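--- a/content/browser/renderer_host/render_view_host_impl.cc
+++ b/content/browser/renderer_host/render_view_host_impl.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/renderer_host/render_view_host_impl.h"
 
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
@@ -488,21 +488,21 @@
 const gfx::Point& client_pt,
 const gfx::Point& screen_pt,
 WebDragOperationsMask operations_allowed) {
 const int renderer_id = GetProcess()->GetID();
 ChildProcessSecurityPolicyImpl* policy =
 ChildProcessSecurityPolicyImpl::GetInstance();
 
 // The URL could have been cobbled together from any highlighted text string,
 // and can't be interpreted as a capability.
 WebDropData filtered_data(drop_data);
-FilterURL(policy, renderer_id, &filtered_data.url);
+FilterURL(policy, renderer_id, false, &filtered_data.url);
 
 // The filenames vector, on the other hand, does represent a capability to
 // access the given files.
 std::set<FilePath> filesets;
 for (std::vector<string16>::iterator iter(filtered_data.filenames.begin());
 iter != filtered_data.filenames.end(); ++iter) {
 FilePath path = FilePath::FromWStringHack(UTF16ToWideHack(*iter));
 policy->GrantRequestURL(renderer_id, net::FilePathToFileURL(path));
 policy->GrantReadFile(renderer_id, path);
 
@@ -1032,29 +1032,29 @@
 const int renderer_id = GetProcess()->GetID();
 ChildProcessSecurityPolicyImpl* policy =
 ChildProcessSecurityPolicyImpl::GetInstance();
 // Without this check, an evil renderer can trick the browser into creating
 // a navigation entry for a banned URL. If the user clicks the back button
 // followed by the forward button (or clicks reload, or round-trips through
 // session restore, etc), we'll think that the browser commanded the
 // renderer to load the URL and grant the renderer the privileges to request
 // the URL. To prevent this attack, we block the renderer from inserting
 // banned URLs into the navigation controller in the first place.
-FilterURL(policy, renderer_id, &validated_params.url);
-FilterURL(policy, renderer_id, &validated_params.referrer.url);
+FilterURL(policy, renderer_id, false, &validated_params.url);
+FilterURL(policy, renderer_id, true, &validated_params.referrer.url);
 for (std::vector<GURL>::iterator it(validated_params.redirects.begin());
 it != validated_params.redirects.end(); ++it) {
-FilterURL(policy, renderer_id, &(*it));
+FilterURL(policy, renderer_id, false, &(*it));
 }
-FilterURL(policy, renderer_id, &validated_params.searchable_form_url);
-FilterURL(policy, renderer_id, &validated_params.password_form.origin);
-FilterURL(policy, renderer_id, &validated_params.password_form.action);
+FilterURL(policy, renderer_id, true, &validated_params.searchable_form_url);
+FilterURL(policy, renderer_id, true, &validated_params.password_form.origin);
+FilterURL(policy, renderer_id, true, &validated_params.password_form.action);
 
 delegate_->DidNavigate(this, validated_params);
 }
 
 void RenderViewHostImpl::OnMsgUpdateState(int32 page_id,
 const std::string& state) {
 delegate_->UpdateState(this, page_id, state);
 }
 
 void RenderViewHostImpl::OnMsgUpdateTitle(
@@ -1132,41 +1132,41 @@
 
 // Validate the URLs in |params|. If the renderer can't request the URLs
 // directly, don't show them in the context menu.
 content::ContextMenuParams validated_params(params);
 int renderer_id = GetProcess()->GetID();
 ChildProcessSecurityPolicyImpl* policy =
 ChildProcessSecurityPolicyImpl::GetInstance();
 
 // We don't validate |unfiltered_link_url| so that this field can be used
 // when users want to copy the original link URL.
-FilterURL(policy, renderer_id, &validated_params.link_url);
-FilterURL(policy, renderer_id, &validated_params.src_url);
-FilterURL(policy, renderer_id, &validated_params.page_url);
-FilterURL(policy, renderer_id, &validated_params.frame_url);
+FilterURL(policy, renderer_id, true, &validated_params.link_url);
+FilterURL(policy, renderer_id, true, &validated_params.src_url);
+FilterURL(policy, renderer_id, false, &validated_params.page_url);
+FilterURL(policy, renderer_id, true, &validated_params.frame_url);
 
 view->ShowContextMenu(validated_params);
 }
 
 void RenderViewHostImpl::OnMsgToggleFullscreen(bool enter_fullscreen) {
 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 delegate_->ToggleFullscreenMode(enter_fullscreen);
 WasResized();
 }
 
 void RenderViewHostImpl::OnMsgOpenURL(const GURL& url,
 const content::Referrer& referrer,
 WindowOpenDisposition disposition,
 int64 source_frame_id) {
 GURL validated_url(url);
 FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(),
-GetProcess()->GetID(), &validated_url);
+GetProcess()->GetID(), false, &validated_url);
 
 delegate_->RequestOpenURL(
 validated_url, referrer, disposition, source_frame_id);
 }
 
 void RenderViewHostImpl::OnMsgDidContentsPreferredSizeChange(
 const gfx::Size& new_size) {
 delegate_->UpdatePreferredSize(new_size);
 }
 
@@ -1237,22 +1237,22 @@
 RenderViewHostDelegate::View* view = delegate_->GetViewDelegate();
 if (!view)
 return;
 
 WebDropData filtered_data(drop_data);
 ChildProcessSecurityPolicyImpl* policy =
 ChildProcessSecurityPolicyImpl::GetInstance();
 
 // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.
 if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme))
-FilterURL(policy, GetProcess()->GetID(), &filtered_data.url);
-FilterURL(policy, GetProcess()->GetID(), &filtered_data.html_base_url);
+FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.url);
+FilterURL(policy, GetProcess()->GetID(), false, &filtered_data.html_base_url);
 view->StartDragging(filtered_data, drag_operations_mask, image, image_offset);
 }
 
 void RenderViewHostImpl::OnUpdateDragCursor(WebDragOperation current_op) {
 RenderViewHostDelegate::View* view = delegate_->GetViewDelegate();
 if (view)
 view->UpdateDragCursor(current_op);
 }
 
 void RenderViewHostImpl::OnTargetDropACK() {
@@ -1441,36 +1441,46 @@
 Send(new ViewMsg_SelectPopupMenuItem(GetRoutingID(), -1));
 }
 #endif
 
 void RenderViewHostImpl::ToggleSpeechInput() {
 Send(new InputTagSpeechMsg_ToggleSpeechInput(GetRoutingID()));
 }
 
 void RenderViewHostImpl::FilterURL(ChildProcessSecurityPolicyImpl* policy,
 int renderer_id,
+bool empty_allowed,
 GURL* url) {
-if (!url->is_valid())
-return; // We don't need to block invalid URLs.
+if (empty_allowed && url->is_empty())
+return;
+
+if (!url->is_valid()) {
+// Have to use about:blank for the denied case, instead of an empty GURL.
+// This is because the browser treats navigation to an empty GURL as a
+// navigation to the home page. This is often a privileged page
+// (chrome://newtab/) which is exactly what we don't want.
+*url = GURL(chrome::kAboutBlankURL);
+return;
+}
 
 if (url->SchemeIs(chrome::kAboutScheme)) {
 // The renderer treats all URLs in the about: scheme as being about:blank.
 // Canonicalize about: URLs to about:blank.
 *url = GURL(chrome::kAboutBlankURL);
 }
 
 if (!policy->CanRequestURL(renderer_id, *url)) {
 // If this renderer is not permitted to request this URL, we invalidate the
 // URL. This prevents us from storing the blocked URL and becoming confused
 // later.
 VLOG(1) << "Blocked URL " << url->spec();
-*url = GURL();
+*url = GURL(chrome::kAboutBlankURL);
 }
 }
 
 void RenderViewHostImpl::SetAltErrorPageURL(const GURL& url) {
 Send(new ViewMsg_SetAltErrorPageURL(GetRoutingID(), url));
 }
 
 void RenderViewHostImpl::SetGuest(bool guest) {
 guest_ = guest;
 }
@@ -1722,10 +1732,10 @@
 // can cause navigations to be ignored in OnMsgNavigate.
 is_waiting_for_beforeunload_ack_ = false;
 is_waiting_for_unload_ack_ = false;
 }
 
 void RenderViewHostImpl::ClearPowerSaveBlockers() {
 STLDeleteValues(&power_save_blockers_);
 }
 
 } // namespace content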
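Review bot: The comment above the CanRequestURL branch in FilterURL is now stale: it still says the blocked URL is "invalidated", but the new line substitutes `GURL(chrome::kAboutBlankURL)`, a valid URL, for the same home-page reason given only in the is_valid() branch a few lines earlier. Suggest replacing it with `// If this renderer is not permitted to request this URL, replace it with` / `// about:blank (not an empty GURL, see above) so the blocked URL is never` / `// stored or later treated as a home-page navigation.` It would also help to document the new empty_allowed parameter at its declaration, since every call site passes a bare true/false literal and the rule (true only where an empty URL is a meaningful "no URL" value, false where an empty URL could end up navigated) has to be inferred from the hunks. One place worth double-checking is the drag/drop data in the earlier hunks: `filtered_data.url` and `html_base_url` are passed with false, so a text-only drop or non-HTML drag whose URL was empty now reaches the view as about:blank instead of empty; whether those consumers rely on emptiness is not visible on this page.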