diff options
| author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-15 20:49:52 +0000 |
|---|---|---|
| committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-15 20:49:52 +0000 |
| commit | a471822a16e726a817c95c625d20ccada8da36e0 (patch) | |
| tree | 1bbc559fa2525b29fc3a5d2a8480e52f88d9b2fc /chrome/browser/renderer_host | |
| parent | e445916dc8b2e7ea67c42f910316ed1964573c81 (diff) | |
| download | chromium_src-a471822a16e726a817c95c625d20ccada8da36e0.zip chromium_src-a471822a16e726a817c95c625d20ccada8da36e0.tar.gz chromium_src-a471822a16e726a817c95c625d20ccada8da36e0.tar.bz2 | |
Rename RendererSecurityPolicy and move it to browser\. No code change.
Review URL: http://codereview.chromium.org/113475
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@16181 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/renderer_host')
7 files changed, 27 insertions, 714 deletions
diff --git a/chrome/browser/renderer_host/browser_render_process_host.cc b/chrome/browser/renderer_host/browser_render_process_host.cc index 6ae9d1b..e1c9bd9 100644 --- a/chrome/browser/renderer_host/browser_render_process_host.cc +++ b/chrome/browser/renderer_host/browser_render_process_host.cc @@ -27,6 +27,7 @@ #include "base/string_util.h" #include "base/thread.h" #include "chrome/browser/browser_process.h" +#include "chrome/browser/child_process_security_policy.h" #include "chrome/browser/extensions/extension_message_service.h" #include "chrome/browser/extensions/user_script_master.h" #include "chrome/browser/history/history.h" @@ -35,7 +36,6 @@ #include "chrome/browser/renderer_host/render_view_host.h" #include "chrome/browser/renderer_host/render_widget_helper.h" #include "chrome/browser/renderer_host/render_widget_host.h" -#include "chrome/browser/renderer_host/renderer_security_policy.h" #include "chrome/browser/renderer_host/resource_message_filter.h" #include "chrome/browser/renderer_host/web_cache_manager.h" #include "chrome/browser/visitedlink_master.h" @@ -155,7 +155,7 @@ BrowserRenderProcessHost::BrowserRenderProcessHost(Profile* profile) BrowserRenderProcessHost::~BrowserRenderProcessHost() { if (pid() >= 0) { WebCacheManager::GetInstance()->Remove(pid()); - RendererSecurityPolicy::GetInstance()->Remove(pid()); + ChildProcessSecurityPolicy::GetInstance()->Remove(pid()); } // We may have some unsent messages at this point, but that's OK. @@ -342,7 +342,7 @@ bool BrowserRenderProcessHost::Init() { resource_message_filter->Init(pid()); WebCacheManager::GetInstance()->Add(pid()); - RendererSecurityPolicy::GetInstance()->Add(pid()); + ChildProcessSecurityPolicy::GetInstance()->Add(pid()); // Now that the process is created, set its backgrounding accordingly. SetBackgrounded(backgrounded_); diff --git a/chrome/browser/renderer_host/render_view_host.cc b/chrome/browser/renderer_host/render_view_host.cc index 5fee2fb..11f8754 100644 --- a/chrome/browser/renderer_host/render_view_host.cc +++ b/chrome/browser/renderer_host/render_view_host.cc @@ -14,13 +14,13 @@ #include "base/time.h" #include "base/waitable_event.h" #include "chrome/browser/browser_process.h" +#include "chrome/browser/child_process_security_policy.h" #include "chrome/browser/cross_site_request_manager.h" #include "chrome/browser/debugger/debugger_wrapper.h" #include "chrome/browser/debugger/devtools_manager.h" #include "chrome/browser/extensions/extension_message_service.h" #include "chrome/browser/metrics/user_metrics.h" #include "chrome/browser/profile.h" -#include "chrome/browser/renderer_host/renderer_security_policy.h" #include "chrome/browser/renderer_host/render_process_host.h" #include "chrome/browser/renderer_host/render_view_host_delegate.h" #include "chrome/browser/renderer_host/render_widget_host.h" @@ -48,7 +48,7 @@ using WebKit::WebInputEvent; namespace { -void FilterURL(RendererSecurityPolicy* policy, int renderer_id, GURL* url) { +void FilterURL(ChildProcessSecurityPolicy* policy, int renderer_id, GURL* url) { if (!url->is_valid()) return; // We don't need to block invalid URLs. @@ -140,7 +140,7 @@ bool RenderViewHost::CreateRenderView() { DCHECK(process()->profile()); if (enabled_bindings_ & BindingsPolicy::DOM_UI) { - RendererSecurityPolicy::GetInstance()->GrantDOMUIBindings( + ChildProcessSecurityPolicy::GetInstance()->GrantDOMUIBindings( process()->pid()); } @@ -196,7 +196,7 @@ void RenderViewHost::NavigateToEntry(const NavigationEntry& entry, ViewMsg_Navigate_Params params; MakeNavigateParams(entry, is_reload, ¶ms); - RendererSecurityPolicy::GetInstance()->GrantRequestURL( + ChildProcessSecurityPolicy::GetInstance()->GrantRequestURL( process()->pid(), params.url); DoNavigate(entry.url(), new