authorjochen <jochen@chromium.org>2015-02-23 08:55:37 -0800
committerCommit bot <commit-bot@chromium.org>2015-02-23 16:56:24 +0000
commit7b6465936e610ec9b452446ca4c4718d07f4095c (patch)
treee3ebcfeb17c2fff1b4c00b241ba3cb4f6194389f
parent87911ef8bff9caff667d6f0ec8004c6e1fe211d2 (diff)
When sanitizing serialized navigation entries also take iframes into account
The state of the iframes is encoded in the page state, so we need to decode the page state and recursively check it. BUG=422871 R=marja@chromium.org Review URL: https://codereview.chromium.org/948013002 Cr-Commit-Position: refs/heads/master@{#317595}
-rw-r--r--components/sessions/content/content_serialized_navigation_driver.cc6
-rw-r--r--content/public/common/page_state.cc31
2 files changed, 35 insertions, 2 deletions
diff --git a/components/sessions/content/content_serialized_navigation_driver.cc b/components/sessions/content/content_serialized_navigation_driver.cc
index 0c682f4..236eb28 100644
--- a/components/sessions/content/content_serialized_navigation_driver.cc
+++ b/components/sessions/content/content_serialized_navigation_driver.cc
@@ -100,10 +100,14 @@ void ContentSerializedNavigationDriver::Sanitize(
content::Referrer::SanitizeForRequest(navigation->virtual_url_,
old_referrer);
+ bool page_state_is_valid = navigation->encoded_page_state_.empty() ||
+ content::PageState::CreateFromEncodedData(
+ navigation->encoded_page_state_).IsValid();
+
// No need to compare the policy, as it doesn't change during
// sanitization. If there has been a change, the referrer needs to be
// stripped from the page state as well.
- if (navigation->referrer_url_ != new_referrer.url) {
+ if (navigation->referrer_url_ != new_referrer.url || !page_state_is_valid) {
navigation->referrer_url_ = GURL();
navigation->referrer_policy_ = GetDefaultReferrerPolicy();
navigation->encoded_page_state_ =
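Review bot: The comment above the `if` still explains only the referrer-change case, but the condition now also fires when the decoded page state fails validation, and a reader has to look at `PageState::IsValid()` in the other file to see why; I would extend it with `// Also reset everything when the encoded page state fails validation, since` `// it may carry referrers that SanitizeForRequest would have stripped.` Note also that `page_state_is_valid` is computed eagerly, so the full decode runs even when the referrer comparison alone would already trigger the reset; evaluating it lazily after the referrer check (or folding it into the condition) avoids that work on the common path. Because `IsValid()` returns true when `DecodePageState` fails (per the page_state.cc hunk), an undecodable page state is treated as valid here and passed through unchanged, which is worth stating in the comment so callers do not assume this path rejects malformed data. Sanitize's body starts and continues outside the hunk.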
diff --git a/content/public/common/page_state.cc b/content/public/common/page_state.cc
index 9d100d3..1f3dd2f 100644
--- a/content/public/common/page_state.cc
+++ b/content/public/common/page_state.cc
@@ -7,6 +7,7 @@
#include "base/files/file_path.h"
#include "base/strings/utf_string_conversions.h"
#include "content/common/page_state_serialization.h"
+#include "content/public/common/referrer.h"
namespace content {
namespace {
@@ -55,6 +56,25 @@ void RecursivelyRemoveReferrer(ExplodedFrameState* state) {
}
}
+bool RecursivelyCheckReferrer(ExplodedFrameState* state) {
+ Referrer referrer(GURL(state->referrer.string()), state->referrer_policy);
+ GURL url(state->url_string.string());
+ if (url.SchemeIsHTTPOrHTTPS() &&
+ Referrer::SanitizeForRequest(url, referrer).url != referrer.url) {
+ LOG(ERROR) << "Referrer for request to " << url << " is " << referrer.url
+ << " but should be "
+ << Referrer::SanitizeForRequest(url, referrer).url;
+ return false;
+ }
+ for (std::vector<ExplodedFrameState>::iterator it = state->children.begin();
+ it != state->children.end();
+ ++it) {
+ if (!RecursivelyCheckReferrer(&*it))
+ return false;
+ }
+ return true;
+}
+
} // namespace
// static
@@ -108,7 +128,16 @@ PageState::PageState() {
}
bool PageState::IsValid() const {
- return !data_.empty();
+ if (data_.empty())
+ return false;
+
+ ExplodedPageState state;
+ // This should return false, but tests create invalid page state.
+ if (!DecodePageState(data_, &state))
+ return true;
+
+ // TODO(jochen): Remove referrer check once http://crbug.com/450589 is fixed.
+ return RecursivelyCheckReferrer(&state.top);
}
bool PageState::Equals(const PageState& other) const {
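Review bot: `IsValid()` returns true when `DecodePageState` fails, so a page state that cannot be decoded skips `RecursivelyCheckReferrer` entirely and only decodable states with a bad referrer are rejected; if test fixtures are the sole reason, the comment should name that condition and carry a tracking TODO so the permissive branch does not quietly become permanent, e.g. `// TODO(jochen): Return false once tests no longer construct undecodable page state.` The method also now performs a full decode on every call, which may matter if callers invoke it repeatedly on the same object (not visible here). In `RecursivelyCheckReferrer` in the previous hunk, `Referrer::SanitizeForRequest(url, referrer)` is evaluated twice and `LOG(ERROR)` emits complete URLs and referrer URLs, which can include query strings; storing the sanitized referrer in a local and demoting the message to `DVLOG(1)` or logging only origins would avoid both the repeated work and the verbose output in production logs.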