Fix Access-Control-Allow-Origin for chrome-untrusted://resources

This CL fixes a bug in chrome-untrusted://resources where the Access-Control-Allow-Origin policy would only allow for chrome:// origins. This changes it so that chrome-untrusted://resources only allows for chrome-untrusted:// origins and chrome://resources only allows for chrome:// origins. Bug: 1086327 Change-Id: Icbf05aa66e587ed3cb5d5f26ef2b46c0628641c1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2216282 Commit-Queue: Tommy Steimel <steimel@chromium.org> Reviewed-by: dpapad <dpapad@chromium.org> Cr-Commit-Position: refs/heads/master@{#772326}

Fix Access-Control-Allow-Origin for chrome-untrusted://resources
This CL fixes a bug in chrome-untrusted://resources where the Access-Control-Allow-Origin policy would only allow for chrome:// origins. This changes it so that chrome-untrusted://resources only allows for chrome-untrusted:// origins and chrome://resources only allows for chrome:// origins. Bug: 1086327 Change-Id: Icbf05aa66e587ed3cb5d5f26ef2b46c0628641c1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2216282 Commit-Queue: Tommy Steimel <steimel@chromium.org> Reviewed-by: dpapad <dpapad@chromium.org> Cr-Commit-Position: refs/heads/master@{#772326}
6ca3b1b2 · Tommy Steimel · Commit Bot · 9e5def3b · 6ca3b1b2 · 6ca3b1b2
Commit 6ca3b1b2 authored May 27, 2020 by Tommy Steimel Committed by Commit Bot May 27, 2020
2 changed files
--- a/content/browser/webui/shared_resources_data_source.cc
+++ b/content/browser/webui/shared_resources_data_source.cc
@@ -12,6 +12,7 @@
 #include "base/files/file_path.h"
 #include "base/memory/ref_counted_memory.h"
 #include "base/notreached.h"
+#include "base/strings/strcat.h"
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/task/post_task.h"
@@ -295,25 +296,35 @@ int GetIdrForPath(const std::string& path) {
 std::unique_ptr<SharedResourcesDataSource>
 SharedResourcesDataSource::CreateForChromeScheme() {
  return std::make_unique<SharedResourcesDataSource>(PassKey(),
-                                                     kChromeUIResourcesHost);
+                                                     kChromeUIScheme);
 }

 // static
 std::unique_ptr<SharedResourcesDataSource>
 SharedResourcesDataSource::CreateForChromeUntrustedScheme() {
-  return std::make_unique<SharedResourcesDataSource>(
-      PassKey(), kChromeUIUntrustedResourcesURL);
+  return std::make_unique<SharedResourcesDataSource>(PassKey(),
+                                                     kChromeUIUntrustedScheme);
 }

-SharedResourcesDataSource::SharedResourcesDataSource(
-    PassKey,
-    const std::string& source_name)
-    : source_name_(source_name) {}
+SharedResourcesDataSource::SharedResourcesDataSource(PassKey,
+                                                     const std::string& scheme)
+    : scheme_(scheme) {}

 SharedResourcesDataSource::~SharedResourcesDataSource() = default;

 std::string SharedResourcesDataSource::GetSource() {
-  return source_name_;
+  // URLDataManagerBackend assumes that chrome:// data sources return just the
+  // hostname for GetSource().
+  if (scheme_ == kChromeUIScheme)
+    return kChromeUIResourcesHost;
+
+  // We only expect chrome-untrusted:// scheme at this point.
+  DCHECK_EQ(kChromeUIUntrustedScheme, scheme_);
+
+  // Other schemes (i.e. chrome-untrusted://) return the scheme and host
+  // together.
+  return base::StrCat(
+      {scheme_, url::kStandardSchemeSeparator, kChromeUIResourcesHost});
 }

 void SharedResourcesDataSource::StartDataRequest(
@@ -401,12 +412,12 @@ bool SharedResourcesDataSource::ShouldServeMimeTypeAsContentTypeHeader() {

 std::string SharedResourcesDataSource::GetAccessControlAllowOriginForOrigin(
    const std::string& origin) {
-  // For now we give access only for "chrome://*" origins.
+  // For now we give access only for origins with the allowed scheme.
  // According to CORS spec, Access-Control-Allow-Origin header doesn't support
  // wildcards, so we need to set its value explicitly by passing the |origin|
  // back.
-  std::string allowed_origin_prefix = kChromeUIScheme;
-  allowed_origin_prefix += "://";
+  const std::string allowed_origin_prefix =
+      base::StrCat({scheme_, url::kStandardSchemeSeparator});
  if (!base::StartsWith(origin, allowed_origin_prefix,
                        base::CompareCase::SENSITIVE)) {
    return "null";

--- a/content/browser/webui/shared_resources_data_source.h
+++ b/content/browser/webui/shared_resources_data_source.h
@@ -31,7 +31,7 @@ class SharedResourcesDataSource : public URLDataSource {
  static std::unique_ptr<SharedResourcesDataSource>
  CreateForChromeUntrustedScheme();

-  explicit SharedResourcesDataSource(PassKey, const std::string& source_name);
+  SharedResourcesDataSource(PassKey, const std::string& scheme);
  SharedResourcesDataSource(const SharedResourcesDataSource&) = delete;
  SharedResourcesDataSource& operator=(const SharedResourcesDataSource&) =
      delete;
@@ -59,7 +59,9 @@ class SharedResourcesDataSource : public URLDataSource {
  bool IsPolymer2DisabledForPage(const WebContents::Getter& wc_getter);
 #endif  // defined (OS_CHROMEOS)

-  const std::string source_name_;
+  // The URL scheme this data source is accessed from, e.g. "chrome" or
+  // "chrome-untrusted".
+  const std::string scheme_;
 };

 }  // namespace content