Blink: Plumb correct security origin for isolated world CSPs.

https://chromium-review.googlesource.com/c/chromium/src/+/1395190
This commit is contained in:
deepak1556 2019-01-22 02:15:15 +05:30
parent 2c282203b5
commit 606c84b302
3 changed files with 23 additions and 45 deletions

View file

@ -22,6 +22,7 @@
#include "native_mate/dictionary.h"
#include "native_mate/object_template_builder.h"
#include "third_party/blink/public/platform/web_cache.h"
#include "third_party/blink/public/platform/web_isolated_world_info.h"
#include "third_party/blink/public/web/web_custom_element.h"
#include "third_party/blink/public/web/web_document.h"
#include "third_party/blink/public/web/web_element.h"
@ -377,46 +378,27 @@ void ExecuteJavaScriptInIsolatedWorld(
scriptExecutionType, callback.release());
}
void SetIsolatedWorldSecurityOrigin(v8::Local<v8::Value> window,
int world_id,
const std::string& origin_url) {
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldSecurityOrigin(
world_id, blink::WebSecurityOrigin::CreateFromString(
blink::WebString::FromUTF8(origin_url)));
}
void SetIsolatedWorldContentSecurityPolicy(v8::Local<v8::Value> window,
int world_id,
const std::string& security_policy) {
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldContentSecurityPolicy(
world_id, blink::WebString::FromUTF8(security_policy));
}
void SetIsolatedWorldHumanReadableName(v8::Local<v8::Value> window,
int world_id,
const std::string& name) {
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldHumanReadableName(
world_id, blink::WebString::FromUTF8(name));
}
void SetIsolatedWorldInfo(v8::Local<v8::Value> window,
int world_id,
const mate::Dictionary& options,
mate::Arguments* args) {
std::string origin, csp, name;
options.Get("securityOrigin", &origin);
options.Get("csp", &csp);
std::string origin_url, security_policy, name;
options.Get("securityOrigin", &origin_url);
options.Get("csp", &security_policy);
options.Get("name", &name);
if (!csp.empty() && origin.empty()) {
if (!security_policy.empty() && origin_url.empty()) {
args->ThrowError(
"If csp is specified, securityOrigin should also be specified");
return;
}
SetIsolatedWorldSecurityOrigin(window, world_id, origin);
SetIsolatedWorldContentSecurityPolicy(window, world_id, csp);
SetIsolatedWorldHumanReadableName(window, world_id, name);
blink::WebIsolatedWorldInfo info;
info.security_origin = blink::WebSecurityOrigin::CreateFromString(
blink::WebString::FromUTF8(origin_url));
info.content_security_policy = blink::WebString::FromUTF8(security_policy);
info.human_readable_name = blink::WebString::FromUTF8(name);
GetRenderFrame(window)->GetWebFrame()->SetIsolatedWorldInfo(world_id, info);
}
blink::WebCache::ResourceTypeStats GetResourceUsage(v8::Isolate* isolate) {
@ -550,12 +532,6 @@ void Initialize(v8::Local<v8::Object> exports,
dict.SetMethod("executeJavaScript", &ExecuteJavaScript);
dict.SetMethod("executeJavaScriptInIsolatedWorld",
&ExecuteJavaScriptInIsolatedWorld);
dict.SetMethod("_setIsolatedWorldSecurityOrigin",
&SetIsolatedWorldSecurityOrigin);
dict.SetMethod("_setIsolatedWorldContentSecurityPolicy",
&SetIsolatedWorldContentSecurityPolicy);
dict.SetMethod("_setIsolatedWorldHumanReadableName",
&SetIsolatedWorldHumanReadableName);
dict.SetMethod("setIsolatedWorldInfo", &SetIsolatedWorldInfo);
dict.SetMethod("getResourceUsage", &GetResourceUsage);
dict.SetMethod("clearCache", &ClearCache);

View file

@ -21,6 +21,7 @@
#include "native_mate/dictionary.h"
#include "net/base/net_module.h"
#include "net/grit/net_resources.h"
#include "third_party/blink/public/platform/web_isolated_world_info.h"
#include "third_party/blink/public/web/blink.h"
#include "third_party/blink/public/web/web_document.h"
#include "third_party/blink/public/web/web_draggable_region.h"
@ -131,16 +132,14 @@ void AtomRenderFrameObserver::OnDestruct() {
void AtomRenderFrameObserver::CreateIsolatedWorldContext() {
auto* frame = render_frame_->GetWebFrame();
blink::WebIsolatedWorldInfo info;
// This maps to the name shown in the context combo box in the Console tab
// of the dev tools.
frame->SetIsolatedWorldHumanReadableName(
World::ISOLATED_WORLD,
blink::WebString::FromUTF8("Electron Isolated Context"));
info.human_readable_name =
blink::WebString::FromUTF8("Electron Isolated Context");
// Setup document's origin policy in isolated world
frame->SetIsolatedWorldSecurityOrigin(
World::ISOLATED_WORLD, frame->GetDocument().GetSecurityOrigin());
info.security_origin = frame->GetDocument().GetSecurityOrigin();
frame->SetIsolatedWorldInfo(World::ISOLATED_WORLD, info);
// Create initial script context in isolated world
blink::WebScriptSource source("void 0");

View file

@ -53,17 +53,20 @@ class WebFrame extends EventEmitter {
// TODO(nitsakh): Remove in 6.0
setIsolatedWorldSecurityOrigin (worldId, securityOrigin) {
deprecate.warn('webFrame.setIsolatedWorldSecurityOrigin', 'webFrame.setIsolatedWorldInfo')
binding._setIsolatedWorldSecurityOrigin(this.context, worldId, securityOrigin)
binding.setIsolatedWorldInfo(this.context, worldId, { securityOrigin })
}
setIsolatedWorldContentSecurityPolicy (worldId, csp) {
deprecate.warn('webFrame.setIsolatedWorldContentSecurityPolicy', 'webFrame.setIsolatedWorldInfo')
binding._setIsolatedWorldContentSecurityPolicy(this.context, worldId, csp)
binding.setIsolatedWorldInfo(this.context, worldId, {
securityOrigin: window.location.origin,
csp
})
}
setIsolatedWorldHumanReadableName (worldId, name) {
deprecate.warn('webFrame.setIsolatedWorldHumanReadableName', 'webFrame.setIsolatedWorldInfo')
binding._setIsolatedWorldHumanReadableName(this.context, worldId, name)
binding.setIsolatedWorldInfo(this.context, worldId, { name })
}
}