OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/renderer_host/render_view_host.h" | 5 #include "content/browser/renderer_host/render_view_host.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 #include <utility> | 8 #include <utility> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 921 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
932 const int renderer_id = process()->GetID(); | 932 const int renderer_id = process()->GetID(); |
933 ChildProcessSecurityPolicy* policy = | 933 ChildProcessSecurityPolicy* policy = |
934 ChildProcessSecurityPolicy::GetInstance(); | 934 ChildProcessSecurityPolicy::GetInstance(); |
935 // Without this check, an evil renderer can trick the browser into creating | 935 // Without this check, an evil renderer can trick the browser into creating |
936 // a navigation entry for a banned URL. If the user clicks the back button | 936 // a navigation entry for a banned URL. If the user clicks the back button |
937 // followed by the forward button (or clicks reload, or round-trips through | 937 // followed by the forward button (or clicks reload, or round-trips through |
938 // session restore, etc), we'll think that the browser commanded the | 938 // session restore, etc), we'll think that the browser commanded the |
939 // renderer to load the URL and grant the renderer the privileges to request | 939 // renderer to load the URL and grant the renderer the privileges to request |
940 // the URL. To prevent this attack, we block the renderer from inserting | 940 // the URL. To prevent this attack, we block the renderer from inserting |
941 // banned URLs into the navigation controller in the first place. | 941 // banned URLs into the navigation controller in the first place. |
942 FilterURL(policy, renderer_id, &validated_params.url); | 942 FilterURL(policy, renderer_id, false, &validated_params.url); |
943 FilterURL(policy, renderer_id, &validated_params.referrer.url); | 943 FilterURL(policy, renderer_id, true, &validated_params.referrer.url); |
944 for (std::vector<GURL>::iterator it(validated_params.redirects.begin()); | 944 for (std::vector<GURL>::iterator it(validated_params.redirects.begin()); |
945 it != validated_params.redirects.end(); ++it) { | 945 it != validated_params.redirects.end(); ++it) { |
946 FilterURL(policy, renderer_id, &(*it)); | 946 FilterURL(policy, renderer_id, false, &(*it)); |
947 } | 947 } |
948 FilterURL(policy, renderer_id, &validated_params.searchable_form_url); | 948 FilterURL(policy, renderer_id, true, &validated_params.searchable_form_url); |
949 FilterURL(policy, renderer_id, &validated_params.password_form.origin); | 949 FilterURL(policy, renderer_id, true, &validated_params.password_form.origin); |
950 FilterURL(policy, renderer_id, &validated_params.password_form.action); | 950 FilterURL(policy, renderer_id, true, &validated_params.password_form.action); |
951 | 951 |
952 delegate_->DidNavigate(this, validated_params); | 952 delegate_->DidNavigate(this, validated_params); |
953 } | 953 } |
954 | 954 |
955 void RenderViewHost::OnMsgUpdateState(int32 page_id, | 955 void RenderViewHost::OnMsgUpdateState(int32 page_id, |
956 const std::string& state) { | 956 const std::string& state) { |
957 delegate_->UpdateState(this, page_id, state); | 957 delegate_->UpdateState(this, page_id, state); |
958 } | 958 } |
959 | 959 |
960 void RenderViewHost::OnMsgUpdateTitle( | 960 void RenderViewHost::OnMsgUpdateTitle( |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1030 | 1030 |
1031 // Validate the URLs in |params|. If the renderer can't request the URLs | 1031 // Validate the URLs in |params|. If the renderer can't request the URLs |
1032 // directly, don't show them in the context menu. | 1032 // directly, don't show them in the context menu. |
1033 ContextMenuParams validated_params(params); | 1033 ContextMenuParams validated_params(params); |
1034 int renderer_id = process()->GetID(); | 1034 int renderer_id = process()->GetID(); |
1035 ChildProcessSecurityPolicy* policy = | 1035 ChildProcessSecurityPolicy* policy = |
1036 ChildProcessSecurityPolicy::GetInstance(); | 1036 ChildProcessSecurityPolicy::GetInstance(); |
1037 | 1037 |
