authorraymes@chromium.org <raymes@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-12-10 19:28:46 +0000
committerraymes@chromium.org <raymes@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-12-10 19:28:46 +0000
commit83d12c8ddc0ce79975db70edb0ffd35305f49ee2 (patch)
tree79bd1b1125f32b97616d9b1ca7ad2555d6fa1e04 /content
parente981b3fa852cdbf3bb098e4ebf2d1def635b90c2 (diff)
Implement an IsAllowed function in the pepper PPB_Broker_Trusted API
Flash sometimes needs to synchronously know if it can launch the broker, otherwise it will try to launch the broker when it shouldn't, and end up popping an infobar. This adds an IsAllowed function to synchronously test whether the broker is allowed to launch without popping the infobar. Note that the document URL of the plugin instance is needed in order to check the broker permissions in the browser process. This is only available in the renderer process. In order to avoid an extra hop to the renderer process just to get this URL, it is sent to the browser (with the render view ID) upon initialization of the instance when the instance is registered with the browser process. BUG=163248 Review URL: https://chromiumcodereview.appspot.com/11316316 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@172104 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r--content/browser/ppapi_plugin_process_host.cc8
-rw-r--r--content/browser/ppapi_plugin_process_host.h17
-rw-r--r--content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc45
-rw-r--r--content/browser/renderer_host/pepper/browser_ppapi_host_impl.h28
-rw-r--r--content/browser/renderer_host/render_message_filter.cc10
-rw-r--r--content/browser/renderer_host/render_message_filter.h10
-rw-r--r--content/common/pepper_renderer_instance_data.cc28
-rw-r--r--content/common/pepper_renderer_instance_data.h31
-rw-r--r--content/common/view_messages.h30
-rw-r--r--content/content_common.gypi2
-rw-r--r--content/public/browser/browser_ppapi_host.h6
-rw-r--r--content/renderer/pepper/pepper_plugin_delegate_impl.cc9
12 files changed, 161 insertions, 63 deletions
diff --git a/content/browser/ppapi_plugin_process_host.cc b/content/browser/ppapi_plugin_process_host.cc
index db9f23d..1d7b5b5 100644
--- a/content/browser/ppapi_plugin_process_host.cc
+++ b/content/browser/ppapi_plugin_process_host.cc
@@ -101,14 +101,12 @@ PpapiPluginProcessHost* PpapiPluginProcessHost::CreateBrokerHost(
void PpapiPluginProcessHost::DidCreateOutOfProcessInstance(
int plugin_process_id,
int32 pp_instance,
- int render_process_id,
- int render_view_id) {
+ const PepperRendererInstanceData& instance_data) {
for (PpapiPluginProcessHostIterator iter; !iter.Done(); ++iter) {
if (iter->process_.get() &&
iter->process_->GetData().id == plugin_process_id) {
// Found the plugin.
- iter->host_impl_->AddInstanceForView(pp_instance,
- render_process_id, render_view_id);
+ iter->host_impl_->AddInstance(pp_instance, instance_data);
return;
}
}
@@ -130,7 +128,7 @@ void PpapiPluginProcessHost::DidDeleteOutOfProcessInstance(
if (iter->process_.get() &&
iter->process_->GetData().id == plugin_process_id) {
// Found the plugin.
- iter->host_impl_->DeleteInstanceForView(pp_instance);
+ iter->host_impl_->DeleteInstance(pp_instance);
return;
}
}
diff --git a/content/browser/ppapi_plugin_process_host.h b/content/browser/ppapi_plugin_process_host.h
index 9dc3481..6b50856 100644
--- a/content/browser/ppapi_plugin_process_host.h
+++ b/content/browser/ppapi_plugin_process_host.h
@@ -78,14 +78,15 @@ class PpapiPluginProcessHost : public BrowserChildProcessHostDelegate,
static PpapiPluginProcessHost* CreateBrokerHost(
const PepperPluginInfo& info);
- // Notification that a PP_Instance has been created for the given
- // RenderView/Process pair for the given plugin. This is necessary so that
- // when the plugin calls us with a PP_Instance we can find the RenderView
- // associated with it without trusting the plugin.
- static void DidCreateOutOfProcessInstance(int plugin_process_id,
- int32 pp_instance,
- int render_process_id,
- int render_view_id);
+ // Notification that a PP_Instance has been created and the associated
+ // renderer related data including the RenderView/Process pair for the given
+ // plugin. This is necessary so that when the plugin calls us with a
+ // PP_Instance we can find the RenderView associated with it without trusting
+ // the plugin.
+ static void DidCreateOutOfProcessInstance(
+ int plugin_process_id,
+ int32 pp_instance,
+ const PepperRendererInstanceData& instance_data);
// The opposite of DIdCreate... above.
static void DidDeleteOutOfProcessInstance(int plugin_process_id,
diff --git a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc
index 2b79f3b..d039c70 100644
--- a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc
+++ b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.cc
@@ -6,6 +6,7 @@
#include "content/browser/renderer_host/pepper/pepper_message_filter.h"
#include "content/browser/trace_message_filter.h"
+#include "content/common/pepper_renderer_instance_data.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/render_view_host.h"
#include "ipc/ipc_message_macros.h"
@@ -73,22 +74,22 @@ base::ProcessHandle BrowserPpapiHostImpl::GetPluginProcessHandle() const {
}
bool BrowserPpapiHostImpl::IsValidInstance(PP_Instance instance) const {
- return instance_to_view_.find(instance) != instance_to_view_.end();
+ return instance_map_.find(instance) != instance_map_.end();
}
bool BrowserPpapiHostImpl::GetRenderViewIDsForInstance(
PP_Instance instance,
int* render_process_id,
int* render_view_id) const {
- InstanceToViewMap::const_iterator found = instance_to_view_.find(instance);
- if (found == instance_to_view_.end()) {
+ InstanceMap::const_iterator found = instance_map_.find(instance);
+ if (found == instance_map_.end()) {
*render_process_id = 0;
*render_view_id = 0;
return false;
}
- *render_process_id = found->second.process_id;
- *render_view_id = found->second.view_id;
+ *render_process_id = found->second.render_process_id;
+ *render_view_id = found->second.render_view_id;
return true;
}
@@ -100,24 +101,34 @@ const FilePath& BrowserPpapiHostImpl::GetProfileDataDirectory() {
return profile_data_directory_;
}
-void BrowserPpapiHostImpl::AddInstanceForView(PP_Instance instance,
- int render_process_id,
- int render_view_id) {
- DCHECK(instance_to_view_.find(instance) == instance_to_view_.end());
+GURL BrowserPpapiHostImpl::GetDocumentURLForInstance(PP_Instance instance) {
+ InstanceMap::const_iterator found = instance_map_.find(instance);
+ if (found == instance_map_.end())
+ return GURL();
+ return found->second.document_url;
+}
+
+GURL BrowserPpapiHostImpl::GetPluginURLForInstance(PP_Instance instance) {
+ InstanceMap::const_iterator found = instance_map_.find(instance);
+ if (found == instance_map_.end())
+ return GURL();
+ return found->second.plugin_url;
+}
- RenderViewIDs ids;
- ids.process_id = render_process_id;
- ids.view_id = render_view_id;
- instance_to_view_[instance] = ids;
+void BrowserPpapiHostImpl::AddInstance(
+ PP_Instance instance,
+ const PepperRendererInstanceData& instance_data) {
+ DCHECK(instance_map_.find(instance) == instance_map_.end());
+ instance_map_[instance] = instance_data;
}
-void BrowserPpapiHostImpl::DeleteInstanceForView(PP_Instance instance) {
- InstanceToViewMap::iterator found = instance_to_view_.find(instance);
- if (found == instance_to_view_.end()) {
+void BrowserPpapiHostImpl::DeleteInstance(PP_Instance instance) {
+ InstanceMap::iterator found = instance_map_.find(instance);
+ if (found == instance_map_.end()) {
NOTREACHED();
return;
}
- instance_to_view_.erase(found);
+ instance_map_.erase(found);
}
bool BrowserPpapiHostImpl::HostMessageFilter::OnMessageReceived(
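Review bot: `AddInstance` guards against an already-registered `pp_instance` only with a DCHECK, so in release builds `instance_map_[instance] = instance_data;` silently replaces the existing entry, which now includes its `document_url` and `plugin_url`. The `pp_instance` value reaches this function from the renderer's IPC (via `OnDidCreateOutOfProcessPepperInstance`), so a duplicate registration should be rejected rather than allowed to overwrite, e.g. `if (!instance_map_.insert(std::make_pair(instance, instance_data)).second) NOTREACHED();`. The last line of the hunk begins a function that continues outside it.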
diff --git a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.h b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.h
index 888bb7c..ce3560e 100644
--- a/content/browser/renderer_host/pepper/browser_ppapi_host_impl.h
+++ b/content/browser/renderer_host/pepper/browser_ppapi_host_impl.h
@@ -19,6 +19,8 @@
namespace content {
+struct PepperRendererInstanceData;
+
class CONTENT_EXPORT BrowserPpapiHostImpl : public BrowserPpapiHost {
public:
// The creator is responsible for calling set_plugin_process_handle as soon
@@ -39,18 +41,19 @@ class CONTENT_EXPORT BrowserPpapiHostImpl : public BrowserPpapiHost {
int* render_view_id) const OVERRIDE;
virtual const std::string& GetPluginName() OVERRIDE;
virtual const FilePath& GetProfileDataDirectory() OVERRIDE;
+ virtual GURL GetDocumentURLForInstance(PP_Instance instance) OVERRIDE;
+ virtual GURL GetPluginURLForInstance(PP_Instance instance) OVERRIDE;
void set_plugin_process_handle(base::ProcessHandle handle) {
plugin_process_handle_ = handle;
}
// These two functions are notifications that an instance has been created
- // or destroyed. They allow us to maintain a mapping of PP_Instance to view
- // IDs in the browser process.
- void AddInstanceForView(PP_Instance instance,
- int render_process_id,
- int render_view_id);
- void DeleteInstanceForView(PP_Instance instance);
+ // or destroyed. They allow us to maintain a mapping of PP_Instance to data
+ // associated with the instance including view IDs in the browser process.
+ void AddInstance(PP_Instance instance,
+ const PepperRendererInstanceData& instance_data);
+ void DeleteInstance(PP_Instance instance);
scoped_refptr<IPC::ChannelProxy::MessageFilter> message_filter() {
return message_filter_;
@@ -59,12 +62,6 @@ class CONTENT_EXPORT BrowserPpapiHostImpl : public BrowserPpapiHost {
private:
friend class BrowserPpapiHostTest;
- struct RenderViewIDs {
- int process_id;
- int view_id;
- };
- typedef std::map<PP_Instance, RenderViewIDs> InstanceToViewMap;
-
// Implementing MessageFilter on BrowserPpapiHostImpl makes it ref-counted,
// preventing us from returning these to embedders without holding a
// reference. To avoid that, define a message filter object.
@@ -88,9 +85,10 @@ class CONTENT_EXPORT BrowserPpapiHostImpl : public BrowserPpapiHost {
std::string plugin_name_;
FilePath profile_data_directory_;
- // Tracks all PP_Instances in this plugin and maps them to
- // RenderProcess/RenderView IDs.
- InstanceToViewMap instance_to_view_;
+ // Tracks all PP_Instances in this plugin and associated renderer-related
+ // data.
+ typedef std::map<PP_Instance, PepperRendererInstanceData> InstanceMap;
+ InstanceMap instance_map_;
scoped_refptr<HostMessageFilter> message_filter_;
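Review bot: `InstanceMap` is a `std::map` whose mapped type `PepperRendererInstanceData` is only forward-declared in this header (first hunk of the file), yet `instance_map_` is a data member of the class. Instantiating a standard container with an incomplete type is not guaranteed to work, and every translation unit that includes this header then depends on having pulled in the struct's definition beforehand. I would replace the forward declaration with `#include "content/common/pepper_renderer_instance_data.h"`.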
diff --git a/content/browser/renderer_host/render_message_filter.cc b/content/browser/renderer_host/render_message_filter.cc
index 9bcd74e..0823310 100644
--- a/content/browser/renderer_host/render_message_filter.cc
+++ b/content/browser/renderer_host/render_message_filter.cc
@@ -711,7 +711,7 @@ void RenderMessageFilter::OnOpenChannelToPepperPlugin(
void RenderMessageFilter::OnDidCreateOutOfProcessPepperInstance(
int plugin_child_id,
int32 pp_instance,
- int render_view_id,
+ PepperRendererInstanceData instance_data,
bool is_external) {
// It's important that we supply the render process ID ourselves based on the
// channel the message arrived on. We use the
@@ -719,16 +719,18 @@ void RenderMessageFilter::OnDidCreateOutOfProcessPepperInstance(
// mapping to decide how to handle messages received from the (untrusted)
// plugin, so an exploited renderer must not be able to insert fake mappings
// that may allow it access to other render processes.
+ DCHECK(instance_data.render_process_id == 0);
+ instance_data.render_process_id = render_process_id_;
if (is_external) {
// We provide the BrowserPpapiHost to the embedder, so it's safe to cast.
BrowserPpapiHostImpl* host = static_cast<BrowserPpapiHostImpl*>(
GetContentClient()->browser()->GetExternalBrowserPpapiHost(
plugin_child_id));
if (host)
- host->AddInstanceForView(pp_instance, render_process_id_, render_view_id);
+ host->AddInstance(pp_instance, instance_data);
} else {
PpapiPluginProcessHost::DidCreateOutOfProcessInstance(
- plugin_child_id, pp_instance, render_process_id_, render_view_id);
+ plugin_child_id, pp_instance, instance_data);
}
}
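Review bot: `document_url` and `plugin_url` inside `instance_data` arrive from the renderer and are stored unchanged by `AddInstance` / `DidCreateOutOfProcessInstance`; only `render_process_id` is replaced with the channel's value. The commit description says the document URL feeds the broker permission check, so a compromised renderer could presumably report a URL of its choosing; consider checking the URLs against what the browser already knows for `render_process_id_` and `render_view_id` before storing them, or at minimum add `// document_url and plugin_url are renderer-supplied and unverified.` next to the overwrite. `DCHECK(instance_data.render_process_id == 0)` also asserts on untrusted IPC input: it is compiled out in release and lets a misbehaving renderer abort a debug browser, so the unconditional assignment on the next line is the real enforcement and the DCHECK could be dropped. The function's signature is in the preceding hunk.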
@@ -742,7 +744,7 @@ void RenderMessageFilter::OnDidDeleteOutOfProcessPepperInstance(
GetContentClient()->browser()->GetExternalBrowserPpapiHost(
plugin_child_id));
if (host)
- host->DeleteInstanceForView(pp_instance);
+ host->DeleteInstance(pp_instance);
} else {
PpapiPluginProcessHost::DidDeleteOutOfProcessInstance(
plugin_child_id, pp_instance);
diff --git a/content/browser/renderer_host/render_message_filter.h b/content/browser/renderer_host/render_message_filter.h
index 2494aa1..fdc933f 100644
--- a/content/browser/renderer_host/render_message_filter.h
+++ b/content/browser/renderer_host/render_message_filter.h
@@ -19,6 +19,7 @@
#include "base/shared_memory.h"
#include "base/string16.h"
#include "build/build_config.h"
+#include "content/common/pepper_renderer_instance_data.h"
#include "content/public/browser/browser_message_filter.h"
#include "content/public/common/three_d_api_types.h"
#include "media/base/channel_layout.h"
@@ -167,10 +168,11 @@ class RenderMessageFilter : public BrowserMessageFilter {
IPC::Message* reply_msg);
void OnOpenChannelToPepperPlugin(const FilePath& path,
IPC::Message* reply_msg);
- void OnDidCreateOutOfProcessPepperInstance(int plugin_child_id,
- int32 pp_instance,
- int render_view_id,
- bool is_external);
+ void OnDidCreateOutOfProcessPepperInstance(
+ int plugin_child_id,
+ int32 pp_instance,
+ PepperRendererInstanceData instance_data,
+ bool is_external);
void OnDidDeleteOutOfProcessPepperInstance(int plugin_child_id,
int32 pp_instance,
bool is_external);
diff --git a/content/common/pepper_renderer_instance_data.cc b/content/common/pepper_renderer_instance_data.cc
new file mode 100644
index 0000000..73b67a7
--- /dev/null
+++ b/content/common/pepper_renderer_instance_data.cc
@@ -0,0 +1,28 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/pepper_renderer_instance_data.h"
+
+namespace content {
+
+PepperRendererInstanceData::PepperRendererInstanceData()
+ : render_process_id(0),
+ render_view_id(0) {
+}
+
+PepperRendererInstanceData::PepperRendererInstanceData(
+ int render_process,
+ int render_view,
+ const GURL& document,
+ const GURL& plugin)
+ : render_process_id(render_process),
+ render_view_id(render_view),
+ document_url(document),
+ plugin_url(plugin) {
+}
+
+PepperRendererInstanceData::~PepperRendererInstanceData() {
+}
+
+} // namespace content
diff --git a/content/common/pepper_renderer_instance_data.h b/content/common/pepper_renderer_instance_data.h
new file mode 100644
index 0000000..b912792
--- /dev/null
+++ b/content/common/pepper_renderer_instance_data.h
@@ -0,0 +1,31 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_COMMON_PEPPER_RENDERER_INSTANCE_DATA_H_
+#define CONTENT_COMMON_PEPPER_RENDERER_INSTANCE_DATA_H_
+
+#include "googleurl/src/gurl.h"
+
+namespace content {
+
+// This struct contains data which is associated with a particular plugin
+// instance and is related to the renderer in which the plugin instance lives.
+// This data is transferred to the browser process from the renderer when the
+// instance is created and is stored in the BrowserPpapiHost.
+struct PepperRendererInstanceData {
+ PepperRendererInstanceData();
+ PepperRendererInstanceData(int render_process,
+ int render_view,
+ const GURL& document,
+ const GURL& plugin);
+ ~PepperRendererInstanceData();
+ int render_process_id;
+ int render_view_id;
+ GURL document_url;
+ GURL plugin_url;
+};
+
+} // namespace content
+
+#endif // CONTENT_COMMON_PEPPER_RENDERER_INSTANCE_DATA_H_
diff --git a/content/common/view_messages.h b/content/common/view_messages.h
index 2727d49..5956f0d 100644
--- a/content/common/view_messages.h
+++ b/content/common/view_messages.h
@@ -12,6 +12,7 @@
#include "content/common/content_param_traits.h"
#include "content/common/edit_command.h"
#include "content/common/navigation_gesture.h"
+#include "content/common/pepper_renderer_instance_data.h"
#include "content/common/view_message_enums.h"
#include "content/port/common/input_event_ack_state.h"
#include "content/public/common/common_param_traits.h"
@@ -327,6 +328,13 @@ IPC_STRUCT_TRAITS_BEGIN(content::FrameNavigateParams)
IPC_STRUCT_TRAITS_MEMBER(socket_address)
IPC_STRUCT_TRAITS_END()
+IPC_STRUCT_TRAITS_BEGIN(content::PepperRendererInstanceData)
+ IPC_STRUCT_TRAITS_MEMBER(render_process_id)
+ IPC_STRUCT_TRAITS_MEMBER(render_view_id)
+ IPC_STRUCT_TRAITS_MEMBER(document_url)
+ IPC_STRUCT_TRAITS_MEMBER(plugin_url)
+IPC_STRUCT_TRAITS_END()
+
IPC_STRUCT_TRAITS_BEGIN(content::RendererPreferences)
IPC_STRUCT_TRAITS_MEMBER(can_accept_load_drops)
IPC_STRUCT_TRAITS_MEMBER(should_antialias_text)
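Review bot: `IPC_STRUCT_TRAITS_MEMBER(render_process_id)` puts a field on the wire that the browser must never accept from the renderer; `OnDidCreateOutOfProcessPepperInstance` overwrites it with `render_process_id_`. Any later handler that receives this struct and forgets that overwrite would end up trusting a renderer-chosen process ID. Consider leaving `render_process_id` out of the traits so it keeps the default constructor's 0 on receipt (assuming the generated Read fills only the listed members), or add a comment here such as `// render_process_id is ignored on receipt; the browser fills it in from the channel.`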
@@ -1953,21 +1961,25 @@ IPC_SYNC_MESSAGE_CONTROL1_2(ViewHostMsg_OpenChannelToPepperPlugin,
int /* plugin_child_id */)
// Notification that a plugin has created a new plugin instance. The parameters
-// indicate the plugin process ID that we're creating the instance for, and the
-// routing ID of the render view that the plugin instance is associated with.
-// This allows us to create a mapping in the browser process for what objects a
-// given PP_Instance is associated with.
+// indicate:
+// -The plugin process ID that we're creating the instance for.
+// -The instance ID of the instance being created.
+// -A PepperRendererInstanceData struct which contains properties from the
+// renderer which are associated with the plugin instance. This includes the
+// routing ID of the associated render view and the URL of plugin.
+// -Whether the plugin we're creating an instance for is external or internal.
//
// This message must be sync even though it returns no parameters to avoid
// a race condition with the plugin process. The plugin process sends messages
// to the browser that assume the browser knows about the instance. We need to
// make sure that the browser actually knows about the instance before we tell
// the plugin to run.
-IPC_SYNC_MESSAGE_CONTROL4_0(ViewHostMsg_DidCreateOutOfProcessPepperInstance,
- int /* plugin_child_id */,
- int32 /* pp_instance */,
- int /* view_routing_id */,
- bool /* is_external */)
+IPC_SYNC_MESSAGE_CONTROL4_0(
+ ViewHostMsg_DidCreateOutOfProcessPepperInstance,
+ int /* plugin_child_id */,
+ int32 /* pp_instance */,
+ content::PepperRendererInstanceData /* creation_data */,
+ bool /* is_external */)
// Notification that a plugin has destroyed an instance. This is the opposite of
// the "DidCreate" message above.
diff --git a/content/content_common.gypi b/content/content_common.gypi
index 3f74f0b..64fc871 100644
--- a/content/content_common.gypi
+++ b/content/content_common.gypi
@@ -321,6 +321,8 @@
'common/pepper_messages.h',
'common/pepper_plugin_registry.cc',
'common/pepper_plugin_registry.h',
+ 'common/pepper_renderer_instance_data.cc',
+ 'common/pepper_renderer_instance_data.h',
'common/plugin_carbon_interpose_constants_mac.cc',
'common/plugin_carbon_interpose_constants_mac.h',
'common/plugin_messages.h',
diff --git a/content/public/browser/browser_ppapi_host.h b/content/public/browser/browser_ppapi_host.h
index f5aa11c..08c5f07 100644
--- a/content/public/browser/browser_ppapi_host.h
+++ b/content/public/browser/browser_ppapi_host.h
@@ -10,6 +10,7 @@
#include "content/common/content_export.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/render_view_host.h"
+#include "googleurl/src/gurl.h"
#include "ppapi/c/pp_instance.h"
namespace IPC {
@@ -72,11 +73,16 @@ class CONTENT_EXPORT BrowserPpapiHost {
virtual bool GetRenderViewIDsForInstance(PP_Instance instance,
int* render_process_id,
int* render_view_id) const = 0;
+
// Returns the name of the plugin.
virtual const std::string& GetPluginName() = 0;
// Returns the user's profile data directory.
virtual const FilePath& GetProfileDataDirectory() = 0;
+
+ // Get the Document/Plugin URLs for the given PP_Instance.
+ virtual GURL GetDocumentURLForInstance(PP_Instance instance) = 0;
+ virtual GURL GetPluginURLForInstance(PP_Instance instance) = 0;
};
} // namespace content
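Review bot: The comment on `GetDocumentURLForInstance` / `GetPluginURLForInstance` does not say what callers get for an unknown instance or where the URLs come from. The implementation in browser_ppapi_host_impl.cc returns an empty `GURL()` when the instance is not registered, and the values are the ones the renderer sent at instance creation, so I would document both: `// Returns an empty GURL if |instance| is unknown. The URLs are reported by the renderer when the instance is created and are not verified by the browser.` Both accessors only read state and could be declared `const`, matching `GetRenderViewIDsForInstance`. The class begins outside this hunk.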
diff --git a/content/renderer/pepper/pepper_plugin_delegate_impl.cc b/content/renderer/pepper/pepper_plugin_delegate_impl.cc
index eba8ee3..8bb4767 100644
--- a/content/renderer/pepper/pepper_plugin_delegate_impl.cc
+++ b/content/renderer/pepper/pepper_plugin_delegate_impl.cc
@@ -73,6 +73,7 @@
#include "ppapi/thunk/ppb_tcp_server_socket_private_api.h"
#include "third_party/WebKit/Source/WebKit/chromium/public/WebCursorInfo.h"
#include "third_party/WebKit/Source/WebKit/chromium/public/WebDocument.h"
+#include "third_party/WebKit/Source/WebKit/chromium/public/WebElement.h"
#include "third_party/WebKit/Source/WebKit/chromium/public/WebFrame.h"
#include "third_party/WebKit/Source/WebKit/chromium/public/WebInputEvent.h"
#include "third_party/WebKit/Source/WebKit/chromium/public/WebPluginContainer.h"
@@ -161,10 +162,16 @@ class HostDispatcherWrapper
// isn't true for browser tag support.
if (host) {
RenderView* render_view = host->GetRenderViewForInstance(instance);
+ webkit::ppapi::PluginInstance* plugin_instance =
+ host->GetPluginInstance(instance);
render_view->Send(new ViewHostMsg_DidCreateOutOfProcessPepperInstance(
plugin_child_id_,
instance,
- render_view->GetRoutingID(),
+ PepperRendererInstanceData(
+ 0, // The render process id will be supplied in the browser.
+ render_view->GetRoutingID(),
+ plugin_instance->container()->element().document().url(),
+ plugin_instance->plugin_url()),
is_external_));
}
}
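Review bot: `plugin_instance` is dereferenced without a null check, and so is `plugin_instance->container()`, in the new `PepperRendererInstanceData(...)` argument list. Whether `host->GetPluginInstance(instance)` or `container()` can return null at this point is not visible in the hunk; if either can, the renderer would crash while building the message. A guard such as `if (plugin_instance && plugin_instance->container())` around the URL lookups, with empty `GURL()` values otherwise, would make the assumption explicit. The enclosing method starts outside the hunk.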