Block renderer-initiated main frame navigations to data URLs

content/browser/loader/async_resource_handler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/loader/async_resource_handler.h"
 
 #include <algorithm>
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/containers/hash_tables.h"
 #include "base/debug/alias.h"
 #include "base/feature_list.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/memory/shared_memory.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/stringprintf.h"
 #include "base/time/time.h"
+#include "content/browser/frame_host/navigation_handle_impl.h"
+#include "content/browser/frame_host/render_frame_host_impl.h"
 #include "content/browser/loader/netlog_observer.h"
 #include "content/browser/loader/resource_buffer.h"
 #include "content/browser/loader/resource_controller.h"
 #include "content/browser/loader/resource_dispatcher_host_impl.h"
 #include "content/browser/loader/resource_message_filter.h"
 #include "content/browser/loader/resource_request_info_impl.h"
 #include "content/browser/loader/upload_progress_tracker.h"
 #include "content/common/resource_messages.h"
 #include "content/common/resource_request_completion_status.h"
 #include "content/common/view_messages.h"
+#include "content/public/browser/render_frame_host.h"
+#include "content/public/browser/web_contents.h"
 #include "content/public/common/content_features.h"
 #include "content/public/common/resource_response.h"
 #include "ipc/ipc_message_macros.h"
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
 #include "net/base/upload_progress.h"
 #include "net/url_request/redirect_info.h"
 
 using base::TimeDelta;
 using base::TimeTicks;
 
 namespace content {
 namespace {
 
 static int kBufferSize = 1024 * 512;
 static int kMinAllocationSize = 1024 * 4;
 static int kMaxAllocationSize = 1024 * 32;
 
 // Used when kOptimizeLoadingIPCForSmallResources is enabled.
 // Small resource typically issues two Read call: one for the content itself
 // and another for getting zero response to detect EOF.
 // Inline these two into the IPC message to avoid allocating an expensive
 // SharedMemory for small resources.
 const int kNumLeadingChunk = 2;
 const int kInlinedLeadingChunkSize = 2048;
 
+const char kDataUrlConsoleError[] =
+    "Not allowed to top-level navigate to resource: %s";
+
 void GetNumericArg(const std::string& name, int* result) {
   const std::string& value =
       base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(name);
   if (!value.empty())
     base::StringToInt(value, result);
 }
 
 void InitializeResourceBufferConstants() {
   static bool did_init = false;
   if (did_init)
     return;
   did_init = true;
 
   GetNumericArg("resource-buffer-size", &kBufferSize);
   GetNumericArg("resource-buffer-min-allocation-size", &kMinAllocationSize);
   GetNumericArg("resource-buffer-max-allocation-size", &kMaxAllocationSize);
 }
 
+// Determines if the current navigation pointed by |render_process_id| and
+// |render_frame_host_id| is renderer initiated and calls |callback| with
+// the result.
+void CheckNavigationIsRendererInitiated(

[meacer, 2017/03/16 19:53:21]

This is probably very wrong to do, so suggestions welcome :)

+    int render_process_id,
+    int render_frame_host_id,
+    const base::Callback<void(bool)>& callback) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+  RenderFrameHostImpl* rfh =
+      RenderFrameHostImpl::FromID(render_process_id, render_frame_host_id);
+  DCHECK(rfh);
+  const bool should_cancel = rfh->navigation_handle()->IsRendererInitiated();
+  BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
+                          base::Bind(callback, should_cancel));
+}
+
+void AddConsoleMessage(
+    const content::ResourceRequestInfo::WebContentsGetter& web_contents_getter,
+    const GURL& url) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+  WebContents* contents = web_contents_getter.Run();
+  DCHECK(contents);
+  if (contents) {
+    contents->GetMainFrame()->AddMessageToConsole(
+        CONSOLE_MESSAGE_LEVEL_ERROR,
+        base::StringPrintf(kDataUrlConsoleError, url.spec().c_str()));
+  }
+}
+
 // This enum is used for logging a histogram and should not be reordered.
 enum ExpectedContentSizeResult {
   EQ_RESPONSE_BODY = 0,
   EQ_RESPONSE_BODY_GT_EQ_BUFFER_SIZE = 1,
   GT_EQ_BUFFER_SIZE = 2,
   LT_RESPONSE_BODY = 3,
   GT_RESPONSE_BODY = 4,
   UNKNOWN = 5,
   EXPECTED_CONTENT_MAX,
 };
@@ skipping 204 matching lines @@
 void AsyncResourceHandler::OnResponseStarted(
     ResourceResponse* response,
     std::unique_ptr<ResourceController> controller) {
   // For changes to the main frame, inform the renderer of the new URL's
   // per-host settings before the request actually commits.  This way the
   // renderer will be able to set these precisely at the time the
   // request commits, avoiding the possibility of e.g. zooming the old content
   // or of having to layout the new content twice.
   DCHECK(!has_controller());
 
+  // Block renderer-initiated, top-frame, non-download data URL navigations.
+  // Renderer-initiated check is done on the UI thread.
+  ResourceRequestInfoImpl* info = GetRequestInfo();
+  if (request()->url().SchemeIs("data") &&
+      info->requester_info()->IsRenderer() && info->IsMainFrame() &&
+      !info->IsDownload()) {
+    int render_process_id, render_frame_id;
+    if (info->GetAssociatedRenderFrame(&render_process_id, &render_frame_id)) {
+      BrowserThread::PostTask(
+          BrowserThread::UI, FROM_HERE,
+          base::Bind(
+              &CheckNavigationIsRendererInitiated, render_process_id,
+              render_frame_id,
+              base::Bind(&AsyncResourceHandler::OnResponseStartedInternal,
+                         base::Unretained(this), response,
+                         base::Passed(std::move(controller)))));
+      return;
+    }
+  }
+  OnResponseStartedInternal(response, std::move(controller), false);
+}
+
+void AsyncResourceHandler::OnResponseStartedInternal(
+    ResourceResponse* response,
+    std::unique_ptr<ResourceController> controller,
+    bool should_cancel) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+  ResourceRequestInfoImpl* info = GetRequestInfo();
+
+  if (should_cancel) {
+    BrowserThread::PostTask(
+        BrowserThread::UI, FROM_HERE,
+        base::Bind(&AddConsoleMessage, info->GetWebContentsGetterForRequest(),
+                   request()->url()));
+    controller->Cancel();
+    return;
+  }
+
   response_started_ticks_ = base::TimeTicks::Now();
 
   // We want to send a final upload progress message prior to sending the
   // response complete message even if we're waiting for an ack to to a
   // previous upload progress message.
   if (upload_progress_tracker_) {
     upload_progress_tracker_->OnUploadCompleted();
     upload_progress_tracker_ = nullptr;
   }
 
-  const ResourceRequestInfoImpl* info = GetRequestInfo();
   ResourceMessageFilter* filter = GetFilter();
   if (!filter) {
     controller->Cancel();
     return;
   }
 
   NetLogObserver::PopulateResponseInfo(request(), response);
   response->head.encoded_data_length = request()->raw_header_size();
 
   // If the parent handler downloaded the resource to a file, grant the child
@@ skipping 301 matching lines @@
 void AsyncResourceHandler::SendUploadProgress(
     const net::UploadProgress& progress) {
   ResourceMessageFilter* filter = GetFilter();
   if (!filter)
     return;
   filter->Send(new ResourceMsg_UploadProgress(
       GetRequestID(), progress.position(), progress.size()));
 }
 
 }  // namespace content