1038 // We don't validate |unfiltered_link_url| so that this field can be used | 1038 // We don't validate |unfiltered_link_url| so that this field can be used |
1039 // when users want to copy the original link URL. | 1039 // when users want to copy the original link URL. |
1040 FilterURL(policy, renderer_id, &validated_params.link_url); | 1040 FilterURL(policy, renderer_id, true, &validated_params.link_url); |
1041 FilterURL(policy, renderer_id, &validated_params.src_url); | 1041 FilterURL(policy, renderer_id, true, &validated_params.src_url); |
1042 FilterURL(policy, renderer_id, &validated_params.page_url); | 1042 FilterURL(policy, renderer_id, false, &validated_params.page_url); |
1043 FilterURL(policy, renderer_id, &validated_params.frame_url); | 1043 FilterURL(policy, renderer_id, true, &validated_params.frame_url); |
1044 | 1044 |
1045 view->ShowContextMenu(validated_params); | 1045 view->ShowContextMenu(validated_params); |
1046 } | 1046 } |
1047 | 1047 |
1048 void RenderViewHost::OnMsgToggleFullscreen(bool enter_fullscreen) { | 1048 void RenderViewHost::OnMsgToggleFullscreen(bool enter_fullscreen) { |
1049 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 1049 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); |
1050 delegate_->ToggleFullscreenMode(enter_fullscreen); | 1050 delegate_->ToggleFullscreenMode(enter_fullscreen); |
1051 } | 1051 } |
1052 | 1052 |
1053 void RenderViewHost::OnMsgOpenURL(const GURL& url, | 1053 void RenderViewHost::OnMsgOpenURL(const GURL& url, |
1054 const content::Referrer& referrer, | 1054 const content::Referrer& referrer, |
1055 WindowOpenDisposition disposition, | 1055 WindowOpenDisposition disposition, |
1056 int64 source_frame_id) { | 1056 int64 source_frame_id) { |
1057 GURL validated_url(url); | 1057 GURL validated_url(url); |
1058 FilterURL(ChildProcessSecurityPolicy::GetInstance(), | 1058 FilterURL(ChildProcessSecurityPolicy::GetInstance(), |
1059 process()->GetID(), &validated_url); | 1059 process()->GetID(), false, &validated_url); |
1060 | 1060 |
1061 delegate_->RequestOpenURL( | 1061 delegate_->RequestOpenURL( |
1062 validated_url, referrer, disposition, source_frame_id); | 1062 validated_url, referrer, disposition, source_frame_id); |
1063 } | 1063 } |
1064 | 1064 |
1065 void RenderViewHost::OnMsgDidContentsPreferredSizeChange( | 1065 void RenderViewHost::OnMsgDidContentsPreferredSizeChange( |
1066 const gfx::Size& new_size) { | 1066 const gfx::Size& new_size) { |
1067 delegate_->UpdatePreferredSize(new_size); | 1067 delegate_->UpdatePreferredSize(new_size); |
1068 } | 1068 } |
1069 | 1069 |
(...skipping 65 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1135 return; | 1135 return; |
1136 | 1136 |
1137 GURL drag_url = drop_data.url; | 1137 GURL drag_url = drop_data.url; |
1138 GURL html_base_url = drop_data.html_base_url; | 1138 GURL html_base_url = drop_data.html_base_url; |
1139 | 1139 |
1140 ChildProcessSecurityPolicy* policy = | 1140 ChildProcessSecurityPolicy* policy = |
1141 ChildProcessSecurityPolicy::GetInstance(); | 1141 ChildProcessSecurityPolicy::GetInstance(); |
1142 | 1142 |
1143 // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar. | 1143 // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar. |
1144 if (!drag_url.SchemeIs(chrome::kJavaScriptScheme)) | 1144 if (!drag_url.SchemeIs(chrome::kJavaScriptScheme)) |
1145 FilterURL(policy, process()->GetID(), &drag_url); | 1145 FilterURL(policy, process()->GetID(), false, &drag_url); |
1146 FilterURL(policy, process()->GetID(), &html_base_url); | 1146 FilterURL(policy, process()->GetID(), false, &html_base_url); |
1147 | 1147 |
1148 if (drag_url != drop_data.url || html_base_url != drop_data.html_base_url) { | 1148 if (drag_url != drop_data.url || html_base_url != drop_data.html_base_url) { |
1149 WebDropData drop_data_copy = drop_data; | 1149 WebDropData drop_data_copy = drop_data; |
1150 drop_data_copy.url = drag_url; | 1150 drop_data_copy.url = drag_url; |
1151 drop_data_copy.html_base_url = html_base_url; | 1151 drop_data_copy.html_base_url = html_base_url; |
1152 view->StartDragging(drop_data_copy, drag_operations_mask, image, | 1152 view->StartDragging(drop_data_copy, drag_operations_mask, image, |
1153 image_offset); | 1153 image_offset); |