ViewMsg_Navigate(routing_id(), params)); @@ -209,7 +209,7 @@ void RenderViewHost::NavigateToURL(const GURL& url) { params.transition = PageTransition::LINK; params.reload = false; - RendererSecurityPolicy::GetInstance()->GrantRequestURL( + ChildProcessSecurityPolicy::GetInstance()->GrantRequestURL( process()->pid(), params.url); DoNavigate(url, new ViewMsg_Navigate(routing_id(), params)); @@ -396,7 +396,7 @@ void RenderViewHost::DragTargetDragEnter( const gfx::Point& client_pt, const gfx::Point& screen_pt) { // Grant the renderer the ability to load the drop_data. - RendererSecurityPolicy* policy = RendererSecurityPolicy::GetInstance(); + ChildProcessSecurityPolicy* policy = ChildProcessSecurityPolicy::GetInstance(); policy->GrantRequestURL(process()->pid(), drop_data.url); for (std::vector<string16>::const_iterator iter(drop_data.filenames.begin()); iter != drop_data.filenames.end(); ++iter) { @@ -568,7 +568,7 @@ void RenderViewHost::InspectElementAt(int x, int y) { DevToolsManager* manager = g_browser_process->devtools_manager(); manager->InspectElement(this, x, y); } else { - RendererSecurityPolicy::GetInstance()-> + ChildProcessSecurityPolicy::GetInstance()-> GrantInspectElement(process()->pid()); Send(new ViewMsg_InspectElement(routing_id(), x, y)); } @@ -580,7 +580,7 @@ void RenderViewHost::ShowJavaScriptConsole() { DevToolsManager* manager = g_browser_process->devtools_manager(); manager->OpenDevToolsWindow(this); } else { - RendererSecurityPolicy::GetInstance()-> + ChildProcessSecurityPolicy::GetInstance()-> GrantInspectElement(process()->pid()); Send(new ViewMsg_ShowJavaScriptConsole(routing_id())); } @@ -668,7 +668,7 @@ void RenderViewHost::InstallMissingPlugin() { } void RenderViewHost::FileSelected(const FilePath& path) { - RendererSecurityPolicy::GetInstance()->GrantUploadFile(process()->pid(), + ChildProcessSecurityPolicy::GetInstance()->GrantUploadFile(process()->pid(), path); std::vector<FilePath> files; files.push_back(path); @@ -679,7 +679,7 @@ void RenderViewHost::MultiFilesSelected( const std::vector<FilePath>& files) { for (std::vector<FilePath>::const_iterator file = files.begin(); file != files.end(); ++file) { - RendererSecurityPolicy::GetInstance()->GrantUploadFile( + ChildProcessSecurityPolicy::GetInstance()->GrantUploadFile( process()->pid(), *file); } Send(new ViewMsg_RunFileChooserResponse(routing_id(), files)); @@ -906,7 +906,7 @@ void RenderViewHost::OnMsgNavigate(const IPC::Message& msg) { return; const int renderer_id = process()->pid(); - RendererSecurityPolicy* policy = RendererSecurityPolicy::GetInstance(); + ChildProcessSecurityPolicy* policy = ChildProcessSecurityPolicy::GetInstance(); // Without this check, an evil renderer can trick the browser into creating // a navigation entry for a banned URL. If the user clicks the back button // followed by the forward button (or clicks reload, or round-trips through @@ -1002,7 +1002,7 @@ void RenderViewHost::OnMsgDidLoadResourceFromMemoryCache( void RenderViewHost::OnMsgDidStartProvisionalLoadForFrame(bool is_main_frame, const GURL& url) { GURL validated_url(url); - FilterURL(RendererSecurityPolicy::GetInstance(), + FilterURL(ChildProcessSecurityPolicy::GetInstance(), process()->pid(), &validated_url); delegate_->DidStartProvisionalLoadForFrame(this, is_main_frame, @@ -1015,7 +1015,7 @@ void RenderViewHost::OnMsgDidFailProvisionalLoadWithError( const GURL& url, bool showing_repost_interstitial) { GURL validated_url(url); - FilterURL(RendererSecurityPolicy::GetInstance(), + FilterURL(ChildProcessSecurityPolicy::GetInstance(), process()->pid(), &validated_url); delegate_->DidFailProvisionalLoadWithError(this, is_main_frame, @@ -1062,7 +1062,7 @@ void RenderViewHost::OnMsgContextMenu(const ContextMenuParams& params) { // directly, don't show them in the context menu. ContextMenuParams validated_params(params); const int renderer_id = process()->pid(); - RendererSecurityPolicy* policy = RendererSecurityPolicy::GetInstance(); + ChildProcessSecurityPolicy* policy = ChildProcessSecurityPolicy::GetInstance(); // We don't validate |unfiltered_link_url| so that this field can be used // when users want to copy the original link URL. @@ -1078,7 +1078,7 @@ void RenderViewHost::OnMsgOpenURL(const GURL& url, const GURL& referrer, WindowOpenDisposition disposition) { GURL validated_url(url); - FilterURL(RendererSecurityPolicy::GetInstance(), + FilterURL(ChildProcessSecurityPolicy::GetInstance(), process()->pid(), &validated_url); delegate_->RequestOpenURL(validated_url, referrer, disposition); @@ -1098,7 +1098,7 @@ void RenderViewHost::OnMsgDomOperationResponse( void RenderViewHost::OnMsgDOMUISend( const std::string& message, const std::string& content) { - if (!RendererSecurityPolicy::GetInstance()-> + if (!ChildProcessSecurityPolicy::GetInstance()-> HasDOMUIBindings(process()->pid())) { NOTREACHED() << "Blocked unauthorized use of DOMUIBindings."; return; diff --git a/chrome/browser/renderer_host/renderer_security_policy.cc b/chrome/browser/renderer_host/renderer_security_policy.cc deleted file mode 100644 index dd988ff..0000000 --- a/chrome/browser/renderer_host/renderer_security_policy.cc +++ /dev/null @@ -1,292 +0,0 @@ -// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include "chrome/browser/renderer_host/renderer_security_policy.h" - -#include "base/file_path.h" -#include "base/logging.h" -#include "base/stl_util-inl.h" -#include "base/string_util.h" -#include "chrome/common/url_constants.h" -#include "googleurl/src/gurl.h" -#include "net/url_request/url_request.h" - -// The SecurityState class is used to maintain per-renderer security state -// information. -class RendererSecurityPolicy::SecurityState { - public: - SecurityState() : has_dom_ui_bindings_(false) { } - ~SecurityState() { - scheme_policy_.clear(); - } - - // Grant permission to request URLs with the specified scheme. - void GrantScheme(const std::string& scheme) { - scheme_policy_[scheme] = true; - } - - // Revoke permission to request URLs with the specified scheme. - void RevokeScheme(const std::string& scheme) { - scheme_policy_[scheme] = false; - } - - // Grant permission to upload the specified file to the web. - void GrantUploadFile(const FilePath& file) { - uploadable_files_.insert(file); - } - - void GrantDOMUIBindings() { - has_dom_ui_bindings_ = true; - } - - // Determine whether permission has been granted to request url. - // Schemes that have not been granted default to being denied. - bool CanRequestURL(const GURL& url) { - SchemeMap::const_iterator judgment(scheme_policy_.find(url.scheme())); - - if (judgment == scheme_policy_.end()) - return false; // Unmentioned schemes are disallowed. - - return judgment->second; - } - - // Determine whether permission has been granted to upload file. - // Files that have not been granted default to being denied. - bool CanUploadFile(const FilePath& file) { - return uploadable_files_.find(file) != uploadable_files_.end(); - } - - bool has_dom_ui_bindings() const { return has_dom_ui_bindings_; } - - private: - typedef std::map<std::string, bool> SchemeMap; - typedef std::set<FilePath> FileSet; - - // Maps URL schemes to whether permission has been granted or revoked: - // |true| means the scheme has been granted. - // |false| means the scheme has been revoked. - // If a scheme is not present in the map, then it has never been granted - // or revoked. - SchemeMap scheme_policy_; - - // The set of files the renderer is permited to upload to the web. - FileSet uploadable_files_; - - bool has_dom_ui_bindings_; - - DISALLOW_COPY_AND_ASSIGN(SecurityState); -}; - -RendererSecurityPolicy::RendererSecurityPolicy() { - // We know about these schemes and believe them to be safe. - RegisterWebSafeScheme(chrome::kHttpScheme); - RegisterWebSafeScheme(chrome::kHttpsScheme); - RegisterWebSafeScheme(chrome::kFtpScheme); - RegisterWebSafeScheme(chrome::kDataScheme); - RegisterWebSafeScheme("feed"); - RegisterWebSafeScheme("chrome-extension"); - - // We know about the following psuedo schemes and treat them specially. - RegisterPseudoScheme(chrome::kAboutScheme); - RegisterPseudoScheme(chrome::kJavaScriptScheme); - RegisterPseudoScheme(chrome::kViewSourceScheme); -} - -RendererSecurityPolicy::~RendererSecurityPolicy() { - web_safe_schemes_.clear(); - pseudo_schemes_.clear(); - STLDeleteContainerPairSecondPointers(security_state_.begin(), - security_state_.end()); - security_state_.clear(); -} - -// static -RendererSecurityPolicy* RendererSecurityPolicy::GetInstance() { - return Singleton<RendererSecurityPolicy>::get(); -} - -void RendererSecurityPolicy::Add(int renderer_id) { - AutoLock lock(lock_); - if (security_state_.count(renderer_id) != 0) { - NOTREACHED() << "Add renderers at most once."; - return; - } - - security_state_[renderer_id] = new SecurityState(); -} - -void RendererSecurityPolicy::Remove(int renderer_id) { - AutoLock lock(lock_); - if (security_state_.count(renderer_id) != 1) { - NOTREACHED() << "Remove renderers at most once."; - return; - } - - delete