
Side by Side Diff: Source/modules/navigatorcontentutils/NavigatorContentUtils.cpp

Issue 392993005: Custom handlers should throw SecurityError exception if the URL's origin differs from the document'… (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: moved navigatorcontentutils to http/tests Created 6 years, 4 months ago
1 /* 1 /*
2 * Copyright (C) 2011, Google Inc. All rights reserved. 2 * Copyright (C) 2011, Google Inc. All rights reserved.
3 * Copyright (C) 2014, Samsung Electronics. All rights reserved. 3 * Copyright (C) 2014, Samsung Electronics. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met: 6 * modification, are permitted provided that the following conditions are met:
7 * 7 *
8 * 1. Redistributions of source code must retain the above copyright 8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer. 9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright 10 * 2. Redistributions in binary form must reproduce the above copyright
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
61 "tel", 61 "tel",
62 "urn", 62 "urn",
63 "webcal", 63 "webcal",
64 "wtai", 64 "wtai",
65 "xmpp", 65 "xmpp",
66 }; 66 };
67 for (size_t i = 0; i < WTF_ARRAY_LENGTH(schemes); ++i) 67 for (size_t i = 0; i < WTF_ARRAY_LENGTH(schemes); ++i)
68 schemeWhitelist->add(schemes[i]); 68 schemeWhitelist->add(schemes[i]);
69 } 69 }
70 70
71 static bool verifyCustomHandlerURL(const KURL& baseURL, const String& url, Excep tionState& exceptionState) 71 static bool verifyCustomHandlerURL(const Document& document, const String& url, ExceptionState& exceptionState)
72 { 72 {
73 // The specification requires that it is a SyntaxError if the "%s" token is 73 // The specification requires that it is a SyntaxError if the "%s" token is
74 // not present. 74 // not present.
75 static const char token[] = "%s"; 75 static const char token[] = "%s";
76 int index = url.find(token); 76 int index = url.find(token);
77 if (-1 == index) { 77 if (-1 == index) {
78 exceptionState.throwDOMException(SyntaxError, "The url provided ('" + ur l + "') does not contain '%s'."); 78 exceptionState.throwDOMException(SyntaxError, "The url provided ('" + ur l + "') does not contain '%s'.");
79 return false; 79 return false;
80 } 80 }
81 81
82 // It is also a SyntaxError if the custom handler URL, as created by removin g 82 // It is also a SyntaxError if the custom handler URL, as created by removin g
83 // the "%s" token and prepending the base url, does not resolve. 83 // the "%s" token and prepending the base url, does not resolve.
84 String newURL = url; 84 String newURL = url;
85 newURL.remove(index, WTF_ARRAY_LENGTH(token) - 1); 85 newURL.remove(index, WTF_ARRAY_LENGTH(token) - 1);
86 86
87 KURL baseURL = document.baseURL();
87 KURL kurl(baseURL, newURL); 88 KURL kurl(baseURL, newURL);
abarth-chromium 2014/08/20 18:15:10 document.completeURL(newURL)
pals 2014/08/21 14:02:56 Done.
88 89
89 if (kurl.isEmpty() || !kurl.isValid()) { 90 if (kurl.isEmpty() || !kurl.isValid()) {
90 exceptionState.throwDOMException(SyntaxError, "The custom handler URL cr eated by removing '%s' and prepending '" + baseURL.string() + "' is invalid."); 91 exceptionState.throwDOMException(SyntaxError, "The custom handler URL cr eated by removing '%s' and prepending '" + baseURL.string() + "' is invalid.");
91 return false; 92 return false;
92 } 93 }
93 94
95 // The specification says that the API throws SecurityError exception if the URL's origin differs from the document's origin.
96 if (!document.securityOrigin()->canRequest(kurl)) {
97 exceptionState.throwSecurityError("Can only register custom handler in t he document's origin.");
98 return false;
99 }
100
94 return true; 101 return true;
95 } 102 }
96 103
97 static bool isSchemeWhitelisted(const String& scheme) 104 static bool isSchemeWhitelisted(const String& scheme)
98 { 105 {
99 if (!schemeWhitelist) 106 if (!schemeWhitelist)
100 initCustomSchemeHandlerWhitelist(); 107 initCustomSchemeHandlerWhitelist();
101 108
102 StringBuilder builder; 109 StringBuilder builder;
103 unsigned length = scheme.length(); 110 unsigned length = scheme.length();
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
142 PassOwnPtrWillBeRawPtr<NavigatorContentUtils> NavigatorContentUtils::create(Pass OwnPtr<NavigatorContentUtilsClient> client) 149 PassOwnPtrWillBeRawPtr<NavigatorContentUtils> NavigatorContentUtils::create(Pass OwnPtr<NavigatorContentUtilsClient> client)
143 { 150 {
144 return adoptPtrWillBeNoop(new NavigatorContentUtils(client)); 151 return adoptPtrWillBeNoop(new NavigatorContentUtils(client));
145 } 152 }
146 153
147 void NavigatorContentUtils::registerProtocolHandler(Navigator& navigator, const String& scheme, const String& url, const String& title, ExceptionState& exceptio nState) 154 void NavigatorContentUtils::registerProtocolHandler(Navigator& navigator, const String& scheme, const String& url, const String& title, ExceptionState& exceptio nState)
148 { 155 {
149 if (!navigator.frame()) 156 if (!navigator.frame())
150 return; 157 return;
151 158
152 ASSERT(navigator.frame()->document()); 159 Document* document = navigator.frame()->document();
153 KURL baseURL = navigator.frame()->document()->baseURL(); 160 ASSERT(document);
154 161
155 if (!verifyCustomHandlerURL(baseURL, url, exceptionState)) 162 if (!verifyCustomHandlerURL(*document, url, exceptionState))
156 return; 163 return;
157 164
158 if (!verifyCustomHandlerScheme(scheme, exceptionState)) 165 if (!verifyCustomHandlerScheme(scheme, exceptionState))
159 return; 166 return;
160 167
161 ASSERT(navigator.frame()->page()); 168 ASSERT(navigator.frame()->page());
162 NavigatorContentUtils::from(*navigator.frame()->page())->client()->registerP rotocolHandler(scheme, baseURL, KURL(ParsedURLString, url), title); 169 KURL baseURL = document->baseURL();
170 KURL absoluteURL(baseURL, url);
abarth-chromium 2014/08/20 18:15:10 document->completeURL(...)
pals 2014/08/21 14:02:56 Done.
171 NavigatorContentUtils::from(*navigator.frame()->page())->client()->registerP rotocolHandler(scheme, absoluteURL, title);
163 } 172 }
164 173
165 static String customHandlersStateString(const NavigatorContentUtilsClient::Custo mHandlersState state) 174 static String customHandlersStateString(const NavigatorContentUtilsClient::Custo mHandlersState state)
166 { 175 {
167 DEFINE_STATIC_LOCAL(const String, newHandler, ("new")); 176 DEFINE_STATIC_LOCAL(const String, newHandler, ("new"));
168 DEFINE_STATIC_LOCAL(const String, registeredHandler, ("registered")); 177 DEFINE_STATIC_LOCAL(const String, registeredHandler, ("registered"));
169 DEFINE_STATIC_LOCAL(const String, declinedHandler, ("declined")); 178 DEFINE_STATIC_LOCAL(const String, declinedHandler, ("declined"));
170 179
171 switch (state) { 180 switch (state) {
172 case NavigatorContentUtilsClient::CustomHandlersNew: 181 case NavigatorContentUtilsClient::CustomHandlersNew:
(...skipping 13 matching lines...) Expand all
186 DEFINE_STATIC_LOCAL(const String, declined, ("declined")); 195 DEFINE_STATIC_LOCAL(const String, declined, ("declined"));
187 196
188 if (!navigator.frame()) 197 if (!navigator.frame())
189 return declined; 198 return declined;
190 199
191 Document* document = navigator.frame()->document(); 200 Document* document = navigator.frame()->document();
192 ASSERT(document); 201 ASSERT(document);
193 if (document->activeDOMObjectsAreStopped()) 202 if (document->activeDOMObjectsAreStopped())
194 return declined; 203 return declined;
195 204
196 KURL baseURL = document->baseURL(); 205 if (!verifyCustomHandlerURL(*document, url, exceptionState))
197
198 if (!verifyCustomHandlerURL(baseURL, url, exceptionState))
199 return declined; 206 return declined;
200 207
201 if (!verifyCustomHandlerScheme(scheme, exceptionState)) 208 if (!verifyCustomHandlerScheme(scheme, exceptionState))
202 return declined; 209 return declined;
203 210
204 ASSERT(navigator.frame()->page()); 211 ASSERT(navigator.frame()->page());
205 return customHandlersStateString(NavigatorContentUtils::from(*navigator.fram e()->page())->client()->isProtocolHandlerRegistered(scheme, baseURL, KURL(Parsed URLString, url))); 212 KURL baseURL = document->baseURL();
213 KURL absoluteURL(baseURL, url);
abarth-chromium 2014/08/20 18:15:10 ditto
pals 2014/08/21 14:02:56 Done.
214 return customHandlersStateString(NavigatorContentUtils::from(*navigator.fram e()->page())->client()->isProtocolHandlerRegistered(scheme, absoluteURL));
206 } 215 }
207 216
208 void NavigatorContentUtils::unregisterProtocolHandler(Navigator& navigator, cons t String& scheme, const String& url, ExceptionState& exceptionState) 217 void NavigatorContentUtils::unregisterProtocolHandler(Navigator& navigator, cons t String& scheme, const String& url, ExceptionState& exceptionState)
209 { 218 {
210 if (!navigator.frame()) 219 if (!navigator.frame())
211 return; 220 return;
212 221
213 ASSERT(navigator.frame()->document()); 222 Document* document = navigator.frame()->document();
214 KURL baseURL = navigator.frame()->document()->baseURL(); 223 ASSERT(document);
215 224
216 if (!verifyCustomHandlerURL(baseURL, url, exceptionState)) 225 if (!verifyCustomHandlerURL(*document, url, exceptionState))
217 return; 226 return;
218 227
219 if (!verifyCustomHandlerScheme(scheme, exceptionState)) 228 if (!verifyCustomHandlerScheme(scheme, exceptionState))
220 return; 229 return;
221 230
222 ASSERT(navigator.frame()->page()); 231 ASSERT(navigator.frame()->page());
223 NavigatorContentUtils::from(*navigator.frame()->page())->client()->unregiste rProtocolHandler(scheme, baseURL, KURL(ParsedURLString, url)); 232 KURL baseURL = document->baseURL();
233 KURL absoluteURL(baseURL, url);
abarth-chromium 2014/08/20 18:15:10 ditto
pals 2014/08/21 14:02:55 Done.
234 NavigatorContentUtils::from(*navigator.frame()->page())->client()->unregiste rProtocolHandler(scheme, absoluteURL);
224 } 235 }
225 236
226 const char* NavigatorContentUtils::supplementName() 237 const char* NavigatorContentUtils::supplementName()
227 { 238 {
228 return "NavigatorContentUtils"; 239 return "NavigatorContentUtils";
229 } 240 }
230 241
231 void provideNavigatorContentUtilsTo(Page& page, PassOwnPtr<NavigatorContentUtils Client> client) 242 void provideNavigatorContentUtilsTo(Page& page, PassOwnPtr<NavigatorContentUtils Client> client)
232 { 243 {
233 NavigatorContentUtils::provideTo(page, NavigatorContentUtils::supplementName (), NavigatorContentUtils::create(client)); 244 NavigatorContentUtils::provideTo(page, NavigatorContentUtils::supplementName (), NavigatorContentUtils::create(client));
234 } 245 }
235 246
236 } // namespace blink 247 } // namespace blink
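Review bot: The SecurityError check in verifyCustomHandlerURL (new lines 95-99) runs `canRequest` on `kurl`, which is built from `newURL` with the "%s" token removed, while registerProtocolHandler, isProtocolHandlerRegistered and unregisterProtocolHandler each hand the client a separately built `KURL absoluteURL(baseURL, url)` that still contains the token. If the token sits in the authority part of the string, the two may parse to different hosts, so the origin that was validated is not necessarily the origin that is registered. Consider also checking the URL that is actually passed to the client, e.g. `if (!document.securityOrigin()->canRequest(KURL(baseURL, url)))`, or have the verifier return the resolved URL so the three callers cannot diverge from what was checked. Separately, `canRequest` appears to be broader than a strict same-origin comparison (it likely also honours universal-access and whitelist grants), so the comment on new line 95 should state which of the two is intended.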