1154 } else { | 1154 } else { |
1155 view->StartDragging(drop_data, drag_operations_mask, image, image_offset); | 1155 view->StartDragging(drop_data, drag_operations_mask, image, image_offset); |
1156 } | 1156 } |
(...skipping 167 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1324 Send(new ViewMsg_SelectPopupMenuItem(routing_id(), -1)); | 1324 Send(new ViewMsg_SelectPopupMenuItem(routing_id(), -1)); |
1325 } | 1325 } |
1326 #endif | 1326 #endif |
1327 | 1327 |
1328 void RenderViewHost::ToggleSpeechInput() { | 1328 void RenderViewHost::ToggleSpeechInput() { |
1329 Send(new SpeechInputMsg_ToggleSpeechInput(routing_id())); | 1329 Send(new SpeechInputMsg_ToggleSpeechInput(routing_id())); |
1330 } | 1330 } |
1331 | 1331 |
1332 void RenderViewHost::FilterURL(ChildProcessSecurityPolicy* policy, | 1332 void RenderViewHost::FilterURL(ChildProcessSecurityPolicy* policy, |
1333 int renderer_id, | 1333 int renderer_id, |
| 1334 bool empty_allowed, |
1334 GURL* url) { | 1335 GURL* url) { |
1335 if (!url->is_valid()) | 1336 if (empty_allowed && url->is_empty()) |
1336 return; // We don't need to block invalid URLs. | 1337 return; |
| 1338 |
| 1339 if (!url->is_valid()) { |
| 1340 // Have to use about:blank for the denied case, instead of an empty GURL. |
| 1341 // This is because the browser treats navigation to an empty GURL as a |
| 1342 // navigation to the home page. This is often a privileged page |
| 1343 // (chrome://newtab/) which is exactly what we don't want. |
| 1344 *url = GURL(chrome::kAboutBlankURL); |
| 1345 return; |
| 1346 } |
1337 | 1347 |
1338 if (url->SchemeIs(chrome::kAboutScheme)) { | 1348 if (url->SchemeIs(chrome::kAboutScheme)) { |
1339 // The renderer treats all URLs in the about: scheme as being about:blank. | 1349 // The renderer treats all URLs in the about: scheme as being about:blank. |
1340 // Canonicalize about: URLs to about:blank. | 1350 // Canonicalize about: URLs to about:blank. |
1341 *url = GURL(chrome::kAboutBlankURL); | 1351 *url = GURL(chrome::kAboutBlankURL); |
1342 } | 1352 } |
1343 | 1353 |
1344 if (!policy->CanRequestURL(renderer_id, *url)) { | 1354 if (!policy->CanRequestURL(renderer_id, *url)) { |
1345 // If this renderer is not permitted to request this URL, we invalidate the | 1355 // If this renderer is not permitted to request this URL, we invalidate the |
1346 // URL. This prevents us from storing the blocked URL and becoming confused | 1356 // URL. This prevents us from storing the blocked URL and becoming confused |
1347 // later. | 1357 // later. |
1348 VLOG(1) << "Blocked URL " << url->spec(); | 1358 VLOG(1) << "Blocked URL " << url->spec(); |
1349 *url = GURL(); | 1359 *url = GURL(chrome::kAboutBlankURL); |
1350 } | 1360 } |
1351 } | 1361 } |
1352 | 1362 |
1353 void RenderViewHost::SetAltErrorPageURL(const GURL& url) { | 1363 void RenderViewHost::SetAltErrorPageURL(const GURL& url) { |
1354 Send(new ViewMsg_SetAltErrorPageURL(routing_id(), url)); | 1364 Send(new ViewMsg_SetAltErrorPageURL(routing_id(), url)); |
1355 } | 1365 } |
1356 | 1366 |
1357 void RenderViewHost::ExitFullscreen() { | 1367 void RenderViewHost::ExitFullscreen() { |
1358 RejectMouseLockOrUnlockIfNecessary(); | 1368 RejectMouseLockOrUnlockIfNecessary(); |
1359 } | 1369 } |
(...skipping 212 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1572 // Whenever we change swap out state, we should not be waiting for | 1582 // Whenever we change swap out state, we should not be waiting for |
1573 // beforeunload or unload acks. We clear them here to be safe, since they | 1583 // beforeunload or unload acks. We clear them here to be safe, since they |
1574 // can cause navigations to be ignored in OnMsgNavigate. | 1584 // can cause navigations to be ignored in OnMsgNavigate. |
1575 is_waiting_for_beforeunload_ack_ = false; | 1585 is_waiting_for_beforeunload_ack_ = false; |
1576 is_waiting_for_unload_ack_ = false; | 1586 is_waiting_for_unload_ack_ = false; |
1577 } | 1587 } |
1578 | 1588 |
1579 void RenderViewHost::ClearPowerSaveBlockers() { | 1589 void RenderViewHost::ClearPowerSaveBlockers() { |
1580 STLDeleteValues(&power_save_blockers_); | 1590 STLDeleteValues(&power_save_blockers_); |
1581 } | 1591 } |
OLD | NEW |