Disallow redirects to blob: URLs

Blob URLs are ephemeral, so it doesn't make much sense to allow redirecting to them. See comments on crrev.com/c/1277785 for more info. Change-Id: Iae31dc04f1ad4042d2b6861e05ca53699a3a31a6 Reviewed-on: https://chromium-review.googlesource.com/c/1278132Reviewed-by: Daniel Murphy <dmurph@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Commit-Queue: Clark DuVall <cduvall@chromium.org> Cr-Commit-Position: refs/heads/master@{#600454}

Disallow redirects to blob: URLs
Blob URLs are ephemeral, so it doesn't make much sense to allow redirecting to them. See comments on crrev.com/c/1277785 for more info. Change-Id: Iae31dc04f1ad4042d2b6861e05ca53699a3a31a6 Reviewed-on: https://chromium-review.googlesource.com/c/1278132Reviewed-by: Daniel Murphy <dmurph@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Commit-Queue: Clark DuVall <cduvall@chromium.org> Cr-Commit-Position: refs/heads/master@{#600454}
0f9781be · Clark DuVall · Commit Bot · 6896c8a2 · 0f9781be · 0f9781be
Commit 0f9781be authored Oct 17, 2018 by Clark DuVall Committed by Commit Bot Oct 17, 2018
4 changed files
--- a/content/public/common/url_utils.cc
+++ b/content/public/common/url_utils.cc
@@ -115,7 +115,7 @@ bool IsSafeRedirectTarget(const GURL& from_url, const GURL& to_url) {
  static base::NoDestructor<std::set<std::string>> kUnsafeSchemes(
      std::set<std::string>({
        url::kAboutScheme, url::kDataScheme, url::kFileScheme,
-            url::kFileSystemScheme,
+            url::kFileSystemScheme, url::kBlobScheme,
 #if defined(OS_ANDROID)
            url::kContentScheme,
 #endif

--- a/content/public/common/url_utils_unittest.cc
+++ b/content/public/common/url_utils_unittest.cc
@@ -43,6 +43,8 @@ TEST(UrlUtilsTest, IsSafeRedirectTarget) {
      GURL(), CreateValidURL("filesystem:http://foo.com/bar")));
  EXPECT_FALSE(
      IsSafeRedirectTarget(GURL(), CreateValidURL("data:text/plain,foo")));
+  EXPECT_FALSE(
+      IsSafeRedirectTarget(GURL(), CreateValidURL("blob:https://foo.com/bar")));
 #if defined(OS_ANDROID)
  EXPECT_FALSE(
      IsSafeRedirectTarget(GURL(), CreateValidURL("content://foo.bar")));

--- a/storage/browser/blob/blob_url_request_job_factory.cc
+++ b/storage/browser/blob/blob_url_request_job_factory.cc
@@ -89,6 +89,10 @@ net::URLRequestJob* BlobProtocolHandler::MaybeCreateJob(
                                        LookupBlobHandle(request));
 }
+bool BlobProtocolHandler::IsSafeRedirectTarget(const GURL& location) const {
+  return false;
+}
 BlobDataHandle* BlobProtocolHandler::LookupBlobHandle(
    net::URLRequest* request) const {
  BlobDataHandle* blob_data_handle = GetRequestBlobDataHandle(request);

--- a/storage/browser/blob/blob_url_request_job_factory.h
+++ b/storage/browser/blob/blob_url_request_job_factory.h
@@ -44,9 +44,11 @@ class STORAGE_EXPORT BlobProtocolHandler
  explicit BlobProtocolHandler(BlobStorageContext* context);
  ~BlobProtocolHandler() override;
+  // net::URLRequestJobFactory::ProtocolHandler implementation:
  net::URLRequestJob* MaybeCreateJob(
      net::URLRequest* request,
      net::NetworkDelegate* network_delegate) const override;
+  bool IsSafeRedirectTarget(const GURL& location) const override;
 private:
  BlobDataHandle* LookupBlobHandle(net::URLRequest* request) const;