security_state_[renderer_id]; - security_state_.erase(renderer_id); -} - -void RendererSecurityPolicy::RegisterWebSafeScheme(const std::string& scheme) { - AutoLock lock(lock_); - DCHECK(web_safe_schemes_.count(scheme) == 0) << "Add schemes at most once."; - DCHECK(pseudo_schemes_.count(scheme) == 0) << "Web-safe implies not psuedo."; - - web_safe_schemes_.insert(scheme); -} - -bool RendererSecurityPolicy::IsWebSafeScheme(const std::string& scheme) { - AutoLock lock(lock_); - - return (web_safe_schemes_.find(scheme) != web_safe_schemes_.end()); -} - -void RendererSecurityPolicy::RegisterPseudoScheme(const std::string& scheme) { - AutoLock lock(lock_); - DCHECK(pseudo_schemes_.count(scheme) == 0) << "Add schemes at most once."; - DCHECK(web_safe_schemes_.count(scheme) == 0) << - "Psuedo implies not web-safe."; - - pseudo_schemes_.insert(scheme); -} - -bool RendererSecurityPolicy::IsPseudoScheme(const std::string& scheme) { - AutoLock lock(lock_); - - return (pseudo_schemes_.find(scheme) != pseudo_schemes_.end()); -} - -void RendererSecurityPolicy::GrantRequestURL(int renderer_id, const GURL& url) { - - if (!url.is_valid()) - return; // Can't grant the capability to request invalid URLs. - - if (IsWebSafeScheme(url.scheme())) - return; // The scheme has already been white-listed for every renderer. - - if (IsPseudoScheme(url.scheme())) { - // The view-source scheme is a special case of a pseudo URL that eventually - // results in requesting its embedded URL. - if (url.SchemeIs(chrome::kViewSourceScheme)) { - // URLs with the view-source scheme typically look like: - // view-source:http://www.google.com/a - // In order to request these URLs, the renderer needs to be able to - // request the embedded URL. - GrantRequestURL(renderer_id, GURL(url.path())); - } - - return; // Can't grant the capability to request pseudo schemes. - } - - { - AutoLock lock(lock_); - SecurityStateMap::iterator state = security_state_.find(renderer_id); - if (state == security_state_.end()) - return; - - // If the renderer has been commanded to request a scheme, then we grant - // it the capability to request URLs of that scheme. - state->second->GrantScheme(url.scheme()); - } -} - -void RendererSecurityPolicy::GrantUploadFile(int renderer_id, - const FilePath& file) { - AutoLock lock(lock_); - - SecurityStateMap::iterator state = security_state_.find(renderer_id); - if (state == security_state_.end()) - return; - - state->second->GrantUploadFile(file); -} - -void RendererSecurityPolicy::GrantInspectElement(int renderer_id) { - AutoLock lock(lock_); - - SecurityStateMap::iterator state = security_state_.find(renderer_id); - if (state == security_state_.end()) - return; - - // The inspector is served from a chrome: URL. In order to run the - // inspector, the renderer needs to be able to load chrome: URLs. - state->second->GrantScheme(chrome::kChromeUIScheme); -} - -void RendererSecurityPolicy::GrantDOMUIBindings(int renderer_id) { - AutoLock lock(lock_); - - SecurityStateMap::iterator state = security_state_.find(renderer_id); - if (state == security_state_.end()) - return; - - state->second->GrantDOMUIBindings(); - - // DOM UI bindings need the ability to request chrome: URLs. - state->second->GrantScheme(chrome::kChromeUIScheme); - - // DOM UI pages can contain links to file:// URLs. - state->second->GrantScheme(chrome::kFileScheme); -} - -bool RendererSecurityPolicy::CanRequestURL(int renderer_id, const GURL& url) { - if (!url.is_valid()) - return false; // Can't request invalid URLs. - - if (IsWebSafeScheme(url.scheme())) - return true; // The scheme has been white-listed for every renderer. - - if (IsPseudoScheme(url.scheme())) { - // There are a number of special cases for pseudo schemes. - - if (url.SchemeIs(chrome::kViewSourceScheme)) { - // A view-source URL is allowed if the renderer is permitted to request - // the embedded URL. - return CanRequestURL(renderer_id, GURL(url.path())); - } - - if (LowerCaseEqualsASCII(url.spec(), chrome::kAboutBlankURL)) - return true; // Every renderer can request <about:blank>. - - // URLs like <about:memory> and <about:crash> shouldn't be requestable by - // any renderer. Also, this case covers <javascript:...