content/browser/child_process_security_policy_impl.cc - Issue 2973433003: Block redirects to renderer-debug urls.

Side by Side Diff: content/browser/child_process_security_policy_impl.cc

Issue 2973433003: Block redirects to renderer-debug urls. (Closed)

Patch Set: Nit: Charlie Harrison Created 3 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« chrome/browser/captive_portal/captive_portal_tab_helper.cc ('K') | « content/browser/child_process_security_policy_impl.h ('k') | content/browser/child_process_security_policy_unittest.cc » ('j') | content/browser/child_process_security_policy_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "content/browser/child_process_security_policy_impl.h"	5 #include "content/browser/child_process_security_policy_impl.h"

6	6

7 #include <algorithm>	7 #include <algorithm>

8 #include <utility>	8 #include <utility>

9	9

10 #include "base/command_line.h"	10 #include "base/command_line.h"

(...skipping 649 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
660	660

661 // If the process can commit the URL, it can request it.	661 // If the process can commit the URL, it can request it.

662 if (CanCommitURL(child_id, url))	662 if (CanCommitURL(child_id, url))

663 return true;	663 return true;

664	664

665 // Also allow URLs destined for ShellExecute and not the browser itself.	665 // Also allow URLs destined for ShellExecute and not the browser itself.

666 return !GetContentClient()->browser()->IsHandledURL(url) &&	666 return !GetContentClient()->browser()->IsHandledURL(url) &&

667 !net::URLRequest::IsHandledURL(url);	667 !net::URLRequest::IsHandledURL(url);

668 }	668 }

669	669

	670 bool ChildProcessSecurityPolicyImpl::CanRedirectToURL(const GURL& url) {
	Charlie Reis 2017/07/07 17:12:59 It makes me nervous to be doing a narrower version It makes me nervous to be doing a narrower version of CanRequestURL here, especially with no comments pointing out the similarities and differences. If we change one in the future, we may need to change both. I'm not sure I understand why we can't use CanRequestURL on the initiating process? If that process isn't allowed to request the post-redirect URL, then we probably shouldn't be allowing it. (The destination process seems unimportant, but I could be wrong.) clamy 2017/07/10 12:29:19 The issue is that we need to block redirects to re Show quoted text On 2017/07/07 17:12:59, Charlie Reis (slow) wrote: > It makes me nervous to be doing a narrower version of CanRequestURL here, > especially with no comments pointing out the similarities and differences. If > we change one in the future, we may need to change both. > > I'm not sure I understand why we can't use CanRequestURL on the initiating > process? If that process isn't allowed to request the post-redirect URL, then > we probably shouldn't be allowing it. (The destination process seems > unimportant, but I could be wrong.) The issue is that we need to block redirects to renderer debug urls for all kind of navigations. This include browser-initiated navigations and renderer-initiated navigations that went through the OpenURL path. In those two cases, it makes no sense to call CanRequestURL with the current process, since it's quite possible that it will not be the process that will commit them. And in the case of browser-initiated navigations, this process did not even initiated the navigation in the first place. This is why I wanted Arthur to write a function that could check whether a redirect was allowed regardless of the process instead of calling CanRequestURL. Charlie Reis 2017/07/10 21:16:21 I'm happy with where we ended up. I think there's Show quoted text On 2017/07/10 12:29:19, clamy wrote: > On 2017/07/07 17:12:59, Charlie Reis (slow) wrote: > > It makes me nervous to be doing a narrower version of CanRequestURL here, > > especially with no comments pointing out the similarities and differences. If > > we change one in the future, we may need to change both. > > > > I'm not sure I understand why we can't use CanRequestURL on the initiating > > process? If that process isn't allowed to request the post-redirect URL, then > > we probably shouldn't be allowing it. (The destination process seems > > unimportant, but I could be wrong.) > > The issue is that we need to block redirects to renderer debug urls for all kind > of navigations. This include browser-initiated navigations and > renderer-initiated navigations that went through the OpenURL path. In those two > cases, it makes no sense to call CanRequestURL with the current process, since > it's quite possible that it will not be the process that will commit them. And > in the case of browser-initiated navigations, this process did not even > initiated the navigation in the first place. This is why I wanted Arthur to > write a function that could check whether a redirect was allowed regardless of > the process instead of calling CanRequestURL. I'm happy with where we ended up. I think there's still a reason to call CanRequestURL on renderer-initiated navigations, but I agree that we want some additional checks that also apply to browser-initiated navigations where there's no initiating process.
	671 if (!url.is_valid())

	672 return false; // Can't redirect to invalid URLs.

