authorestark <estark@chromium.org>2015-12-08 22:20:36 -0800
committerCommit bot <commit-bot@chromium.org>2015-12-09 06:21:24 +0000
commit05779312ef80eec0800cc750c45f6808f5c71eae (patch)
tree88faeb29fa5fb3ad4283a98fae21e9f971762a85 /content/browser/shared_worker
parent877c36928f02350da8e1e38a0e549ddd6f946e0c (diff)
Check for secure context mismatches on SharedWorker creation
When a SharedWorker is created from a secure context, a non-secure context shouldn't be able to connect to it, and vice versa. BUG=561216 Review URL: https://codereview.chromium.org/1487143003 Cr-Commit-Position: refs/heads/master@{#363993}
Diffstat (limited to 'content/browser/shared_worker')
-rw-r--r--content/browser/shared_worker/shared_worker_instance.cc10
-rw-r--r--content/browser/shared_worker/shared_worker_instance.h19
-rw-r--r--content/browser/shared_worker/shared_worker_instance_unittest.cc22
-rw-r--r--content/browser/shared_worker/shared_worker_service_impl.cc22
-rw-r--r--content/browser/shared_worker/shared_worker_service_impl_unittest.cc2
5 files changed, 46 insertions, 29 deletions
diff --git a/content/browser/shared_worker/shared_worker_instance.cc b/content/browser/shared_worker/shared_worker_instance.cc
index ea8e02d..caa3876 100644
--- a/content/browser/shared_worker/shared_worker_instance.cc
+++ b/content/browser/shared_worker/shared_worker_instance.cc
@@ -14,13 +14,15 @@ SharedWorkerInstance::SharedWorkerInstance(
const base::string16& content_security_policy,
blink::WebContentSecurityPolicyType security_policy_type,
ResourceContext* resource_context,
- const WorkerStoragePartitionId& partition_id)
+ const WorkerStoragePartitionId& partition_id,
+ blink::WebSharedWorkerCreationContextType creation_context_type)
: url_(url),
name_(name),
content_security_policy_(content_security_policy),
security_policy_type_(security_policy_type),
resource_context_(resource_context),
- partition_id_(partition_id) {
+ partition_id_(partition_id),
+ creation_context_type_(creation_context_type) {
DCHECK(resource_context_);
}
@@ -30,8 +32,8 @@ SharedWorkerInstance::SharedWorkerInstance(const SharedWorkerInstance& other)
content_security_policy_(other.content_security_policy_),
security_policy_type_(other.security_policy_type_),
resource_context_(other.resource_context_),
- partition_id_(other.partition_id_) {
-}
+ partition_id_(other.partition_id_),
+ creation_context_type_(other.creation_context_type_) {}
SharedWorkerInstance::~SharedWorkerInstance() {}
diff --git a/content/browser/shared_worker/shared_worker_instance.h b/content/browser/shared_worker/shared_worker_instance.h
index 5d650e5..f3b3be6 100644
--- a/content/browser/shared_worker/shared_worker_instance.h
+++ b/content/browser/shared_worker/shared_worker_instance.h
@@ -11,6 +11,7 @@
#include "content/browser/shared_worker/worker_storage_partition.h"
#include "content/common/content_export.h"
#include "third_party/WebKit/public/web/WebContentSecurityPolicy.h"
+#include "third_party/WebKit/public/web/WebSharedWorkerCreationContextType.h"
#include "url/gurl.h"
namespace content {
@@ -20,12 +21,14 @@ class ResourceContext;
// the UI thread and be used for comparison in SharedWorkerDevToolsManager.
class CONTENT_EXPORT SharedWorkerInstance {
public:
- SharedWorkerInstance(const GURL& url,
- const base::string16& name,
- const base::string16& content_security_policy,
- blink::WebContentSecurityPolicyType security_policy_type,
- ResourceContext* resource_context,
- const WorkerStoragePartitionId& partition_id);
+ SharedWorkerInstance(
+ const GURL& url,
+ const base::string16& name,
+ const base::string16& content_security_policy,
+ blink::WebContentSecurityPolicyType security_policy_type,
+ ResourceContext* resource_context,
+ const WorkerStoragePartitionId& partition_id,
+ blink::WebSharedWorkerCreationContextType creation_context_type);
SharedWorkerInstance(const SharedWorkerInstance& other);
~SharedWorkerInstance();
@@ -54,6 +57,9 @@ class CONTENT_EXPORT SharedWorkerInstance {
return resource_context_;
}
const WorkerStoragePartitionId& partition_id() const { return partition_id_; }
+ blink::WebSharedWorkerCreationContextType creation_context_type() const {
+ return creation_context_type_;
+ }
private:
const GURL url_;
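Review bot: The new `creation_context_type()` accessor and its backing member have no comment, although the field plays a different role from its neighbours: it is checked separately when a client connects, not used to identify the worker. The diffstat shows no change to the matching logic in this commit, so presumably two instances that differ only in this field still match. I would state that above the accessor, e.g. `// Whether the creating document was a secure context. Not part of Matches(); callers compare it explicitly and fail with SecureContextMismatch.` The class body continues outside this hunk.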
@@ -62,6 +68,7 @@ class CONTENT_EXPORT SharedWorkerInstance {
const blink::WebContentSecurityPolicyType security_policy_type_;
ResourceContext* const resource_context_;
const WorkerStoragePartitionId partition_id_;
+ const blink::WebSharedWorkerCreationContextType creation_context_type_;
};
} // namespace content
diff --git a/content/browser/shared_worker/shared_worker_instance_unittest.cc b/content/browser/shared_worker/shared_worker_instance_unittest.cc
index 7811e77..8991b05 100644
--- a/content/browser/shared_worker/shared_worker_instance_unittest.cc
+++ b/content/browser/shared_worker/shared_worker_instance_unittest.cc
@@ -47,12 +47,11 @@ class SharedWorkerInstanceTest : public testing::Test {
};
TEST_F(SharedWorkerInstanceTest, MatchesTest) {
- SharedWorkerInstance instance1(GURL("http://example.com/w.js"),
- base::string16(),
- base::string16(),
- blink::WebContentSecurityPolicyTypeReport,
- browser_context_->GetResourceContext(),
- partition_id_);
+ SharedWorkerInstance instance1(
+ GURL("http://example.com/w.js"), base::string16(), base::string16(),
+ blink::WebContentSecurityPolicyTypeReport,
+ browser_context_->GetResourceContext(), partition_id_,
+ blink::WebSharedWorkerCreationContextTypeNonsecure);
EXPECT_TRUE(Matches(instance1, "http://example.com/w.js", ""));
EXPECT_FALSE(Matches(instance1, "http://example.com/w2.js", ""));
EXPECT_FALSE(Matches(instance1, "http://example.net/w.js", ""));
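Review bot: `instance1` here and `instance2` in the next hunk are both built with `WebSharedWorkerCreationContextTypeNonsecure`, so MatchesTest does not pin how matching treats the new field. The service-side mismatch check only fires if a secure and a non-secure instance with the same URL and name still match, so that is worth asserting. For example, build a third instance with `blink::WebSharedWorkerCreationContextTypeSecure` and expect `Matches(instance3, "http://example.com/w.js", "")` to stay true. The TEST_F body starts before and continues past the visible hunks.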
@@ -62,12 +61,11 @@ TEST_F(SharedWorkerInstanceTest, MatchesTest) {
EXPECT_FALSE(Matches(instance1, "http://example.net/w.js", "name"));
EXPECT_FALSE(Matches(instance1, "http://example.net/w2.js", "name"));
- SharedWorkerInstance instance2(GURL("http://example.com/w.js"),
- base::ASCIIToUTF16("name"),
- base::string16(),
- blink::WebContentSecurityPolicyTypeReport,
- browser_context_->GetResourceContext(),
- partition_id_);
+ SharedWorkerInstance instance2(
+ GURL("http://example.com/w.js"), base::ASCIIToUTF16("name"),
+ base::string16(), blink::WebContentSecurityPolicyTypeReport,
+ browser_context_->GetResourceContext(), partition_id_,
+ blink::WebSharedWorkerCreationContextTypeNonsecure);
EXPECT_FALSE(Matches(instance2, "http://example.com/w.js", ""));
EXPECT_FALSE(Matches(instance2, "http://example.com/w2.js", ""));
EXPECT_FALSE(Matches(instance2, "http://example.net/w.js", ""));
diff --git a/content/browser/shared_worker/shared_worker_service_impl.cc b/content/browser/shared_worker/shared_worker_service_impl.cc
index 4e71bde..91579b4 100644
--- a/content/browser/shared_worker/shared_worker_service_impl.cc
+++ b/content/browser/shared_worker/shared_worker_service_impl.cc
@@ -287,13 +287,10 @@ void SharedWorkerServiceImpl::CreateWorker(
blink::WebWorkerCreationError* creation_error) {
DCHECK_CURRENTLY_ON(BrowserThread::IO);
*creation_error = blink::WebWorkerCreationErrorNone;
- scoped_ptr<SharedWorkerInstance> instance(
- new SharedWorkerInstance(params.url,
- params.name,
- params.content_security_policy,
- params.security_policy_type,
- resource_context,
- partition_id));
+ scoped_ptr<SharedWorkerInstance> instance(new SharedWorkerInstance(
+ params.url, params.name, params.content_security_policy,
+ params.security_policy_type, resource_context, partition_id,
+ params.creation_context_type));
scoped_ptr<SharedWorkerPendingInstance::SharedWorkerPendingRequest> request(
new SharedWorkerPendingInstance::SharedWorkerPendingRequest(
filter,
@@ -306,6 +303,11 @@ void SharedWorkerServiceImpl::CreateWorker(
*creation_error = blink::WebWorkerCreationErrorURLMismatch;
return;
}
+ if (params.creation_context_type !=
+ pending->instance()->creation_context_type()) {
+ *creation_error = blink::WebWorkerCreationErrorSecureContextMismatch;
+ return;
+ }
pending->AddRequest(request.Pass());
return;
}
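Review bot: Both operands of the added comparison `params.creation_context_type != pending->instance()->creation_context_type()` come from renderer-supplied create-worker parameters, so the check holds only while each renderer reports its secure-context state honestly. It separates well-behaved secure and non-secure documents, but it does not look like a boundary against a compromised renderer, which could presumably report whichever value matches. If the browser process can derive the requester's secure-context state itself (not visible in this hunk), compare against that. Otherwise record the limitation next to the check, e.g. `// creation_context_type is renderer-reported; this is a consistency check, not a defense against a compromised renderer.` CreateWorker starts and ends outside this hunk.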
@@ -483,6 +485,12 @@ void SharedWorkerServiceImpl::ReserveRenderProcessToCreateWorker(
*creation_error = blink::WebWorkerCreationErrorURLMismatch;
return;
}
+ if (pending_instance->instance()->creation_context_type() !=
+ host->instance()->creation_context_type()) {
+ if (creation_error)
+ *creation_error = blink::WebWorkerCreationErrorSecureContextMismatch;
+ return;
+ }
worker_process_id = host->process_id();
worker_route_id = host->worker_route_id();
is_new_worker = false;
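Review bot: When `creation_error` is null, the new mismatch branch returns without recording anything, and the `if (creation_error)` guard implies that null is a legal argument on some call path. On that path the requests held by `pending_instance` would apparently be dropped with no `WebWorkerCreationErrorSecureContextMismatch` delivered to the connecting client. That is easy to miss for a security-relevant rejection. Please confirm which caller passes null and either report the failure to the pending requests there or add a comment saying why the silent return is safe. The enclosing function starts and ends outside this hunk, so the null-pointer path is inferred from the guard alone.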
diff --git a/content/browser/shared_worker/shared_worker_service_impl_unittest.cc b/content/browser/shared_worker/shared_worker_service_impl_unittest.cc
index 6fe9757..332490a 100644
--- a/content/browser/shared_worker/shared_worker_service_impl_unittest.cc
+++ b/content/browser/shared_worker/shared_worker_service_impl_unittest.cc
@@ -251,6 +251,8 @@ void PostCreateWorker(MockRendererProcessHost* renderer,
params.security_policy_type = blink::WebContentSecurityPolicyTypeReport;
params.document_id = document_id;
params.render_frame_route_id = render_frame_route_id;
+ params.creation_context_type =
+ blink::WebSharedWorkerCreationContextTypeSecure;
EXPECT_TRUE(
renderer->OnMessageReceived(new ViewHostMsg_CreateWorker(params, reply)));
}
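Review bot: `PostCreateWorker` now hard-codes `blink::WebSharedWorkerCreationContextTypeSecure` for every request, so no test in this file can make two clients disagree on the creation context. Both new `WebWorkerCreationErrorSecureContextMismatch` branches in shared_worker_service_impl.cc are therefore unexercised here. Coverage may exist outside this directory, since the page is limited to content/browser/shared_worker. I would still make the context type a parameter of this helper and add a case that connects once as secure and once as non-secure to the same URL and name, expecting the mismatch error for both the pending-instance and the running-host paths. The function begins outside this hunk.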