1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/renderer_host/render_view_host_impl.h" | 5 #include "content/browser/renderer_host/render_view_host_impl.h" |
6 | 6 |
7 #include <set> | 7 #include <set> |
8 #include <string> | 8 #include <string> |
9 #include <utility> | 9 #include <utility> |
10 #include <vector> | 10 #include <vector> |
1033 ChildProcessSecurityPolicyImpl* policy = | 1033 ChildProcessSecurityPolicyImpl* policy = |
1034 ChildProcessSecurityPolicyImpl::GetInstance(); | 1034 ChildProcessSecurityPolicyImpl::GetInstance(); |
1035 // Without this check, an evil renderer can trick the browser into creating | 1035 // Without this check, an evil renderer can trick the browser into creating |
1036 // a navigation entry for a banned URL. If the user clicks the back button | 1036 // a navigation entry for a banned URL. If the user clicks the back button |
1037 // followed by the forward button (or clicks reload, or round-trips through | 1037 // followed by the forward button (or clicks reload, or round-trips through |
1038 // session restore, etc), we'll think that the browser commanded the | 1038 // session restore, etc), we'll think that the browser commanded the |
1039 // renderer to load the URL and grant the renderer the privileges to request | 1039 // renderer to load the URL and grant the renderer the privileges to request |
1040 // the URL. To prevent this attack, we block the renderer from inserting | 1040 // the URL. To prevent this attack, we block the renderer from inserting |
1041 // banned URLs into the navigation controller in the first place. | 1041 // banned URLs into the navigation controller in the first place. |
1042 FilterURL(policy, renderer_id, &validated_params.url); | 1042 FilterURL(policy, renderer_id, &validated_params.url); |
1043 FilterURL(policy, renderer_id, &validated_params.referrer.url); | 1043 if (!validated_params.referrer.url.is_empty()) |
Charlie Reis
2012/03/21 16:23:03
Your comment on the bug said that we should allow
| |
1044 FilterURL(policy, renderer_id, &validated_params.referrer.url); | |
1044 for (std::vector<GURL>::iterator it(validated_params.redirects.begin()); | 1045 for (std::vector<GURL>::iterator it(validated_params.redirects.begin()); |
1045 it != validated_params.redirects.end(); ++it) { | 1046 it != validated_params.redirects.end(); ++it) { |
1046 FilterURL(policy, renderer_id, &(*it)); | 1047 FilterURL(policy, renderer_id, &(*it)); |
1047 } | 1048 } |
1048 FilterURL(policy, renderer_id, &validated_params.searchable_form_url); | 1049 if (!validated_params.searchable_form_url.is_empty()) |
1049 FilterURL(policy, renderer_id, &validated_params.password_form.origin); | 1050 FilterURL(policy, renderer_id, &validated_params.searchable_form_url); |
1050 FilterURL(policy, renderer_id, &validated_params.password_form.action); | 1051 if (!validated_params.password_form.origin.is_empty()) |
1052 FilterURL(policy, renderer_id, &validated_params.password_form.origin); | |
1053 if (!validated_params.password_form.action.is_empty()) | |
1054 FilterURL(policy, renderer_id, &validated_params.password_form.action); | |
1051 | 1055 |
1052 delegate_->DidNavigate(this, validated_params); | 1056 delegate_->DidNavigate(this, validated_params); |
1053 } | 1057 } |
1054 | 1058 |
1055 void RenderViewHostImpl::OnMsgUpdateState(int32 page_id, | 1059 void RenderViewHostImpl::OnMsgUpdateState(int32 page_id, |
1056 const std::string& state) { | 1060 const std::string& state) { |
1057 delegate_->UpdateState(this, page_id, state); | 1061 delegate_->UpdateState(this, page_id, state); |
1058 } | 1062 } |
1059 | 1063 |
1060 void RenderViewHostImpl::OnMsgUpdateTitle( | 1064 void RenderViewHostImpl::OnMsgUpdateTitle( |
1132 | 1136 |
1133 // Validate the URLs in |params|. If the renderer can't request the URLs | 1137 // Validate the URLs in |params|. If the renderer can't request the URLs |
1134 // directly, don't show them in the context menu. | 1138 // directly, don't show them in the context menu. |
1135 content::ContextMenuParams validated_params(params); | 1139 content::ContextMenuParams validated_params(params); |
1136 int renderer_id = GetProcess()->GetID(); | 1140 int renderer_id = GetProcess()->GetID(); |
1137 ChildProcessSecurityPolicyImpl* policy = | 1141 ChildProcessSecurityPolicyImpl* policy = |
1138 ChildProcessSecurityPolicyImpl::GetInstance(); | 1142 ChildProcessSecurityPolicyImpl::GetInstance(); |
1139 | 1143 |
1140 // We don't validate |unfiltered_link_url| so that this field can be used | 1144 // We don't validate |unfiltered_link_url| so that this field can be used |
1141 // when users want to copy the original link URL. | 1145 // when users want to copy the original link URL. |
1142 FilterURL(policy, renderer_id, &validated_params.link_url); | 1146 if (!validated_params.link_url.is_empty()) |
1143 FilterURL(policy, renderer_id, &validated_params.src_url); | 1147 FilterURL(policy, renderer_id, &validated_params.link_url); |
1148 if (!validated_params.src_url.is_empty()) | |
1149 FilterURL(policy, renderer_id, &validated_params.src_url); | |
1144 FilterURL(policy, renderer_id, &validated_params.page_url); | 1150 FilterURL(policy, renderer_id, &validated_params.page_url); |
1145 FilterURL(policy, renderer_id, &validated_params.frame_url); | 1151 if (!validated_params.frame_url.is_empty()) |
1152 FilterURL(policy, renderer_id, &validated_params.frame_url); | |
1146 | 1153 |
1147 view->ShowContextMenu(validated_params); | 1154 view->ShowContextMenu(validated_params); |
1148 } | 1155 } |
1149 | 1156 |
1150 void RenderViewHostImpl::OnMsgToggleFullscreen(bool enter_fullscreen) { | 1157 void RenderViewHostImpl::OnMsgToggleFullscreen(bool enter_fullscreen) { |
1151 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 1158 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); |
1152 delegate_->ToggleFullscreenMode(enter_fullscreen); | 1159 delegate_->ToggleFullscreenMode(enter_fullscreen); |
1153 WasResized(); | 1160 WasResized(); |
1154 } | 1161 } |
1155 | 1162 |
1441 Send(new ViewMsg_SelectPopupMenuItem(GetRoutingID(), -1)); | 1448 Send(new ViewMsg_SelectPopupMenuItem(GetRoutingID(), -1)); |
1442 } | 1449 } |
1443 #endif | 1450 #endif |
1444 | 1451 |
1445 void RenderViewHostImpl::ToggleSpeechInput() { | 1452 void RenderViewHostImpl::ToggleSpeechInput() { |
1446 Send(new InputTagSpeechMsg_ToggleSpeechInput(GetRoutingID())); | 1453 Send(new InputTagSpeechMsg_ToggleSpeechInput(GetRoutingID())); |
1447 } | 1454 } |
1448 | 1455 |
1449 void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy, | 1456 void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy, |
1450 int renderer_id, | 1457 int renderer_id, |
1451 GURL* url) { | 1458 GURL* url) { |
Charlie Reis
2012/03/21 16:23:03
Can we add a comment saying why an empty URL is da
| |
1452 if (!url->is_valid()) | 1459 if (!url->is_valid()) { |
1453 return; // We don't need to block invalid URLs. | 1460 *url = GURL(chrome::kAboutBlankURL); |
1461 return; | |
1462 } | |
1454 | 1463 |
1455 if (url->SchemeIs(chrome::kAboutScheme)) { | 1464 if (url->SchemeIs(chrome::kAboutScheme)) { |
1456 // The renderer treats all URLs in the about: scheme as being about:blank. | 1465 // The renderer treats all URLs in the about: scheme as being about:blank. |
1457 // Canonicalize about: URLs to about:blank. | 1466 // Canonicalize about: URLs to about:blank. |
1458 *url = GURL(chrome::kAboutBlankURL); | 1467 *url = GURL(chrome::kAboutBlankURL); |
1459 } | 1468 } |
1460 | 1469 |
1461 if (!policy->CanRequestURL(renderer_id, *url)) { | 1470 if (!policy->CanRequestURL(renderer_id, *url)) { |
1462 // If this renderer is not permitted to request this URL, we invalidate the | 1471 // If this renderer is not permitted to request this URL, we invalidate the |
1463 // URL. This prevents us from storing the blocked URL and becoming confused | 1472 // URL. This prevents us from storing the blocked URL and becoming confused |
1464 // later. | 1473 // later. |
1465 VLOG(1) << "Blocked URL " << url->spec(); | 1474 VLOG(1) << "Blocked URL " << url->spec(); |
1466 *url = GURL(); | 1475 *url = GURL(chrome::kAboutBlankURL); |
1467 } | 1476 } |
1468 } | 1477 } |
1469 | 1478 |
1470 void RenderViewHostImpl::SetAltErrorPageURL(const GURL& url) { | 1479 void RenderViewHostImpl::SetAltErrorPageURL(const GURL& url) { |
1471 Send(new ViewMsg_SetAltErrorPageURL(GetRoutingID(), url)); | 1480 Send(new ViewMsg_SetAltErrorPageURL(GetRoutingID(), url)); |
1472 } | 1481 } |
1473 | 1482 |
1474 void RenderViewHostImpl::SetGuest(bool guest) { | 1483 void RenderViewHostImpl::SetGuest(bool guest) { |
1475 guest_ = guest; | 1484 guest_ = guest; |
1476 } | 1485 } |
1722 // can cause navigations to be ignored in OnMsgNavigate. | 1731 // can cause navigations to be ignored in OnMsgNavigate. |
1723 is_waiting_for_beforeunload_ack_ = false; | 1732 is_waiting_for_beforeunload_ack_ = false; |
1724 is_waiting_for_unload_ack_ = false; | 1733 is_waiting_for_unload_ack_ = false; |
1725 } | 1734 } |
1726 | 1735 |
1727 void RenderViewHostImpl::ClearPowerSaveBlockers() { | 1736 void RenderViewHostImpl::ClearPowerSaveBlockers() { |
1728 STLDeleteValues(&power_save_blockers_); | 1737 STLDeleteValues(&power_save_blockers_); |
1729 } | 1738 } |
1730 | 1739 |
1731 } // namespace content | 1740 } // namespace content |
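Review bot: The new `is_empty()` guard is applied before FilterURL for referrer.url, searchable_form_url, password_form.origin, password_form.action, link_url, src_url and frame_url, but not for page_url (new line 1150) or the entries of the redirects loop (new lines 1045–1047), so an empty value in those fields is now rewritten to about:blank by FilterURL's new invalid-URL branch (new lines 1459–1462) while the guarded fields are left empty. If the asymmetry is intentional — page_url presumably always carries a committed URL — a one-line comment at the call site, `// page_url is never empty for a committed page, so no is_empty() guard is needed.`, would record that invariant; otherwise the duplication across seven call sites is itself the risk, and the guard belongs inside FilterURL as `if (url->is_empty()) return;` ahead of the `is_valid()` check, with the per-call guards dropped. Note also that a blocked URL and an invalid one now both become about:blank, so the `VLOG(1) << "Blocked URL "` line is the only remaining trace that policy rejected a URL; keep it at a level that is captured when investigating renderer misbehaviour. The two calling functions (the one ending in `delegate_->DidNavigate` and the context-menu handler) start outside the shown lines.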