Add chrome to the repository.

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@15 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 296 insertions, 0 deletions

diff --git a/chrome/browser/renderer_security_policy.cc b/chrome/browser/renderer_security_policy.cc
new file mode 100644
index 0000000..2fba7de
--- /dev/null
+++ b/chrome/browser/renderer_security_policy.cc
@@ -0,0 +1,296 @@
+// Copyright 2008, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//    * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//    * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//    * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#include "chrome/browser/renderer_security_policy.h"
+
+#include "base/logging.h"
+#include "base/string_util.h"
+#include "net/url_request/url_request.h"
+
+// The SecurityState class is used to maintain per-renderer security state
+// information.
+class RendererSecurityPolicy::SecurityState {
+ public:
+  SecurityState() : has_dom_ui_bindings_(false) { }
+
+  // Grant permission to request URLs with the specified scheme.
+  void GrantScheme(const std::string& scheme) {
+    scheme_policy_[scheme] = true;
+  }
+
+  // Revoke permission to request URLs with the specified scheme.
+  void RevokeScheme(const std::string& scheme) {
+    scheme_policy_[scheme] = false;
+  }
+
+  // Grant permission to upload the specified file to the web.
+  void GrantUploadFile(const std::wstring& file) {
+    uploadable_files_.insert(file);
+  }
+
+  void GrantDOMUIBindings() {
+    has_dom_ui_bindings_ = true;
+  }
+
+  // Determine whether permission has been granted to request url.
+  // Schemes that have not been granted default to being denied.
+  bool CanRequestURL(const GURL& url) {
+    SchemeMap::const_iterator judgment(scheme_policy_.find(url.scheme()));
+
+    if (judgment == scheme_policy_.end())
+      return false;  // Unmentioned schemes are disallowed.
+
+    return judgment->second;
+  }
+
+  // Determine whether permission has been granted to upload file.
+  // Files that have not been granted default to being denied.
+  bool CanUploadFile(const std::wstring& file) {
+    return uploadable_files_.find(file) != uploadable_files_.end();
+  }
+
+  bool has_dom_ui_bindings() const { return has_dom_ui_bindings_; }
+
+ private:
+  typedef std::map<std::string, bool> SchemeMap;
+  typedef std::set<std::wstring> FileSet;
+
+  // Maps URL schemes to whether permission has been granted or revoked:
+  //   |true| means the scheme has been granted.
+  //   |false| means the scheme has been revoked.
+  // If a scheme is not present in the map, then it has never been granted
+  // or revoked.
+  SchemeMap scheme_policy_;
+
+  // The set of files the renderer is permited to upload to the web.
+  FileSet uploadable_files_;
+
+  bool has_dom_ui_bindings_;
+
+  DISALLOW_EVIL_CONSTRUCTORS(RendererSecurityPolicy::SecurityState);
+};
+
+RendererSecurityPolicy::RendererSecurityPolicy() {
+  // We know about these schemes and believe them to be safe.
+  RegisterWebSafeScheme("http");
+  RegisterWebSafeScheme("https");
+  RegisterWebSafeScheme("ftp");
+  RegisterWebSafeScheme("data");
+  RegisterWebSafeScheme("feed");
+
+  // We know about the following psuedo schemes and treat them specially.
+  RegisterPseudoScheme("about");
+  RegisterPseudoScheme("javascript");
+  RegisterPseudoScheme("view-source");
+}
+
+// static
+RendererSecurityPolicy* RendererSecurityPolicy::GetInstance() {
+  return Singleton<RendererSecurityPolicy>::get();
+}
+
+void RendererSecurityPolicy::Add(int renderer_id) {
+  AutoLock lock(lock_);
+  if (security_state_.count(renderer_id) != 0) {
+    NOTREACHED() << "Add renderers at most once.";
+    return;
+  }
+
+  security_state_[renderer_id] = new SecurityState();
+}
+
+void RendererSecurityPolicy::Remove(int renderer_id) {
+  AutoLock lock(lock_);
+  if (security_state_.count(renderer_id) != 1) {
+    NOTREACHED() << "Remove renderers at most once.";
+    return;
+  }
+
+  delete security_state_[renderer_id];
+  security_state_.erase(renderer_id);
+}
+
+void RendererSecurityPolicy::RegisterWebSafeScheme(const std::string& scheme) {
+  AutoLock lock(lock_);
+  DCHECK(web_safe_schemes_.count(scheme) == 0) << "Add schemes at most once.";
+  DCHECK(pseudo_schemes_.count(scheme) == 0) << "Web-safe implies not psuedo.";
+
+  web_safe_schemes_.insert(scheme);
+}
+
+bool RendererSecurityPolicy::IsWebSafeScheme(const std::string& scheme) {
+  AutoLock lock(lock_);
+
+  return (web_safe_schemes_.find(scheme) != web_safe_schemes_.end());
+}
+
+void RendererSecurityPolicy::RegisterPseudoScheme(const std::string& scheme) {
+  AutoLock lock(lock_);
+  DCHECK(pseudo_schemes_.count(scheme) == 0) << "Add schemes at most once.";
+  DCHECK(web_safe_schemes_.count(scheme) == 0) << "Psuedo implies not web-safe.";
+
+  pseudo_schemes_.insert(scheme);
+}
+
+bool RendererSecurityPolicy::IsPseudoScheme(const std::string& scheme) {
+  AutoLock lock(lock_);
+
+  return (pseudo_schemes_.find(scheme) != pseudo_schemes_.end());
+}
+
+void RendererSecurityPolicy::GrantRequestURL(int renderer_id, const GURL& url) {
+  AutoLock lock(lock_);
+
+  if (!url.is_valid())
+    return;  // Can't grant the capability to request invalid URLs.
