diff options
author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-03-11 11:32:04 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2020-03-18 13:40:17 +0000 |
commit | 31ccca0778db85c159634478b4ec7997f6704860 (patch) | |
tree | 3d33fc3afd9d5ec95541e1bbe074a9cf8da12a0e /chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc | |
parent | 248b70b82a40964d5594eb04feca0fa36716185d (diff) | |
download | qtwebengine-chromium-31ccca0778db85c159634478b4ec7997f6704860.tar.gz |
BASELINE: Update Chromium to 80.0.3987.136
Change-Id: I98e1649aafae85ba3a83e67af00bb27ef301db7b
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Diffstat (limited to 'chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc')
-rw-r--r-- | chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc | 48 |
1 files changed, 21 insertions, 27 deletions
diff --git a/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc b/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc index 922fbdee70a..e71853c7d3c 100644 --- a/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc +++ b/chromium/third_party/blink/renderer/platform/weborigin/security_origin.cc @@ -35,13 +35,14 @@ #include <utility> #include "net/base/url_util.h" +#include "third_party/blink/renderer/platform/blob/blob_url.h" +#include "third_party/blink/renderer/platform/blob/blob_url_null_origin_map.h" #include "third_party/blink/renderer/platform/runtime_enabled_features.h" #include "third_party/blink/renderer/platform/weborigin/known_ports.h" #include "third_party/blink/renderer/platform/weborigin/kurl.h" #include "third_party/blink/renderer/platform/weborigin/origin_access_entry.h" #include "third_party/blink/renderer/platform/weborigin/scheme_registry.h" #include "third_party/blink/renderer/platform/weborigin/security_policy.h" -#include "third_party/blink/renderer/platform/weborigin/url_security_origin_map.h" #include "third_party/blink/renderer/platform/wtf/std_lib_extras.h" #include "third_party/blink/renderer/platform/wtf/text/string_builder.h" #include "third_party/blink/renderer/platform/wtf/text/string_utf8_adaptor.h" @@ -63,15 +64,6 @@ const String& EnsureNonNull(const String& string) { } // namespace -static URLSecurityOriginMap* g_blob_url_null_origin_map = nullptr; - -static SecurityOrigin* GetNullOriginFromBlobURL(const KURL& blob_url) { - DCHECK(blob_url.ProtocolIs("blob")); - if (g_blob_url_null_origin_map) - return g_blob_url_null_origin_map->GetOrigin(blob_url); - return nullptr; -} - bool SecurityOrigin::ShouldUseInnerURL(const KURL& url) { // FIXME: Blob URLs don't have inner URLs. Their form is // "blob:<inner-origin>/<UUID>", so treating the part after "blob:" as a URL @@ -94,12 +86,6 @@ KURL SecurityOrigin::ExtractInnerURL(const KURL& url) { return KURL(url.GetPath()); } -void SecurityOrigin::SetBlobURLNullOriginMap( - URLSecurityOriginMap* blob_url_null_origin_map) { - DCHECK(!g_blob_url_null_origin_map); - g_blob_url_null_origin_map = blob_url_null_origin_map; -} - static bool ShouldTreatAsOpaqueOrigin(const KURL& url) { if (!url.IsValid()) return true; @@ -205,8 +191,9 @@ SecurityOrigin::SecurityOrigin(const SecurityOrigin* other, scoped_refptr<SecurityOrigin> SecurityOrigin::CreateWithReferenceOrigin( const KURL& url, const SecurityOrigin* reference_origin) { - if (url.ProtocolIs("blob")) { - if (scoped_refptr<SecurityOrigin> origin = GetNullOriginFromBlobURL(url)) + if (url.ProtocolIs("blob") && BlobURL::GetOrigin(url) == "null") { + if (scoped_refptr<SecurityOrigin> origin = + BlobURLNullOriginMap::GetInstance()->Get(url)) return origin; } @@ -419,9 +406,16 @@ bool SecurityOrigin::CanRequest(const KURL& url) const { if (SerializesAsNull()) { // Allow the request if the URL is blob and it has the same "null" origin // with |this|. - // TODO(nhiroki): Probably we should check the equality by - // SecurityOrigin::IsSameSchemeHostPort(). - if (url.ProtocolIs("blob") && GetNullOriginFromBlobURL(url) == this) + if (!url.ProtocolIs("blob") || BlobURL::GetOrigin(url) != "null") + return false; + if (BlobURLNullOriginMap::GetInstance()->Get(url) == this) + return true; + // BlobURLNullOriginMap doesn't work for cross-thread blob URL loading + // (e.g., top-level worker script loading) because SecurityOrigin and + // BlobURLNullOriginMap are thread-specific. For the case, check + // BlobURLOpaqueOriginNonceMap. + base::Optional<base::UnguessableToken> nonce = GetNonceForSerialization(); + if (nonce && BlobURLOpaqueOriginNonceMap::GetInstance().Get(url) == nonce) return true; return false; } @@ -432,9 +426,9 @@ bool SecurityOrigin::CanRequest(const KURL& url) const { if (target_origin->IsOpaque()) return false; - // We call isSameSchemeHostPort here instead of canAccess because we want - // to ignore document.domain effects. - if (IsSameSchemeHostPort(target_origin.get())) + // We call IsSameOriginWith here instead of canAccess because we want to + // ignore `document.domain` effects. + if (IsSameOriginWith(target_origin.get())) return true; if (SecurityPolicy::IsOriginAccessAllowed(this, target_origin.get())) @@ -603,7 +597,7 @@ scoped_refptr<SecurityOrigin> SecurityOrigin::Create(const String& protocol, return Create(KURL(NullURL(), protocol + "://" + host + port_part + "/")); } -bool SecurityOrigin::IsSameSchemeHostPort(const SecurityOrigin* other) const { +bool SecurityOrigin::IsSameOriginWith(const SecurityOrigin* other) const { // This is needed to ensure a local origin considered to have the same scheme, // host, and port to itself. // TODO(tzik): Make the local origin unique but not opaque, and remove this @@ -629,10 +623,10 @@ bool SecurityOrigin::IsSameSchemeHostPort(const SecurityOrigin* other) const { return true; } -bool SecurityOrigin::AreSameSchemeHostPort(const KURL& a, const KURL& b) { +bool SecurityOrigin::AreSameOrigin(const KURL& a, const KURL& b) { scoped_refptr<const SecurityOrigin> origin_a = SecurityOrigin::Create(a); scoped_refptr<const SecurityOrigin> origin_b = SecurityOrigin::Create(b); - return origin_b->IsSameSchemeHostPort(origin_a.get()); + return origin_b->IsSameOriginWith(origin_a.get()); } const KURL& SecurityOrigin::UrlWithUniqueOpaqueOrigin() { |