touch anything, the global behavior is preserved (and is correct according to me). The only problem is that the meaning of CanCommitURL is not respected because <about:srcdoc> can actually be committed. Do you think CanCommitURL(<about:srcdoc>) should be true? Charlie Reis 2016/11/23 18:03:37 Glad to hear. In the abstract, yes, about:srcdoc Show quoted text On 2016/11/23 14:39:26, arthursonzogni wrote: > On 2016/11/23 08:25:20, Charlie Reis (slow) wrote: > > Do we need to allow about:srcdoc here, or will that never get this far? > > Good question! > > CanCommitURL is called inside several function in > * /content/browser/child_process_security_policy_impl.cc > * /content/browser/blob_storage/blob_dispatcher_host.cc > > Where it can't be called with <about:srcdoc>: > * In CanRequestURL: Never called because of the early return. > * In CanCommitURL: Called only with blob: and file: scheme. > * In HasPermissionsForFileSystemFile: called only with file: scheme. > * In OnRegisterPublicBlobURL: called only with blob: scheme. > > Where it is called with <about:srcdoc> > * In CanSetAsOriginHeader -> I think the correct behaviour is that it > must returns false. It is the case if CanCommitURL(<about:srcdoc>) > returns false too. > > Thus, if we don't touch anything, the global behavior is preserved > (and is correct according to me). The only problem is that the meaning > of CanCommitURL is not respected because <about:srcdoc> can actually be > committed. Do you think CanCommitURL(<about:srcdoc>) should be true? Glad to hear. In the abstract, yes, about:srcdoc can commit, so it's a little odd for this to return false in that case. Sounds like that would only matter in future possible uses for CanCommitURL, though, and we have test coverage that should catch the problem if it does start to matter. Thus, I'm ok either way for this CL. Charlie Reis 2016/11/24 00:17:00 Nick brings up the point that it's probably saner Show quoted text On 2016/11/23 18:03:37, Charlie Reis (slow) wrote: > On 2016/11/23 14:39:26, arthursonzogni wrote: > > On 2016/11/23 08:25:20, Charlie Reis (slow) wrote: > > > Do we need to allow about:srcdoc here, or will that never get this far? > > > > Good question! > > > > CanCommitURL is called inside several function in > > * /content/browser/child_process_security_policy_impl.cc > > * /content/browser/blob_storage/blob_dispatcher_host.cc > > > > Where it can't be called with <about:srcdoc>: > > * In CanRequestURL: Never called because of the early return. > > * In CanCommitURL: Called only with blob: and file: scheme. > > * In HasPermissionsForFileSystemFile: called only with file: scheme. > > * In OnRegisterPublicBlobURL: called only with blob: scheme. > > > > Where it is called with <about:srcdoc> > > * In CanSetAsOriginHeader -> I think the correct behaviour is that it > > must returns false. It is the case if CanCommitURL(<about:srcdoc>) > > returns false too. > > > > Thus, if we don't touch anything, the global behavior is preserved > > (and is correct according to me). The only problem is that the meaning > > of CanCommitURL is not respected because <about:srcdoc> can actually be > > committed. Do you think CanCommitURL(<about:srcdoc>) should be true? > > Glad to hear. > > In the abstract, yes, about:srcdoc can commit, so it's a little odd for this to > return false in that case. Sounds like that would only matter in future > possible uses for CanCommitURL, though, and we have test coverage that should > catch the problem if it does start to matter. Thus, I'm ok either way for this > CL. Nick brings up the point that it's probably saner for CanCommitURL to return true for about:srcdoc if we can, even if it happens to work in most cases.
668 if (IsPseudoScheme(url.scheme()))	668 if (IsPseudoScheme(url.scheme()))

669 return base::LowerCaseEqualsASCII(url.spec(), url::kAboutBlankURL);	669 return url == url::kAboutBlankURL;

670	670

671 // Blob and filesystem URLs require special treatment; validate the inner	671 // Blob and filesystem URLs require special treatment; validate the inner

672 // origin they embed.	672 // origin they embed.

673 if (url.SchemeIsBlob() \|\| url.SchemeIsFileSystem()) {	673 if (url.SchemeIsBlob() \|\| url.SchemeIsFileSystem()) {

674 if (IsMalformedBlobUrl(url))	674 if (IsMalformedBlobUrl(url))

675 return false;	675 return false;

676	676

677 url::Origin origin(url);	677 url::Origin origin(url);

678 return origin.unique() \|\| CanCommitURL(child_id, GURL(origin.Serialize()));	678 return origin.unique() \|\| CanCommitURL(child_id, GURL(origin.Serialize()));

679 }	679 }

(...skipping 313 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
993 base::AutoLock lock(lock_);	993 base::AutoLock lock(lock_);

994	994

995 SecurityStateMap::iterator state = security_state_.find(child_id);	995 SecurityStateMap::iterator state = security_state_.find(child_id);

996 if (state == security_state_.end())	996 if (state == security_state_.end())

997 return false;	997 return false;

998	998

999 return state->second->can_send_midi_sysex();	999 return state->second->can_send_midi_sysex();

1000 }	1000 }

1001	1001

1002 } // namespace content	1002 } // namespace content

OLD	NEW