| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/renderer/content_settings_observer.h" | 5 #include "chrome/renderer/content_settings_observer.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/metrics/histogram.h" | 8 #include "base/metrics/histogram.h" |
| 9 #include "chrome/common/render_messages.h" | 9 #include "chrome/common/render_messages.h" |
| 10 #include "content/public/common/url_constants.h" | 10 #include "content/public/common/url_constants.h" |
| (...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 108 static const char kGoogleDotCom[] = "google.com"; | 108 static const char kGoogleDotCom[] = "google.com"; |
| 109 | 109 |
| 110 static bool IsHostInDomain(const std::string& host, const std::string& domain) { | 110 static bool IsHostInDomain(const std::string& host, const std::string& domain) { |
| 111 return (EndsWith(host, domain, false) && | 111 return (EndsWith(host, domain, false) && |
| 112 (host.length() == domain.length() || | 112 (host.length() == domain.length() || |
| 113 (host.length() > domain.length() && | 113 (host.length() > domain.length() && |
| 114 host[host.length() - domain.length() - 1] == '.'))); | 114 host[host.length() - domain.length() - 1] == '.'))); |
| 115 } | 115 } |
| 116 | 116 |
| 117 GURL GetOriginOrURL(const WebFrame* frame) { | 117 GURL GetOriginOrURL(const WebFrame* frame) { |
| 118 WebString top_origin = frame->top()->document().securityOrigin().toString(); | 118 WebString top_origin = frame->top()->securityOrigin().toString(); |
| 119 // The the |top_origin| is unique ("null") e.g., for file:// URLs. Use the | 119 // The |top_origin| is unique ("null") e.g., for file:// URLs. Use the |
| 120 // document URL as the primary URL in those cases. | 120 // document URL as the primary URL in those cases. |
| 121 // TODO(alexmos): This is broken for --site-per-process, since top() can be a |
| 122 // WebRemoteFrame which does not have a document(), and the WebRemoteFrame's |
| 123 // URL is not replicated. |
| 121 if (top_origin == "null") | 124 if (top_origin == "null") |
| 122 return frame->top()->document().url(); | 125 return frame->top()->document().url(); |
| 123 return GURL(top_origin); | 126 return GURL(top_origin); |
| 124 } | 127 } |
| 125 | 128 |
| 126 ContentSetting GetContentSettingFromRules( | 129 ContentSetting GetContentSettingFromRules( |
| 127 const ContentSettingsForOneType& rules, | 130 const ContentSettingsForOneType& rules, |
| 128 const WebFrame* frame, | 131 const WebFrame* frame, |
| 129 const GURL& secondary_url) { | 132 const GURL& secondary_url) { |
| 130 ContentSettingsForOneType::const_iterator it; | 133 ContentSettingsForOneType::const_iterator it; |
| (...skipping 133 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 264 // If we start failing this DCHECK, please makes sure we don't regress | 267 // If we start failing this DCHECK, please makes sure we don't regress |
| 265 // this bug: http://code.google.com/p/chromium/issues/detail?id=79304 | 268 // this bug: http://code.google.com/p/chromium/issues/detail?id=79304 |
| 266 DCHECK(frame->document().securityOrigin().toString() == "null" || | 269 DCHECK(frame->document().securityOrigin().toString() == "null" || |
| 267 !url.SchemeIs(url::kDataScheme)); | 270 !url.SchemeIs(url::kDataScheme)); |
| 268 } | 271 } |
| 269 | 272 |
| 270 bool ContentSettingsObserver::allowDatabase(const WebString& name, | 273 bool ContentSettingsObserver::allowDatabase(const WebString& name, |
| 271 const WebString& display_name, | 274 const WebString& display_name, |
| 272 unsigned long estimated_size) { | 275 unsigned long estimated_size) { |
| 273 WebFrame* frame = render_frame()->GetWebFrame(); | 276 WebFrame* frame = render_frame()->GetWebFrame(); |
| 274 if (frame->document().securityOrigin().isUnique() || | 277 if (frame->securityOrigin().isUnique() || |
| 275 frame->top()->document().securityOrigin().isUnique()) | 278 frame->top()->securityOrigin().isUnique()) |
| 276 return false; | 279 return false; |
| 277 | 280 |
| 278 bool result = false; | 281 bool result = false; |
| 279 Send(new ChromeViewHostMsg_AllowDatabase( | 282 Send(new ChromeViewHostMsg_AllowDatabase( |
| 280 routing_id(), GURL(frame->document().securityOrigin().toString()), | 283 routing_id(), GURL(frame->securityOrigin().toString()), |
| 281 GURL(frame->top()->document().securityOrigin().toString()), | 284 GURL(frame->top()->securityOrigin().toString()), name, display_name, |
| 282 name, display_name, &result)); | 285 &result)); |