	673

	674 const std::string& scheme = url.scheme();

	675

	676 if (IsPseudoScheme(scheme)) {

	677 // Redirects to a pseudo scheme (about, javascript, view-source, ...) are

	678 // not allowed. An exception is made for <about:blank> and its variations.

	679 return url.IsAboutBlank();

	680 }

	681

	682 // Redirects to blob-url or filesystem-url are not allowed.

	683 if (url.SchemeIsBlob() \|\| url.SchemeIsFileSystem())

	684 return false;

	685

	686 return IsWebSafeScheme(scheme);
	Charlie Reis 2017/07/07 17:12:59 We're basically skipping the CanCommitURL and IsHa We're basically skipping the CanCommitURL and IsHandledURL checks from CanRequestURL. Are we sure this won't break things? We tend to find regressions after introducing restrictions like this, and it's not clear to me if this is a safe assumption. (e.g., Could some non-web-safe schemes redirect to each other from the right process type?) clamy 2017/07/10 12:29:19 As explained above, we can't really use the proces Show quoted text On 2017/07/07 17:12:59, Charlie Reis (slow) wrote: > We're basically skipping the CanCommitURL and IsHandledURL checks from > CanRequestURL. Are we sure this won't break things? We tend to find > regressions after introducing restrictions like this, and it's not clear to me > if this is a safe assumption. (e.g., Could some non-web-safe schemes redirect > to each other from the right process type?) As explained above, we can't really use the process in that check. Would you prefer if we just remove this check and always return true instead? This is what we're doing in PlzNavigate currently. Charlie Reis 2017/07/10 21:16:21 Sure. If we need to, we can tighten it in a separ Show quoted text On 2017/07/10 12:29:19, clamy wrote: > On 2017/07/07 17:12:59, Charlie Reis (slow) wrote: > > We're basically skipping the CanCommitURL and IsHandledURL checks from > > CanRequestURL. Are we sure this won't break things? We tend to find > > regressions after introducing restrictions like this, and it's not clear to me > > if this is a safe assumption. (e.g., Could some non-web-safe schemes redirect > > to each other from the right process type?) > > As explained above, we can't really use the process in that check. Would you > prefer if we just remove this check and always return true instead? This is what > we're doing in PlzNavigate currently. Sure. If we need to, we can tighten it in a separate CL.
	687 }

	688

670 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,	689 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,

671 const GURL& url) {	690 const GURL& url) {

672 if (!url.is_valid())	691 if (!url.is_valid())

673 return false; // Can't commit invalid URLs.	692 return false; // Can't commit invalid URLs.

674	693

675 // Of all the pseudo schemes, only about:blank and about:srcdoc are allowed to	694 // Of all the pseudo schemes, only about:blank and about:srcdoc are allowed to

676 // commit.	695 // commit.

677 if (IsPseudoScheme(url.scheme()))	696 if (IsPseudoScheme(url.scheme()))

678 return url == url::kAboutBlankURL \|\| url == kAboutSrcDocURL;	697 return url == url::kAboutBlankURL \|\| url == kAboutSrcDocURL;

679	698

(...skipping 463 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1143 return found;	1162 return found;

1144 }	1163 }

1145	1164

1146 void ChildProcessSecurityPolicyImpl::RemoveIsolatedOriginForTesting(	1165 void ChildProcessSecurityPolicyImpl::RemoveIsolatedOriginForTesting(

1147 const url::Origin& origin) {	1166 const url::Origin& origin) {

1148 base::AutoLock lock(lock_);	1167 base::AutoLock lock(lock_);

1149 isolated_origins_.erase(origin);	1168 isolated_origins_.erase(origin);

1150 }	1169 }

1151	1170

1152 } // namespace content	1171 } // namespace content

OLD	NEW