Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(372)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/browser/service_worker/service_worker_dispatcher_host.cc

Issue 452013002: Kill renderers that register Service Workers from non-secure origins (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« content/browser/DEPS ('K') | « content/browser/DEPS ('k') | content/browser/service_worker/service_worker_dispatcher_host_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/browser/service_worker/service_worker_dispatcher_host.cc
diff --git a/content/browser/service_worker/service_worker_dispatcher_host.cc b/content/browser/service_worker/service_worker_dispatcher_host.cc
index 2c68c82a3ef598b0c94388ea3e0f3f08943f3bcb..83abdc09325115c124b2039f2944c8a418fbf87d 100644
--- a/content/browser/service_worker/service_worker_dispatcher_host.cc
+++ b/content/browser/service_worker/service_worker_dispatcher_host.cc
@@ -18,6 +18,9 @@
#include "content/common/service_worker/service_worker_messages.h"
#include "ipc/ipc_message_macros.h"
#include "third_party/WebKit/public/platform/WebServiceWorkerError.h"
+#include "third_party/WebKit/public/platform/WebString.h"
+#include "third_party/WebKit/public/platform/WebURL.h"
+#include "third_party/WebKit/public/web/WebSecurityOrigin.h"
#include "url/gurl.h"
using blink::WebServiceWorkerError;
@@ -34,23 +37,29 @@ const uint32 kFilteredMessageClasses[] = {
EmbeddedWorkerMsgStart,
};
-// TODO(dominicc): When crbug.com/362214 is fixed, make
-// Can(R|Unr)egisterServiceWorker also check that these are secure
-// origins to defend against compromised renderers.
+bool CanAccessFeatureRequiringSecureOrigin(const GURL& url) {
+ blink::WebURL webUrl(url);
falken 2014/08/08 09:06:14 We're in chromium, so use snake_case
+ blink::WebSecurityOrigin origin = blink::WebSecurityOrigin::create(webUrl);
michaeln 2014/08/08 20:15:33 chromium /browser libs can't depend on blink like
+ blink::WebString unusedErrorMessage;
falken 2014/08/08 09:06:14 ditto
+ return origin.canAccessFeatureRequiringSecureOrigin(unusedErrorMessage);
+}
+
bool CanRegisterServiceWorker(const GURL& document_url,
const GURL& pattern,
const GURL& script_url) {
// TODO: Respect Chrome's content settings, if we add a setting for
// controlling whether Service Worker is allowed.
return document_url.GetOrigin() == pattern.GetOrigin() &&
- document_url.GetOrigin() == script_url.GetOrigin();
+ document_url.GetOrigin() == script_url.GetOrigin() &&
+ CanAccessFeatureRequiringSecureOrigin(document_url);
}
bool CanUnregisterServiceWorker(const GURL& document_url,
const GURL& pattern) {
// TODO: Respect Chrome's content settings, if we add a setting for
// controlling whether Service Worker is allowed.
- return document_url.GetOrigin() == pattern.GetOrigin();
+ return document_url.GetOrigin() == pattern.GetOrigin() &&
+ CanAccessFeatureRequiringSecureOrigin(document_url);
}
} // namespace
« content/browser/DEPS ('K') | « content/browser/DEPS ('k') | content/browser/service_worker/service_worker_dispatcher_host_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698