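--- a/<PATH not shown on page>
+++ b/<PATH not shown on page>
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2007 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
@@ -109,20 +109,42 @@
 }
 
 HistoryScrollRestorationType History::ScrollRestorationInternal() const {
 HistoryItem* history_item =
 GetFrame() ? GetFrame()->Loader().GetDocumentLoader()->GetHistoryItem()
 : nullptr;
 return history_item ? history_item->ScrollRestorationType()
 : kScrollRestorationAuto;
 }
 
+// TODO(crbug.com/394296): This is not the long-term fix to IPC flooding that we
+// need. However, it does somewhat mitigate the immediate concern of |pushState|
+// and |replaceState| DoS (assuming the renderer has not been compromised).
+bool History::ShouldThrottleStateObjectChanges() {
+const int kStateUpdateLimit = 50;
+
+if (state_flood_guard.count > kStateUpdateLimit) {
+static constexpr auto kStateUpdateLimitResetInterval =
+TimeDelta::FromSeconds(10);
+const auto now = TimeTicks::Now();
+if (now - state_flood_guard.last_updated > kStateUpdateLimitResetInterval) {
+state_flood_guard.count = 0;
+state_flood_guard.last_updated = now;
+return false;
+}
+return true;
+}
+
+state_flood_guard.count++;
+return false;
+}
+
 bool History::stateChanged() const {
 return last_state_object_requested_ != StateInternal();
 }
 
 bool History::IsSameAsCurrentState(SerializedScriptValue* state) const {
 return state == StateInternal();
 }
 
 void History::back(ScriptState* script_state) {
 go(script_state, -1);
@@ -223,16 +245,19 @@
 // place: JavaScript already had this URL, b) JavaScript can only access a
 // same-origin History object.
 exception_state.ThrowSecurityError(
 "A history state object with URL '" + full_url.ElidedString() +
 "' cannot be created in a document with origin '" +
 GetFrame()->GetDocument()->GetSecurityOrigin()->ToString() +
 "' and URL '" + GetFrame()->GetDocument()->Url().ElidedString() + "'.");
 return;
 }
 
+if (ShouldThrottleStateObjectChanges())
+return;
+
 GetFrame()->Loader().UpdateForSameDocumentNavigation(
 full_url, kSameDocumentNavigationHistoryApi, std::move(data),
 restoration_type, type, GetFrame()->GetDocument());
 }
 
 } // namespace blink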
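Review bot: A throttled pushState/replaceState is dropped silently at new lines 255-256 — the function returns without updating history and without any signal to the page, so script cannot tell a throttled call from a successful one; consider at least a console warning, or stating the silent drop in the comment above `ShouldThrottleStateObjectChanges`. In that function `count > kStateUpdateLimit` admits 51 unthrottled calls before the guard engages (assuming count starts at zero), so either `if (state_flood_guard.count >= kStateUpdateLimit) {` or a comment saying the limit is exclusive would match the constant's name. `kStateUpdateLimit` is a plain local `const int` while the reset interval is `static constexpr`; making both `static constexpr` would be consistent. `last_updated` is written only when the window expires, so the 10-second window is measured from the last reset (or from whatever initialised `state_flood_guard`, which is outside this diff) rather than from the last accepted call — worth stating in the comment since it decides how bursty callers are treated. The enclosing function of the second change begins outside the hunk.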