>, which should be - // handled internally by the renderer and not kicked up to the browser. - return false; - } - - if (!URLRequest::IsHandledURL(url)) - return true; // This URL request is destined for ShellExecute. - - { - AutoLock lock(lock_); - - SecurityStateMap::iterator state = security_state_.find(renderer_id); - if (state == security_state_.end()) - return false; - - // Otherwise, we consult the renderer's security state to see if it is - // allowed to request the URL. - return state->second->CanRequestURL(url); - } -} - -bool RendererSecurityPolicy::CanUploadFile(int renderer_id, - const FilePath& file) { - AutoLock lock(lock_); - - SecurityStateMap::iterator state = security_state_.find(renderer_id); - if (state == security_state_.end()) - return false; - - return state->second->CanUploadFile(file); -} - -bool RendererSecurityPolicy::HasDOMUIBindings(int renderer_id) { - AutoLock lock(lock_); - - SecurityStateMap::iterator state = security_state_.find(renderer_id); - if (state == security_state_.end()) - return false; - - return state->second->has_dom_ui_bindings(); -} diff --git a/chrome/browser/renderer_host/renderer_security_policy.h b/chrome/browser/renderer_host/renderer_security_policy.h deleted file mode 100644 index 41cf04e..0000000 --- a/chrome/browser/renderer_host/renderer_security_policy.h +++ /dev/null @@ -1,127 +0,0 @@ -// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef CHROME_BROWSER_RENDERER_HOST_RENDERER_SECURITY_POLICY_H_ -#define CHROME_BROWSER_RENDERER_HOST_RENDERER_SECURITY_POLICY_H_ - -#include <string> -#include <map> -#include <set> - -#include "base/basictypes.h" -#include "base/file_path.h" -#include "base/lock.h" -#include "base/singleton.h" - -class FilePath; -class GURL; - -// The RendererSecurityPolicy class is used to grant and revoke security -// capabilities for renderers. For example, it restricts whether a renderer -// is permmitted to loaded file:// URLs based on whether the renderer has ever -// been commanded to load file:// URLs by the browser. -// -// RendererSecurityPolicy is a singleton that may be used on any thread. -// -class RendererSecurityPolicy { - public: - // Object can only be created through GetInstance() so the constructor is - // private. - ~RendererSecurityPolicy(); - - // There is one global RendererSecurityPolicy object for the entire browser - // processes. The object returned by this method may be accessed on any - // thread. - static RendererSecurityPolicy* GetInstance(); - - // Web-safe schemes can be requested by any renderer. Once a web-safe scheme - // has been registered, any renderer processes can request URLs with that - // scheme. There is no mechanism for revoking web-safe schemes. - void RegisterWebSafeScheme(const std::string& scheme); - - // Returns true iff |scheme| has been registered as a web-safe scheme. - bool IsWebSafeScheme(const std::string& scheme); - - // Pseudo schemes are treated differently than other schemes because they - // cannot be requested like normal URLs. There is no mechanism for revoking - // pseudo schemes. - void RegisterPseudoScheme(const std::string& scheme); - - // Returns true iff |scheme| has been registered as pseudo scheme. - bool IsPseudoScheme(const std::string& scheme); - - // Upon creation, render processes should register themselves by calling this - // this method exactly once. - void Add(int renderer_id); - - // Upon destruction, render processess should unregister themselves by caling - // this method exactly once. - void Remove(int renderer_id); - - // Whenever the browser processes commands the renderer to request a URL, it - // should call this method to grant the renderer process the capability to - // request the URL. - void GrantRequestURL(int renderer_id, const GURL& url); - - // Whenever the user picks a file from a <input type="file"> element, the - // browser should call this function to grant the renderer the capability to - // upload the file to the web. - void GrantUploadFile(int renderer_id, const FilePath& file); - - // Whenever the browser processes commands the renderer to run web inspector, - // it should call this method to grant the renderer process the capability to - // run the inspector. - void GrantInspectElement(int renderer_id); - - // Grant this renderer the ability to use DOM UI Bindings. - void GrantDOMUIBindings(int renderer_id); - - // Before servicing a renderer's request for a URL, the browser should call - // this method to determine whether the renderer has the capability to - // request the URL. - bool CanRequestURL(int renderer_id, const GURL& url); - - // Before servicing a renderer's request to upload a file to the web, the - // browser should call this method to determine whether the renderer has the - // capability to upload the requested file. - bool CanUploadFile(int renderer_id, const FilePath& file); - - // Returns true of the specified renderer_id has been