Use origin to check if the request to ImageLoader is from eligible clients.

When ImageLoader get requests to process image files, it checks message sender's id to disallow requests from unknown clients. However, sender's id is currently not trustworthy (issue 982361). We should use sender's origin instead as a short-term fix. Bug: 10321587 Test: Manual test on Files/Gallery to show thumbnails from ImageLoader. Change-Id: Idb61850795828a63b37aa43b66d4875ad7abbfc4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1989728 Commit-Queue: Naoki Fukino <fukino@chromium.org> Reviewed-by: Noel Gordon <noel@chromium.org> Cr-Commit-Position: refs/heads/master@{#733918}

Use origin to check if the request to ImageLoader is from eligible clients.
When ImageLoader get requests to process image files, it checks message sender's id to disallow requests from unknown clients. However, sender's id is currently not trustworthy (issue 982361). We should use sender's origin instead as a short-term fix. Bug: 10321587 Test: Manual test on Files/Gallery to show thumbnails from ImageLoader. Change-Id: Idb61850795828a63b37aa43b66d4875ad7abbfc4 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1989728 Commit-Queue: Naoki Fukino <fukino@chromium.org> Reviewed-by: Noel Gordon <noel@chromium.org> Cr-Commit-Position: refs/heads/master@{#733918}
64bb5633 · Naoki Fukino · Commit Bot · 86119575 · 64bb5633
Commit 64bb5633 authored Jan 22, 2020 by Naoki Fukino Committed by Commit Bot Jan 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 10 deletions

ui/file_manager/image_loader/image_loader.js ui/file_manager/image_loader/image_loader.js +10 -10

No files found.
--- a/ui/file_manager/image_loader/image_loader.js
+++ b/ui/file_manager/image_loader/image_loader.js
@@ -65,10 +65,10 @@ function ImageLoader() {
 * @const
 * @type {Array<string>}
 */
-ImageLoader.ALLOWED_CLIENTS = [
+ImageLoader.ALLOWED_CLIENT_ORIGINS = [
-  'hhaomjibdihmijegdhdafkllkbggdgoj',  // File Manager's extension id.
+  'chrome-extension://hhaomjibdihmijegdhdafkllkbggdgoj',  // File Manager
-  'nlkncpkkdoccmpiclbokaimcnedabhhm',  // Gallery's extension id.
+  'chrome-extension://nlkncpkkdoccmpiclbokaimcnedabhhm',  // Gallery
-  'jcgeabjmjgoblfofpppfkcoakmfobdko',  // Video Player's extension id.
+  'chrome-extension://jcgeabjmjgoblfofpppfkcoakmfobdko',  // Video Player
 ];
 /**
@@ -80,10 +80,10 @@ ImageLoader.ALLOWED_CLIENTS = [
 */
 ImageLoader.prototype.onIncomingRequest_ = function(
    request_data, sender, sendResponse) {
-  if (!sender.id || !request_data) {
+  if (!sender.origin || !request_data) {
    return;
  }
-  if (ImageLoader.ALLOWED_CLIENTS.indexOf(sender.id) === -1) {
+  if (ImageLoader.ALLOWED_CLIENT_ORIGINS.indexOf(sender.origin) === -1) {
    return;
  }
@@ -108,14 +108,14 @@ ImageLoader.prototype.onIncomingRequest_ = function(
  } else {
    request.orientation = new ImageOrientation(1, 0, 0, 1);
  }
-  return this.onMessage_(sender.id, request, failSafeSendResponse);
+  return this.onMessage_(sender.origin, request, failSafeSendResponse);
 };
 /**
 * Handles a request. Depending on type of the request, starts or stops
 * an image task.
 *
- * @param {string} senderId Sender's extension id.
+ * @param {string} senderOrigin Sender's extension origin.
 * @param {!LoadImageRequest} request Pre-processed request.
 * @param {function(!LoadImageResponse)} callback Callback to be called to
 *     return response.
@@ -123,8 +123,8 @@ ImageLoader.prototype.onIncomingRequest_ = function(
 *     callback is called.
 * @private
 */
-ImageLoader.prototype.onMessage_ = function(senderId, request, callback) {
+ImageLoader.prototype.onMessage_ = function(senderOrigin, request, callback) {
-  const requestId = senderId + ':' + request.taskId;
+  const requestId = senderOrigin + ':' + request.taskId;
  if (request.cancel) {
    // Cancel a task.
    this.scheduler_.remove(requestId);