Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/frame_host/navigation_request.h" | 5 #include "content/browser/frame_host/navigation_request.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/memory/ptr_util.h" | 9 #include "base/memory/ptr_util.h" |
| 10 #include "content/browser/appcache/appcache_navigation_handle.h" | 10 #include "content/browser/appcache/appcache_navigation_handle.h" |
| 30 #include "content/public/browser/browser_thread.h" | 30 #include "content/public/browser/browser_thread.h" |
| 31 #include "content/public/browser/content_browser_client.h" | 31 #include "content/public/browser/content_browser_client.h" |
| 32 #include "content/public/browser/global_request_id.h" | 32 #include "content/public/browser/global_request_id.h" |
| 33 #include "content/public/browser/navigation_controller.h" | 33 #include "content/public/browser/navigation_controller.h" |
| 34 #include "content/public/browser/navigation_data.h" | 34 #include "content/public/browser/navigation_data.h" |
| 35 #include "content/public/browser/navigation_ui_data.h" | 35 #include "content/public/browser/navigation_ui_data.h" |
| 36 #include "content/public/browser/render_view_host.h" | 36 #include "content/public/browser/render_view_host.h" |
| 37 #include "content/public/browser/storage_partition.h" | 37 #include "content/public/browser/storage_partition.h" |
| 38 #include "content/public/browser/stream_handle.h" | 38 #include "content/public/browser/stream_handle.h" |
| 39 #include "content/public/common/appcache_info.h" | 39 #include "content/public/common/appcache_info.h" |
| 40 #include "content/public/common/child_process_host.h" | |
| 40 #include "content/public/common/content_client.h" | 41 #include "content/public/common/content_client.h" |
| 41 #include "content/public/common/origin_util.h" | 42 #include "content/public/common/origin_util.h" |
| 42 #include "content/public/common/request_context_type.h" | 43 #include "content/public/common/request_context_type.h" |
| 43 #include "content/public/common/resource_request_body.h" | 44 #include "content/public/common/resource_request_body.h" |
| 44 #include "content/public/common/resource_response.h" | 45 #include "content/public/common/resource_response.h" |
| 45 #include "content/public/common/url_constants.h" | 46 #include "content/public/common/url_constants.h" |
| 46 #include "content/public/common/web_preferences.h" | 47 #include "content/public/common/web_preferences.h" |
| 47 #include "net/base/load_flags.h" | 48 #include "net/base/load_flags.h" |
| 48 #include "net/base/net_errors.h" | 49 #include "net/base/net_errors.h" |
| 49 #include "net/base/url_util.h" | 50 #include "net/base/url_util.h" |
| 493 } | 494 } |
| 494 | 495 |
| 495 void NavigationRequest::TransferNavigationHandleOwnership( | 496 void NavigationRequest::TransferNavigationHandleOwnership( |
| 496 RenderFrameHostImpl* render_frame_host) { | 497 RenderFrameHostImpl* render_frame_host) { |
| 497 render_frame_host->SetNavigationHandle(std::move(navigation_handle_)); | 498 render_frame_host->SetNavigationHandle(std::move(navigation_handle_)); |
| 498 } | 499 } |
| 499 | 500 |
| 500 void NavigationRequest::OnRequestRedirected( | 501 void NavigationRequest::OnRequestRedirected( |
| 501 const net::RedirectInfo& redirect_info, | 502 const net::RedirectInfo& redirect_info, |
| 502 const scoped_refptr<ResourceResponse>& response) { | 503 const scoped_refptr<ResourceResponse>& response) { |
| 504 if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRedirectToURL( | |
| 505 redirect_info.new_url)) { | |
| 506 DVLOG(1) << "Denied redirect for " | |
| 507 << redirect_info.new_url.possibly_invalid_spec(); | |
| 508 // TODO(arthursonzogni): Consider switching to net::ERR_UNSAFE_REDIRECT | |
| 509 // when PlzNavigate is launched. | |
| 510 navigation_handle_->set_net_error_code(net::ERR_ABORTED); | |
| 511 frame_tree_node_->ResetNavigationRequest(false, true); | |
| 512 return; | |
| 513 } | |
| 514 | |
| 515 // For non browser initiated navigations we need to check if the source has | |
| 516 // access to the URL. We always allow browser initiated requests. | |
|
Charlie Reis
2017/07/10 21:16:22
nit: Rephrase last sentence, since browser-initiat
arthursonzogni
2017/07/11 16:21:31
Done.
| |
| 517 if (!browser_initiated_ && source_site_instance() && | |
| 518 !ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL( | |
| 519 source_site_instance()->GetProcess()->GetID(), | |
| 520 redirect_info.new_url)) { | |
| 521 DVLOG(1) << "Denied unauthorized redirect for " | |
| 522 << redirect_info.new_url.possibly_invalid_spec(); | |
| 523 navigation_handle_->set_net_error_code(net::ERR_ABORTED); | |
| 524 frame_tree_node_->ResetNavigationRequest(false, true); | |
|
Charlie Reis
2017/07/10 21:16:22
Don't forget to return early! :)
arthursonzogni
2017/07/11 16:21:31
:) Done.
| |
| 525 } | |
| 526 | |
| 503 // If a redirect occurs, the original site instance we thought is the | 527 // If a redirect occurs, the original site instance we thought is the |
| 504 // destination could change. | 528 // destination could change. |
| 505 dest_site_instance_ = nullptr; | 529 dest_site_instance_ = nullptr; |
| 506 | 530 |
| 507 // If the navigation is no longer a POST, the POST data should be reset. | 531 // If the navigation is no longer a POST, the POST data should be reset. |
| 508 if (redirect_info.new_method != "POST") | 532 if (redirect_info.new_method != "POST") |
| 509 common_params_.post_data = nullptr; | 533 common_params_.post_data = nullptr; |
| 510 | 534 |
| 511 // Mark time for the Navigation Timing API. | 535 // Mark time for the Navigation Timing API. |
| 512 if (request_params_.navigation_timing.redirect_start.is_null()) { | 536 if (request_params_.navigation_timing.redirect_start.is_null()) { |
| 531 // otherwise block. | 555 // otherwise block. |
| 532 if (CheckContentSecurityPolicyFrameSrc(true /* is redirect */) == | 556 if (CheckContentSecurityPolicyFrameSrc(true /* is redirect */) == |
| 533 CONTENT_SECURITY_POLICY_CHECK_FAILED) { | 557 CONTENT_SECURITY_POLICY_CHECK_FAILED) { |
| 534 OnRequestFailed(false, net::ERR_BLOCKED_BY_CLIENT); | 558 OnRequestFailed(false, net::ERR_BLOCKED_BY_CLIENT); |
| 535 | 559 |
| 536 // DO NOT ADD CODE after this. The previous call to OnRequestFailed has | 560 // DO NOT ADD CODE after this. The previous call to OnRequestFailed has |
| 537 // destroyed the NavigationRequest. | 561 // destroyed the NavigationRequest. |
| 538 return; | 562 return; |
| 539 } | 563 } |
| 540 | 564 |
| 541 // For non browser initiated navigations we need to check if the source has | |
| 542 // access to the URL. We always allow browser initiated requests. | |
| 543 // TODO(clamy): Kill the renderer if FilterURL fails? | |
| 544 GURL url = common_params_.url; | |
| 545 if (!browser_initiated_ && source_site_instance()) { | |
| 546 source_site_instance()->GetProcess()->FilterURL(false, &url); | |
| 547 // FilterURL sets the URL to about:blank if the CSP checks prevent the | |
| 548 // renderer from accessing it. | |
| 549 if ((url == url::kAboutBlankURL) && (url != common_params_.url)) { | |
| 550 navigation_handle_->set_net_error_code(net::ERR_ABORTED); | |
| 551 frame_tree_node_->ResetNavigationRequest(false, true); | |
| 552 return; | |
| 553 } | |
| 554 } | |
| 555 | |
| 556 // Compute the SiteInstance to use for the redirect and pass its | 565 // Compute the SiteInstance to use for the redirect and pass its |
| 557 // RenderProcessHost if it has a process. Keep a reference if it has a | 566 // RenderProcessHost if it has a process. Keep a reference if it has a |
| 558 // process, so that the SiteInstance and its associated process aren't deleted | 567 // process, so that the SiteInstance and its associated process aren't deleted |
| 559 // before the navigation is ready to commit. | 568 // before the navigation is ready to commit. |
| 560 scoped_refptr<SiteInstance> site_instance = | 569 scoped_refptr<SiteInstance> site_instance = |
| 561 frame_tree_node_->render_manager()->GetSiteInstanceForNavigationRequest( | 570 frame_tree_node_->render_manager()->GetSiteInstanceForNavigationRequest( |
| 562 *this); | 571 *this); |
| 563 speculative_site_instance_ = | 572 speculative_site_instance_ = |
| 564 site_instance->HasProcess() ? site_instance : nullptr; | 573 site_instance->HasProcess() ? site_instance : nullptr; |
| 565 | 574 |
| 1008 CSPDirective::FrameSrc, common_params_.url, is_redirect, | 1017 CSPDirective::FrameSrc, common_params_.url, is_redirect, |
| 1009 common_params_.source_location.value_or(SourceLocation()), | 1018 common_params_.source_location.value_or(SourceLocation()), |
| 1010 CSPContext::CHECK_ENFORCED_CSP)) { | 1019 CSPContext::CHECK_ENFORCED_CSP)) { |
| 1011 return CONTENT_SECURITY_POLICY_CHECK_PASSED; | 1020 return CONTENT_SECURITY_POLICY_CHECK_PASSED; |
| 1012 } | 1021 } |
| 1013 | 1022 |
| 1014 return CONTENT_SECURITY_POLICY_CHECK_FAILED; | 1023 return CONTENT_SECURITY_POLICY_CHECK_FAILED; |
| 1015 } | 1024 } |
| 1016 | 1025 |
| 1017 } // namespace content | 1026 } // namespace content |
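Review bot: The two new denial branches in OnRequestRedirected (new lines 504-513 and 517-525) both finish with `frame_tree_node_->ResetNavigationRequest(false, true);`, but nothing tells a later editor that the request must not be touched after that call. The CSP branch further down carries an explicit `// DO NOT ADD CODE after this.` warning for OnRequestFailed; if ResetNavigationRequest likewise destroys this NavigationRequest (its definition is not visible here), the same warning belongs at the exit of each new branch, e.g. `// DO NOT ADD CODE after this. ResetNavigationRequest has destroyed the NavigationRequest.`. The branches also repeat the same set_net_error_code/ResetNavigationRequest pair, so a small private helper would keep the abort path for rejected redirects in one place. Parts of the function body are elided on this page, so the flow between the new checks and the CSP check could not be verified.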