| 283 return result; | 286 return result; |
| 284 } | 287 } |
| 285 | 288 |
| 286 void ContentSettingsObserver::requestFileSystemAccessAsync( | 289 void ContentSettingsObserver::requestFileSystemAccessAsync( |
| 287 const WebPermissionCallbacks& callbacks) { | 290 const WebPermissionCallbacks& callbacks) { |
| 288 WebFrame* frame = render_frame()->GetWebFrame(); | 291 WebFrame* frame = render_frame()->GetWebFrame(); |
| 289 if (frame->document().securityOrigin().isUnique() || | 292 if (frame->securityOrigin().isUnique() || |
| 290 frame->top()->document().securityOrigin().isUnique()) { | 293 frame->top()->securityOrigin().isUnique()) { |
| 291 WebPermissionCallbacks permissionCallbacks(callbacks); | 294 WebPermissionCallbacks permissionCallbacks(callbacks); |
| 292 permissionCallbacks.doDeny(); | 295 permissionCallbacks.doDeny(); |
| 293 return; | 296 return; |
| 294 } | 297 } |
| 295 ++current_request_id_; | 298 ++current_request_id_; |
| 296 std::pair<PermissionRequestMap::iterator, bool> insert_result = | 299 std::pair<PermissionRequestMap::iterator, bool> insert_result = |
| 297 permission_requests_.insert( | 300 permission_requests_.insert( |
| 298 std::make_pair(current_request_id_, callbacks)); | 301 std::make_pair(current_request_id_, callbacks)); |
| 299 | 302 |
| 300 // Verify there are no duplicate insertions. | 303 // Verify there are no duplicate insertions. |
| 301 DCHECK(insert_result.second); | 304 DCHECK(insert_result.second); |
| 302 | 305 |
| 303 Send(new ChromeViewHostMsg_RequestFileSystemAccessAsync( | 306 Send(new ChromeViewHostMsg_RequestFileSystemAccessAsync( |
| 304 routing_id(), | 307 routing_id(), current_request_id_, |
| 305 current_request_id_, | 308 GURL(frame->securityOrigin().toString()), |
| 306 GURL(frame->document().securityOrigin().toString()), | 309 GURL(frame->top()->securityOrigin().toString()))); |
| 307 GURL(frame->top()->document().securityOrigin().toString()))); | |
| 308 } | 310 } |
| 309 | 311 |
| 310 bool ContentSettingsObserver::allowImage(bool enabled_per_settings, | 312 bool ContentSettingsObserver::allowImage(bool enabled_per_settings, |
| 311 const WebURL& image_url) { | 313 const WebURL& image_url) { |
| 312 bool allow = enabled_per_settings; | 314 bool allow = enabled_per_settings; |
| 313 if (enabled_per_settings) { | 315 if (enabled_per_settings) { |
| 314 if (is_interstitial_page_) | 316 if (is_interstitial_page_) |
| 315 return true; | 317 return true; |
| 316 | 318 |
| 317 if (IsWhitelistedForContentSettings()) | 319 if (IsWhitelistedForContentSettings()) |
| 318 return true; | 320 return true; |
| 319 | 321 |
| 320 if (content_setting_rules_) { | 322 if (content_setting_rules_) { |
| 321 GURL secondary_url(image_url); | 323 GURL secondary_url(image_url); |
| 322 allow = | 324 allow = |
| 323 GetContentSettingFromRules(content_setting_rules_->image_rules, | 325 GetContentSettingFromRules(content_setting_rules_->image_rules, |
| 324 render_frame()->GetWebFrame(), | 326 render_frame()->GetWebFrame(), |
| 325 secondary_url) != CONTENT_SETTING_BLOCK; | 327 secondary_url) != CONTENT_SETTING_BLOCK; |
| 326 } | 328 } |
| 327 } | 329 } |
| 328 if (!allow) | 330 if (!allow) |
| 329 DidBlockContentType(CONTENT_SETTINGS_TYPE_IMAGES); | 331 DidBlockContentType(CONTENT_SETTINGS_TYPE_IMAGES); |
| 330 return allow; | 332 return allow; |
| 331 } | 333 } |
| 332 | 334 |
| 333 bool ContentSettingsObserver::allowIndexedDB(const WebString& name, | 335 bool ContentSettingsObserver::allowIndexedDB(const WebString& name, |
| 334 const WebSecurityOrigin& origin) { | 336 const WebSecurityOrigin& origin) { |
| 335 WebFrame* frame = render_frame()->GetWebFrame(); | 337 WebFrame* frame = render_frame()->GetWebFrame(); |
| 336 if (frame->document().securityOrigin().isUnique() || | 338 if (frame->securityOrigin().isUnique() || |
| 337 frame->top()->document().securityOrigin().isUnique()) | 339 frame->top()->securityOrigin().isUnique()) |
| 338 return false; | 340 return false; |
| 339 | 341 |
| 340 bool result = false; | 342 bool result = false; |
| 341 Send(new ChromeViewHostMsg_AllowIndexedDB( | 343 Send(new ChromeViewHostMsg_AllowIndexedDB( |
| 342 routing_id(), GURL(frame->document().securityOrigin().toString()), | 344 routing_id(), GURL(frame->securityOrigin().toString()), |
| 343 GURL(frame->top()->document().securityOrigin().toString()), | 345 GURL(frame->top()->securityOrigin().toString()), name, &result)); |
| 344 name, &result)); | |
| 345 return result; | 346 return result; |
| 346 } | 347 } |
