Allow CrossSiteDocumentClassifier to operate on Origins

BUG=348655 Review-Url: https://codereview.chromium.org/2568133007 Cr-Commit-Position: refs/heads/master@{#441874}

Allow CrossSiteDocumentClassifier to operate on Origins
BUG=348655 Review-Url: https://codereview.chromium.org/2568133007 Cr-Commit-Position: refs/heads/master@{#441874}
3b8662f8 · csharrison · Commit bot · 90a3ce3d · 3b8662f8 · 3b8662f8
Commit 3b8662f8 authored Jan 05, 2017 by csharrison Committed by Commit bot Jan 06, 2017
7 changed files
--- a/content/child/site_isolation_stats_gatherer.cc
+++ b/content/child/site_isolation_stats_gatherer.cc
@@ -126,8 +126,7 @@ SiteIsolationStatsGatherer::OnReceivedResponse(

  // TODO(csharrison): Add a path for IsSameSite/IsValidCorsHeaderSet to take an
  // Origin.
-  GURL frame_origin_url = frame_origin.GetURL();
-  if (CrossSiteDocumentClassifier::IsSameSite(frame_origin_url, response_url))
+  if (CrossSiteDocumentClassifier::IsSameSite(frame_origin, response_url))
    return nullptr;

  CrossSiteDocumentMimeType canonical_mime_type =
@@ -146,8 +145,9 @@ SiteIsolationStatsGatherer::OnReceivedResponse(
  info.headers->EnumerateHeader(NULL, "access-control-allow-origin",
                                &access_control_origin);
  if (CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-          frame_origin_url, response_url, access_control_origin))
+          frame_origin, response_url, access_control_origin)) {
    return nullptr;
+  }

  // Real XSD data collection starts from here.
  std::string no_sniff;
@@ -155,7 +155,6 @@ SiteIsolationStatsGatherer::OnReceivedResponse(

  std::unique_ptr<SiteIsolationResponseMetaData> resp_data(
      new SiteIsolationResponseMetaData);
-  resp_data->frame_origin = frame_origin_url.spec();
  resp_data->response_url = response_url;
  resp_data->resource_type = resource_type;
  resp_data->canonical_mime_type = canonical_mime_type;

--- a/content/child/site_isolation_stats_gatherer.h
+++ b/content/child/site_isolation_stats_gatherer.h
@@ -54,7 +54,6 @@ struct ResourceResponseInfo;
 struct SiteIsolationResponseMetaData {
  SiteIsolationResponseMetaData();

-  std::string frame_origin;
  GURL response_url;
  ResourceType resource_type;
  CrossSiteDocumentMimeType canonical_mime_type;

--- a/content/common/cross_site_document_classifier.cc
+++ b/content/common/cross_site_document_classifier.cc
@@ -82,9 +82,9 @@ bool CrossSiteDocumentClassifier::IsBlockableScheme(const GURL& url) {
  return url.SchemeIs(url::kHttpScheme) || url.SchemeIs(url::kHttpsScheme);
 }

-bool CrossSiteDocumentClassifier::IsSameSite(const GURL& frame_origin,
+bool CrossSiteDocumentClassifier::IsSameSite(const url::Origin& frame_origin,
                                             const GURL& response_url) {
-  if (!frame_origin.is_valid() || !response_url.is_valid())
+  if (frame_origin.unique() || !response_url.is_valid())
    return false;

  if (frame_origin.scheme() != response_url.scheme())
@@ -93,7 +93,7 @@ bool CrossSiteDocumentClassifier::IsSameSite(const GURL& frame_origin,
  // SameDomainOrHost() extracts the effective domains (public suffix plus one)
  // from the two URLs and compare them.
  return net::registry_controlled_domains::SameDomainOrHost(
-      frame_origin, response_url,
+      response_url, frame_origin,
      net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
 }

@@ -102,7 +102,7 @@ bool CrossSiteDocumentClassifier::IsSameSite(const GURL& frame_origin,
 // when frame is sub.a.com and it is not allowed to access a document
 // with sub1.a.com. But under Site Isolation, it's allowed.
 bool CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-    const GURL& frame_origin,
+    const url::Origin& frame_origin,
    const GURL& website_origin,
    const std::string& access_control_origin) {
  // Many websites are sending back "\"*\"" instead of "*". This is

--- a/content/common/cross_site_document_classifier.h
+++ b/content/common/cross_site_document_classifier.h
@@ -9,6 +9,7 @@
 #include "base/strings/string_piece.h"
 #include "content/common/content_export.h"
 #include "url/gurl.h"
+#include "url/origin.h"

 namespace content {

@@ -40,7 +41,8 @@ class CONTENT_EXPORT CrossSiteDocumentClassifier {
  static bool IsBlockableScheme(const GURL& frame_origin);

  // Returns whether the two urls belong to the same sites.
-  static bool IsSameSite(const GURL& frame_origin, const GURL& response_url);
+  static bool IsSameSite(const url::Origin& frame_origin,
+                         const GURL& response_url);

  // Returns whether there's a valid CORS header for frame_origin.  This is
  // simliar to CrossOriginAccessControl::passesAccessControlCheck(), but we use
@@ -50,7 +52,7 @@ class CONTENT_EXPORT CrossSiteDocumentClassifier {
  // not allowed by actual CORS rules by ignoring 1) credentials and 2)
  // methods. Preflight requests don't matter here since they are not used to
  // decide whether to block a document or not on the client side.
-  static bool IsValidCorsHeaderSet(const GURL& frame_origin,
+  static bool IsValidCorsHeaderSet(const url::Origin& frame_origin,
                                   const GURL& website_origin,
                                   const std::string& access_control_origin);