granted DOMUIBindings. - // The browser should check this property before assuming the renderer is - // allowed to use DOMUIBindings. - bool HasDOMUIBindings(int renderer_id); - - private: - class SecurityState; - - typedef std::set<std::string> SchemeSet; - typedef std::map<int, SecurityState*> SecurityStateMap; - - // Obtain an instance of RendererSecurityPolicy via GetInstance(). - RendererSecurityPolicy(); - friend struct DefaultSingletonTraits<RendererSecurityPolicy>; - - // You must acquire this lock before reading or writing any members of this - // class. You must not block while holding this lock. - Lock lock_; - - // These schemes are white-listed for all renderers. This set is protected - // by |lock_|. - SchemeSet web_safe_schemes_; - - // These schemes do not actually represent retrievable URLs. For example, - // the the URLs in the "about" scheme are aliases to other URLs. This set is - // protected by |lock_|. - SchemeSet pseudo_schemes_; - - // This map holds a SecurityState for each renderer process. The key for the - // map is the ID of the RenderProcessHost. The SecurityState objects are - // owned by this object and are protected by |lock_|. References to them must - // not escape this class. - SecurityStateMap security_state_; - - DISALLOW_COPY_AND_ASSIGN(RendererSecurityPolicy); -}; - -#endif // CHROME_BROWSER_RENDERER_HOST_RENDERER_SECURITY_POLICY_H_ diff --git a/chrome/browser/renderer_host/renderer_security_policy_unittest.cc b/chrome/browser/renderer_host/renderer_security_policy_unittest.cc deleted file mode 100644 index 2144229..0000000 --- a/chrome/browser/renderer_host/renderer_security_policy_unittest.cc +++ /dev/null @@ -1,268 +0,0 @@ -// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#include <string> - -#include "base/basictypes.h" -#include "base/file_path.h" -#include "chrome/browser/renderer_host/renderer_security_policy.h" -#include "chrome/common/url_constants.h" -#include "net/url_request/url_request.h" -#include "net/url_request/url_request_test_job.h" -#include "testing/gtest/include/gtest/gtest.h" - -class RendererSecurityPolicyTest : public testing::Test { -protected: - // testing::Test - virtual void SetUp() { - // In the real world, "chrome:" is a handled scheme. - URLRequest::RegisterProtocolFactory(chrome::kChromeUIScheme, - &URLRequestTestJob::Factory); - } - virtual void TearDown() { - URLRequest::RegisterProtocolFactory(chrome::kChromeUIScheme, NULL); - } -}; - -static int kRendererID = 42; - -TEST_F(RendererSecurityPolicyTest, IsWebSafeSchemeTest) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - EXPECT_TRUE(p->IsWebSafeScheme("http")); - EXPECT_TRUE(p->IsWebSafeScheme("https")); - EXPECT_TRUE(p->IsWebSafeScheme("ftp")); - EXPECT_TRUE(p->IsWebSafeScheme("data")); - EXPECT_TRUE(p->IsWebSafeScheme("feed")); - EXPECT_TRUE(p->IsWebSafeScheme("chrome-extension")); - - EXPECT_FALSE(p->IsWebSafeScheme("registered-web-safe-scheme")); - p->RegisterWebSafeScheme("registered-web-safe-scheme"); - EXPECT_TRUE(p->IsWebSafeScheme("registered-web-safe-scheme")); -} - -TEST_F(RendererSecurityPolicyTest, IsPseudoSchemeTest) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - EXPECT_TRUE(p->IsPseudoScheme("about")); - EXPECT_TRUE(p->IsPseudoScheme("javascript")); - EXPECT_TRUE(p->IsPseudoScheme("view-source")); - - EXPECT_FALSE(p->IsPseudoScheme("registered-psuedo-scheme")); - p->RegisterPseudoScheme("registered-psuedo-scheme"); - EXPECT_TRUE(p->IsPseudoScheme("registered-psuedo-scheme")); -} - -TEST_F(RendererSecurityPolicyTest, StandardSchemesTest) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - p->Add(kRendererID); - - // Safe - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, - GURL("view-source:http://www.google.com/"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("chrome-extension://xy/z"))); - - // Dangerous - EXPECT_FALSE(p->CanRequestURL(kRendererID, - GURL("file:///etc/passwd"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, - GURL("view-cache:http://www.google.com/"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, - GURL("chrome://foo/bar"))); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, AboutTest) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - p->Add(kRendererID); - - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank"))); - - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang"))); - - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:memory"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe"))); - - p->GrantRequestURL(kRendererID, GURL("about:memory")); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory"))); - - p->GrantRequestURL(kRendererID, GURL("about:crash")); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"))); - - p->GrantRequestURL(kRendererID, GURL("about:cache")); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache"))); - - p->GrantRequestURL(kRendererID, GURL("about:hang")); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang"))); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, JavaScriptTest) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - p->Add(kRendererID); - - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"))); - p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')")); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"))); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, RegisterWebSafeSchemeTest) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - p->Add(kRendererID); - - // Currently, "asdf" is destined for ShellExecute, so it is allowed. - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); - - // Once we register a ProtocolFactory for "asdf", we default to deny. - URLRequest::RegisterProtocolFactory("asdf", &URLRequestTestJob::Factory); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); - - // We can allow new schemes by adding them to the whitelist. - p->RegisterWebSafeScheme("asdf"); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); - - // Cleanup. - URLRequest::RegisterProtocolFactory("asdf", NULL); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, CanServiceCommandsTest) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - p->Add(kRendererID); - - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); - p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd")); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); - - // We should forget our state if we repeat a renderer id. - p->Remove(kRendererID); - p->Add(kRendererID); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, ViewSource) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - p->Add(kRendererID); - - // View source is determined by the embedded scheme. - EXPECT_TRUE(p->CanRequestURL(kRendererID, - GURL("view-source:http://www.google.com/"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, - GURL("view-source:file:///etc/passwd"))); - EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); - - p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd")); - // View source needs to be able to request the embedded scheme. - EXPECT_TRUE(p->CanRequestURL(kRendererID, - GURL("view-source:file:///etc/passwd"))); - EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, CanUploadFiles) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - p->Add(kRendererID); - - EXPECT_FALSE(p->CanUploadFile(kRendererID, - FilePath(FILE_PATH_LITERAL("/etc/passwd")))); - p->GrantUploadFile(kRendererID, FilePath(FILE_PATH_LITERAL("/etc/passwd"))); - EXPECT_TRUE(p->CanUploadFile(kRendererID, - FilePath(FILE_PATH_LITERAL("/etc/passwd")))); - EXPECT_FALSE(p->CanUploadFile(kRendererID, - FilePath(FILE_PATH_LITERAL("/etc/shadow")))); - - p->Remove(kRendererID); - p->Add(kRendererID); - - EXPECT_FALSE(p->CanUploadFile(kRendererID, - FilePath(FILE_PATH_LITERAL("/etc/passwd")))); - EXPECT_FALSE(p->CanUploadFile(kRendererID, - FilePath(FILE_PATH_LITERAL("/etc/shadow")))); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, CanServiceInspectElement) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - GURL url("chrome://inspector/inspector.html"); - - p->Add(kRendererID); - - EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); - p->GrantInspectElement(kRendererID); - EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, CanServiceDOMUIBindings) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - GURL url("chrome://thumb/http://www.google.com/"); - - p->Add(kRendererID); - - EXPECT_FALSE(p->HasDOMUIBindings(kRendererID)); - EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); - p->GrantDOMUIBindings(kRendererID); - EXPECT_TRUE(p->HasDOMUIBindings(kRendererID)); - EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); - - p->Remove(kRendererID); -} - -TEST_F(RendererSecurityPolicyTest, RemoveRace) { - RendererSecurityPolicy* p = RendererSecurityPolicy::GetInstance(); - - GURL url("file:///etc/passwd"); - FilePath file(FILE_PATH_LITERAL("/etc/passwd")); - - p->Add(kRendererID); - - p->GrantRequestURL(kRendererID, url); - p->GrantUploadFile(kRendererID, file); - p->GrantDOMUIBindings(kRendererID); - - EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); - EXPECT_TRUE(p->CanUploadFile(kRendererID, file)); - EXPECT_TRUE(p->HasDOMUIBindings(kRendererID)); - - p->Remove(kRendererID); - - // Renderers