| 347 | 348 |
| 348 bool ContentSettingsObserver::allowPlugins(bool enabled_per_settings) { | 349 bool ContentSettingsObserver::allowPlugins(bool enabled_per_settings) { |
| 349 return enabled_per_settings; | 350 return enabled_per_settings; |
| 350 } | 351 } |
| 351 | 352 |
| 352 bool ContentSettingsObserver::allowScript(bool enabled_per_settings) { | 353 bool ContentSettingsObserver::allowScript(bool enabled_per_settings) { |
| 353 if (!enabled_per_settings) | 354 if (!enabled_per_settings) |
| 354 return false; | 355 return false; |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 392 GetContentSettingFromRules(content_setting_rules_->script_rules, | 393 GetContentSettingFromRules(content_setting_rules_->script_rules, |
| 393 render_frame()->GetWebFrame(), | 394 render_frame()->GetWebFrame(), |
| 394 GURL(script_url)); | 395 GURL(script_url)); |
| 395 allow = setting != CONTENT_SETTING_BLOCK; | 396 allow = setting != CONTENT_SETTING_BLOCK; |
| 396 } | 397 } |
| 397 return allow || IsWhitelistedForContentSettings(); | 398 return allow || IsWhitelistedForContentSettings(); |
| 398 } | 399 } |
| 399 | 400 |
| 400 bool ContentSettingsObserver::allowStorage(bool local) { | 401 bool ContentSettingsObserver::allowStorage(bool local) { |
| 401 WebFrame* frame = render_frame()->GetWebFrame(); | 402 WebFrame* frame = render_frame()->GetWebFrame(); |
| 402 if (frame->document().securityOrigin().isUnique() || | 403 if (frame->securityOrigin().isUnique() || |
| 403 frame->top()->document().securityOrigin().isUnique()) | 404 frame->top()->securityOrigin().isUnique()) |
| 404 return false; | 405 return false; |
| 405 bool result = false; | 406 bool result = false; |
| 406 | 407 |
| 407 StoragePermissionsKey key( | 408 StoragePermissionsKey key( |
| 408 GURL(frame->document().securityOrigin().toString()), local); | 409 GURL(frame->document().securityOrigin().toString()), local); |
| 409 std::map<StoragePermissionsKey, bool>::const_iterator permissions = | 410 std::map<StoragePermissionsKey, bool>::const_iterator permissions = |
| 410 cached_storage_permissions_.find(key); | 411 cached_storage_permissions_.find(key); |
| 411 if (permissions != cached_storage_permissions_.end()) | 412 if (permissions != cached_storage_permissions_.end()) |
| 412 return permissions->second; | 413 return permissions->second; |
| 413 | 414 |
| 414 Send(new ChromeViewHostMsg_AllowDOMStorage( | 415 Send(new ChromeViewHostMsg_AllowDOMStorage( |
| 415 routing_id(), GURL(frame->document().securityOrigin().toString()), | 416 routing_id(), GURL(frame->securityOrigin().toString()), |
| 416 GURL(frame->top()->document().securityOrigin().toString()), | 417 GURL(frame->top()->securityOrigin().toString()), local, &result)); |
| 417 local, &result)); | |
| 418 cached_storage_permissions_[key] = result; | 418 cached_storage_permissions_[key] = result; |
| 419 return result; | 419 return result; |
| 420 } | 420 } |
| 421 | 421 |
| 422 bool ContentSettingsObserver::allowReadFromClipboard(bool default_value) { | 422 bool ContentSettingsObserver::allowReadFromClipboard(bool default_value) { |
| 423 bool allowed = false; | 423 bool allowed = false; |
| 424 #if defined(ENABLE_EXTENSIONS) | 424 #if defined(ENABLE_EXTENSIONS) |
| 425 extensions::ScriptContext* calling_context = | 425 extensions::ScriptContext* calling_context = |
| 426 extension_dispatcher_->script_context_set().GetCalling(); | 426 extension_dispatcher_->script_context_set().GetCalling(); |
| 427 if (calling_context) { | 427 if (calling_context) { |
| (...skipping 289 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 717 | 717 |
| 718 // If the scheme is file:, an empty file name indicates a directory listing, | 718 // If the scheme is file:, an empty file name indicates a directory listing, |
| 719 // which requires JavaScript to function properly. | 719 // which requires JavaScript to function properly. |
| 720 if (EqualsASCII(origin.protocol(), url::kFileScheme)) { | 720 if (EqualsASCII(origin.protocol(), url::kFileScheme)) { |
| 721 return document_url.SchemeIs(url::kFileScheme) && | 721 return document_url.SchemeIs(url::kFileScheme) && |
| 722 document_url.ExtractFileName().empty(); | 722 document_url.ExtractFileName().empty(); |
| 723 } | 723 } |
| 724 | 724 |
| 725 return false; | 725 return false; |
| 726 } | 726 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 789273006:
Make ContentSettingsObserver security checks work with OOPIF. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master