Index: content/browser/frame_host/navigation_request.cc |
diff --git a/content/browser/frame_host/navigation_request.cc b/content/browser/frame_host/navigation_request.cc |
index ba72304cea3d0d934f5d8ff0de3e8b4413035f01..34113d12079f64e8123a02d9db4a28248862bfc8 100644 |
--- a/content/browser/frame_host/navigation_request.cc |
+++ b/content/browser/frame_host/navigation_request.cc |
@@ -37,6 +37,7 @@ |
#include "content/public/browser/storage_partition.h" |
#include "content/public/browser/stream_handle.h" |
#include "content/public/common/appcache_info.h" |
+#include "content/public/common/child_process_host.h" |
#include "content/public/common/content_client.h" |
#include "content/public/common/origin_util.h" |
#include "content/public/common/request_context_type.h" |
@@ -500,6 +501,29 @@ void NavigationRequest::TransferNavigationHandleOwnership( |
void NavigationRequest::OnRequestRedirected( |
const net::RedirectInfo& redirect_info, |
const scoped_refptr<ResourceResponse>& response) { |
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanRedirectToURL( |
+ redirect_info.new_url)) { |
+ DVLOG(1) << "Denied redirect for " |
+ << redirect_info.new_url.possibly_invalid_spec(); |
+ // TODO(arthursonzogni): Consider switching to net::ERR_UNSAFE_REDIRECT |
+ // when PlzNavigate is launched. |
+ navigation_handle_->set_net_error_code(net::ERR_ABORTED); |
+ frame_tree_node_->ResetNavigationRequest(false, true); |
+ return; |
+ } |
+ |
+ // For non browser initiated navigations we need to check if the source has |
+ // access to the URL. We always allow browser initiated requests. |
Charlie Reis
2017/07/10 21:16:22
nit: Rephrase last sentence, since browser-initiat
arthursonzogni
2017/07/11 16:21:31
Done.
|
+ if (!browser_initiated_ && source_site_instance() && |
+ !ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL( |
+ source_site_instance()->GetProcess()->GetID(), |
+ redirect_info.new_url)) { |
+ DVLOG(1) << "Denied unauthorized redirect for " |
+ << redirect_info.new_url.possibly_invalid_spec(); |
+ navigation_handle_->set_net_error_code(net::ERR_ABORTED); |
+ frame_tree_node_->ResetNavigationRequest(false, true); |
Charlie Reis
2017/07/10 21:16:22
Don't forget to return early! :)
arthursonzogni
2017/07/11 16:21:31
:) Done.
|
+ } |
+ |
// If a redirect occurs, the original site instance we thought is the |
// destination could change. |
dest_site_instance_ = nullptr; |
@@ -538,21 +562,6 @@ void NavigationRequest::OnRequestRedirected( |
return; |
} |
- // For non browser initiated navigations we need to check if the source has |
- // access to the URL. We always allow browser initiated requests. |
- // TODO(clamy): Kill the renderer if FilterURL fails? |
- GURL url = common_params_.url; |
- if (!browser_initiated_ && source_site_instance()) { |
- source_site_instance()->GetProcess()->FilterURL(false, &url); |
- // FilterURL sets the URL to about:blank if the CSP checks prevent the |
- // renderer from accessing it. |
- if ((url == url::kAboutBlankURL) && (url != common_params_.url)) { |
- navigation_handle_->set_net_error_code(net::ERR_ABORTED); |
- frame_tree_node_->ResetNavigationRequest(false, true); |
- return; |
- } |
- } |
- |
// Compute the SiteInstance to use for the redirect and pass its |
// RenderProcessHost if it has a process. Keep a reference if it has a |
// process, so that the SiteInstance and its associated process aren't deleted |