| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/child_process_security_policy_impl.h" | 5 #include "content/browser/child_process_security_policy_impl.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 183 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 194 } | 194 } |
| 195 | 195 |
| 196 void RevokeReadRawCookies() { | 196 void RevokeReadRawCookies() { |
| 197 can_read_raw_cookies_ = false; | 197 can_read_raw_cookies_ = false; |
| 198 } | 198 } |
| 199 | 199 |
| 200 void GrantPermissionForMidiSysEx() { | 200 void GrantPermissionForMidiSysEx() { |
| 201 can_send_midi_sysex_ = true; | 201 can_send_midi_sysex_ = true; |
| 202 } | 202 } |
| 203 | 203 |
| 204 bool CanCommitOrigin(const url::Origin& origin) { |
| 205 return base::ContainsKey(origin_set_, origin); |
| 206 } |
| 207 |
| 204 // Determine whether permission has been granted to commit |url|. | 208 // Determine whether permission has been granted to commit |url|. |
| 205 bool CanCommitURL(const GURL& url) { | 209 bool CanCommitURL(const GURL& url) { |
| 206 DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem()) | 210 DCHECK(!url.SchemeIsBlob() && !url.SchemeIsFileSystem()) |
| 207 << "inner_url extraction should be done already."; | 211 << "inner_url extraction should be done already."; |
| 208 // Having permission to a scheme implies permission to all of its URLs. | 212 // Having permission to a scheme implies permission to all of its URLs. |
| 209 SchemeMap::const_iterator scheme_judgment( | 213 SchemeMap::const_iterator scheme_judgment( |
| 210 scheme_policy_.find(url.scheme())); | 214 scheme_policy_.find(url.scheme())); |
| 211 if (scheme_judgment != scheme_policy_.end()) | 215 if (scheme_judgment != scheme_policy_.end()) |
| 212 return scheme_judgment->second; | 216 return scheme_judgment->second; |
| 213 | 217 |
| 214 // Otherwise, check for permission for specific origin. | 218 // Otherwise, check for permission for specific origin. |
| 215 if (base::ContainsKey(origin_set_, url::Origin(url))) | 219 if (CanCommitOrigin(url::Origin(url))) |
| 216 return true; | 220 return true; |
| 217 | 221 |
| 218 // file:// URLs are more granular. The child may have been given | 222 // file:// URLs are more granular. The child may have been given |
| 219 // permission to a specific file but not the file:// scheme in general. | 223 // permission to a specific file but not the file:// scheme in general. |
| 220 if (url.SchemeIs(url::kFileScheme)) { | 224 if (url.SchemeIs(url::kFileScheme)) { |
| 221 base::FilePath path; | 225 base::FilePath path; |
| 222 if (net::FileURLToFilePath(url, &path)) | 226 if (net::FileURLToFilePath(url, &path)) |
| 223 return base::ContainsKey(request_file_set_, path); | 227 return base::ContainsKey(request_file_set_, path); |
| 224 } | 228 } |
| 225 | 229 |
| (...skipping 701 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 927 base::AutoLock lock(lock_); | 931 base::AutoLock lock(lock_); |
| 928 SecurityStateMap::iterator state = security_state_.find(child_id); | 932 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 929 if (state == security_state_.end()) { | 933 if (state == security_state_.end()) { |
| 930 // TODO(nick): Returning true instead of false here is a temporary | 934 // TODO(nick): Returning true instead of false here is a temporary |
| 931 // workaround for https://crbug.com/600441 | 935 // workaround for https://crbug.com/600441 |
| 932 return true; | 936 return true; |
| 933 } | 937 } |
| 934 return state->second->CanAccessDataForOrigin(gurl); | 938 return state->second->CanAccessDataForOrigin(gurl); |
| 935 } | 939 } |
| 936 | 940 |
| 941 bool ChildProcessSecurityPolicyImpl::HasSpecificPermissionForOrigin( |
| 942 int child_id, |
| 943 const url::Origin& origin) { |
| 944 base::AutoLock lock(lock_); |
| 945 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 946 if (state == security_state_.end()) |
| 947 return false; |
| 948 return state->second->CanCommitOrigin(origin); |
| 949 } |
| 950 |
| 937 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id, | 951 void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id, |
| 938 const GURL& gurl) { | 952 const GURL& gurl) { |
| 939 // "gurl" can be currently empty in some cases, such as file://blah. | 953 // "gurl" can be currently empty in some cases, such as file://blah. |
| 940 DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl); | 954 DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl); |
| 941 base::AutoLock lock(lock_); | 955 base::AutoLock lock(lock_); |
| 942 SecurityStateMap::iterator state = security_state_.find(child_id); | 956 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 943 DCHECK(state != security_state_.end()); | 957 DCHECK(state != security_state_.end()); |
| 944 state->second->LockToOrigin(gurl); | 958 state->second->LockToOrigin(gurl); |
| 945 } | 959 } |
| 946 | 960 |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 979 base::AutoLock lock(lock_); | 993 base::AutoLock lock(lock_); |
| 980 | 994 |
| 981 SecurityStateMap::iterator state = security_state_.find(child_id); | 995 SecurityStateMap::iterator state = security_state_.find(child_id); |
| 982 if (state == security_state_.end()) | 996 if (state == security_state_.end()) |
| 983 return false; | 997 return false; |
| 984 | 998 |
| 985 return state->second->can_send_midi_sysex(); | 999 return state->second->can_send_midi_sysex(); |
| 986 } | 1000 } |
| 987 | 1001 |
| 988 } // namespace content | 1002 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2437753003:
Tighten IO thread blob/filesystem URL checks for apps with webview permission. (Closed)
