
Unified Diff: components/nacl/renderer/ppb_nacl_private_impl.cc

Issue 649603004: Non-SFI NaCl: Batch-open resource files (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: address comments Created 5 years, 10 months ago
Index: components/nacl/renderer/ppb_nacl_private_impl.cc
diff --git a/components/nacl/renderer/ppb_nacl_private_impl.cc b/components/nacl/renderer/ppb_nacl_private_impl.cc
index 3c84afe5d1ee4a16187fef0b715342f5b239acf4..3e2780e6464b6db340bde7cacb57880778c366ff 100644
--- a/components/nacl/renderer/ppb_nacl_private_impl.cc
+++ b/components/nacl/renderer/ppb_nacl_private_impl.cc
@@ -89,6 +89,17 @@ bool InitializePnaclResourceHost() {
return true;
}
+bool CheckSecurityOrigin(content::PepperPluginInstance* plugin_instance,
Mark Seaborn 2015/03/04 05:07:31 If the SchemeIs("chrome-extension") check moves he
Yusuke Sato 2015/03/04 18:45:49 Done.
+ const GURL& gurl) {
+ // IMPORTANT: Make sure the document can request the given URL. If we don't
+ // check, a malicious app could probe the extension system. This enforces a
+ // same-origin policy which prevents the app from requesting resources from
+ // another app.
+ blink::WebSecurityOrigin security_origin =
+ plugin_instance->GetContainer()->element().document().securityOrigin();
+ return security_origin.canRequest(gurl);
+}
+
// This contains state that is produced by LaunchSelLdr() and consumed
// by StartPpapiProxy().
struct InstanceInfo {
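Review bot: `CheckSecurityOrigin` dereferences `plugin_instance->GetContainer()` without a null check, so `->element().document()` runs before any origin decision is made. If the container can be null while the instance is being torn down (I believe it can, but that is not visible in this hunk), the helper crashes instead of denying the request. Failing closed would be safer: `blink::WebPluginContainer* container = plugin_instance->GetContainer();` followed by `if (!container) return false;`. This affects both callers of the shared helper, the prefetch loop in LaunchSelLdr and the check in OpenNaClExecutable.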
@@ -375,7 +386,10 @@ void LaunchSelLdr(PP_Instance instance,
int routing_id = GetRoutingID(instance);
NexeLoadManager* load_manager = GetNexeLoadManager(instance);
DCHECK(load_manager);
- if (!routing_id || !load_manager) {
+ content::PepperPluginInstance* plugin_instance =
+ content::PepperPluginInstance::Get(instance);
+ DCHECK(plugin_instance);
+ if (!routing_id || !load_manager || !plugin_instance) {
if (nexe_file_info->handle != PP_kInvalidFileHandle) {
base::File closer(nexe_file_info->handle);
}
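Review bot: `DCHECK(plugin_instance)` contradicts the `!plugin_instance` test on the next line: the DCHECK asserts the lookup cannot fail, while the branch treats failure as a recoverable condition. OpenNaClExecutable, later in this file, handles a null `PepperPluginInstance::Get(instance)` with a plain early return and no DCHECK, which suggests the null case is reachable. I would drop the DCHECK and keep the runtime check, so debug builds take the same cleanup path as release builds. The body of LaunchSelLdr continues outside this hunk.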
@@ -401,6 +415,24 @@ void LaunchSelLdr(PP_Instance instance,
IPC::PlatformFileForTransit nexe_for_transit =
IPC::InvalidPlatformFileForTransit();
+
+ std::vector<std::pair<
+ std::string /*url*/, std::string /*key*/> > resource_files_to_prefetch;
+ if (process_type == kNativeNaClProcessType) {
Mark Seaborn 2015/03/04 05:07:31 This should be conditionalised on Non-SFI mode for
Yusuke Sato 2015/03/04 18:45:49 Done.
+ JsonManifest* manifest = GetJsonManifest(instance);
+ if (manifest)
+ manifest->GetPrefetchableFiles(&resource_files_to_prefetch);
+ for (size_t i = 0; i < resource_files_to_prefetch.size(); ++i) {
+ const GURL gurl(resource_files_to_prefetch[i].first);
+ DCHECK(gurl.SchemeIs("chrome-extension"));
Mark Seaborn 2015/03/04 05:07:30 I had in mind that this check would move into Chec
Yusuke Sato 2015/03/04 18:45:50 Done. Removed.
+ // IMPORTANT SECURITY CHECK. DO NOT REMOVE.
Mark Seaborn 2015/03/04 05:07:31 Nit: doesn't really need caps. :-) The caps are k
Yusuke Sato 2015/03/04 18:45:49 Done.
+ if (!CheckSecurityOrigin(plugin_instance, gurl)) {
+ resource_files_to_prefetch.clear();
+ break;
+ }
+ }
+ }
+
#if defined(OS_POSIX)
if (nexe_file_info->handle != PP_kInvalidFileHandle)
nexe_for_transit = base::FileDescriptor(nexe_file_info->handle, true);
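Review bot: The origin check in the prefetch loop runs in the renderer, and `resource_files_to_prefetch` is then handed to the launch call further down, so on its own it only constrains a well-behaved renderer. The comment should say so, e.g. `// Renderer-side check only; the browser process must re-validate each URL before opening the file.`, assuming the browser-side handler (not visible here) does repeat the check. It would also help to state why one failing URL clears the whole list rather than skipping that entry, and to log the rejected URL, because the launch otherwise continues with no trace that a manifest entry was refused. LaunchSelLdr starts and ends outside this hunk.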
@@ -418,6 +450,7 @@ void LaunchSelLdr(PP_Instance instance,
nexe_for_transit,
nexe_file_info->token_lo,
nexe_file_info->token_hi,
+ resource_files_to_prefetch,
routing_id,
perm_bits,
PP_ToBool(uses_nonsfi_mode),
@@ -725,13 +758,9 @@ PP_FileHandle OpenNaClExecutable(PP_Instance instance,
content::PepperPluginInstance::Get(instance);
if (!plugin_instance)
return PP_kInvalidFileHandle;
- // IMPORTANT: Make sure the document can request the given URL. If we don't
- // check, a malicious app could probe the extension system. This enforces a
- // same-origin policy which prevents the app from requesting resources from
- // another app.
- blink::WebSecurityOrigin security_origin =
- plugin_instance->GetContainer()->element().document().securityOrigin();
- if (!security_origin.canRequest(gurl))
+
+ // IMPORTANT SECURITY CHECK. DO NOT REMOVE.
+ if (!CheckSecurityOrigin(plugin_instance, gurl))
return PP_kInvalidFileHandle;
IPC::PlatformFileForTransit out_fd = IPC::InvalidPlatformFileForTransit();