are added and removed on the UI thread, but the policy can be - // queried on the IO thread. The RendererSecurityPolicy needs to be prepared - // to answer policy questions about renderers who no longer exist. - - // In this case, we default to secure behavior. - EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); - EXPECT_FALSE(p->CanUploadFile(kRendererID, file)); - EXPECT_FALSE(p->HasDOMUIBindings(kRendererID)); -} diff --git a/chrome/browser/renderer_host/resource_dispatcher_host.cc b/chrome/browser/renderer_host/resource_dispatcher_host.cc index 3f0075b..e091819 100644 --- a/chrome/browser/renderer_host/resource_dispatcher_host.cc +++ b/chrome/browser/renderer_host/resource_dispatcher_host.cc @@ -13,6 +13,7 @@ #include "base/stl_util-inl.h" #include "base/time.h" #include "chrome/browser/cert_store.h" +#include "chrome/browser/child_process_security_policy.h" #include "chrome/browser/cross_site_request_manager.h" #include "chrome/browser/download/download_file.h" #include "chrome/browser/download/download_manager.h" @@ -27,7 +28,6 @@ #include "chrome/browser/renderer_host/download_resource_handler.h" #include "chrome/browser/renderer_host/media_resource_handler.h" #include "chrome/browser/renderer_host/render_view_host.h" -#include "chrome/browser/renderer_host/renderer_security_policy.h" #include "chrome/browser/renderer_host/resource_request_details.h" #include "chrome/browser/renderer_host/safe_browsing_resource_handler.h" #include "chrome/browser/renderer_host/save_file_resource_handler.h" @@ -109,7 +109,7 @@ bool ShouldServiceRequest(ChildProcessInfo::ProcessType process_type, if (process_type != ChildProcessInfo::RENDER_PROCESS) return true; - RendererSecurityPolicy* policy = RendererSecurityPolicy::GetInstance(); + ChildProcessSecurityPolicy* policy = ChildProcessSecurityPolicy::GetInstance(); // Check if the renderer is permitted to request the requested URL. if (!policy->CanRequestURL(process_id, request_data.url)) { @@ -484,7 +484,7 @@ void ResourceDispatcherHost::BeginDownload(const GURL& url, return; // Check if the renderer is permitted to request the requested URL. - if (!RendererSecurityPolicy::GetInstance()-> + if (!ChildProcessSecurityPolicy::GetInstance()-> CanRequestURL(process_id, url)) { LOG(INFO) << "Denied unauthorized download request for " << url.possibly_invalid_spec(); @@ -821,7 +821,7 @@ void ResourceDispatcherHost::OnReceivedRedirect(URLRequest* request, DCHECK(request->status().is_success()); if (info->process_type == ChildProcessInfo::RENDER_PROCESS && - !RendererSecurityPolicy::GetInstance()-> + !ChildProcessSecurityPolicy::GetInstance()-> CanRequestURL(info->process_id, new_url)) { LOG(INFO) << "Denied unauthorized request for " << new_url.possibly_invalid_spec(); diff --git a/chrome/browser/renderer_host/resource_dispatcher_host_unittest.cc b/chrome/browser/renderer_host/resource_dispatcher_host_unittest.cc index 1e2b458..6278d3e 100644 --- a/chrome/browser/renderer_host/resource_dispatcher_host_unittest.cc +++ b/chrome/browser/renderer_host/resource_dispatcher_host_unittest.cc @@ -7,7 +7,7 @@ #include "base/file_path.h" #include "base/message_loop.h" #include "base/process_util.h" -#include "chrome/browser/renderer_host/renderer_security_policy.h" +#include "chrome/browser/child_process_security_policy.h" #include "chrome/browser/renderer_host/resource_dispatcher_host.h" #include "chrome/common/chrome_plugin_lib.h" #include "chrome/common/render_messages.h" @@ -112,13 +112,13 @@ class ResourceDispatcherHostTest : public testing::Test, protected: // testing::Test virtual void SetUp() { - RendererSecurityPolicy::GetInstance()->Add(0); + ChildProcessSecurityPolicy::GetInstance()->Add(0); URLRequest::RegisterProtocolFactory("test", &URLRequestTestJob::Factory); EnsureTestSchemeIsAllowed(); } virtual void TearDown() { URLRequest::RegisterProtocolFactory("test", NULL); - RendererSecurityPolicy::GetInstance()->Remove(0); + ChildProcessSecurityPolicy::GetInstance()->Remove(0); // The plugin lib is automatically loaded during these test // and we want a clean environment for other tests. @@ -143,7 +143,7 @@ class ResourceDispatcherHostTest : public testing::Test, static bool have_white_listed_test_scheme = false; if (!have_white_listed_test_scheme) { - RendererSecurityPolicy::GetInstance()->RegisterWebSafeScheme("test"); + ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme("test"); have_white_listed_test_scheme = true; } } |