Skip to content

GitLab

T
tangled
Commit 69354ff0 authored by horo's avatar horo Committed by Commit bot
Browse files
Options

[ServiceWorker] Set setSkipServiceWorker flag of the request from plugins with private permission. 

The plugins with private permission such as Flash plugin can bypass same origin checking by calling URLLoaderResource::GrantUniversalAccess().
They have their own origin checking logic (ex:cross-origin.xml).
If ServiceWorker can intercept the HTTP requests from them, they can be misled.

So ServiceWorker must be disabled for such plugins.

These plugins have PERMISSION_PRIVATE permissions.
 - PDF Viewer
 - Google Talk Plugin Video Renderer
 - Google Talk Effects Plugin
 - Google Talk Plugin
 - Chrome Remote Desktop Viewer
 - Pepper Flash
 - Widevine Cdm Plugin

BUG=413094

Review URL: https://codereview.chromium.org/606993002

Cr-Commit-Position: refs/heads/master@{#297396}
parent b0e6f3fc
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 0 deletions
content/renderer/pepper/pepper_url_loader_host.cc
View file @ 69354ff0
...@@ -259,6 +259,10 @@ int32_t PepperURLLoaderHost::InternalOnHostMsgOpen( ...@@ -259,6 +259,10 @@ int32_t PepperURLLoaderHost::InternalOnHostMsgOpen(
web_request.setRequestContext(WebURLRequest::RequestContextPlugin); web_request.setRequestContext(WebURLRequest::RequestContextPlugin);
web_request.setRequestorProcessID(renderer_ppapi_host_->GetPluginPID()); web_request.setRequestorProcessID(renderer_ppapi_host_->GetPluginPID());
// The requests from the plugins with private permission which can bypass same
// origin must skip the ServiceWorker.
web_request.setSkipServiceWorker(
host()->permissions().HasPermission(ppapi::PERMISSION_PRIVATE));
WebURLLoaderOptions options; WebURLLoaderOptions options;
if (has_universal_access_) { if (has_universal_access_) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment