OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/child_process_security_policy_impl.h" | 5 #include "content/browser/child_process_security_policy_impl.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/metrics/histogram.h" | 10 #include "base/metrics/histogram.h" |
(...skipping 158 matching lines...)
169 | 169 |
170 // Determine whether permission has been granted to request |url|. | 170 // Determine whether permission has been granted to request |url|. |
171 bool CanRequestURL(const GURL& url) { | 171 bool CanRequestURL(const GURL& url) { |
172 // Having permission to a scheme implies permssion to all of its URLs. | 172 // Having permission to a scheme implies permssion to all of its URLs. |
173 SchemeMap::const_iterator judgment(scheme_policy_.find(url.scheme())); | 173 SchemeMap::const_iterator judgment(scheme_policy_.find(url.scheme())); |
174 if (judgment != scheme_policy_.end()) | 174 if (judgment != scheme_policy_.end()) |
175 return judgment->second; | 175 return judgment->second; |
176 | 176 |
177 // file:// URLs are more granular. The child may have been given | 177 // file:// URLs are more granular. The child may have been given |
178 // permission to a specific file but not the file:// scheme in general. | 178 // permission to a specific file but not the file:// scheme in general. |
179 if (url.SchemeIs(kFileScheme)) { | 179 if (url.SchemeIs(url::kFileScheme)) { |
180 base::FilePath path; | 180 base::FilePath path; |
181 if (net::FileURLToFilePath(url, &path)) | 181 if (net::FileURLToFilePath(url, &path)) |
182 return ContainsKey(request_file_set_, path); | 182 return ContainsKey(request_file_set_, path); |
183 } | 183 } |
184 | 184 |
185 return false; // Unmentioned schemes are disallowed. | 185 return false; // Unmentioned schemes are disallowed. |
186 } | 186 } |
187 | 187 |
188 // Determine if the certain permissions have been granted to a file. | 188 // Determine if the certain permissions have been granted to a file. |
189 bool HasPermissionsForFile(const base::FilePath& file, int permissions) { | 189 bool HasPermissionsForFile(const base::FilePath& file, int permissions) { |
(...skipping 113 matching lines...)
303 // The set of isolated filesystems the child process is permitted to access. | 303 // The set of isolated filesystems the child process is permitted to access. |
304 FileSystemMap filesystem_permissions_; | 304 FileSystemMap filesystem_permissions_; |
305 | 305 |
306 DISALLOW_COPY_AND_ASSIGN(SecurityState); | 306 DISALLOW_COPY_AND_ASSIGN(SecurityState); |
307 }; | 307 }; |
308 | 308 |
309 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { | 309 ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
310 // We know about these schemes and believe them to be safe. | 310 // We know about these schemes and believe them to be safe. |
311 RegisterWebSafeScheme(url::kHttpScheme); | 311 RegisterWebSafeScheme(url::kHttpScheme); |
312 RegisterWebSafeScheme(url::kHttpsScheme); | 312 RegisterWebSafeScheme(url::kHttpsScheme); |
313 RegisterWebSafeScheme(kFtpScheme); | 313 RegisterWebSafeScheme(url::kFtpScheme); |
314 RegisterWebSafeScheme(kDataScheme); | 314 RegisterWebSafeScheme(url::kDataScheme); |
315 RegisterWebSafeScheme("feed"); | 315 RegisterWebSafeScheme("feed"); |
316 RegisterWebSafeScheme(kBlobScheme); | 316 RegisterWebSafeScheme(url::kBlobScheme); |
317 RegisterWebSafeScheme(kFileSystemScheme); | 317 RegisterWebSafeScheme(url::kFileSystemScheme); |
318 | 318 |
319 // We know about the following pseudo schemes and treat them specially. | 319 // We know about the following pseudo schemes and treat them specially. |
320 RegisterPseudoScheme(kAboutScheme); | 320 RegisterPseudoScheme(kAboutScheme); |
321 RegisterPseudoScheme(kJavaScriptScheme); | 321 RegisterPseudoScheme(url::kJavaScriptScheme); |
322 RegisterPseudoScheme(kViewSourceScheme); | 322 RegisterPseudoScheme(kViewSourceScheme); |
323 } | 323 } |
324 | 324 |
325 ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { | 325 ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { |
326 web_safe_schemes_.clear(); | 326 web_safe_schemes_.clear(); |
327 pseudo_schemes_.clear(); | 327 pseudo_schemes_.clear(); |
328 STLDeleteContainerPairSecondPointers(security_state_.begin(), | 328 STLDeleteContainerPairSecondPointers(security_state_.begin(), |
329 security_state_.end()); | 329 security_state_.end()); |
330 security_state_.clear(); | 330 security_state_.clear(); |
331 } | 331 } |
(...skipping 95 matching lines...)
427 | 427 |
428 // When the child process has been commanded to request this scheme, | 428 // When the child process has been commanded to request this scheme, |
429 // we grant it the capability to request all URLs of that scheme. | 429 // we grant it the capability to request all URLs of that scheme. |
430 state->second->GrantScheme(url.scheme()); | 430 state->second->GrantScheme(url.scheme()); |
431 } | 431 } |
432 } | 432 } |
433 | 433 |
434 void ChildProcessSecurityPolicyImpl::GrantRequestSpecificFileURL( | 434 void ChildProcessSecurityPolicyImpl::GrantRequestSpecificFileURL( |
435 int child_id, | 435 int child_id, |
436 const GURL& url) { | 436 const GURL& url) { |
437 if (!url.SchemeIs(kFileScheme)) | 437 if (!url.SchemeIs(url::kFileScheme)) |
438 return; | 438 return; |
439 | 439 |
440 { | 440 { |
441 base::AutoLock lock(lock_); | 441 base::AutoLock lock(lock_); |
442 SecurityStateMap::iterator state = security_state_.find(child_id); | 442 SecurityStateMap::iterator state = security_state_.find(child_id); |
443 if (state == security_state_.end()) | 443 if (state == security_state_.end()) |
444 return; | 444 return; |
445 | 445 |
446 // When the child process has been commanded to request a file:// URL, | 446 // When the child process has been commanded to request a file:// URL, |
447 // then we grant it the capability for that URL only. | 447 // then we grant it the capability for that URL only. |
(...skipping 103 matching lines...)
551 SecurityStateMap::iterator state = security_state_.find(child_id); | 551 SecurityStateMap::iterator state = security_state_.find(child_id); |
552 if (state == security_state_.end()) | 552 if (state == security_state_.end()) |
553 return; | 553 return; |
554 | 554 |
555 state->second->GrantBindings(BINDINGS_POLICY_WEB_UI); | 555 state->second->GrantBindings(BINDINGS_POLICY_WEB_UI); |
556 | 556 |
557 // Web UI bindings need the ability to request chrome: URLs. | 557 // Web UI bindings need the ability to request chrome: URLs. |
558 state->second->GrantScheme(kChromeUIScheme); | 558 state->second->GrantScheme(kChromeUIScheme); |
559 | 559 |
560 // Web UI pages can contain links to file:// URLs. | 560 // Web UI pages can contain links to file:// URLs. |
561 state->second->GrantScheme(kFileScheme); | 561 state->second->GrantScheme(url::kFileScheme); |
562 } | 562 } |
563 | 563 |
564 void ChildProcessSecurityPolicyImpl::GrantReadRawCookies(int child_id) { | 564 void ChildProcessSecurityPolicyImpl::GrantReadRawCookies(int child_id) { |
565 base::AutoLock lock(lock_); | 565 base::AutoLock lock(lock_); |
566 | 566 |
567 SecurityStateMap::iterator state = security_state_.find(child_id); | 567 SecurityStateMap::iterator state = security_state_.find(child_id); |
568 if (state == security_state_.end()) | 568 if (state == security_state_.end()) |
569 return; | 569 return; |
570 | 570 |
571 state->second->GrantReadRawCookies(); | 571 state->second->GrantReadRawCookies(); |
(...skipping 313 matching lines...)
885 base::AutoLock lock(lock_); | 885 base::AutoLock lock(lock_); |
886 | 886 |
887 SecurityStateMap::iterator state = security_state_.find(child_id); | 887 SecurityStateMap::iterator state = security_state_.find(child_id); |
888 if (state == security_state_.end()) | 888 if (state == security_state_.end()) |
889 return false; | 889 return false; |
890 | 890 |
891 return state->second->can_send_midi_sysex(); | 891 return state->second->can_send_midi_sysex(); |
892 } | 892 } |
893 | 893 |
894 } // namespace content | 894 } // namespace content |
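Review bot: The comment above `state->second->GrantScheme(url::kFileScheme);` (new line 561, in the function that grants BINDINGS_POLICY_WEB_UI) understates how broad that grant is. CanRequestURL (new lines 173-175) returns the scheme_policy_ verdict before it reaches the per-file request_file_set_ check at lines 179-183. Assuming GrantScheme records the scheme in scheme_policy_ (its body is not shown), a child with this grant can request any file:// URL, not only the linked ones. I would make the comment say so, e.g. `// Grants the whole file:// scheme: CanRequestURL() consults scheme_policy_ first, so request_file_set_ is never checked for this child.` The enclosing function's signature is outside the visible hunk, and the change itself only re-qualifies the constant.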