content/browser/service_worker/service_worker_dispatcher_host.cc - Issue 889323002: Allow SW registration only if it's secure AND it's HTTP or HTTPS

Unified Diff: content/browser/service_worker/service_worker_dispatcher_host.cc

Issue 889323002: Allow SW registration only if it's secure AND it's HTTP or HTTPS (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: check unregister too Created 5 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/browser/service_worker/service_worker_dispatcher_host.cc

diff --git a/content/browser/service_worker/service_worker_dispatcher_host.cc b/content/browser/service_worker/service_worker_dispatcher_host.cc

index aa954ee1dd0f34a158417c8675def8e9efc585cb..83b9430adea50532d44b2d5d8bf0143846db2c21 100644

--- a/content/browser/service_worker/service_worker_dispatcher_host.cc

+++ b/content/browser/service_worker/service_worker_dispatcher_host.cc

@@ -34,6 +34,8 @@ namespace {

const char kNoDocumentURLErrorMessage[] =

"No URL is associated with the caller's document.";

+const char kDisallowedURLErrorMessage[] =

+ "The URL is not supported.";

nhiroki 2015/02/02 08:37:43 Ideally we should show more descriptive message sp

const char kShutdownErrorMessage[] =

"The Service Worker system has shutdown.";

const char kUserDeniedPermissionMessage[] =

@@ -53,7 +55,8 @@ bool AllOriginsMatch(const GURL& url_a, const GURL& url_b, const GURL& url_c) {

// consistent with Blink's

// SecurityOrigin::canAccessFeatureRequiringSecureOrigin.

bool OriginCanAccessServiceWorkers(const GURL& url) {

- return url.SchemeIsSecure() || net::IsLocalhost(url.host());

+ return url.SchemeIsHTTPOrHTTPS() &&

+ (url.SchemeIsSecure() || net::IsLocalhost(url.host()));

}

bool CanRegisterServiceWorker(const GURL& document_url,

@@ -63,7 +66,9 @@ bool CanRegisterServiceWorker(const GURL& document_url,

DCHECK(pattern.is_valid());

DCHECK(script_url.is_valid());

return AllOriginsMatch(document_url, pattern, script_url) &&

- OriginCanAccessServiceWorkers(document_url);

+ OriginCanAccessServiceWorkers(document_url) &&

+ OriginCanAccessServiceWorkers(pattern) &&

falken 2015/02/02 08:44:04 Actually, doesn't AllOriginsMatch mean you only ne

+ OriginCanAccessServiceWorkers(script_url);

}

bool CanUnregisterServiceWorker(const GURL& document_url,

@@ -71,7 +76,8 @@ bool CanUnregisterServiceWorker(const GURL& document_url,

DCHECK(document_url.is_valid());

DCHECK(pattern.is_valid());

return document_url.GetOrigin() == pattern.GetOrigin() &&

- OriginCanAccessServiceWorkers(document_url);

+ OriginCanAccessServiceWorkers(document_url) &&

+ OriginCanAccessServiceWorkers(pattern);

}

bool CanGetRegistration(const GURL& document_url,

@@ -294,7 +300,12 @@ void ServiceWorkerDispatcherHost::OnRegisterServiceWorker(

if (!CanRegisterServiceWorker(

provider_host->document_url(), pattern, script_url)) {

- BadMessageReceived();

+ // TODO(kinuko): Change this back to BadMessageReceived() once we start

+ // to check these in the renderer too. (http://crbug.com/453982)

+ Send(new ServiceWorkerMsg_ServiceWorkerRegistrationError(

+ thread_id, request_id, WebServiceWorkerError::ErrorTypeSecurity,

+ base::ASCIIToUTF16(kServiceWorkerRegisterErrorPrefix) +

+ base::ASCIIToUTF16(kDisallowedURLErrorMessage)));

return;

}

@@ -379,7 +390,12 @@ void ServiceWorkerDispatcherHost::OnUnregisterServiceWorker(

}

if (!CanUnregisterServiceWorker(provider_host->document_url(), pattern)) {