Index: content/browser/service_worker/service_worker_dispatcher_host.cc |
diff --git a/content/browser/service_worker/service_worker_dispatcher_host.cc b/content/browser/service_worker/service_worker_dispatcher_host.cc |
index 2c68c82a3ef598b0c94388ea3e0f3f08943f3bcb..83abdc09325115c124b2039f2944c8a418fbf87d 100644 |
--- a/content/browser/service_worker/service_worker_dispatcher_host.cc |
+++ b/content/browser/service_worker/service_worker_dispatcher_host.cc |
@@ -18,6 +18,9 @@ |
#include "content/common/service_worker/service_worker_messages.h" |
#include "ipc/ipc_message_macros.h" |
#include "third_party/WebKit/public/platform/WebServiceWorkerError.h" |
+#include "third_party/WebKit/public/platform/WebString.h" |
+#include "third_party/WebKit/public/platform/WebURL.h" |
+#include "third_party/WebKit/public/web/WebSecurityOrigin.h" |
#include "url/gurl.h" |
using blink::WebServiceWorkerError; |
@@ -34,23 +37,29 @@ const uint32 kFilteredMessageClasses[] = { |
EmbeddedWorkerMsgStart, |
}; |
-// TODO(dominicc): When crbug.com/362214 is fixed, make |
-// Can(R|Unr)egisterServiceWorker also check that these are secure |
-// origins to defend against compromised renderers. |
+bool CanAccessFeatureRequiringSecureOrigin(const GURL& url) { |
+ blink::WebURL webUrl(url); |
falken
2014/08/08 09:06:14
We're in chromium, so use snake_case
|
+ blink::WebSecurityOrigin origin = blink::WebSecurityOrigin::create(webUrl); |
michaeln
2014/08/08 20:15:33
chromium /browser libs can't depend on blink like
|
+ blink::WebString unusedErrorMessage; |
falken
2014/08/08 09:06:14
ditto
|
+ return origin.canAccessFeatureRequiringSecureOrigin(unusedErrorMessage); |
+} |
+ |
bool CanRegisterServiceWorker(const GURL& document_url, |
const GURL& pattern, |
const GURL& script_url) { |
// TODO: Respect Chrome's content settings, if we add a setting for |
// controlling whether Service Worker is allowed. |
return document_url.GetOrigin() == pattern.GetOrigin() && |
- document_url.GetOrigin() == script_url.GetOrigin(); |
+ document_url.GetOrigin() == script_url.GetOrigin() && |
+ CanAccessFeatureRequiringSecureOrigin(document_url); |
} |
bool CanUnregisterServiceWorker(const GURL& document_url, |
const GURL& pattern) { |
// TODO: Respect Chrome's content settings, if we add a setting for |
// controlling whether Service Worker is allowed. |
- return document_url.GetOrigin() == pattern.GetOrigin(); |
+ return document_url.GetOrigin() == pattern.GetOrigin() && |
+ CanAccessFeatureRequiringSecureOrigin(document_url); |
} |
} // namespace |