--- a/content/common/cross_site_document_classifier_unittest.cc
+++ b/content/common/cross_site_document_classifier_unittest.cc
@@ -30,40 +30,47 @@ TEST(CrossSiteDocumentClassifierTest, IsSameSite) {
  GURL a_com_url0("https://mock1.a.com:8080/page1.html");
  GURL a_com_url1("https://mock2.a.com:9090/page2.html");
  GURL a_com_url2("https://a.com/page3.html");
-  EXPECT_TRUE(CrossSiteDocumentClassifier::IsSameSite(a_com_url0, a_com_url1));
-  EXPECT_TRUE(CrossSiteDocumentClassifier::IsSameSite(a_com_url1, a_com_url2));
-  EXPECT_TRUE(CrossSiteDocumentClassifier::IsSameSite(a_com_url2, a_com_url0));
+  url::Origin a_com_origin0(a_com_url0);
+  EXPECT_TRUE(
+      CrossSiteDocumentClassifier::IsSameSite(a_com_origin0, a_com_url1));
+  EXPECT_TRUE(CrossSiteDocumentClassifier::IsSameSite(url::Origin(a_com_url1),
+                                                      a_com_url2));
+  EXPECT_TRUE(CrossSiteDocumentClassifier::IsSameSite(url::Origin(a_com_url2),
+                                                      a_com_url0));

  GURL b_com_url0("https://mock1.b.com/index.html");
-  EXPECT_FALSE(CrossSiteDocumentClassifier::IsSameSite(a_com_url0, b_com_url0));
+  EXPECT_FALSE(
+      CrossSiteDocumentClassifier::IsSameSite(a_com_origin0, b_com_url0));

  GURL about_blank_url("about:blank");
  EXPECT_FALSE(
-      CrossSiteDocumentClassifier::IsSameSite(a_com_url0, about_blank_url));
+      CrossSiteDocumentClassifier::IsSameSite(a_com_origin0, about_blank_url));

  GURL chrome_url("chrome://extension");
-  EXPECT_FALSE(CrossSiteDocumentClassifier::IsSameSite(a_com_url0, chrome_url));
+  EXPECT_FALSE(
+      CrossSiteDocumentClassifier::IsSameSite(a_com_origin0, chrome_url));

  GURL empty_url("");
-  EXPECT_FALSE(CrossSiteDocumentClassifier::IsSameSite(a_com_url0, empty_url));
+  EXPECT_FALSE(
+      CrossSiteDocumentClassifier::IsSameSite(a_com_origin0, empty_url));
 }

 TEST(CrossSiteDocumentClassifierTest, IsValidCorsHeaderSet) {
-  GURL frame_origin("http://www.google.com");
-  GURL site_origin("http://www.yahoo.com");
+  url::Origin frame_origin(GURL("http://www.google.com"));
+  GURL site_origin_url("http://www.yahoo.com");

  EXPECT_TRUE(CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-      frame_origin, site_origin, "*"));
+      frame_origin, site_origin_url, "*"));
  EXPECT_FALSE(CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-      frame_origin, site_origin, "\"*\""));
+      frame_origin, site_origin_url, "\"*\""));
  EXPECT_TRUE(CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-      frame_origin, site_origin, "http://mail.google.com"));
+      frame_origin, site_origin_url, "http://mail.google.com"));
  EXPECT_FALSE(CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-      frame_origin, site_origin, "https://mail.google.com"));
+      frame_origin, site_origin_url, "https://mail.google.com"));
  EXPECT_FALSE(CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-      frame_origin, site_origin, "http://yahoo.com"));
+      frame_origin, site_origin_url, "http://yahoo.com"));
  EXPECT_FALSE(CrossSiteDocumentClassifier::IsValidCorsHeaderSet(
-      frame_origin, site_origin, "www.google.com"));
+      frame_origin, site_origin_url, "www.google.com"));
 }

 TEST(CrossSiteDocumentClassifierTest, SniffForHTML) {

--- a/net/base/registry_controlled_domains/registry_controlled_domain.cc
+++ b/net/base/registry_controlled_domains/registry_controlled_domain.cc
@@ -365,6 +365,12 @@ bool SameDomainOrHost(const url::Origin& origin1,
         SameDomainOrHost(origin1, origin2.value(), filter);
 }

+bool SameDomainOrHost(const GURL& gurl,
+                      const url::Origin& origin,
+                      PrivateRegistryFilter filter) {
+  return SameDomainOrHost(gurl.host_piece(), origin.host(), filter);
+}
+
 size_t GetRegistryLength(
    const GURL& gurl,
    UnknownRegistryFilter unknown_filter,

--- a/net/base/registry_controlled_domains/registry_controlled_domain.h
+++ b/net/base/registry_controlled_domains/registry_controlled_domain.h
@@ -204,6 +204,9 @@ NET_EXPORT bool SameDomainOrHost(const url::Origin& origin1,
 NET_EXPORT bool SameDomainOrHost(const url::Origin& origin1,
                                 const base::Optional<url::Origin>& origin2,
                                 PrivateRegistryFilter filter);
+NET_EXPORT bool SameDomainOrHost(const GURL& gurl,
+                                 const url::Origin& origin,
+                                 PrivateRegistryFilter filter);

 // Finds the length in bytes of the registrar portion of the host in the
 // given GURL.  Returns std::string::npos if the GURL is invalid or has no