commit 2a8ba8c4c186e5ea0a2ed938cc5d41441af64228
author nick <nick@chromium.org> Mon Oct 03 18:51:39 2016
committer Commit bot <commit-bot@chromium.org> Mon Oct 03 18:56:22 2016
tree 140c0bff214a3a192c973a9ec5310075a1509e1a
parent adef34433885f28130900a686c15f0d4ab99ba9a

Update ChildProcessSecurityPolicy so that the chrome-extension:// scheme
is considered "web safe" to be requestable from any process, but only
"web safe" to commit in extension processes.

In ChildProcessSecurityPolicy::CanRequestURL and CanCommitURL, when
seeing blob and filesystem urls, make a security decision based
on the inner origin rather than the scheme.

When the extensions ProcessManager (via ExtensionWebContentsObserver) notices a
RenderFrame being created in an extension SiteInstance, grant that process
permission to commit chrome-extension:// URLs.

In BlobDispatcherHost, only allow creation of blob URLs from processes that
would be able to commit them.

Add a security exploit browsertest that verifies the above mechanisms working
together.

BUG=644966

Committed: https://crrev.com/a411fd062bc68fc2b5fc3aca7e4cbb8e4a3e074e
Review-Url: https://codereview.chromium.org/2364633004
Cr-Original-Commit-Position: refs/heads/master@{#421964}
Cr-Commit-Position: refs/heads/master@{#422474}

chrome/browser/browser_process_impl.cc

diff --git a/chrome/browser/browser_process_impl.cc b/chrome/browser/browser_process_impl.cc
index 5a32e520..a8e47f1 100644
--- a/chrome/browser/browser_process_impl.cc
+++ b/chrome/browser/browser_process_impl.cc
@@ -78,6 +78,7 @@
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/extensions/chrome_extensions_client.h"
+#include "chrome/common/extensions/extension_process_policy.h"
 #include "chrome/common/features.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/common/switch_utils.h"
@@ -220,10 +221,22 @@
       net_log_path, GetNetCaptureModeFromCommandLine(command_line),
       command_line.GetCommandLineString(), chrome::GetChannelString()));
 
-  ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
-      extensions::kExtensionScheme);
-  ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
-      extensions::kExtensionResourceScheme);
+#if defined(ENABLE_EXTENSIONS)
+  if (extensions::IsIsolateExtensionsEnabled()) {
+    // chrome-extension:// URLs are safe to request anywhere, but may only
+    // commit (including in iframes) in extension processes.
+    ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeIsolatedScheme(
+        extensions::kExtensionScheme, true);
+    // TODO(nick): Kill off kExtensionResourceScheme.
+    ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeIsolatedScheme(
+        extensions::kExtensionResourceScheme, false);
+  } else {
+    ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
+        extensions::kExtensionScheme);
+    ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
+        extensions::kExtensionResourceScheme);
+  }
+#endif
   ChildProcessSecurityPolicy::GetInstance()->RegisterWebSafeScheme(
       chrome::kChromeSearchScheme);