diff options
| author | jww <jww@chromium.org> | 2015-08-20 18:05:47 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2015-08-21 01:06:18 +0000 |
| commit | 8440052c7882f61cfde793f687e72717c85e0d8f (patch) | |
| tree | 05acae389199afddda69bf87918d5f3a0502aeb8 /extensions/renderer | |
| parent | 3538199987e27b6bf98e8e15421d5f8f8722ab3d (diff) | |
| download | chromium_src-8440052c7882f61cfde793f687e72717c85e0d8f.zip chromium_src-8440052c7882f61cfde793f687e72717c85e0d8f.tar.gz chromium_src-8440052c7882f61cfde793f687e72717c85e0d8f.tar.bz2 | |
Setup for moving getUserMedia to secure origins only
This makes two notable changes:
* Removes the browser tests that verify that the getUserMedia
permission is not "sticky" on insecure origins.
* Moves the addition of the chrome-extension: and
chrome-extension-resource: schemes to extensions::Dispatcher.
The former is necessary because once getUserMedia is removed from
insecure origins, the browser test will (correctly) fail. Thus this is
part of a two sided patch.
The later is necessary because extension browser tests that use
getUserMedia will start failing once the change is made, because the
tests use ShellContentRendererClient, which doesn't currently treat
chrome-extension: schemes as secure, so getUserMedia will be disallowed
by the renderer. By marking the scheme as secure in
extensions::Dispatcher instead of in
ChromeContentRendererClient::RenderThreadStarted, the schemes will be
marked as secure in ShellContentRendererClient as well, so getUserMedia
will be allowed in the browser tests.
BUG=520765
Review URL: https://codereview.chromium.org/1301653005
Cr-Commit-Position: refs/heads/master@{#344635}
Diffstat (limited to 'extensions/renderer')
| -rw-r--r-- | extensions/renderer/dispatcher.cc | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/extensions/renderer/dispatcher.cc b/extensions/renderer/dispatcher.cc index abf92a9..ed64dfd 100644 --- a/extensions/renderer/dispatcher.cc +++ b/extensions/renderer/dispatcher.cc @@ -210,6 +210,30 @@ Dispatcher::Dispatcher(DispatcherDelegate* delegate) user_script_set_manager_observer_.Add(user_script_set_manager_.get()); request_sender_.reset(new RequestSender(this)); PopulateSourceMap(); + + // chrome-extensions: and chrome-extensions-resource: schemes should be + // treated as secure because communication with them is entirely in the + // browser, so there is no danger of manipulation or eavesdropping on + // communication with them by third parties. + WebString extension_scheme(base::ASCIIToUTF16(kExtensionScheme)); + blink::WebSecurityPolicy::registerURLSchemeAsSecure(extension_scheme); + + WebString extension_resource_scheme(base::ASCIIToUTF16( + kExtensionResourceScheme)); + blink::WebSecurityPolicy::registerURLSchemeAsSecure( + extension_resource_scheme); + + // chrome-extension: and chrome-extension-resource: resources should be + // allowed to receive CORS requests. + WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_scheme); + WebSecurityPolicy::registerURLSchemeAsCORSEnabled(extension_resource_scheme); + + // chrome-extension: resources should bypass Content Security Policy checks + // when included in protected resources. + WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy( + extension_scheme); + WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy( + extension_resource_scheme); } Dispatcher::~Dispatcher() { |