| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/renderer/chrome_content_renderer_client.h" | 5 #include "chrome/renderer/chrome_content_renderer_client.h" |
| 6 | 6 |
| 7 #include "base/strings/utf_string_conversions.h" | 7 #include "base/strings/utf_string_conversions.h" |
| 8 #include "chrome/common/extensions/extension.h" | 8 #include "chrome/common/extensions/extension.h" |
| 9 #include "chrome/common/extensions/extension_builder.h" | 9 #include "chrome/common/extensions/extension_builder.h" |
| 10 #include "content/public/common/webplugininfo.h" | 10 #include "content/public/common/webplugininfo.h" |
| (...skipping 19 matching lines...) |
| 30 const bool kExtensionRestricted = false; | 30 const bool kExtensionRestricted = false; |
| 31 const bool kExtensionUnrestricted = true; | 31 const bool kExtensionUnrestricted = true; |
| 32 const bool kExtensionNotFromWebStore = false; | 32 const bool kExtensionNotFromWebStore = false; |
| 33 const bool kExtensionFromWebStore = true; | 33 const bool kExtensionFromWebStore = true; |
| 34 const bool kNotHostedApp = false; | 34 const bool kNotHostedApp = false; |
| 35 const bool kHostedApp = true; | 35 const bool kHostedApp = true; |
| 36 | 36 |
| 37 const char kNaClMimeType[] = "application/x-nacl"; | 37 const char kNaClMimeType[] = "application/x-nacl"; |
| 38 const char kExtensionUrl[] = "chrome-extension://extension_id/background.html"; | 38 const char kExtensionUrl[] = "chrome-extension://extension_id/background.html"; |
| 39 | 39 |
| 40 const char kAllowedNaClAppURL1[] = "https://plus.google.com"; | 40 const char kPhotosAppURL1[] = "https://foo.plus.google.com"; |
| 41 const char kAllowedNaClAppURL2[] = "https://plus.sandbox.google.com"; | 41 const char kPhotosAppURL2[] = "https://foo.plus.sandbox.google.com"; |
| 42 const char kAllowedNaClManifestURL1[] = "https://ssl.gstatic.com/s2/oz/nacl/foo"
; | 42 const char kPhotosManifestURL1[] = "https://ssl.gstatic.com/s2/oz/nacl/foo"; |
| 43 const char kAllowedNaClManifestURL2[] = "https://ssl.gstatic.com/photos/nacl/foo
"; | 43 const char kPhotosManifestURL2[] = "https://ssl.gstatic.com/photos/nacl/foo"; |
| 44 |
| 45 const char kChatAppURL1[] = "https://foo.talkgadget.google.com"; |
| 46 const char kChatAppURL2[] = "https://foo.talk.google.com"; |
| 47 const char kChatManifestURL[] = "https://ssl.gstatic.com/chat/apps/fx"; |
| 44 | 48 |
| 45 bool AllowsDevInterfaces(const WebPluginParams& params) { | 49 bool AllowsDevInterfaces(const WebPluginParams& params) { |
| 46 for (size_t i = 0; i < params.attributeNames.size(); ++i) { | 50 for (size_t i = 0; i < params.attributeNames.size(); ++i) { |
| 47 if (params.attributeNames[i] == WebString::fromUTF8("@dev")) | 51 if (params.attributeNames[i] == WebString::fromUTF8("@dev")) |
| 48 return true; | 52 return true; |
| 49 } | 53 } |
| 50 return false; | 54 return false; |
| 51 } | 55 } |
| 52 | 56 |
| 53 void AddFakeDevAttribute(WebPluginParams* params) { | 57 void AddFakeDevAttribute(WebPluginParams* params) { |
| (...skipping 142 matching lines...) |
| 196 GURL(), | 200 GURL(), |
| 197 kNaClRestricted, | 201 kNaClRestricted, |
| 198 CreateExtension(kExtensionRestricted, kExtensionFromWebStore).get(), | 202 CreateExtension(kExtensionRestricted, kExtensionFromWebStore).get(), |
| 199 ¶ms)); | 203 ¶ms)); |
| 200 EXPECT_TRUE(AllowsDevInterfaces(params)); | 204 EXPECT_TRUE(AllowsDevInterfaces(params)); |
| 201 } | 205 } |
| 202 // Whitelisted URLs are allowed without --enable-nacl, without 'dev' | 206 // Whitelisted URLs are allowed without --enable-nacl, without 'dev' |
| 203 // interfaces. There is a whitelist for the app URL and the manifest URL. | 207 // interfaces. There is a whitelist for the app URL and the manifest URL. |
| 204 { | 208 { |
| 205 WebPluginParams params; | 209 WebPluginParams params; |
| 206 // Whitelisted manifest URL #1, whitelisted app URL root #1 is allowed. | 210 // Whitelisted Photos app is allowed (two app URLs, two manifest URLs) |
| 207 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( | 211 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 208 GURL(kAllowedNaClManifestURL1), | 212 GURL(kPhotosManifestURL1), |
| 209 GURL(kAllowedNaClAppURL1), | 213 GURL(kPhotosAppURL1), |
| 210 kNaClRestricted, | 214 kNaClRestricted, |
| 211 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 215 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 212 ¶ms)); | 216 ¶ms)); |
| 213 EXPECT_FALSE(AllowsDevInterfaces(params)); | 217 EXPECT_FALSE(AllowsDevInterfaces(params)); |
| 214 // Whitelisted manifest URL #2, whitelisted app URL root #1 is allowed. | |
| 215 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( | 218 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 216 GURL(kAllowedNaClManifestURL1), | 219 GURL(kPhotosManifestURL1), |
| 217 GURL(kAllowedNaClAppURL1), | 220 GURL(kPhotosAppURL2), |
| 218 kNaClRestricted, | 221 kNaClRestricted, |
| 219 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 222 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 220 ¶ms)); | 223 ¶ms)); |
| 221 EXPECT_FALSE(AllowsDevInterfaces(params)); | 224 EXPECT_FALSE(AllowsDevInterfaces(params)); |
| 222 // Whitelisted manifest URL #1, whitelisted app URL root #2 is allowed. | |
| 223 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( | 225 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 224 GURL(kAllowedNaClManifestURL1), | 226 GURL(kPhotosManifestURL2), |
| 225 GURL(kAllowedNaClAppURL2), | 227 GURL(kPhotosAppURL1), |
| 226 kNaClRestricted, | 228 kNaClRestricted, |
| 227 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 229 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 228 ¶ms)); | 230 ¶ms)); |
| 229 EXPECT_FALSE(AllowsDevInterfaces(params)); | 231 EXPECT_FALSE(AllowsDevInterfaces(params)); |
| 232 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 233 GURL(kPhotosManifestURL2), |
| 234 GURL(kPhotosAppURL2), |
| 235 kNaClRestricted, |
| 236 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 237 ¶ms)); |
| 238 EXPECT_FALSE(AllowsDevInterfaces(params)); |
| 239 // Whitelisted Chat app is allowed. |
| 240 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 241 GURL(kChatManifestURL), |
| 242 GURL(kChatAppURL1), |
| 243 kNaClRestricted, |
| 244 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 245 ¶ms)); |
| 246 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 247 GURL(kChatManifestURL), |
| 248 GURL(kChatAppURL2), |
| 249 kNaClRestricted, |
| 250 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 251 ¶ms)); |
| 230 | 252 |
| 231 // Whitelisted manifest URL, bad app URLs, NOT allowed. | 253 // Whitelisted manifest URL, bad app URLs, NOT allowed. |
| 232 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 254 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 233 GURL(kAllowedNaClManifestURL1), | 255 GURL(kPhotosManifestURL1), |
| 234 GURL("http://plus.google.com/foo"), // http scheme | 256 GURL("http://plus.google.com/foo"), // http scheme |
| 235 kNaClRestricted, | 257 kNaClRestricted, |
| 236 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 258 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 237 ¶ms)); | 259 ¶ms)); |
| 238 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 260 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 239 GURL(kAllowedNaClManifestURL1), | 261 GURL(kPhotosManifestURL1), |
| 240 GURL("http://plus.sandbox.google.com/foo"), // http scheme | 262 GURL("http://plus.sandbox.google.com/foo"), // http scheme |
| 241 kNaClRestricted, | 263 kNaClRestricted, |
| 242 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 264 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 243 ¶ms)); | 265 ¶ms)); |
| 244 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 266 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 245 GURL(kAllowedNaClManifestURL1), | 267 GURL(kPhotosManifestURL1), |
| 246 GURL("https://plus.google.evil.com/foo"), // bad host | 268 GURL("https://plus.google.evil.com/foo"), // bad host |
| 247 kNaClRestricted, | 269 kNaClRestricted, |
| 248 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 270 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 249 ¶ms)); | 271 ¶ms)); |
| 250 // Whitelisted app URL, bad manifest URL, NOT allowed. | 272 // Whitelisted app URL, bad manifest URL, NOT allowed. |
| 251 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 273 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 252 GURL("http://ssl.gstatic.com/s2/oz/nacl/foo"), // http scheme | 274 GURL("http://ssl.gstatic.com/s2/oz/nacl/foo"), // http scheme |
| 253 GURL(kAllowedNaClAppURL1), | 275 GURL(kPhotosAppURL1), |
| 254 kNaClRestricted, | 276 kNaClRestricted, |
| 255 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 277 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 256 ¶ms)); | 278 ¶ms)); |
| 257 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 279 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 258 GURL("https://ssl.gstatic.evil.com/s2/oz/nacl/foo"), // bad host | 280 GURL("https://ssl.gstatic.evil.com/s2/oz/nacl/foo"), // bad host |
| 259 GURL(kAllowedNaClAppURL1), | 281 GURL(kPhotosAppURL1), |
| 260 kNaClRestricted, | 282 kNaClRestricted, |
| 261 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 283 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 262 ¶ms)); | 284 ¶ms)); |
| 263 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 285 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 264 GURL("https://ssl.gstatic.com/wrong/s2/oz/nacl/foo"), // bad path | 286 GURL("https://ssl.gstatic.com/wrong/s2/oz/nacl/foo"), // bad path |
| 265 GURL(kAllowedNaClAppURL1), | 287 GURL(kPhotosAppURL1), |
| 266 kNaClRestricted, | 288 kNaClRestricted, |
| 267 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 289 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 268 ¶ms)); | 290 ¶ms)); |
| 269 } | 291 } |
| 270 // Whitelisted URLs can't get 'dev' interfaces with --enable-nacl. | 292 // Whitelisted URLs can't get 'dev' interfaces with --enable-nacl. |
| 271 { | 293 { |
| 272 WebPluginParams params; | 294 WebPluginParams params; |
| 273 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( | 295 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 274 GURL(kAllowedNaClManifestURL1), | 296 GURL(kPhotosManifestURL1), |
| 275 GURL(kAllowedNaClAppURL1), | 297 GURL(kPhotosAppURL1), |
| 276 kNaClUnrestricted, | 298 kNaClUnrestricted, |
| 277 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 299 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 278 ¶ms)); | 300 ¶ms)); |
| 279 EXPECT_FALSE(AllowsDevInterfaces(params)); | 301 EXPECT_FALSE(AllowsDevInterfaces(params)); |
| 280 } | 302 } |
| 281 // Whitelisted URLs can't get 'dev' interfaces by injecting a fake | 303 // Whitelisted URLs can't get 'dev' interfaces by injecting a fake |
| 282 // '@dev' attribute. | 304 // '@dev' attribute. |
| 283 { | 305 { |
| 284 WebPluginParams params; | 306 WebPluginParams params; |
| 285 AddFakeDevAttribute(¶ms); | 307 AddFakeDevAttribute(¶ms); |
| 286 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( | 308 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 287 GURL(kAllowedNaClManifestURL1), | 309 GURL(kPhotosManifestURL1), |
| 288 GURL(kAllowedNaClAppURL1), | 310 GURL(kPhotosAppURL1), |
| 289 kNaClRestricted, | 311 kNaClRestricted, |
| 290 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 312 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 291 ¶ms)); | 313 ¶ms)); |
| 292 EXPECT_FALSE(AllowsDevInterfaces(params)); | 314 EXPECT_FALSE(AllowsDevInterfaces(params)); |
| 293 } | 315 } |
| 294 // Non-whitelisted URLs are blocked without --enable-nacl. | 316 // Non-whitelisted URLs are blocked without --enable-nacl. |
| 295 { | 317 { |
| 296 WebPluginParams params; | 318 WebPluginParams params; |
| 297 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 319 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 298 GURL(), | 320 GURL(), |
| 299 GURL("https://plus.google.com.evil.com/foo1"), | 321 GURL("https://plus.google.com.evil.com/foo1"), |
| 300 kNaClRestricted, | 322 kNaClRestricted, |
| 301 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), | 323 CreateExtension(kExtensionRestricted, kExtensionNotFromWebStore).get(), |
| 302 ¶ms)); | 324 ¶ms)); |
| 303 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 325 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 304 GURL(), | 326 GURL(), |
| 305 GURL("https://plus.google.com.evil.com/foo2"), | 327 GURL("https://plus.google.com.evil.com/foo2"), |
| 306 kNaClRestricted, | 328 kNaClRestricted, |
| 307 CreateExtension(kExtensionRestricted, kExtensionFromWebStore).get(), | 329 CreateExtension(kExtensionRestricted, kExtensionFromWebStore).get(), |
| 308 ¶ms)); | 330 ¶ms)); |
| 309 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 331 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 310 GURL(), | 332 GURL(), |
| 311 GURL("https://plus.google.com.evil.com/foo3"), | 333 GURL("https://talkgadget.google.com.evil.com/foo3"), |
| 312 kNaClRestricted, | 334 kNaClRestricted, |
| 313 CreateExtension(kExtensionUnrestricted, kExtensionNotFromWebStore) | 335 CreateExtension(kExtensionUnrestricted, kExtensionNotFromWebStore) |
| 314 .get(), | 336 .get(), |
| 315 ¶ms)); | 337 ¶ms)); |
| 316 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 338 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 317 GURL(), | 339 GURL(), |
| 318 GURL("https://plus.google.com.evil.com/foo4"), | 340 GURL("https://talkgadget.google.com.evil.com/foo4"), |
| 319 kNaClRestricted, | 341 kNaClRestricted, |
| 320 CreateExtension(kExtensionUnrestricted, kExtensionFromWebStore).get(), | 342 CreateExtension(kExtensionUnrestricted, kExtensionFromWebStore).get(), |
| 321 ¶ms)); | 343 ¶ms)); |
| 322 } | 344 } |
| 323 // Non chrome-extension:// URLs belonging to hosted apps are allowed. | 345 // Non chrome-extension:// URLs belonging to hosted apps are allowed. |
| 324 { | 346 { |
| 325 WebPluginParams params; | 347 WebPluginParams params; |
| 326 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( | 348 EXPECT_TRUE(ChromeContentRendererClient::IsNaClAllowed( |
| 327 GURL(), | 349 GURL(), |
| 328 GURL("http://example.com/test.html"), | 350 GURL("http://example.com/test.html"), |
| 329 kNaClRestricted, | 351 kNaClRestricted, |
| 330 CreateHostedApp(kExtensionRestricted, | 352 CreateHostedApp(kExtensionRestricted, |
| 331 kExtensionNotFromWebStore, | 353 kExtensionNotFromWebStore, |
| 332 "http://example.com/").get(), | 354 "http://example.com/").get(), |
| 333 ¶ms)); | 355 ¶ms)); |
| 334 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( | 356 EXPECT_FALSE(ChromeContentRendererClient::IsNaClAllowed( |
| 335 GURL(), | 357 GURL(), |
| 336 GURL("http://example.evil.com/test.html"), | 358 GURL("http://example.evil.com/test.html"), |
| 337 kNaClRestricted, | 359 kNaClRestricted, |
| 338 CreateHostedApp(kExtensionRestricted, | 360 CreateHostedApp(kExtensionRestricted, |
| 339 kExtensionNotFromWebStore, | 361 kExtensionNotFromWebStore, |
| 340 "http://example.com/").get(), | 362 "http://example.com/").get(), |
| 341 ¶ms)); | 363 ¶ms)); |
| 342 } | 364 } |
| 343 } | 365 } |
| 344 | 366 |
| 367 TEST_F(ChromeContentRendererClientTest, AllowPepperMediaStreamAPI) { |
| 368 ChromeContentRendererClient test; |
| 369 #if !defined(OS_ANDROID) |
| 370 EXPECT_TRUE(test.AllowPepperMediaStreamAPI(GURL(kChatAppURL1))); |
| 371 EXPECT_TRUE(test.AllowPepperMediaStreamAPI(GURL(kChatAppURL2))); |
| 372 #else |
| 373 EXPECT_FALSE(test.AllowPepperMediaStreamAPI(GURL(kChatAppURL1))); |
| 374 EXPECT_FALSE(test.AllowPepperMediaStreamAPI(GURL(kChatAppURL2))); |
| 375 #endif |
| 376 EXPECT_FALSE(test.AllowPepperMediaStreamAPI( |
| 377 GURL("http://talkgadget.google.com"))); |
| 378 EXPECT_FALSE(test.AllowPepperMediaStreamAPI( |
| 379 GURL("https://talkgadget.evil.com"))); |
| 380 } |
| 381 |
| 345 } // namespace chrome | 382 } // namespace chrome |
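Review bot: The two new Chat whitelist checks (new-side lines 240-251) never assert `EXPECT_FALSE(AllowsDevInterfaces(params));` after the call, unlike every Photos case above them, so nothing pins that a whitelisted Chat page is denied 'dev' interfaces; I would add that line after each of the two calls. The negative cases that follow (new-side lines 253-290) still pair only `kPhotosManifestURL1` and `kPhotosAppURL1` with bad URLs, so a regression that loosens the Chat manifest or Chat host match would pass unnoticed; http-scheme, bad-host and bad-path variants of `kChatManifestURL` paired with `kChatAppURL1`, each expected false, would cover it. The app-URL constants now carry a `foo.` subdomain, which suggests the host check became a domain match; the implementation is not on this page, so that is an inference, but if it holds, a case showing that a host which merely ends in the whitelisted string without a label boundary is rejected belongs here too. It is also not pinned whether a Photos manifest combined with a Chat app URL (or the reverse) is meant to be allowed, and a one-line comment stating the intended pairing rule next to the "There is a whitelist for the app URL and the manifest URL" comment would settle that.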