Diffstat (limited to 'chrome')
4 files changed, 23 insertions, 3 deletions
diff --git a/chrome/browser/notifications/balloon_host.cc b/chrome/browser/notifications/balloon_host.cc
index 05d7301..9c81d20 100644
--- a/chrome/browser/notifications/balloon_host.cc
+++ b/chrome/browser/notifications/balloon_host.cc
@@ -166,3 +166,14 @@ void BalloonHost::NotifyDisconnect() {
 bool BalloonHost::IsRenderViewReady() const {
 return should_notify_on_disconnect_;
 }
+
+bool BalloonHost::CanLoadDataURLsInWebUI() const {
+#if defined(OS_CHROMEOS)
+ // Chrome OS uses data URLs in WebUI BalloonHosts. We normally do not allow
+ // data URLs in WebUI renderers, but normal pages cannot target BalloonHosts,
+ // so this should be safe.
+ return true;
+#else
+ return false;
+#endif
+}
diff --git a/chrome/browser/notifications/balloon_host.h b/chrome/browser/notifications/balloon_host.h
index 00b1565..4fbb170 100644
--- a/chrome/browser/notifications/balloon_host.h
+++ b/chrome/browser/notifications/balloon_host.h
@@ -50,6 +50,9 @@ class BalloonHost : public content::WebContentsDelegate,
 // Returns whether the associated render view is ready. Used only for testing.
 bool IsRenderViewReady() const;
+ // content::WebContentsDelegate implementation:
+ virtual bool CanLoadDataURLsInWebUI() const OVERRIDE;
+
 protected:
 virtual ~BalloonHost();
diff --git a/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc b/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
index ca12157..e2d49751 100644
--- a/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
+++ b/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
@@ -394,7 +394,8 @@ bool ChromeWebUIControllerFactory::UseWebUIBindingsForURL(
 bool ChromeWebUIControllerFactory::IsURLAcceptableForWebUI(
 content::BrowserContext* browser_context,
- const GURL& url) const {
+ const GURL& url,
+ bool data_urls_allowed) const {
 return UseWebUIForURL(browser_context, url) ||
 // javacsript: URLs are allowed to run in Web UI pages
 url.SchemeIs(chrome::kJavaScriptScheme) ||
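Review bot: `CanLoadDataURLsInWebUI()` in balloon_host.cc returns `true` for every BalloonHost in a Chrome OS build, so the exemption is per-platform rather than per-balloon. The comment's safety argument covers only who can navigate a balloon; it says nothing about who composed the data URL the balloon loads. If any balloon can show content that originates from a web page's notification (not visible in this hunk), that content would be accepted into a WebUI renderer. I would gate the return value on the host's own WebUI-enabled state, if it tracks one, and state the invariant in the comment, e.g. `// Only balloons whose contents are generated by the browser itself may rely on this.`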
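Review bot: The new `bool data_urls_allowed` parameter of `IsURLAcceptableForWebUI` in chrome_web_ui_controller_factory.cc is an undocumented bare flag, both here and on the declaration in chrome_web_ui_controller_factory.h (last hunk), so a call site ending in `, true)` gives no hint that it relaxes a security check. I would add a comment on the declaration such as `// |data_urls_allowed| must be the target contents' WebContentsDelegate::CanLoadDataURLsInWebUI() result, never renderer-supplied state.` The call sites are outside this diff (the diffstat is limited to 'chrome'), so whether each one passes the delegate's answer cannot be confirmed from here. The function body continues in the next hunk.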
@@ -405,7 +406,11 @@ bool ChromeWebUIControllerFactory::IsURLAcceptableForWebUI(
 url == GURL(chrome::kChromeUICrashURL) ||
 url == GURL(chrome::kChromeUIKillURL) ||
 url == GURL(chrome::kChromeUIHangURL) ||
- url == GURL(chrome::kChromeUIShorthangURL);
+ url == GURL(chrome::kChromeUIShorthangURL) ||
+ // Data URLs are usually not allowed in WebUI for security reasons.
+ // BalloonHosts are one exception needed by ChromeOS, and are safe because
+ // they cannot be scripted by other pages.
+ (data_urls_allowed && url.SchemeIs(chrome::kDataScheme));
 }
 WebUIController* ChromeWebUIControllerFactory::CreateWebUIControllerForURL(
diff --git a/chrome/browser/ui/webui/chrome_web_ui_controller_factory.h b/chrome/browser/ui/webui/chrome_web_ui_controller_factory.h
index e8891e42..1632bef 100644
--- a/chrome/browser/ui/webui/chrome_web_ui_controller_factory.h
+++ b/chrome/browser/ui/webui/chrome_web_ui_controller_factory.h
@@ -25,7 +25,8 @@ class ChromeWebUIControllerFactory : public content::WebUIControllerFactory {
 virtual bool UseWebUIBindingsForURL(content::BrowserContext* browser_context,
 const GURL& url) const OVERRIDE;
 virtual bool IsURLAcceptableForWebUI(content::BrowserContext* browser_context,
- const GURL& url) const OVERRIDE;
+ const GURL& url,
+ bool data_urls_allowed) const OVERRIDE;
 virtual content::WebUIController* CreateWebUIControllerForURL(
 content::WebUI* web_ui,
 const GURL& url) const OVERRIDE; |
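Review bot: The added clause `(data_urls_allowed && url.SchemeIs(chrome::kDataScheme))` in `IsURLAcceptableForWebUI` accepts any data: URL once the flag is set, with no restriction on MIME type or on where the URL was built, so the whole safeguard rests on the caller passing the right flag. The in-code comment gives the BalloonHost rationale but does not say that this function trusts its caller. I would extend it with a line such as `// Callers must derive |data_urls_allowed| from the WebContentsDelegate; this function does not verify the host type.` A test asserting that a data: URL is rejected when the flag is false would pin the default, and none is visible in this diff, though the diffstat is limited to 'chrome'. The function starts in the previous hunk.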