Chromium Code Reviews Chromium Code Reviews
Issue 913393003:
Restrict extensionview to chrome-extension:// (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: extensions/browser/guest_view/extension_view/extension_view_guest.cc |
| diff --git a/extensions/browser/guest_view/extension_view/extension_view_guest.cc b/extensions/browser/guest_view/extension_view/extension_view_guest.cc |
| index 952ec1331cfb1a9eacee3e86989253bd3f22326a..e526f17a76c8e1053ce5d8b6962076ac79530643 100644 |
| --- a/extensions/browser/guest_view/extension_view/extension_view_guest.cc |
| +++ b/extensions/browser/guest_view/extension_view/extension_view_guest.cc |
| @@ -5,6 +5,8 @@ |
| #include "extensions/browser/guest_view/extension_view/extension_view_guest.h" |
| #include "base/metrics/user_metrics.h" |
| +#include "components/crx_file/id_util.h" |
| +#include "content/public/browser/child_process_security_policy.h" |
| #include "content/public/browser/render_process_host.h" |
| #include "content/public/common/result_codes.h" |
| #include "extensions/browser/api/extensions_api_client.h" |
| @@ -40,11 +42,20 @@ extensions::GuestViewBase* ExtensionViewGuest::Create( |
| void ExtensionViewGuest::NavigateGuest(const std::string& src, |
| bool force_navigation) { |
| - if (src.empty()) |
| + GURL url = extension_url_.Resolve(src); |
| + |
| + // Do not allow navigating a guest to schemes other than known safe schemes. |
| + bool scheme_is_blocked = |
| + (!content::ChildProcessSecurityPolicy::GetInstance()->IsWebSafeScheme( |
| + url.scheme()) && |
| + !url.SchemeIs(url::kAboutScheme)) || |
| + url.SchemeIs(url::kJavaScriptScheme); |
| + if (scheme_is_blocked || !url.is_valid()) { |
|
Fady Samuel
2015/02/17 20:17:04
I think a simpler check might be:
// If the URL i
apacible
2015/02/17 23:02:58
Sounds good. Changed.
|
| + NavigateGuest(url::kAboutBlankURL, true /* force_navigation */); |
| return; |
| + } |
| - GURL url(src); |
| - if (!url.is_valid() && !force_navigation && (url == view_page_)) |
| + if (!force_navigation && (view_page_ == url)) |
| return; |
| web_contents()->GetRenderProcessHost()->FilterURL(false, &url); |
| @@ -63,20 +74,33 @@ bool ExtensionViewGuest::CanRunInDetachedState() const { |
| void ExtensionViewGuest::CreateWebContents( |
| const base::DictionaryValue& create_params, |
| const WebContentsCreatedCallback& callback) { |
| - std::string str; |
| - if (!create_params.GetString(extensionview::kAttributeSrc, &str)) { |
| + // Gets the extension ID. |
| + create_params.GetString(extensionview::kAttributeExtension, &extension_id_); |
| + |
| + if (!crx_file::id_util::IdIsValid(extension_id_)) { |
| + callback.Run(nullptr); |
| + return; |
| + } |
| + |
| + // Gets the extension URL. |
| + extension_url_ = |
| + extensions::Extension::GetBaseURLFromExtensionId(extension_id_); |
| + |
| + if (!extension_url_.is_valid()) { |
| callback.Run(nullptr); |
| return; |
| } |
| - GURL source(str); |
| - if (!source.is_valid()) { |
| + // Get the src to build URL to render. |
| + std::string src; |
| + if (!create_params.GetString(extensionview::kAttributeSrc, &src)) { |
| callback.Run(nullptr); |
| return; |
| } |
| content::SiteInstance* view_site_instance = |
| - content::SiteInstance::CreateForURL(browser_context(), source); |
| + content::SiteInstance::CreateForURL(browser_context(), |
| + extension_url_); |
| WebContents::CreateParams params(browser_context(), view_site_instance); |
| params.guest_delegate = this; |
