Lukasz Anforowicz authored
Overview
========

Flash has its own CORS-like mechanism (crossdomain.xml-based) and therefore CORB (Cross-Origin Read Blocking) cannot be enforced for requests initiated by Flash.

This CL avoids making an exception for plugins, unless the given renderer process is actually hosting a Flash plugin (and is therefore capable of proxying network requests on behalf of Flash). This means that the exception won't take place unless the user has approved running Flash (via click-to-play / content settings / enterprise policy - see the bug for more details).

Details
=======

This CL introduces a global set that stores process IDs of renderers that host Flash. This set lives either in the NetworkService process or (if NetworkService feature is disabled) in the IO thread of the browser process. In both cases the global set is implemented and exposed by new static methods of network::CrossOriginReadBlocking class.

The CL populates the global set from PluginServiceImpl::FindOrStartPpapiPluginProcess after all the security checks have been done and the plugin process is ready to be used or launched.

The CL consults the global set before deciding to make a CORB exception for a plugin request. This is done from network::URLLoader (used if NetworkService feature is enabled) and from CrossSiteDocumentResourceHandler (used otherwise).

The CL removes items from the global set when RenderProcessHostImpl is destroyed.

Bug: 874515
Cq-Include-Trybots: luci.chromium.try:linux_mojo
Change-Id: I50484807c921a4daea08be8a00c67a3cf9c82cf0
Reviewed-on: https://chromium-review.googlesource.com/1178885
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#585124}
bc4a7725
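
A simplified model of the gating the commit message describes, added here as an illustration and not taken from the Chromium change: the CORB exception is granted only when the request is marked as plugin-initiated and the browser-side set confirms that the renderer process hosts Flash. `FlashHostRegistry`, `Request` and `DecideCorb` are hypothetical names, and the real CORB decision involves more checks than the two booleans used here.

```cpp
#include <cstdio>
#include <set>

// Hypothetical stand-in for the global set of renderer process IDs that host
// Flash. Per the commit message it is populated once the plugin process is
// ready to be used or launched, and cleared when the renderer host is destroyed.
class FlashHostRegistry {
 public:
  void AddProcess(int pid) { pids_.insert(pid); }
  void RemoveProcess(int pid) { pids_.erase(pid); }
  bool Hosts(int pid) const { return pids_.count(pid) != 0; }

 private:
  std::set<int> pids_;
};

// Constructed request model (assumption): only the fields needed for the gate.
struct Request {
  int renderer_process_id;       // known to the browser / network service
  bool claims_plugin_initiator;  // supplied by the renderer, untrusted alone
  bool cross_origin;
  bool corb_protected_type;      // e.g. an HTML, XML or JSON response
};

enum class Decision { kAllow, kBlock };

Decision DecideCorb(const FlashHostRegistry& registry, const Request& r) {
  // CORB only concerns cross-origin reads of protected response types.
  if (!r.cross_origin || !r.corb_protected_type) return Decision::kAllow;
  // The plugin exception requires both the request marker and the
  // browser-side record that this process really hosts Flash.
  if (r.claims_plugin_initiator && registry.Hosts(r.renderer_process_id))
    return Decision::kAllow;
  return Decision::kBlock;
}

int main() {
  FlashHostRegistry registry;
  Request r{7, true, true, true};  // constructed sample request
  std::printf("before Flash approval: %s\n",
              DecideCorb(registry, r) == Decision::kAllow ? "allow" : "block");
  registry.AddProcess(7);  // user approved Flash, plugin process ready
  std::printf("while hosting Flash:   %s\n",
              DecideCorb(registry, r) == Decision::kAllow ? "allow" : "block");
  registry.RemoveProcess(7);  // renderer process host destroyed
  std::printf("after teardown:        %s\n",
              DecideCorb(registry, r) == Decision::kAllow ? "allow" : "block");
  return 0;
}
```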