Change allowed bindings to be per RenderFrame instead of per RenderView.

content/browser/frame_host/render_frame_host_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/render_frame_host_impl.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 63 matching lines @@
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/permission_manager.h"
 #include "content/public/browser/permission_type.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_widget_host_view.h"
 #include "content/public/browser/resource_context.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/browser/stream_handle.h"
 #include "content/public/browser/user_metrics.h"
+#include "content/public/common/bindings_policy.h"
 #include "content/public/common/browser_side_navigation_policy.h"
 #include "content/public/common/content_constants.h"
 #include "content/public/common/content_features.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/file_chooser_file_info.h"
 #include "content/public/common/file_chooser_params.h"
 #include "content/public/common/form_field_data.h"
 #include "content/public/common/isolated_world_ids.h"
 #include "content/public/common/service_manager_connection.h"
 #include "content/public/common/service_names.mojom.h"
@@ skipping 1213 matching lines @@
 }
 
 RenderWidgetHostView* RenderFrameHostImpl::GetView() {
   return GetRenderWidgetHost()->GetView();
 }
 
 GlobalFrameRoutingId RenderFrameHostImpl::GetGlobalFrameRoutingId() {
   return GlobalFrameRoutingId(GetProcess()->GetID(), GetRoutingID());
 }
 
-int RenderFrameHostImpl::GetEnabledBindings() {
-  return render_view_host_->GetEnabledBindings();
-}
-
 void RenderFrameHostImpl::SetNavigationHandle(
     std::unique_ptr<NavigationHandleImpl> navigation_handle) {
   navigation_handle_ = std::move(navigation_handle);
 
   // TODO(clamy): Remove this debug code once we understand better how we get to
   // the point of attempting to transfer a navigation from a RFH that is no
   // longer active.
   if (navigation_handle_ && !is_active())
     base::debug::DumpWithoutCrashing();
 }
@@ skipping 371 matching lines @@
 }
 
 void RenderFrameHostImpl::RequestFocusedFormFieldData(
     FormFieldDataCallback& callback) {
   static int next_id = 1;
   int request_id = ++next_id;
   form_field_data_callbacks_[request_id] = callback;
   Send(new FrameMsg_FocusedFormFieldDataRequest(GetRoutingID(), request_id));
 }
 
+void RenderFrameHostImpl::AllowBindings(int bindings_flags) {

[Charlie Reis, 2016/12/16 01:01:52]

Do we ever need frames to have different bindings than their parents?  That's
not possible today, so I'm curious if we can enforce that here.

[Sam McNally, 2017/01/12 09:27:08]

Done.

+  // Never grant any bindings to browser plugin guests.
+  if (GetProcess()->IsForGuestsOnly()) {
+    NOTREACHED() << "Never grant bindings to a guest process.";
+    return;
+  }
+
+  // Ensure we aren't granting WebUI bindings to a process that has already
+  // been used for non-privileged views.
+  if (bindings_flags & BINDINGS_POLICY_WEB_UI &&
+      GetProcess()->HasConnection() &&
+      !ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
+          GetProcess()->GetID())) {
+    // This process has no bindings yet. Make sure it does not have more
+    // than this single active view.
+    // --single-process only has one renderer.
+    if (GetProcess()->GetActiveViewCount() > 1 &&
+        !base::CommandLine::ForCurrentProcess()->HasSwitch(
+            switches::kSingleProcess))
+      return;
+  }
+
+  if (bindings_flags & BINDINGS_POLICY_WEB_UI) {
+    ChildProcessSecurityPolicyImpl::GetInstance()->GrantWebUIBindings(
+        GetProcess()->GetID());
+  }
+
+  enabled_bindings_ |= bindings_flags;
+  // |frame_| may be disconnected in tests.
+  if (frame_)
+    frame_->AllowBindings(enabled_bindings_);
+}
+
+int RenderFrameHostImpl::GetEnabledBindings() const {
+  return enabled_bindings_;
+}
+
 void RenderFrameHostImpl::OnFocusedFormFieldDataResponse(
     int request_id,
     const FormFieldData& field_data) {
   auto it = form_field_data_callbacks_.find(request_id);
   if (it != form_field_data_callbacks_.end()) {
     it->second.Run(field_data);
     form_field_data_callbacks_.erase(it);
   }
 }
 
@@ skipping 933 matching lines @@
   GetProcess()->GetRemoteInterfaces()->GetInterface(&frame_factory);
   frame_factory->CreateFrame(routing_id_, GetProxy(&frame_),
                              frame_host_binding_.CreateInterfacePtrAndBind());
 
   service_manager::mojom::InterfaceProviderPtr remote_interfaces;
   service_manager::mojom::InterfaceProviderRequest remote_interfaces_request =
       GetProxy(&remote_interfaces);
   remote_interfaces_.reset(new service_manager::InterfaceProvider);
   remote_interfaces_->Bind(std::move(remote_interfaces));
   frame_->GetInterfaceProvider(std::move(remote_interfaces_request));
+  if (enabled_bindings_)
+    frame_->AllowBindings(enabled_bindings_);
 }
 
 void RenderFrameHostImpl::InvalidateMojoConnection() {
   interface_registry_.reset();
 
   ServiceManagerConnection* service_manager_connection =
       BrowserContext::GetServiceManagerConnectionFor(
           GetProcess()->GetBrowserContext());
   // |service_manager_connection| may be null in tests using TestBrowserContext.
   if (service_manager_connection) {
@@ skipping 56 matching lines @@
       }
     }
   }
   DCHECK_EQ(!pending_web_ui_, pending_web_ui_type_ == WebUI::kNoWebUI);
 
   // Either grant or check the RenderViewHost with/for proper bindings.
   if (pending_web_ui_ && !render_view_host_->GetProcess()->IsForGuestsOnly()) {
     // If a WebUI was created for the URL and the RenderView is not in a guest
     // process, then enable missing bindings with the RenderViewHost.
     int new_bindings = pending_web_ui_->GetBindings();
-    if ((render_view_host_->GetEnabledBindings() & new_bindings) !=
-        new_bindings) {
-      render_view_host_->AllowBindings(new_bindings);
+    if ((GetEnabledBindings() & new_bindings) != new_bindings) {
+      AllowBindings(new_bindings);
     }
   } else if (render_view_host_->is_active()) {
     // If the ongoing navigation is not to a WebUI or the RenderView is in a
     // guest process, ensure that we don't create an unprivileged RenderView in
     // a WebUI-enabled process unless it's swapped out.
     bool url_acceptable_for_webui =
         WebUIControllerFactoryRegistry::GetInstance()->IsURLAcceptableForWebUI(
             GetSiteInstance()->GetBrowserContext(), dest_url);
     if (!url_acceptable_for_webui) {
       CHECK(!ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
@@ skipping 576 matching lines @@
   // pending_nav_entry_id. If the previous handle was a prematurely aborted
   // navigation loaded via LoadDataWithBaseURL, propagate the entry id.
   return NavigationHandleImpl::Create(
       params.url, frame_tree_node_, is_renderer_initiated,
       params.was_within_same_page, base::TimeTicks::Now(),
       entry_id_for_data_nav, params.gesture,
       false);  // started_from_context_menu
 }
 
 }  // namespace content