author | creis@chromium.org <creis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-08 17:26:39 +0000 |
---|---|---|
committer | creis@chromium.org <creis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-08 17:26:39 +0000 |
commit | 30179971b444e7d025733f2d8fad24e88d2ba7c2 (patch) | |
tree | daf680d3ca54d4f58f76ac3b57f946ae131d217a /chrome | |
parent | 90ae6d032f7f3455747072fbd55dee07cdc16620 (diff) | |
Adds a safety check for DOM UI renderers.
We should not be passing web URLs to DOM UI renderers. This CL adds a
check to ensure that we only navigate to DOM UI URLs in such renderers.
BUG=40575
TEST=none
Review URL: http://codereview.chromium.org/1549027
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43962 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/browser/renderer_host/render_view_host.h | 4 | ||||
-rw-r--r-- | chrome/browser/tab_contents/tab_contents.cc | 7 |
2 files changed, 11 insertions, 0 deletions
diff --git a/chrome/browser/renderer_host/render_view_host.h b/chrome/browser/renderer_host/render_view_host.h
index 83fd216..1a24783 100644
--- a/chrome/browser/renderer_host/render_view_host.h
+++ b/chrome/browser/renderer_host/render_view_host.h
@@ -323,6 +323,10 @@ class RenderViewHost : public RenderWidgetHost {
 // should be a combination of values from BindingsPolicy.
 void AllowBindings(int binding_flags);
 
+ // Returns a bitwise OR of bindings types that have been enabled for this
+ // RenderView. See BindingsPolicy for details.
+ int enabled_bindings() { return enabled_bindings_; }
+
 // Sets a property with the given name and value on the DOM UI binding object.
 // Must call AllowDOMUIBindings() on this renderer first.
 void SetDOMUIProperty(const std::string& name, const std::string& value);
diff --git a/chrome/browser/tab_contents/tab_contents.cc b/chrome/browser/tab_contents/tab_contents.cc
index 27d67ec..e35ab19 100644
--- a/chrome/browser/tab_contents/tab_contents.cc
+++ b/chrome/browser/tab_contents/tab_contents.cc
@@ -64,6 +64,7 @@
 #include "chrome/browser/tab_contents/thumbnail_generator.h"
 #include "chrome/browser/thumbnail_store.h"
 #include "chrome/browser/translate/page_translated_details.h"
+#include "chrome/common/bindings_policy.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/extensions/extension.h"
 #include "chrome/common/extensions/extension_action.h"
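Review bot: The new accessor in render_view_host.h is not declared const, so it cannot be called through a const RenderViewHost pointer or reference even though it only reads `enabled_bindings_`. Declaring it as `int enabled_bindings() const { return enabled_bindings_; }` keeps the read-only intent visible to callers that use the mask for security decisions. The class declaration starts and ends outside the hunk.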
@@ -757,6 +758,12 @@ bool TabContents::NavigateToPendingEntry(
 if (!dest_render_view_host)
 return false; // Unable to create the desired render view host.
 
+ // For security, we should never send non-DOM-UI URLs to a DOM UI renderer.
+ // Double check that here.
+ int enabled_bindings = dest_render_view_host->enabled_bindings();
+ CHECK(!BindingsPolicy::is_dom_ui_enabled(enabled_bindings) ||
+ DOMUIFactory::HasDOMUIScheme(entry.url()));
+
 // Tell DevTools agent that it is attached prior to the navigation.
 DevToolsManager* devtools_manager = DevToolsManager::GetInstance();
 if (devtools_manager) { // NULL in unit tests. |
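Review bot: The CHECK added before the DevTools block guards only navigations that pass through NavigateToPendingEntry, so the stated invariant ("never send non-DOM-UI URLs to a DOM UI renderer") holds only if no other path hands a URL to a host with DOM UI bindings. That cannot be confirmed from this hunk, and enforcing the check where the navigation is actually sent to the RenderViewHost would cover every caller. The comment should also say why the failure is fatal when the function already has a `return false` path just above, e.g. `// A DOM UI renderer has privileged bindings; crash rather than load web content into it.` The commit lists TEST=none, so a test that drives a web URL at a DOM UI-bound host and expects the CHECK to fire would keep the guard from regressing. The function body starts and ends outside the hunk.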