Index: content/browser/loader/async_resource_handler.cc |
diff --git a/content/browser/loader/async_resource_handler.cc b/content/browser/loader/async_resource_handler.cc |
index 7d146f318664e9ad242c45493dca151121d06d04..2d9ceb91416a5446f855bbdea22e05c86c8fe3d2 100644 |
--- a/content/browser/loader/async_resource_handler.cc |
+++ b/content/browser/loader/async_resource_handler.cc |
@@ -17,7 +17,10 @@ |
#include "base/memory/shared_memory.h" |
#include "base/metrics/histogram_macros.h" |
#include "base/strings/string_number_conversions.h" |
+#include "base/strings/stringprintf.h" |
#include "base/time/time.h" |
+#include "content/browser/frame_host/navigation_handle_impl.h" |
+#include "content/browser/frame_host/render_frame_host_impl.h" |
#include "content/browser/loader/netlog_observer.h" |
#include "content/browser/loader/resource_buffer.h" |
#include "content/browser/loader/resource_controller.h" |
@@ -28,6 +31,8 @@ |
#include "content/common/resource_messages.h" |
#include "content/common/resource_request_completion_status.h" |
#include "content/common/view_messages.h" |
+#include "content/public/browser/render_frame_host.h" |
+#include "content/public/browser/web_contents.h" |
#include "content/public/common/content_features.h" |
#include "content/public/common/resource_response.h" |
#include "ipc/ipc_message_macros.h" |
@@ -54,6 +59,9 @@ static int kMaxAllocationSize = 1024 * 32; |
const int kNumLeadingChunk = 2; |
const int kInlinedLeadingChunkSize = 2048; |
+const char kDataUrlConsoleError[] = |
+ "Not allowed to top-level navigate to resource: %s"; |
+ |
void GetNumericArg(const std::string& name, int* result) { |
const std::string& value = |
base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(name); |
@@ -72,6 +80,35 @@ void InitializeResourceBufferConstants() { |
GetNumericArg("resource-buffer-max-allocation-size", &kMaxAllocationSize); |
} |
+// Determines if the current navigation pointed by |render_process_id| and |
+// |render_frame_host_id| is renderer initiated and calls |callback| with |
+// the result. |
+void CheckNavigationIsRendererInitiated( |
meacer
2017/03/16 19:53:21
This is probably very wrong to do, so suggestions
|
+ int render_process_id, |
+ int render_frame_host_id, |
+ const base::Callback<void(bool)>& callback) { |
+ DCHECK_CURRENTLY_ON(BrowserThread::UI); |
+ RenderFrameHostImpl* rfh = |
+ RenderFrameHostImpl::FromID(render_process_id, render_frame_host_id); |
+ DCHECK(rfh); |
+ const bool should_cancel = rfh->navigation_handle()->IsRendererInitiated(); |
+ BrowserThread::PostTask(BrowserThread::IO, FROM_HERE, |
+ base::Bind(callback, should_cancel)); |
+} |
+ |
+void AddConsoleMessage( |
+ const content::ResourceRequestInfo::WebContentsGetter& web_contents_getter, |
+ const GURL& url) { |
+ DCHECK_CURRENTLY_ON(BrowserThread::UI); |
+ WebContents* contents = web_contents_getter.Run(); |
+ DCHECK(contents); |
+ if (contents) { |
+ contents->GetMainFrame()->AddMessageToConsole( |
+ CONSOLE_MESSAGE_LEVEL_ERROR, |
+ base::StringPrintf(kDataUrlConsoleError, url.spec().c_str())); |
+ } |
+} |
+ |
// This enum is used for logging a histogram and should not be reordered. |
enum ExpectedContentSizeResult { |
EQ_RESPONSE_BODY = 0, |
@@ -296,6 +333,44 @@ void AsyncResourceHandler::OnResponseStarted( |
// or of having to layout the new content twice. |
DCHECK(!has_controller()); |
+ // Block renderer-initiated, top-frame, non-download data URL navigations. |
+ // Renderer-initiated check is done on the UI thread. |
+ ResourceRequestInfoImpl* info = GetRequestInfo(); |
+ if (request()->url().SchemeIs("data") && |
+ info->requester_info()->IsRenderer() && info->IsMainFrame() && |
+ !info->IsDownload()) { |
+ int render_process_id, render_frame_id; |
+ if (info->GetAssociatedRenderFrame(&render_process_id, &render_frame_id)) { |
+ BrowserThread::PostTask( |
+ BrowserThread::UI, FROM_HERE, |
+ base::Bind( |
+ &CheckNavigationIsRendererInitiated, render_process_id, |
+ render_frame_id, |
+ base::Bind(&AsyncResourceHandler::OnResponseStartedInternal, |
+ base::Unretained(this), response, |
+ base::Passed(std::move(controller))))); |
+ return; |
+ } |
+ } |
+ OnResponseStartedInternal(response, std::move(controller), false); |
+} |
+ |
+void AsyncResourceHandler::OnResponseStartedInternal( |
+ ResourceResponse* response, |
+ std::unique_ptr<ResourceController> controller, |
+ bool should_cancel) { |
+ DCHECK_CURRENTLY_ON(BrowserThread::IO); |
+ ResourceRequestInfoImpl* info = GetRequestInfo(); |
+ |
+ if (should_cancel) { |
+ BrowserThread::PostTask( |
+ BrowserThread::UI, FROM_HERE, |
+ base::Bind(&AddConsoleMessage, info->GetWebContentsGetterForRequest(), |
+ request()->url())); |
+ controller->Cancel(); |
+ return; |
+ } |
+ |
response_started_ticks_ = base::TimeTicks::Now(); |
// We want to send a final upload progress message prior to sending the |
@@ -306,7 +381,6 @@ void AsyncResourceHandler::OnResponseStarted( |
upload_progress_tracker_ = nullptr; |
} |
- const ResourceRequestInfoImpl* info = GetRequestInfo(); |
ResourceMessageFilter* filter = GetFilter(); |
if (!filter) { |
controller->Cancel(); |