author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-09 01:47:59 +0000 |
---|---|---|
committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-02-09 01:47:59 +0000 |
commit | b953542108e0ffd871acc0de0919fe3da151db6c (patch) | |
tree | a0009fdc038b805e3fada7350797297104345b64 | |
parent | f7858268cca0e50b5e4ebd93ee42881b21e4ff45 (diff) | |
Create a content public browser API around the ChildProcessSecurityPolicy class. The implementation of this
interface lives in content/browser/child_process_security_policy_impl.{cc,h}.
Moved some security checks from the TabContentsDelegate implementation (chrome\browser) to the TabContents
code in content.
BUG=98716
Review URL: https://chromiumcodereview.appspot.com/9360014
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@121137 0039d316-1c4b-4281-b951-d872f2087c98
35 files changed, 305 insertions, 228 deletions
diff --git a/chrome/browser/DEPS b/chrome/browser/DEPS index 28c9fc6..31e2738 100644 --- a/chrome/browser/DEPS +++ b/chrome/browser/DEPS @@ -36,7 +36,6 @@ include_rules = [ "+content/browser/appcache/chrome_appcache_service.h", "+content/browser/browser_url_handler.h", "+content/browser/cert_store.h", - "+content/browser/child_process_security_policy.h", "+content/browser/chrome_blob_storage_context.h", "+content/browser/disposition_utils.h", "+content/browser/download/download_buffer.h", diff --git a/chrome/browser/browser_process_impl.cc b/chrome/browser/browser_process_impl.cc index 4491345..40aa7f4 100644 --- a/chrome/browser/browser_process_impl.cc +++ b/chrome/browser/browser_process_impl.cc @@ -67,11 +67,11 @@ #include "chrome/common/switch_utils.h" #include "chrome/common/url_constants.h" #include "chrome/installer/util/google_update_constants.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/download/mhtml_generation_manager.h" #include "content/browser/net/browser_online_state_observer.h" #include "content/browser/renderer_host/resource_dispatcher_host.h" #include "content/public/browser/browser_thread.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/notification_details.h" #include "content/public/browser/plugin_service.h" #include "content/public/browser/render_process_host.h" @@ -113,6 +113,7 @@ static const int kEndSessionTimeoutSeconds = 10; #endif using content::BrowserThread; +using content::ChildProcessSecurityPolicy; using content::PluginService; BrowserProcessImpl::BrowserProcessImpl(const CommandLine& command_line) diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc index 2c4ce12..58aa49a 100644 --- a/chrome/browser/chrome_content_browser_client.cc +++ b/chrome/browser/chrome_content_browser_client.cc 
@@ -66,12 +66,12 @@ #include "chrome/common/render_messages.h" #include "chrome/common/url_constants.h" #include "content/browser/browser_url_handler.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/renderer_host/render_view_host.h" #include "content/browser/resource_context.h" #include "content/browser/ssl/ssl_cert_error_handler.h" #include "content/browser/ssl/ssl_client_auth_handler.h" #include "content/public/browser/browser_main_parts.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/render_process_host.h" #include "content/public/browser/site_instance.h" #include "content/public/browser/web_contents.h" @@ -130,6 +130,7 @@ using content::AccessTokenStore; using content::BrowserThread; +using content::ChildProcessSecurityPolicy; using content::SiteInstance; using content::WebContents; diff --git a/chrome/browser/chromeos/login/registration_screen.cc b/chrome/browser/chromeos/login/registration_screen.cc index 9f0d599..f0cb19c 100644 --- a/chrome/browser/chromeos/login/registration_screen.cc +++ b/chrome/browser/chromeos/login/registration_screen.cc @@ -11,14 +11,15 @@ #include "chrome/browser/chromeos/input_method/input_method_util.h" #include "chrome/browser/profiles/profile_manager.h" #include "chrome/common/url_constants.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/renderer_host/render_view_host.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/site_instance.h" #include "content/public/browser/web_contents.h" #include "googleurl/src/gurl.h" #include "net/url_request/url_request_about_job.h" #include "net/url_request/url_request_filter.h" +using content::ChildProcessSecurityPolicy; using content::OpenURLParams; using content::SiteInstance; using content::WebContents; 
diff --git a/chrome/browser/custom_handlers/protocol_handler_registry.cc b/chrome/browser/custom_handlers/protocol_handler_registry.cc index bcf9e24..500da2b 100644 --- a/chrome/browser/custom_handlers/protocol_handler_registry.cc +++ b/chrome/browser/custom_handlers/protocol_handler_registry.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -18,13 +18,14 @@ #include "chrome/common/chrome_switches.h" #include "chrome/common/custom_handlers/protocol_handler.h" #include "chrome/common/pref_names.h" -#include "content/browser/child_process_security_policy.h" #include "content/public/browser/browser_thread.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/notification_service.h" #include "net/base/network_delegate.h" #include "net/url_request/url_request_redirect_job.h" using content::BrowserThread; +using content::ChildProcessSecurityPolicy; // ProtocolHandlerRegistry ----------------------------------------------------- diff --git a/chrome/browser/extensions/extension_file_browser_private_api.cc b/chrome/browser/extensions/extension_file_browser_private_api.cc index 86eefb8..ff5c414 100644 --- a/chrome/browser/extensions/extension_file_browser_private_api.cc +++ b/chrome/browser/extensions/extension_file_browser_private_api.cc 
@@ -32,9 +32,9 @@ #include "chrome/common/extensions/extension.h" #include "chrome/common/extensions/file_browser_handler.h" #include "chrome/common/pref_names.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/renderer_host/render_view_host.h" #include "content/public/browser/browser_thread.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/render_process_host.h" #include "content/public/browser/site_instance.h" #include "content/public/browser/web_contents.h" @@ -55,6 +55,7 @@ using chromeos::disks::DiskMountManager; using content::BrowserThread; +using content::ChildProcessSecurityPolicy; using content::SiteInstance; using content::WebContents; diff --git a/chrome/browser/extensions/extension_page_capture_api.cc b/chrome/browser/extensions/extension_page_capture_api.cc index b198242..52cbc59 100644 --- a/chrome/browser/extensions/extension_page_capture_api.cc +++ b/chrome/browser/extensions/extension_page_capture_api.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -10,9 +10,9 @@ #include "chrome/browser/extensions/extension_tab_util.h" #include "chrome/browser/ui/tab_contents/tab_contents_wrapper.h" #include "chrome/common/extensions/extension_messages.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/renderer_host/render_view_host.h" #include "content/browser/download/mhtml_generation_manager.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/notification_details.h" #include "content/public/browser/notification_source.h" #include "content/public/browser/notification_types.h" 
@@ -20,6 +20,7 @@ #include "content/public/browser/web_contents.h" using content::BrowserThread; +using content::ChildProcessSecurityPolicy; using content::WebContents; // Error messages. diff --git a/chrome/browser/renderer_host/chrome_render_view_host_observer.cc b/chrome/browser/renderer_host/chrome_render_view_host_observer.cc index 4618346..a094e1a 100644 --- a/chrome/browser/renderer_host/chrome_render_view_host_observer.cc +++ b/chrome/browser/renderer_host/chrome_render_view_host_observer.cc @@ -13,12 +13,13 @@ #include "chrome/common/extensions/extension_messages.h" #include "chrome/common/render_messages.h" #include "chrome/common/url_constants.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/renderer_host/render_view_host.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/notification_service.h" #include "content/public/browser/render_view_host_delegate.h" #include "content/public/browser/site_instance.h" +using content::ChildProcessSecurityPolicy; using content::SiteInstance; ChromeRenderViewHostObserver::ChromeRenderViewHostObserver( diff --git a/chrome/browser/tab_contents/render_view_context_menu.cc b/chrome/browser/tab_contents/render_view_context_menu.cc index af82831..44c4477 100644 --- a/chrome/browser/tab_contents/render_view_context_menu.cc +++ b/chrome/browser/tab_contents/render_view_context_menu.cc 
@@ -60,12 +60,12 @@ #include "chrome/common/print_messages.h" #include "chrome/common/spellcheck_messages.h" #include "chrome/common/url_constants.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/download/download_types.h" #include "content/browser/renderer_host/render_view_host.h" #include "content/browser/renderer_host/render_widget_host_view.h" #include "content/browser/speech/speech_input_preferences.h" #include "content/browser/ssl/ssl_manager.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/download_manager.h" #include "content/public/browser/navigation_details.h" #include "content/public/browser/navigation_entry.h" @@ -89,6 +89,7 @@ #include "chrome/browser/extensions/file_manager_util.h" #endif +using content::ChildProcessSecurityPolicy; using content::DownloadManager; using content::NavigationEntry; using content::OpenURLParams; diff --git a/chrome/browser/ui/browser.cc b/chrome/browser/ui/browser.cc index fc60751..4ba4c0e 100644 --- a/chrome/browser/ui/browser.cc +++ b/chrome/browser/ui/browser.cc @@ -145,7 +145,6 @@ #include "chrome/common/url_constants.h" #include "chrome/common/web_apps.h" #include "content/browser/browser_url_handler.h" -#include "content/browser/child_process_security_policy.h" #include "content/browser/renderer_host/render_view_host.h" #include "content/public/browser/devtools_manager.h" #include "content/public/browser/download_item.h" @@ -2634,11 +2633,6 @@ void Browser::RunFileChooserHelper( // static void Browser::EnumerateDirectoryHelper(WebContents* tab, int request_id, const FilePath& path) { - ChildProcessSecurityPolicy* policy = - ChildProcessSecurityPolicy::GetInstance(); - if (!policy->CanReadDirectory(tab->GetRenderProcessHost()->GetID(), path)) - return; - Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); // FileSelectHelper adds a reference to itself and only releases it after 
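Review bot: The `CanReadDirectory` check on the renderer-supplied `path` is removed from `Browser::EnumerateDirectoryHelper`, and the content-side check that is meant to replace it (the commit message says it moved into TabContents) is not in this chunk, so nothing visible here still gates the enumeration on the child process having been granted that directory. Until that counterpart is confirmed, the remaining code hands `path` to `FileSelectHelper` without consulting the process id at all. I would leave a comment at the removed site so the next reader neither re-adds the check nor assumes it was dropped, e.g. `// Directory-read permission is enforced in content (TabContents) before this delegate is invoked; do not re-check here.` The body of EnumerateDirectoryHelper continues past the end of the hunk.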
@@ -2676,11 +2670,6 @@ void Browser::RegisterProtocolHandlerHelper(WebContents* tab, if (!tcw || tcw->profile()->IsOffTheRecord()) return; - ChildProcessSecurityPolicy* policy = - ChildProcessSecurityPolicy::GetInstance(); - if (policy->IsPseudoScheme(protocol) || policy->IsDisabledScheme(protocol)) - return; - ProtocolHandler handler = ProtocolHandler::CreateProtocolHandler(protocol, url, title); diff --git a/chrome/browser/ui/browser_init.cc b/chrome/browser/ui/browser_init.cc index 0f163e4..4a14ddd 100644 --- a/chrome/browser/ui/browser_init.cc +++ b/chrome/browser/ui/browser_init.cc @@ -81,8 +81,8 @@ #include "chrome/common/pref_names.h" #include "chrome/common/url_constants.h" #include "chrome/installer/util/browser_distribution.h" -#include "content/browser/child_process_security_policy.h" #include "content/public/browser/browser_thread.h" +#include "content/public/browser/child_process_security_policy.h" #include "content/public/browser/navigation_details.h" #include "content/public/browser/web_contents.h" #include "content/public/browser/web_contents_view.h" @@ -128,6 +128,7 @@ #endif using content::BrowserThread; +using content::ChildProcessSecurityPolicy; using content::OpenURLParams; using content::Referrer; using content::WebContents; diff --git a/content/browser/child_process_security_policy_browsertest.cc b/content/browser/child_process_security_policy_browsertest.cc index 225535f..33ea189 100644 --- a/content/browser/child_process_security_policy_browsertest.cc +++ b/content/browser/child_process_security_policy_browsertest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. 
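Review bot: The pseudo-scheme / disabled-scheme filter on the renderer-supplied `protocol` is dropped from `Browser::RegisterProtocolHandlerHelper`, and nothing left in this hunk rejects a registration for a pseudo scheme or a policy-disabled scheme before `ProtocolHandler::CreateProtocolHandler(protocol, url, title)` runs; the surviving `IsOffTheRecord()` guard only covers incognito, not scheme validity. The `child_process_security_policy_impl.h` hunks later in this commit show `IsPseudoScheme` and `IsDisabledScheme` staying on the Impl class rather than the public interface, which is presumably why the check could not stay in chrome/browser; the TabContents-side replacement the commit message describes is not in this chunk, so I'd confirm it exists and runs before the delegate is called. Suggested comment at the removed site: `// Pseudo/disabled scheme filtering now happens in content before this delegate is invoked.` RegisterProtocolHandlerHelper starts before the hunk and its body continues past it.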
@@ -10,7 +10,7 @@ #include "chrome/browser/ui/browser.h" #include "chrome/test/base/in_process_browser_test.h" #include "chrome/test/base/ui_test_utils.h" -#include "content/browser/child_process_security_policy.h" +#include "content/browser/child_process_security_policy_impl.h" #include "content/browser/tab_contents/tab_contents.h" #include "content/public/browser/render_process_host.h" #include "content/public/common/result_codes.h" @@ -23,13 +23,15 @@ class ChildProcessSecurityPolicyInProcessBrowserTest public: virtual void SetUp() { EXPECT_EQ( - ChildProcessSecurityPolicy::GetInstance()->security_state_.size(), 0U); + ChildProcessSecurityPolicyImpl::GetInstance()->security_state_.size(), + 0U); InProcessBrowserTest::SetUp(); } virtual void TearDown() { EXPECT_EQ( - ChildProcessSecurityPolicy::GetInstance()->security_state_.size(), 0U); + ChildProcessSecurityPolicyImpl::GetInstance()->security_state_.size(), + 0U); InProcessBrowserTest::TearDown(); } }; @@ -41,7 +43,8 @@ IN_PROC_BROWSER_TEST_F(ChildProcessSecurityPolicyInProcessBrowserTest, NoLeak) { ui_test_utils::NavigateToURL(browser(), url); EXPECT_EQ( - ChildProcessSecurityPolicy::GetInstance()->security_state_.size(), 1U); + ChildProcessSecurityPolicyImpl::GetInstance()->security_state_.size(), + 1U); WebContents* tab = browser()->GetWebContentsAt(0); ASSERT_TRUE(tab != NULL); @@ -50,5 +53,6 @@ IN_PROC_BROWSER_TEST_F(ChildProcessSecurityPolicyInProcessBrowserTest, NoLeak) { tab->GetController().Reload(true); EXPECT_EQ( - ChildProcessSecurityPolicy::GetInstance()->security_state_.size(), 1U); + ChildProcessSecurityPolicyImpl::GetInstance()->security_state_.size(), + 1U); } diff --git a/content/browser/child_process_security_policy.cc b/content/browser/child_process_security_policy_impl.cc index 0a7779e..3fd4186 100644 --- a/content/browser/child_process_security_policy.cc +++ b/content/browser/child_process_security_policy_impl.cc 
@@ -2,7 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. -#include "content/browser/child_process_security_policy.h" +#include "content/browser/child_process_security_policy_impl.h" #include "base/file_path.h" #include "base/logging.h" @@ -18,6 +18,7 @@ #include "net/url_request/url_request.h" #include "webkit/fileapi/isolated_context.h" +using content::ChildProcessSecurityPolicy; using content::SiteInstance; static const int kReadFilePermissions = @@ -32,7 +33,7 @@ static const int kEnumerateDirectoryPermissions = // The SecurityState class is used to maintain per-child process security state // information. -class ChildProcessSecurityPolicy::SecurityState { +class ChildProcessSecurityPolicyImpl::SecurityState { public: SecurityState() : enabled_bindings_(0), @@ -162,7 +163,7 @@ class ChildProcessSecurityPolicy::SecurityState { DISALLOW_COPY_AND_ASSIGN(SecurityState); }; -ChildProcessSecurityPolicy::ChildProcessSecurityPolicy() { +ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { // We know about these schemes and believe them to be safe. RegisterWebSafeScheme(chrome::kHttpScheme); RegisterWebSafeScheme(chrome::kHttpsScheme); @@ -178,7 +179,7 @@ ChildProcessSecurityPolicy::ChildProcessSecurityPolicy() { RegisterPseudoScheme(chrome::kViewSourceScheme); } -ChildProcessSecurityPolicy::~ChildProcessSecurityPolicy() { +ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { web_safe_schemes_.clear(); pseudo_schemes_.clear(); STLDeleteContainerPairSecondPointers(security_state_.begin(), 
@@ -188,22 +189,26 @@ ChildProcessSecurityPolicy::~ChildProcessSecurityPolicy() { // static ChildProcessSecurityPolicy* ChildProcessSecurityPolicy::GetInstance() { - return Singleton<ChildProcessSecurityPolicy>::get(); + return ChildProcessSecurityPolicyImpl::GetInstance(); } -void ChildProcessSecurityPolicy::Add(int child_id) { +ChildProcessSecurityPolicyImpl* ChildProcessSecurityPolicyImpl::GetInstance() { + return Singleton<ChildProcessSecurityPolicyImpl>::get(); +} + +void ChildProcessSecurityPolicyImpl::Add(int child_id) { base::AutoLock lock(lock_); AddChild(child_id); } -void ChildProcessSecurityPolicy::AddWorker(int child_id, - int main_render_process_id) { +void ChildProcessSecurityPolicyImpl::AddWorker(int child_id, + int main_render_process_id) { base::AutoLock lock(lock_); AddChild(child_id); worker_map_[child_id] = main_render_process_id; } -void ChildProcessSecurityPolicy::Remove(int child_id) { +void ChildProcessSecurityPolicyImpl::Remove(int child_id) { base::AutoLock lock(lock_); if (!security_state_.count(child_id)) return; // May be called multiple times. @@ -213,7 +218,7 @@ void ChildProcessSecurityPolicy::Remove(int child_id) { worker_map_.erase(child_id); } -void ChildProcessSecurityPolicy::RegisterWebSafeScheme( +void ChildProcessSecurityPolicyImpl::RegisterWebSafeScheme( const std::string& scheme) { base::AutoLock lock(lock_); DCHECK(web_safe_schemes_.count(scheme) == 0) << "Add schemes at most once."; 
@@ -222,13 +227,14 @@ void ChildProcessSecurityPolicy::RegisterWebSafeScheme( web_safe_schemes_.insert(scheme); } -bool ChildProcessSecurityPolicy::IsWebSafeScheme(const std::string& scheme) { +bool ChildProcessSecurityPolicyImpl::IsWebSafeScheme( + const std::string& scheme) { base::AutoLock lock(lock_); return (web_safe_schemes_.find(scheme) != web_safe_schemes_.end()); } -void ChildProcessSecurityPolicy::RegisterPseudoScheme( +void ChildProcessSecurityPolicyImpl::RegisterPseudoScheme( const std::string& scheme) { base::AutoLock lock(lock_); DCHECK(pseudo_schemes_.count(scheme) == 0) << "Add schemes at most once."; @@ -238,24 +244,26 @@ void ChildProcessSecurityPolicy::RegisterPseudoScheme( pseudo_schemes_.insert(scheme); } -bool ChildProcessSecurityPolicy::IsPseudoScheme(const std::string& scheme) { +bool ChildProcessSecurityPolicyImpl::IsPseudoScheme( + const std::string& scheme) { base::AutoLock lock(lock_); return (pseudo_schemes_.find(scheme) != pseudo_schemes_.end()); } -void ChildProcessSecurityPolicy::RegisterDisabledSchemes( +void ChildProcessSecurityPolicyImpl::RegisterDisabledSchemes( const std::set<std::string>& schemes) { base::AutoLock lock(lock_); disabled_schemes_ = schemes; } -bool ChildProcessSecurityPolicy::IsDisabledScheme(const std::string& scheme) { +bool ChildProcessSecurityPolicyImpl::IsDisabledScheme( + const std::string& scheme) { base::AutoLock lock(lock_); return disabled_schemes_.find(scheme) != disabled_schemes_.end(); } -void ChildProcessSecurityPolicy::GrantRequestURL( +void ChildProcessSecurityPolicyImpl::GrantRequestURL( int child_id, const GURL& url) { if (!url.is_valid()) 
@@ -290,17 +298,17 @@ void ChildProcessSecurityPolicy::GrantRequestURL( } } -void ChildProcessSecurityPolicy::GrantReadFile(int child_id, - const FilePath& file) { +void ChildProcessSecurityPolicyImpl::GrantReadFile(int child_id, + const FilePath& file) { GrantPermissionsForFile(child_id, file, kReadFilePermissions); } -void ChildProcessSecurityPolicy::GrantReadDirectory(int child_id, - const FilePath& directory) { +void ChildProcessSecurityPolicyImpl::GrantReadDirectory( + int child_id, const FilePath& directory) { GrantPermissionsForFile(child_id, directory, kEnumerateDirectoryPermissions); } -void ChildProcessSecurityPolicy::GrantPermissionsForFile( +void ChildProcessSecurityPolicyImpl::GrantPermissionsForFile( int child_id, const FilePath& file, int permissions) { base::AutoLock lock(lock_); @@ -311,7 +319,7 @@ void ChildProcessSecurityPolicy::GrantPermissionsForFile( state->second->GrantPermissionsForFile(file, permissions); } -void ChildProcessSecurityPolicy::RevokeAllPermissionsForFile( +void ChildProcessSecurityPolicyImpl::RevokeAllPermissionsForFile( int child_id, const FilePath& file) { base::AutoLock lock(lock_); @@ -322,7 +330,7 @@ void ChildProcessSecurityPolicy::RevokeAllPermissionsForFile( state->second->RevokeAllPermissionsForFile(file); } -void ChildProcessSecurityPolicy::GrantAccessFileSystem( +void ChildProcessSecurityPolicyImpl::GrantAccessFileSystem( int child_id, const std::string& filesystem_id) { base::AutoLock lock(lock_); @@ -333,8 +341,8 @@ void ChildProcessSecurityPolicy::GrantAccessFileSystem( state->second->GrantAccessFileSystem(filesystem_id); } -void ChildProcessSecurityPolicy::GrantScheme(int child_id, - const std::string& scheme) { +void ChildProcessSecurityPolicyImpl::GrantScheme(int child_id, + const std::string& scheme) { base::AutoLock lock(lock_); SecurityStateMap::iterator state = security_state_.find(child_id); 
@@ -344,7 +352,7 @@ void ChildProcessSecurityPolicy::GrantScheme(int child_id, state->second->GrantScheme(scheme); } -void ChildProcessSecurityPolicy::GrantWebUIBindings(int child_id) { +void ChildProcessSecurityPolicyImpl::GrantWebUIBindings(int child_id) { base::AutoLock lock(lock_); SecurityStateMap::iterator state = security_state_.find(child_id); @@ -360,7 +368,7 @@ void ChildProcessSecurityPolicy::GrantWebUIBindings(int child_id) { state->second->GrantScheme(chrome::kFileScheme); } -void ChildProcessSecurityPolicy::GrantReadRawCookies(int child_id) { +void ChildProcessSecurityPolicyImpl::GrantReadRawCookies(int child_id) { base::AutoLock lock(lock_); SecurityStateMap::iterator state = security_state_.find(child_id); @@ -370,7 +378,7 @@ void ChildProcessSecurityPolicy::GrantReadRawCookies(int child_id) { state->second->GrantReadRawCookies(); } -void ChildProcessSecurityPolicy::RevokeReadRawCookies(int child_id) { +void ChildProcessSecurityPolicyImpl::RevokeReadRawCookies(int child_id) { base::AutoLock lock(lock_); SecurityStateMap::iterator state = security_state_.find(child_id); @@ -380,7 +388,7 @@ void ChildProcessSecurityPolicy::RevokeReadRawCookies(int child_id) { state->second->RevokeReadRawCookies(); } -bool ChildProcessSecurityPolicy::CanRequestURL( +bool ChildProcessSecurityPolicyImpl::CanRequestURL( int child_id, const GURL& url) { if (!url.is_valid()) return false; // Can't request invalid URLs. 
@@ -432,19 +440,19 @@ bool ChildProcessSecurityPolicy::CanRequestURL( } } -bool ChildProcessSecurityPolicy::CanReadFile(int child_id, +bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, const FilePath& file) { return HasPermissionsForFile(child_id, file, kReadFilePermissions); } -bool ChildProcessSecurityPolicy::CanReadDirectory(int child_id, - const FilePath& directory) { +bool ChildProcessSecurityPolicyImpl::CanReadDirectory( + int child_id, const FilePath& directory) { return HasPermissionsForFile(child_id, directory, kEnumerateDirectoryPermissions); } -bool ChildProcessSecurityPolicy::HasPermissionsForFile( +bool ChildProcessSecurityPolicyImpl::HasPermissionsForFile( int child_id, const FilePath& file, int permissions) { base::AutoLock lock(lock_); bool result = ChildProcessHasPermissionsForFile(child_id, file, permissions); @@ -461,7 +469,7 @@ bool ChildProcessSecurityPolicy::HasPermissionsForFile( return result; } -bool ChildProcessSecurityPolicy::HasWebUIBindings(int child_id) { +bool ChildProcessSecurityPolicyImpl::HasWebUIBindings(int child_id) { base::AutoLock lock(lock_); SecurityStateMap::iterator state = security_state_.find(child_id); @@ -471,7 +479,7 @@ bool ChildProcessSecurityPolicy::HasWebUIBindings(int child_id) { return state->second->has_web_ui_bindings(); } -bool ChildProcessSecurityPolicy::CanReadRawCookies(int child_id) { +bool ChildProcessSecurityPolicyImpl::CanReadRawCookies(int child_id) { base::AutoLock lock(lock_); SecurityStateMap::iterator state = security_state_.find(child_id); @@ -481,7 +489,7 @@ bool ChildProcessSecurityPolicy::CanReadRawCookies(int child_id) { return state->second->can_read_raw_cookies(); } -void ChildProcessSecurityPolicy::AddChild(int child_id) { +void ChildProcessSecurityPolicyImpl::AddChild(int child_id) { if (security_state_.count(child_id) != 0) { NOTREACHED() << "Add child process at most once."; return; 
@@ -490,7 +498,7 @@ void ChildProcessSecurityPolicy::AddChild(int child_id) { security_state_[child_id] = new SecurityState(); } -bool ChildProcessSecurityPolicy::ChildProcessHasPermissionsForFile( +bool ChildProcessSecurityPolicyImpl::ChildProcessHasPermissionsForFile( int child_id, const FilePath& file, int permissions) { SecurityStateMap::iterator state = security_state_.find(child_id); if (state == security_state_.end()) @@ -498,8 +506,8 @@ bool ChildProcessSecurityPolicy::ChildProcessHasPermissionsForFile( return state->second->HasPermissionsForFile(file, permissions); } -bool ChildProcessSecurityPolicy::CanUseCookiesForOrigin(int child_id, - const GURL& gurl) { +bool ChildProcessSecurityPolicyImpl::CanUseCookiesForOrigin(int child_id, + const GURL& gurl) { base::AutoLock lock(lock_); SecurityStateMap::iterator state = security_state_.find(child_id); if (state == security_state_.end()) @@ -507,7 +515,8 @@ bool ChildProcessSecurityPolicy::CanUseCookiesForOrigin(int child_id, return state->second->CanUseCookiesForOrigin(gurl); } -void ChildProcessSecurityPolicy::LockToOrigin(int child_id, const GURL& gurl) { +void ChildProcessSecurityPolicyImpl::LockToOrigin(int child_id, + const GURL& gurl) { // "gurl" can be currently empty in some cases, such as file://blah. DCHECK(SiteInstanceImpl::GetSiteForURL(NULL, gurl) == gurl); base::AutoLock lock(lock_); diff --git a/content/browser/child_process_security_policy.h b/content/browser/child_process_security_policy_impl.h index aa192f8..ee258bb 100644 --- a/content/browser/child_process_security_policy.h +++ b/content/browser/child_process_security_policy_impl.h 
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-#ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
-#define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
+#ifndef CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
+#define CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
 #pragma once
@@ -11,40 +11,34 @@ #include <set> #include <string> -#include "base/basictypes.h" +#include "base/compiler_specific.h" #include "base/gtest_prod_util.h" #include "base/memory/singleton.h" #include "base/synchronization/lock.h" -#include "content/common/content_export.h" +#include "content/public/browser/child_process_security_policy.h" class FilePath; class GURL; -// The ChildProcessSecurityPolicy class is used to grant and revoke security -// capabilities for child processes. For example, it restricts whether a child -// process is permitted to load file:// URLs based on whether the process -// has ever been commanded to load file:// URLs by the browser. -// -// ChildProcessSecurityPolicy is a singleton that may be used on any thread. -// -class CONTENT_EXPORT ChildProcessSecurityPolicy { +class CONTENT_EXPORT ChildProcessSecurityPolicyImpl + : NON_EXPORTED_BASE(public content::ChildProcessSecurityPolicy) { public: // Object can only be created through GetInstance() so the constructor is // private. - ~ChildProcessSecurityPolicy(); + virtual ~ChildProcessSecurityPolicyImpl(); - // There is one global ChildProcessSecurityPolicy object for the entire - // browser process. The object returned by this method may be accessed on - // any thread. - static ChildProcessSecurityPolicy* GetInstance(); + static ChildProcessSecurityPolicyImpl* GetInstance(); - // Web-safe schemes can be requested by any child process. Once a web-safe - // scheme has been registered, any child process can request URLs with - // that scheme. There is no mechanism for revoking web-safe schemes. - void RegisterWebSafeScheme(const std::string& scheme); - - // Returns true iff |scheme| has been registered as a web-safe scheme. - bool IsWebSafeScheme(const std::string& scheme); + // ChildProcessSecurityPolicy implementation. 
+ virtual void RegisterWebSafeScheme(const std::string& scheme) OVERRIDE; + virtual bool IsWebSafeScheme(const std::string& scheme) OVERRIDE; + virtual void RegisterDisabledSchemes(const std::set<std::string>& schemes) + OVERRIDE; + virtual void GrantPermissionsForFile(int child_id, + const FilePath& file, + int permissions) OVERRIDE; + virtual void GrantReadFile(int child_id, const FilePath& file) OVERRIDE; + virtual void GrantScheme(int child_id, const std::string& scheme) OVERRIDE; // Pseudo schemes are treated differently than other schemes because they // cannot be requested like normal URLs. There is no mechanism for revoking @@ -54,12 +48,6 @@ class CONTENT_EXPORT ChildProcessSecurityPolicy { // Returns true iff |scheme| has been registered as pseudo scheme. bool IsPseudoScheme(const std::string& scheme); - // Sets the list of disabled schemes. - // URLs using these schemes won't be loaded at all. The previous list of - // schemes is overwritten. An empty |schemes| disables this feature. - // Schemes listed as disabled take precedence over Web-safe schemes. - void RegisterDisabledSchemes(const std::set<std::string>& schemes); - // Returns true iff |scheme| is listed as a disabled scheme. bool IsDisabledScheme(const std::string& scheme); 
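Review bot: The class-level comment removed at the top of this hunk was the only statement of two contracts callers rely on: that file:// access is capability-based (granted only once the browser has commanded the process to load file URLs) and that the singleton may be used from any thread. Neither sentence reappears in this hunk, and the public header that now carries the interface is not in this chunk, so unless it is verified to live there I'd restore a short class comment on `ChildProcessSecurityPolicyImpl`, e.g. `// Implementation of content::ChildProcessSecurityPolicy. One instance per browser process; may be used from any thread (per-child state is guarded by lock_).` — the `base::AutoLock lock(lock_)` lines in the .cc hunks are what support the thread-safety claim. It is also worth a one-line comment that `ChildProcessSecurityPolicyImpl::GetInstance()` and the interface's `GetInstance()` return the same object, since both now exist. The class declaration continues past this hunk.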
@@ -82,31 +70,16 @@ class CONTENT_EXPORT ChildProcessSecurityPolicy { // request the URL. void GrantRequestURL(int child_id, const GURL& url); - // Whenever the user picks a file from a <input type="file"> element, the - // browser should call this function to grant the child process the capability - // to upload the file to the web. - void GrantReadFile(int child_id, const FilePath& file); - // Grants the child process permission to enumerate all the files in // this directory and read those files. void GrantReadDirectory(int child_id, const FilePath& directory); - // Grants certain permissions to a file. |permissions| must be a bit-set of - // base::PlatformFileFlags. - void GrantPermissionsForFile(int child_id, - const FilePath& file, - int permissions); - // Revokes all permissions granted to the given file. void RevokeAllPermissionsForFile(int child_id, const FilePath& file); // Grants access permission to the given filesystem_id. void GrantAccessFileSystem(int child_id, const std::string& filesystem_id); - // Grants the child process the capability to access URLs of the provided - // scheme. - void GrantScheme(int child_id, const std::string& scheme); - // Grant the child process the ability to use Web UI Bindings. void GrantWebUIBindings(int child_id); @@ -166,9 +139,9 @@ class CONTENT_EXPORT ChildProcessSecurityPolicy { typedef std::map<int, SecurityState*> SecurityStateMap; typedef std::map<int, int> WorkerToMainProcessMap; - // Obtain an instance of ChildProcessSecurityPolicy via GetInstance(). - ChildProcessSecurityPolicy(); - friend struct DefaultSingletonTraits<ChildProcessSecurityPolicy>; + // Obtain an instance of ChildProcessSecurityPolicyImpl via GetInstance(). + ChildProcessSecurityPolicyImpl(); + friend struct DefaultSingletonTraits<ChildProcessSecurityPolicyImpl>; // Adds child process during registration. void AddChild(int child_id); 
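Review bot: Deleting the comment on `GrantPermissionsForFile` drops the only statement that `permissions` must be a bit-set of `base::PlatformFileFlags`, and likewise the `GrantReadFile` comment tying the grant to a file the user picked from `<input type="file">`; now that these methods are on the public content API, chrome/ callers can pass arbitrary flag bits with no documented contract. If the public header (not in this chunk) does not carry these sentences, put them back on the OVERRIDE declarations in the first hunk of this file, e.g. `// |permissions| is a bit-set of base::PlatformFileFlags; grant only what a user action justified.` The neighbouring `GrantReadDirectory`, `RevokeAllPermissionsForFile` and `GrantWebUIBindings` keep their comments, so the asymmetry reads as accidental. The class body continues beyond this hunk.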
@@ -207,7 +180,7 @@ class CONTENT_EXPORT ChildProcessSecurityPolicy {
 // corresponds to which main js thread child process.
 WorkerToMainProcessMap worker_map_;
- DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicy);
+ DISALLOW_COPY_AND_ASSIGN(ChildProcessSecurityPolicyImpl);
 };
-#endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
+#endif // CONTENT_BROWSER_CHILD_PROCESS_SECURITY_POLICY_IMPL_H_
diff --git a/content/browser/child_process_security_policy_unittest.cc b/content/browser/child_process_security_policy_unittest.cc
index 02ebfa2..39d50d3 100644
--- a/content/browser/child_process_security_policy_unittest.cc
+++ b/content/browser/child_process_security_policy_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -8,7 +8,7 @@
 #include "base/basictypes.h"
 #include "base/file_path.h"
 #include "base/platform_file.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/mock_content_browser_client.h"
 #include "content/common/test_url_constants.h"
 #include "content/public/common/url_constants.h"
@@ -73,7 +73,8 @@ class ChildProcessSecurityPolicyTest : public testing::Test {
 };
 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpScheme));
 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpsScheme));
@@ -91,7 +92,8 @@ TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 EXPECT_TRUE(p->IsPseudoScheme(chrome::kAboutScheme));
 EXPECT_TRUE(p->IsPseudoScheme(chrome::kJavaScriptScheme));
@@ -105,7 +107,8 @@ TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, IsDisabledSchemeTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 EXPECT_FALSE(p->IsDisabledScheme("evil-scheme"));
 std::set<std::string> disabled_set;
@@ -121,7 +124,8 @@ TEST_F(ChildProcessSecurityPolicyTest, IsDisabledSchemeTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -145,7 +149,8 @@ TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -181,7 +186,8 @@ TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -193,7 +199,8 @@ TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -213,7 +220,8 @@ TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -240,7 +248,8 @@ TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -263,7 +272,8 @@ TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, CanReadFiles) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -287,7 +297,8 @@ TEST_F(ChildProcessSecurityPolicyTest, CanReadFiles) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, CanReadDirectories) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 p->Add(kRendererID);
@@ -319,7 +330,8 @@ TEST_F(ChildProcessSecurityPolicyTest, CanReadDirectories) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, FilePermissions) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 // Grant permissions for a file.
 p->Add(kRendererID);
@@ -418,7 +430,8 @@ TEST_F(ChildProcessSecurityPolicyTest, FilePermissions) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 GURL url("chrome://thumb/http://www.google.com/");
@@ -434,7 +447,8 @@ TEST_F(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) {
 }
 TEST_F(ChildProcessSecurityPolicyTest, RemoveRace) {
- ChildProcessSecurityPolicy* p = ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* p =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 GURL url("file:///etc/passwd");
 FilePath file(FILE_PATH_LITERAL("/etc/passwd"));
diff --git a/content/browser/debugger/devtools_manager_impl.cc b/content/browser/debugger/devtools_manager_impl.cc
index e60c357..7849912 100644
--- a/content/browser/debugger/devtools_manager_impl.cc
+++ b/content/browser/debugger/devtools_manager_impl.cc
@@ -8,7 +8,7 @@
 #include "base/bind.h"
 #include "base/message_loop.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/debugger/devtools_netlog_observer.h"
 #include "content/browser/debugger/render_view_devtools_agent_host.h"
 #include "content/browser/renderer_host/render_view_host.h"
@@ -240,7 +240,8 @@ void DevToolsManagerImpl::BindClientHost(
 int process_id = agent_host->GetRenderProcessId();
 if (process_id != -1)
- ChildProcessSecurityPolicy::GetInstance()->GrantReadRawCookies(process_id);
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantReadRawCookies(
+ process_id);
 }
 void DevToolsManagerImpl::UnbindClientHost(DevToolsAgentHost* agent_host,
@@ -274,7 +275,8 @@ void DevToolsManagerImpl::UnbindClientHost(DevToolsAgentHost* agent_host,
 return;
 }
 // We've disconnected from the last renderer -> revoke cookie permissions.
- ChildProcessSecurityPolicy::GetInstance()->RevokeReadRawCookies(process_id);
+ ChildProcessSecurityPolicyImpl::GetInstance()->RevokeReadRawCookies(
+ process_id);
 }
 void DevToolsManagerImpl::CloseAllClientHosts() {
diff --git a/content/browser/renderer_host/blob_message_filter.cc b/content/browser/renderer_host/blob_message_filter.cc
index c5e74c4..e227c50 100644
--- a/content/browser/renderer_host/blob_message_filter.cc
+++ b/content/browser/renderer_host/blob_message_filter.cc
@@ -1,10 +1,10 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "content/browser/renderer_host/blob_message_filter.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/chrome_blob_storage_context.h"
 #include "content/common/webblob_messages.h"
 #include "googleurl/src/gurl.h"
@@ -64,7 +64,7 @@ void BlobMessageFilter::OnAppendBlobDataItem(
 const GURL& url, const BlobData::Item& item) {
 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
 if (item.type == BlobData::TYPE_FILE &&
- !ChildProcessSecurityPolicy::GetInstance()->CanReadFile(
+ !ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
 process_id_, item.file_path)) {
 OnRemoveBlob(url);
 return;
diff --git a/content/browser/renderer_host/file_utilities_message_filter.cc b/content/browser/renderer_host/file_utilities_message_filter.cc
index 4cc2167..e72916c 100644
--- a/content/browser/renderer_host/file_utilities_message_filter.cc
+++ b/content/browser/renderer_host/file_utilities_message_filter.cc
@@ -1,11 +1,11 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "content/browser/renderer_host/file_utilities_message_filter.h"
 #include "base/file_util.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/common/file_utilities_messages.h"
 using content::BrowserThread;
@@ -43,7 +43,7 @@ void FileUtilitiesMessageFilter::OnGetFileSize(const FilePath& path,
 // Get file size only when the child process has been granted permission to
 // upload the file.
- if (!ChildProcessSecurityPolicy::GetInstance()->CanReadFile(
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
 process_id_, path)) {
 return;
 }
@@ -60,7 +60,7 @@ void FileUtilitiesMessageFilter::OnGetFileModificationTime(
 // Get file modification time only when the child process has been granted
 // permission to upload the file.
- if (!ChildProcessSecurityPolicy::GetInstance()->CanReadFile(
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
 process_id_, path)) {
 return;
 }
@@ -78,7 +78,7 @@ void FileUtilitiesMessageFilter::OnOpenFile(
 // Open the file only when the child process has been granted permission to
 // upload the file.
 // TODO(jianli): Do we need separate permission to control opening the file?
- if (!ChildProcessSecurityPolicy::GetInstance()->CanReadFile(
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
 process_id_, path)) {
 #if defined(OS_WIN)
 *result = base::kInvalidPlatformFileValue;
diff --git a/content/browser/renderer_host/mock_render_process_host.cc b/content/browser/renderer_host/mock_render_process_host.cc
index 60cd0b7..c376f09 100644
--- a/content/browser/renderer_host/mock_render_process_host.cc
+++ b/content/browser/renderer_host/mock_render_process_host.cc
@@ -7,7 +7,7 @@
 #include "base/lazy_instance.h"
 #include "base/message_loop.h"
 #include "base/time.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/common/child_process_host_impl.h"
 #include "content/public/browser/notification_service.h"
@@ -25,13 +25,13 @@ MockRenderProcessHost::MockRenderProcessHost(
 fast_shutdown_started_(false) {
 // Child process security operations can't be unit tested unless we add
 // ourselves as an existing child process.
- ChildProcessSecurityPolicy::GetInstance()->Add(GetID());
+ ChildProcessSecurityPolicyImpl::GetInstance()->Add(GetID());
 RenderProcessHostImpl::RegisterHost(GetID(), this);
 }
 MockRenderProcessHost::~MockRenderProcessHost() {
- ChildProcessSecurityPolicy::GetInstance()->Remove(GetID());
+ ChildProcessSecurityPolicyImpl::GetInstance()->Remove(GetID());
 delete transport_dib_;
 if (factory_)
 factory_->Remove(this);
diff --git a/content/browser/renderer_host/pepper_file_message_filter.cc b/content/browser/renderer_host/pepper_file_message_filter.cc
index fc01a16..d6abca9 100644
--- a/content/browser/renderer_host/pepper_file_message_filter.cc
+++ b/content/browser/renderer_host/pepper_file_message_filter.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -9,7 +9,7 @@
 #include "base/file_util.h"
 #include "base/platform_file.h"
 #include "base/process_util.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/common/pepper_file_messages.h"
 #include "content/public/browser/browser_context.h"
@@ -224,7 +224,7 @@ FilePath PepperFileMessageFilter::ValidateAndConvertPepperFilePath(
 switch(pepper_path.domain()) {
 case webkit::ppapi::PepperFilePath::DOMAIN_ABSOLUTE:
 if (pepper_path.path().IsAbsolute() &&
- ChildProcessSecurityPolicy::GetInstance()->HasPermissionsForFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->HasPermissionsForFile(
 child_id(), pepper_path.path(), flags))
 file_path = pepper_path.path();
 break;
diff --git a/content/browser/renderer_host/render_message_filter.cc b/content/browser/renderer_host/render_message_filter.cc
index 6f1aa93..0e71899 100644
--- a/content/browser/renderer_host/render_message_filter.cc
+++ b/content/browser/renderer_host/render_message_filter.cc
@@ -16,7 +16,7 @@
 #include "base/threading/thread.h"
 #include "base/threading/worker_pool.h"
 #include "base/utf_string_conversions.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/download/download_stats.h"
 #include "content/browser/download/download_types.h"
 #include "content/browser/plugin_process_host.h"
@@ -433,8 +433,8 @@ void RenderMessageFilter::OnSetCookie(const IPC::Message& message,
 const GURL& url,
 const GURL& first_party_for_cookies,
 const std::string& cookie) {
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 if (!policy->CanUseCookiesForOrigin(render_process_id_, url))
 return;
@@ -453,8 +453,8 @@ void RenderMessageFilter::OnSetCookie(const IPC::Message& message,
 void RenderMessageFilter::OnGetCookies(const GURL& url,
 const GURL& first_party_for_cookies,
 IPC::Message* reply_msg) {
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 if (!policy->CanUseCookiesForOrigin(render_process_id_, url)) {
 SendGetCookiesResponse(reply_msg, std::string());
 return;
@@ -478,8 +478,8 @@ void RenderMessageFilter::OnGetRawCookies(
 const GURL& url,
 const GURL& first_party_for_cookies,
 IPC::Message* reply_msg) {
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 // Only return raw cookies to trusted renderers or if this request is
 // not targeted to an an external host like ChromeFrame.
 // TODO(ananta) We need to support retreiving raw cookies from external
@@ -503,8 +503,8 @@ void RenderMessageFilter::OnGetRawCookies(
 void RenderMessageFilter::OnDeleteCookie(const GURL& url,
 const std::string& cookie_name) {
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 if (!policy->CanUseCookiesForOrigin(render_process_id_, url))
 return;
@@ -826,7 +826,7 @@ void RenderMessageFilter::OnAsyncOpenFile(const IPC::Message& msg,
 int message_id) {
 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
- if (!ChildProcessSecurityPolicy::GetInstance()->HasPermissionsForFile(
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->HasPermissionsForFile(
 render_process_id_, path, flags)) {
 DLOG(ERROR) << "Bad flags in ViewMsgHost_AsyncOpenFile message: " << flags;
 content::RecordAction(UserMetricsAction("BadMessageTerminate_AOF"));
diff --git a/content/browser/renderer_host/render_process_host_impl.cc b/content/browser/renderer_host/render_process_host_impl.cc
index 1f0baee..4796585 100644
--- a/content/browser/renderer_host/render_process_host_impl.cc
+++ b/content/browser/renderer_host/render_process_host_impl.cc
@@ -40,7 +40,7 @@
 #include "base/tracked_objects.h"
 #include "content/browser/appcache/appcache_dispatcher_host.h"
 #include "content/browser/browser_main.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/device_orientation/message_filter.h"
 #include "content/browser/download/mhtml_generation_manager.h"
 #include "content/browser/file_system/file_system_dispatcher_host.h"
@@ -277,14 +277,14 @@ RenderProcessHostImpl::RenderProcessHostImpl(
 ignore_input_events_(false) {
 widget_helper_ = new RenderWidgetHelper();
- ChildProcessSecurityPolicy::GetInstance()->Add(GetID());
+ ChildProcessSecurityPolicyImpl::GetInstance()->Add(GetID());
 // Grant most file permissions to this renderer.
 // PLATFORM_FILE_TEMPORARY, PLATFORM_FILE_HIDDEN and
 // PLATFORM_FILE_DELETE_ON_CLOSE are not granted, because no existing API
 // requests them.
 // This is for the filesystem sandbox.
- ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantPermissionsForFile(
 GetID(), browser_context->GetPath().Append(
 fileapi::SandboxMountPointProvider::kNewFileSystemDirectory),
 base::PLATFORM_FILE_OPEN |
@@ -301,14 +301,14 @@ RenderProcessHostImpl::RenderProcessHostImpl(
 base::PLATFORM_FILE_ENUMERATE);
 // This is so that we can read and move stuff out of the old filesystem
 // sandbox.
- ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantPermissionsForFile(
 GetID(), browser_context->GetPath().Append(
 fileapi::SandboxMountPointProvider::kOldFileSystemDirectory),
 base::PLATFORM_FILE_READ | base::PLATFORM_FILE_WRITE | base::PLATFORM_FILE_WRITE_ATTRIBUTES | base::PLATFORM_FILE_ENUMERATE);
 // This is so that we can rename the old sandbox out of the way so that we
 // know we've taken care of it.
- ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantPermissionsForFile(
 GetID(), browser_context->GetPath().Append(
 fileapi::SandboxMountPointProvider::kRenamedOldFileSystemDirectory),
 base::PLATFORM_FILE_CREATE | base::PLATFORM_FILE_CREATE_ALWAYS |
@@ -326,7 +326,7 @@ RenderProcessHostImpl::RenderProcessHostImpl(
 }
 RenderProcessHostImpl::~RenderProcessHostImpl() {
- ChildProcessSecurityPolicy::GetInstance()->Remove(GetID());
+ ChildProcessSecurityPolicyImpl::GetInstance()->Remove(GetID());
 // We may have some unsent messages at this point, but that's OK.
 channel_.reset();
@@ -1096,7 +1096,7 @@ bool RenderProcessHostImpl::IsSuitableHost(
 WebUIControllerFactory* factory =
 content::GetContentClient()->browser()->GetWebUIControllerFactory();
 if (factory &&
- ChildProcessSecurityPolicy::GetInstance()->HasWebUIBindings(
+ ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
 host->GetID()) !=
 factory->UseWebUIBindingsForURL(browser_context, site_url)) {
 return false;
@@ -1291,7 +1291,8 @@ void RenderProcessHostImpl::OnUserMetricsRecordAction(
 void RenderProcessHostImpl::OnRevealFolderInOS(const FilePath& path) {
 // Only honor the request if appropriate persmissions are granted.
- if (ChildProcessSecurityPolicy::GetInstance()->CanReadFile(GetID(), path))
+ if (ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(GetID(),
+ path))
 content::GetContentClient()->browser()->OpenItem(path);
 }
diff --git a/content/browser/renderer_host/render_view_host.cc b/content/browser/renderer_host/render_view_host.cc
index 9ae93a4..729fc68 100644
--- a/content/browser/renderer_host/render_view_host.cc
+++ b/content/browser/renderer_host/render_view_host.cc
@@ -18,7 +18,7 @@
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/cross_site_request_manager.h"
 #include "content/browser/gpu/gpu_surface_tracker.h"
 #include "content/browser/host_zoom_map_impl.h"
@@ -226,7 +226,7 @@ void RenderViewHost::SyncRendererPrefs() {
 }
 void RenderViewHost::Navigate(const ViewMsg_Navigate_Params& params) {
- ChildProcessSecurityPolicy::GetInstance()->GrantRequestURL(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(
 process()->GetID(), params.url);
 ViewMsg_Navigate* nav_message = new ViewMsg_Navigate(routing_id(), params);
@@ -428,8 +428,8 @@ void RenderViewHost::DragTargetDragEnter(
 const gfx::Point& screen_pt,
 WebDragOperationsMask operations_allowed) {
 const int renderer_id = process()->GetID();
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 // The URL could have been cobbled together from any highlighted text string,
 // and can't be interpreted as a capability.
@@ -606,7 +606,7 @@ void RenderViewHost::DragSourceSystemDragEnded() {
 void RenderViewHost::AllowBindings(int bindings_flags) {
 if (bindings_flags & content::BINDINGS_POLICY_WEB_UI) {
- ChildProcessSecurityPolicy::GetInstance()->GrantWebUIBindings(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantWebUIBindings(
 process()->GetID());
 }
@@ -649,7 +649,7 @@ void RenderViewHost::FilesSelectedInChooser(
 // Grant the security access requested to the given files.
 for (std::vector<FilePath>::const_iterator file = files.begin();
 file != files.end(); ++file) {
- ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantPermissionsForFile(
 process()->GetID(), *file, permissions);
 }
 Send(new ViewMsg_RunFileChooserResponse(routing_id(), files));
@@ -661,7 +661,7 @@ void RenderViewHost::DirectoryEnumerationFinished(
 // Grant the security access requested to the given files.
 for (std::vector<FilePath>::const_iterator file = files.begin();
 file != files.end(); ++file) {
- ChildProcessSecurityPolicy::GetInstance()->GrantReadFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantReadFile(
 process()->GetID(), *file);
 }
 Send(new ViewMsg_EnumerateDirectoryResponse(routing_id(),
@@ -938,8 +938,8 @@ void RenderViewHost::OnMsgNavigate(const IPC::Message& msg) {
 return;
 const int renderer_id = process()->GetID();
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 // Without this check, an evil renderer can trick the browser into creating
 // a navigation entry for a banned URL. If the user clicks the back button
 // followed by the forward button (or clicks reload, or round-trips through
@@ -1040,8 +1040,8 @@ void RenderViewHost::OnMsgContextMenu(const ContextMenuParams& params) {
 // directly, don't show them in the context menu.
 ContextMenuParams validated_params(params);
 int renderer_id = process()->GetID();
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 // We don't validate |unfiltered_link_url| so that this field can be used
 // when users want to copy the original link URL.
@@ -1063,7 +1063,7 @@ void RenderViewHost::OnMsgOpenURL(const GURL& url,
 WindowOpenDisposition disposition,
 int64 source_frame_id) {
 GURL validated_url(url);
- FilterURL(ChildProcessSecurityPolicy::GetInstance(),
+ FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(),
 process()->GetID(), &validated_url);
 delegate_->RequestOpenURL(
@@ -1143,8 +1143,8 @@ void RenderViewHost::OnMsgStartDragging(
 return;
 WebDropData filtered_data(drop_data);
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 // Allow drag of Javascript URLs to enable bookmarklet drag to bookmark bar.
 if (!filtered_data.url.SchemeIs(chrome::kJavaScriptScheme))
@@ -1326,7 +1326,7 @@ void RenderViewHost::ToggleSpeechInput() {
 Send(new SpeechInputMsg_ToggleSpeechInput(routing_id()));
 }
-void RenderViewHost::FilterURL(ChildProcessSecurityPolicy* policy,
+void RenderViewHost::FilterURL(ChildProcessSecurityPolicyImpl* policy,
 int renderer_id,
 GURL* url) {
 if (!url->is_valid())
diff --git a/content/browser/renderer_host/render_view_host.h b/content/browser/renderer_host/render_view_host.h
index f979d40..9a17429 100644
--- a/content/browser/renderer_host/render_view_host.h
+++ b/content/browser/renderer_host/render_view_host.h
@@ -30,7 +30,7 @@
 #include "webkit/glue/webaccessibility.h"
 #include "webkit/glue/window_open_disposition.h"
-class ChildProcessSecurityPolicy;
+class ChildProcessSecurityPolicyImpl;
 class FilePath;
 class GURL;
 class PowerSaveBlocker;
@@ -407,7 +407,7 @@ class CONTENT_EXPORT RenderViewHost : public RenderWidgetHost {
 // Checks that the given renderer can request |url|, if not it sets it to an
 // empty url.
- static void FilterURL(ChildProcessSecurityPolicy* policy,
+ static void FilterURL(ChildProcessSecurityPolicyImpl* policy,
 int renderer_id,
 GURL* url);
diff --git a/content/browser/renderer_host/render_view_host_unittest.cc b/content/browser/renderer_host/render_view_host_unittest.cc
index e56e4cc..f1f7d8b 100644
--- a/content/browser/renderer_host/render_view_host_unittest.cc
+++ b/content/browser/renderer_host/render_view_host_unittest.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/renderer_host/test_render_view_host.h"
 #include "content/browser/tab_contents/navigation_controller_impl.h"
 #include "content/browser/tab_contents/test_tab_contents.h"
@@ -152,7 +152,7 @@ TEST_F(RenderViewHostTest, DragEnteredFileURLsStillBlocked) {
 dropped_data.url = file_url;
 rvh()->DragTargetDragEnter(dropped_data, client_point, screen_point,
 WebKit::WebDragOperationNone);
- EXPECT_FALSE(ChildProcessSecurityPolicy::GetInstance()->CanRequestURL(
+ EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanRequestURL(
 process()->GetID(), file_url));
 }
diff --git a/content/browser/renderer_host/resource_dispatcher_host.cc b/content/browser/renderer_host/resource_dispatcher_host.cc
index c253224..b925a85 100644
--- a/content/browser/renderer_host/resource_dispatcher_host.cc
+++ b/content/browser/renderer_host/resource_dispatcher_host.cc
@@ -23,7 +23,7 @@
 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
 #include "content/browser/appcache/chrome_appcache_service.h"
 #include "content/browser/cert_store.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/chrome_blob_storage_context.h"
 #include "content/browser/cross_site_request_manager.h"
 #include "content/browser/download/download_file_manager.h"
@@ -168,8 +168,8 @@ bool ShouldServiceRequest(content::ProcessType process_type,
 if (process_type == content::PROCESS_TYPE_PLUGIN)
 return true;
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 // Check if the renderer is permitted to request the requested URL.
 if (!policy->CanRequestURL(child_id, request_data.url)) {
@@ -218,7 +218,7 @@ void PopulateResourceResponse(net::URLRequest* request,
 void RemoveDownloadFileFromChildSecurityPolicy(int child_id,
 const FilePath& path) {
- ChildProcessSecurityPolicy::GetInstance()->RevokeAllPermissionsForFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->RevokeAllPermissionsForFile(
 child_id, path);
 }
@@ -620,8 +620,8 @@ void ResourceDispatcherHost::BeginRequest(
 if (sync_result)
 load_flags |= net::LOAD_IGNORE_LIMITS;
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 if (!policy->CanUseCookiesForOrigin(child_id, request_data.url)) {
 load_flags |= (net::LOAD_DO_NOT_SEND_COOKIES |
 net::LOAD_DO_NOT_SEND_AUTH_DATA |
@@ -774,7 +774,7 @@ void ResourceDispatcherHost::OnDataDownloadedACK(int request_id) {
 void ResourceDispatcherHost::RegisterDownloadedTempFile(
 int child_id, int request_id, DeletableFileReference* reference) {
 registered_temp_files_[child_id][request_id] = reference;
- ChildProcessSecurityPolicy::GetInstance()->GrantReadFile(
+ ChildProcessSecurityPolicyImpl::GetInstance()->GrantReadFile(
 child_id, reference->path());
 // When the temp file is deleted, revoke permissions that the renderer has
@@ -942,7 +942,7 @@ net::Error ResourceDispatcherHost::BeginDownload(
 }
 request->set_load_flags(request->load_flags() | extra_load_flags);
 // Check if the renderer is permitted to request the requested URL.
- if (!ChildProcessSecurityPolicy::GetInstance()->
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()->
 CanRequestURL(child_id, url)) {
 VLOG(1) << "Denied unauthorized download request for "
 << url.possibly_invalid_spec();
@@ -1322,7 +1322,7 @@ void ResourceDispatcherHost::OnReceivedRedirect(net::URLRequest* request,
 DCHECK(request->status().is_success());
 if (info->process_type() != content::PROCESS_TYPE_PLUGIN &&
- !ChildProcessSecurityPolicy::GetInstance()->
+ !ChildProcessSecurityPolicyImpl::GetInstance()->
 CanRequestURL(info->child_id(), new_url)) {
 VLOG(1) << "Denied unauthorized request for "
 << new_url.possibly_invalid_spec();
diff --git a/content/browser/renderer_host/resource_dispatcher_host_unittest.cc b/content/browser/renderer_host/resource_dispatcher_host_unittest.cc
index a378e37..e01752d 100644
--- a/content/browser/renderer_host/resource_dispatcher_host_unittest.cc
+++ b/content/browser/renderer_host/resource_dispatcher_host_unittest.cc
@@ -12,7 +12,7 @@
 #include "base/message_loop.h"
 #include "base/process_util.h"
 #include "content/browser/browser_thread_impl.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/mock_resource_context.h"
 #include "content/browser/renderer_host/dummy_resource_handler.h"
 #include "content/browser/renderer_host/layered_resource_handler.h"
@@ -346,7 +346,7 @@ class ResourceDispatcherHostTest : public testing::Test,
 virtual void SetUp() {
 DCHECK(!test_fixture_);
 test_fixture_ = this;
- ChildProcessSecurityPolicy::GetInstance()->Add(0);
+ ChildProcessSecurityPolicyImpl::GetInstance()->Add(0);
 net::URLRequest::Deprecated::RegisterProtocolFactory(
 "test", &ResourceDispatcherHostTest::Factory);
@@ -368,7 +368,7 @@ class ResourceDispatcherHostTest : public testing::Test,
 host_.Shutdown();
- ChildProcessSecurityPolicy::GetInstance()->Remove(0);
+ ChildProcessSecurityPolicyImpl::GetInstance()->Remove(0);
 // Flush the message loop to make application verifiers happy.
 message_loop_.RunAllPending();
@@ -395,8 +395,8 @@ class ResourceDispatcherHostTest : public testing::Test,
 void CompleteStartRequest(int request_id);
 void EnsureTestSchemeIsAllowed() {
- ChildProcessSecurityPolicy* policy =
- ChildProcessSecurityPolicy::GetInstance();
+ ChildProcessSecurityPolicyImpl* policy =
+ ChildProcessSecurityPolicyImpl::GetInstance();
 if (!policy->IsWebSafeScheme("test"))
 policy->RegisterWebSafeScheme("test");
 }
diff --git a/content/browser/site_instance_impl.cc b/content/browser/site_instance_impl.cc
index 1212c17..ee9d042 100644
--- a/content/browser/site_instance_impl.cc
+++ b/content/browser/site_instance_impl.cc
@@ -6,7 +6,7 @@
 
 #include "base/command_line.h"
 #include "content/browser/browsing_instance.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/notification_service.h"
@@ -263,8 +263,8 @@ void SiteInstanceImpl::Observe(int type,
 void SiteInstanceImpl::LockToOrigin() {
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
   if (command_line.HasSwitch(switches::kEnableStrictSiteIsolation)) {
-    ChildProcessSecurityPolicy* policy =
-        ChildProcessSecurityPolicy::GetInstance();
+    ChildProcessSecurityPolicyImpl* policy =
+        ChildProcessSecurityPolicyImpl::GetInstance();
     policy->LockToOrigin(process_->GetID(), site_);
   }
 }
diff --git a/content/browser/site_instance_impl_unittest.cc b/content/browser/site_instance_impl_unittest.cc
index c04b819..1f56a2f 100644
--- a/content/browser/site_instance_impl_unittest.cc
+++ b/content/browser/site_instance_impl_unittest.cc
@@ -7,7 +7,7 @@
 #include "base/string16.h"
 #include "content/browser/browser_thread_impl.h"
 #include "content/browser/browsing_instance.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/mock_content_browser_client.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/renderer_host/render_view_host.h"
@@ -527,8 +527,8 @@ static SiteInstanceImpl* CreateSiteInstance(
 // in processes with similar pages.
 TEST_F(SiteInstanceTest, ProcessSharingByType) {
   MockRenderProcessHostFactory rph_factory;
-  ChildProcessSecurityPolicy* policy =
-      ChildProcessSecurityPolicy::GetInstance();
+  ChildProcessSecurityPolicyImpl* policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
 
   // Make a bunch of mock renderers so that we hit the limit.
   std::vector<MockRenderProcessHost*> hosts;
diff --git a/content/browser/tab_contents/navigation_controller_impl.cc b/content/browser/tab_contents/navigation_controller_impl.cc
index ac97791..7b0f5e0 100644
--- a/content/browser/tab_contents/navigation_controller_impl.cc
+++ b/content/browser/tab_contents/navigation_controller_impl.cc
@@ -11,7 +11,7 @@
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "content/browser/browser_url_handler.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/in_process_webkit/session_storage_namespace.h"
 #include "content/browser/renderer_host/render_view_host.h"  // Temporary
 #include "content/browser/site_instance_impl.h"
@@ -331,8 +331,8 @@ void NavigationControllerImpl::LoadEntry(NavigationEntryImpl* entry) {
   // Don't navigate to URLs disabled by policy. This prevents showing the URL
   // on the Omnibar when it is also going to be blocked by
   // ChildProcessSecurityPolicy::CanRequestURL.
-  ChildProcessSecurityPolicy *policy =
-      ChildProcessSecurityPolicy::GetInstance();
+  ChildProcessSecurityPolicyImpl* policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
   if (policy->IsDisabledScheme(entry->GetURL().scheme()) ||
       policy->IsDisabledScheme(entry->GetVirtualURL().scheme())) {
     VLOG(1) << "URL not loaded because the scheme is blocked by policy: "
diff --git a/content/browser/tab_contents/tab_contents.cc b/content/browser/tab_contents/tab_contents.cc
index 0440149..f70a699 100644
--- a/content/browser/tab_contents/tab_contents.cc
+++ b/content/browser/tab_contents/tab_contents.cc
@@ -13,7 +13,7 @@
 #include "base/string_util.h"
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/debugger/devtools_manager_impl.h"
 #include "content/browser/download/download_stats.h"
 #include "content/browser/download/save_package.h"
@@ -426,7 +426,7 @@ WebPreferences TabContents::GetWebkitPrefs(RenderViewHost* rvh,
     }
   }
 
-  if (ChildProcessSecurityPolicy::GetInstance()->HasWebUIBindings(
+  if (ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
           rvh->process()->GetID())) {
     prefs.loads_images_automatically = true;
     prefs.javascript_enabled = true;
@@ -1346,7 +1346,7 @@ void TabContents::OnDidStartProvisionalLoadForFrame(int64 frame_id,
                                                     const GURL& url) {
   bool is_error_page = (url.spec() == chrome::kUnreachableWebDataURL);
   GURL validated_url(url);
-  GetRenderViewHost()->FilterURL(ChildProcessSecurityPolicy::GetInstance(),
+  GetRenderViewHost()->FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(),
                                  GetRenderProcessHost()->GetID(),
                                  &validated_url);
   RenderViewHost* rvh =
@@ -1395,7 +1395,7 @@ void TabContents::OnDidFailProvisionalLoadWithError(
             params.showing_repost_interstitial
          << ", frame_id: " << params.frame_id;
   GURL validated_url(params.url);
-  GetRenderViewHost()->FilterURL(ChildProcessSecurityPolicy::GetInstance(),
+  GetRenderViewHost()->FilterURL(ChildProcessSecurityPolicyImpl::GetInstance(),
                                  GetRenderProcessHost()->GetID(),
                                  &validated_url);
   if (net::ERR_ABORTED == params.error_code) {
@@ -1581,7 +1581,10 @@ void TabContents::OnSaveURL(const GURL& url) {
 
 void TabContents::OnEnumerateDirectory(int request_id,
                                        const FilePath& path) {
-  delegate_->EnumerateDirectory(this, request_id, path);
+  ChildProcessSecurityPolicyImpl* policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+  if (policy->CanReadDirectory(GetRenderProcessHost()->GetID(), path))
+    delegate_->EnumerateDirectory(this, request_id, path);
 }
 
 void TabContents::OnJSOutOfMemory() {
@@ -1591,6 +1594,10 @@ void TabContents::OnJSOutOfMemory() {
 void TabContents::OnRegisterProtocolHandler(const std::string& protocol,
                                             const GURL& url,
                                             const string16& title) {
+  ChildProcessSecurityPolicyImpl* policy =
+      ChildProcessSecurityPolicyImpl::GetInstance();
+  if (policy->IsPseudoScheme(protocol) || policy->IsDisabledScheme(protocol))
+    return;
   delegate_->RegisterProtocolHandler(this, protocol, url, title);
 }
 
diff --git a/content/browser/webui/web_ui_impl.cc b/content/browser/webui/web_ui_impl.cc
index 36e021d..3b1713f 100644
--- a/content/browser/webui/web_ui_impl.cc
+++ b/content/browser/webui/web_ui_impl.cc
@@ -9,7 +9,7 @@
 #include "base/stl_util.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/renderer_host/render_view_host.h"
 #include "content/browser/tab_contents/tab_contents.h"
@@ -79,7 +79,7 @@ bool WebUIImpl::OnMessageReceived(const IPC::Message& message) {
 void WebUIImpl::OnWebUISend(const GURL& source_url,
                             const std::string& message,
                             const ListValue& args) {
-  if (!ChildProcessSecurityPolicy::GetInstance()->
+  if (!ChildProcessSecurityPolicyImpl::GetInstance()->
           HasWebUIBindings(web_contents_->GetRenderProcessHost()->GetID())) {
     NOTREACHED() << "Blocked unauthorized use of WebUIBindings.";
     return;
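Review bot: The new `CanReadDirectory` guard in `OnEnumerateDirectory` drops the request silently when the check fails, and the `IsPseudoScheme`/`IsDisabledScheme` guard in `OnRegisterProtocolHandler` (second hunk) returns just as silently, whereas the `CanRequestURL` rejections in the resource_dispatcher_host.cc hunks log `VLOG(1) << "Denied unauthorized ..."` and `OnWebUISend` in web_ui_impl.cc reports the failure with `NOTREACHED()`. A renderer asking the browser to enumerate a directory it was never granted is exactly the condition those logs exist to surface, so the denied path here should at least record it, e.g. `else` / `VLOG(1) << "Denied unauthorized directory enumeration for " << path.value();`, and the protocol-handler early return deserves the same. Whether a failed `CanReadDirectory` should additionally be treated as a bad IPC from that render process, as content does elsewhere for malformed messages, is not visible from this hunk and is worth deciding explicitly rather than by omission.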
diff --git a/content/browser/worker_host/worker_process_host.cc b/content/browser/worker_host/worker_process_host.cc
index c900893..f84bff0 100644
--- a/content/browser/worker_host/worker_process_host.cc
+++ b/content/browser/worker_host/worker_process_host.cc
@@ -17,7 +17,7 @@
 #include "base/utf_string_conversions.h"
 #include "content/browser/appcache/appcache_dispatcher_host.h"
 #include "content/browser/browser_child_process_host_impl.h"
-#include "content/browser/child_process_security_policy.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/debugger/worker_devtools_manager.h"
 #include "content/browser/debugger/worker_devtools_message_filter.h"
 #include "content/browser/file_system/file_system_dispatcher_host.h"
@@ -113,7 +113,8 @@ WorkerProcessHost::~WorkerProcessHost() {
         this, i->worker_route_id());
   }
 
-  ChildProcessSecurityPolicy::GetInstance()->Remove(process_->GetData().id);
+  ChildProcessSecurityPolicyImpl::GetInstance()->Remove(
+      process_->GetData().id);
 }
 
 bool WorkerProcessHost::Send(IPC::Message* message) {
@@ -193,7 +194,7 @@ bool WorkerProcessHost::Init(int render_process_id) {
 #endif
       cmd_line);
 
-  ChildProcessSecurityPolicy::GetInstance()->AddWorker(
+  ChildProcessSecurityPolicyImpl::GetInstance()->AddWorker(
       process_->GetData().id, render_process_id);
   if (!CommandLine::ForCurrentProcess()->HasSwitch(
           switches::kDisableFileSystem)) {
@@ -202,7 +203,7 @@ bool WorkerProcessHost::Init(int render_process_id) {
     // PLATFORM_FILE_DELETE_ON_CLOSE are not granted, because no existing API
     // requests them.
     // This is for the filesystem sandbox.
-    ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+    ChildProcessSecurityPolicyImpl::GetInstance()->GrantPermissionsForFile(
         process_->GetData().id, resource_context_->file_system_context()->
         sandbox_provider()->new_base_path(),
         base::PLATFORM_FILE_OPEN |
@@ -219,7 +220,7 @@ bool WorkerProcessHost::Init(int render_process_id) {
         base::PLATFORM_FILE_ENUMERATE);
     // This is so that we can read and move stuff out of the old filesystem
     // sandbox.
-    ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+    ChildProcessSecurityPolicyImpl::GetInstance()->GrantPermissionsForFile(
         process_->GetData().id, resource_context_->file_system_context()->
         sandbox_provider()->old_base_path(),
         base::PLATFORM_FILE_READ | base::PLATFORM_FILE_WRITE |
@@ -227,7 +228,7 @@ bool WorkerProcessHost::Init(int render_process_id) {
         base::PLATFORM_FILE_ENUMERATE);
     // This is so that we can rename the old sandbox out of the way so that
     // we know we've taken care of it.
-    ChildProcessSecurityPolicy::GetInstance()->GrantPermissionsForFile(
+    ChildProcessSecurityPolicyImpl::GetInstance()->GrantPermissionsForFile(
         process_->GetData().id, resource_context_->file_system_context()->
         sandbox_provider()->renamed_old_base_path(),
         base::PLATFORM_FILE_CREATE | base::PLATFORM_FILE_CREATE_ALWAYS |
@@ -275,7 +276,7 @@ void WorkerProcessHost::CreateMessageFilters(int render_process_id) {
 }
 
 void WorkerProcessHost::CreateWorker(const WorkerInstance& instance) {
-  ChildProcessSecurityPolicy::GetInstance()->GrantRequestURL(
+  ChildProcessSecurityPolicyImpl::GetInstance()->GrantRequestURL(
       process_->GetData().id, instance.url());
   instances_.push_back(instance);
 
diff --git a/content/content_browser.gypi b/content/content_browser.gypi
index 3e191b4..9719def 100644
--- a/content/content_browser.gypi
+++ b/content/content_browser.gypi
@@ -40,6 +40,7 @@
     'public/browser/browser_thread.h',
     'public/browser/browser_thread_delegate.h',
     'public/browser/child_process_data.h',
+    'public/browser/child_process_security_policy.h',
     'public/browser/content_browser_client.h',
     'public/browser/content_ipc_logging.h',
     'public/browser/devtools_agent_host_registry.h',
@@ -158,8 +159,8 @@
     'browser/cert_store.h',
     'browser/child_process_launcher.cc',
     'browser/child_process_launcher.h',
-    'browser/child_process_security_policy.cc',
-    'browser/child_process_security_policy.h',
+    'browser/child_process_security_policy_impl.cc',
+    'browser/child_process_security_policy_impl.h',
     'browser/chrome_blob_storage_context.cc',
     'browser/chrome_blob_storage_context.h',
     'browser/content_ipc_logging.cc',
diff --git a/content/public/browser/child_process_security_policy.h b/content/public/browser/child_process_security_policy.h
new file mode 100644
index 0000000..eccd9d3
--- /dev/null
+++ b/content/public/browser/child_process_security_policy.h
@@ -0,0 +1,68 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
+#define CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
+#pragma once
+
+#include <set>
+#include <string>
+
+#include "base/basictypes.h"
+#include "content/common/content_export.h"
+
+class FilePath;
+
+namespace content {
+
+// The ChildProcessSecurityPolicy class is used to grant and revoke security
+// capabilities for child processes. For example, it restricts whether a child
+// process is permitted to load file:// URLs based on whether the process
+// has ever been commanded to load file:// URLs by the browser.
+//
+// ChildProcessSecurityPolicy is a singleton that may be used on any thread.
+//
+class ChildProcessSecurityPolicy {
+ public:
+  virtual ~ChildProcessSecurityPolicy() {}
+
+  // There is one global ChildProcessSecurityPolicy object for the entire
+  // browser process. The object returned by this method may be accessed on
+  // any thread.
+  static CONTENT_EXPORT ChildProcessSecurityPolicy* GetInstance();
+
+  // Web-safe schemes can be requested by any child process. Once a web-safe
+  // scheme has been registered, any child process can request URLs with
+  // that scheme. There is no mechanism for revoking web-safe schemes.
+  virtual void RegisterWebSafeScheme(const std::string& scheme) = 0;
+
+  // Returns true iff |scheme| has been registered as a web-safe scheme.
+  virtual bool IsWebSafeScheme(const std::string& scheme) = 0;
+
+  // Sets the list of disabled schemes.
+  // URLs using these schemes won't be loaded at all. The previous list of
+  // schemes is overwritten. An empty |schemes| disables this feature.
+  // Schemes listed as disabled take precedence over Web-safe schemes.
+  virtual void RegisterDisabledSchemes(
+      const std::set<std::string>& schemes) = 0;
+
+  // Grants certain permissions to a file. |permissions| must be a bit-set of
+  // base::PlatformFileFlags.
+  virtual void GrantPermissionsForFile(int child_id,
+                                       const FilePath& file,
+                                       int permissions) = 0;
+
+  // Whenever the user picks a file from a <input type="file"> element, the
+  // browser should call this function to grant the child process the capability
+  // to upload the file to the web.
+  virtual void GrantReadFile(int child_id, const FilePath& file) = 0;
+
+  // Grants the child process the capability to access URLs of the provided
+  // scheme.
+  virtual void GrantScheme(int child_id, const std::string& scheme) = 0;
+};
+
+};  // namespace content
+
+#endif  // CONTENT_PUBLIC_BROWSER_CHILD_PROCESS_SECURITY_POLICY_H_
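Review bot: `+};  // namespace content` closes the namespace with a stray semicolon; it should be `}  // namespace content`, since the extra `;` is an empty declaration at namespace scope that pedantic builds warn about. The destructor is public and virtual while `GetInstance()` hands out a process-wide singleton, so any embedder holding the returned pointer can `delete` the policy through this interface; declaring it as `protected: virtual ~ChildProcessSecurityPolicy() {}` keeps the singleton's lifetime inside content without changing the interface callers use. The class comment says the policy is "used to grant and revoke security capabilities", but the interface declares only granting and registration methods, and the `RegisterWebSafeScheme` comment itself says web-safe schemes cannot be revoked, so the header comment should state what this public surface actually is, e.g. `// This public interface exposes only the granting side of the policy; the checks that enforce these grants remain inside content.`. `base/basictypes.h` is included but nothing visible in the header uses it, so it appears to be carried over from the old header.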