+
+  if (IsWebSafeScheme(url.scheme()))
+    return;  // The scheme has already been white-listed for every renderer.
+
+  if (IsPseudoScheme(url.scheme())) {
+    // The view-source scheme is a special case of a pseudo URL that eventually
+    // results in requesting its embedded URL.
+    if (url.SchemeIs("view-source")) {
+      // URLs with the view-source scheme typically look like:
+      //   view-source:http://www.google.com/a
+      // In order to request these URLs, the renderer needs to be able to request
+      // the embedded URL.
+      GrantRequestURL(renderer_id, GURL(url.path()));
+    }
+
+    return;  // Can't grant the capability to request pseudo schemes.
+  }
+
+  SecurityStateMap::iterator state = security_state_.find(renderer_id);
+  if (state == security_state_.end())
+    return;
+
+  // If the renderer has been commanded to request a scheme, then we grant
+  // it the capability to request URLs of that scheme.
+  state->second->GrantScheme(url.scheme());
+}
+
+void RendererSecurityPolicy::GrantUploadFile(int renderer_id,
+                                             const std::wstring& file) {
+  AutoLock lock(lock_);
+
+  SecurityStateMap::iterator state = security_state_.find(renderer_id);
+  if (state == security_state_.end())
+    return;
+
+  state->second->GrantUploadFile(file);
+}
+
+void RendererSecurityPolicy::GrantInspectElement(int renderer_id) {
+  AutoLock lock(lock_);
+
+  SecurityStateMap::iterator state = security_state_.find(renderer_id);
+  if (state == security_state_.end())
+    return;
+
+  // The inspector is served from a chrome-resource: URL.  In order to run the
+  // inspector, the renderer needs to be able to load chrome-resource URLs.
+  state->second->GrantScheme("chrome-resource");
+}
+
+void RendererSecurityPolicy::GrantDOMUIBindings(int renderer_id) {
+  AutoLock lock(lock_);
+
+  SecurityStateMap::iterator state = security_state_.find(renderer_id);
+  if (state == security_state_.end())
+    return;
+
+  state->second->GrantDOMUIBindings();
+
+  // DOM UI bindings need the ability to request chrome-resource URLs.
+  state->second->GrantScheme("chrome-resource");
+
+  // DOM UI pages can contain links to file:// URLs.
+  state->second->GrantScheme("file");
+}
+
+bool RendererSecurityPolicy::CanRequestURL(int renderer_id, const GURL& url) {
+  AutoLock lock(lock_);
+
+  if (!url.is_valid())
+    return false;  // Can't request invalid URLs.
+
+  if (IsWebSafeScheme(url.scheme()))
+    return true;  // The scheme has been white-listed for every renderer.
+
+  if (IsPseudoScheme(url.scheme())) {
+    // There are a number of special cases for pseudo schemes.
+
+    if (url.SchemeIs("view-source")) {
+      // A view-source URL is allowed if the renderer is permited to request the
+      // embedded URL.
+      return CanRequestURL(renderer_id, GURL(url.path()));
+    }
+
+    if (LowerCaseEqualsASCII(url.spec(), "about:blank"))
+      return true;  // Every renderer can request <about:blank>.
+
+    // URLs like <about:memory> and <about:crash> shouldn't be requestable by
+    // any renderer.  Also, this case covers <javascript:...>, which should be
+    // handled internally by the renderer and not kicked up to the browser.
+    return false;
+  }
+
+  if (!URLRequest::IsHandledURL(url))
+    return true;  // This URL request is destined for ShellExecute.
+
+  SecurityStateMap::iterator state = security_state_.find(renderer_id);
+  if (state == security_state_.end())
+    return false;
+
+  // Otherwise, we consult the renderer's security state to see if it is
+  // allowed to request the URL.
+  return state->second->CanRequestURL(url);
+}
+
+bool RendererSecurityPolicy::CanUploadFile(int renderer_id,
+                                           const std::wstring& file) {
+  AutoLock lock(lock_);
+
+  SecurityStateMap::iterator state = security_state_.find(renderer_id);
+  if (state == security_state_.end())
+    return false;
+
+  return state->second->CanUploadFile(file);
+}
+
+bool RendererSecurityPolicy::HasDOMUIBindings(int renderer_id) {
+  AutoLock lock(lock_);
+
+  SecurityStateMap::iterator state = security_state_.find(renderer_id);
+  if (state == security_state_.end())
+    return false;
+
+  return state->second->has_dom_ui_bindings();
+}