Remove ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader.

This method has no callers (outside of unittests). The last caller (ResourceDispatcherHostImpl::ShouldServiceRequest) has been removed in r682144. The removal is especially desirable, given that CanSetAsOriginHeader is one of few places which used to call CanAccessDataForOrigin from an IO thread (making it difficult to introduce Citadel-style Site Isolation enforcements). Bug: 764958 Change-Id: I9d38e00c29fc7d391cfdbbde17987b9c2e1b66a0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1824145 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#700004}

Remove ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader.
This method has no callers (outside of unittests). The last caller (ResourceDispatcherHostImpl::ShouldServiceRequest) has been removed in r682144. The removal is especially desirable, given that CanSetAsOriginHeader is one of few places which used to call CanAccessDataForOrigin from an IO thread (making it difficult to introduce Citadel-style Site Isolation enforcements). Bug: 764958 Change-Id: I9d38e00c29fc7d391cfdbbde17987b9c2e1b66a0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1824145 Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Alex Moshchuk <alexmos@chromium.org> Cr-Commit-Position: refs/heads/master@{#700004}
abc752d2 · Lukasz Anforowicz · Commit Bot · 89d38d15 · abc752d2 · abc752d2
Commit abc752d2 authored Sep 25, 2019 by Lukasz Anforowicz Committed by Commit Bot Sep 25, 2019
5 changed files
--- a/content/browser/bad_message.h
+++ b/content/browser/bad_message.h
@@ -119,7 +119,7 @@ enum BadMessageReason {
  OBSOLETE_WC_RENDERER_DID_NAVIGATE_BAD_SECURITY_INFO = 92,
  OBSOLETE_BDH_DUPLICATE_REQUEST_DEVICE_ID = 93,
  CSDH_INVALID_ORIGIN = 94,
-  RDH_ILLEGAL_ORIGIN = 95,
+  OBSOLETE_RDH_ILLEGAL_ORIGIN = 95,
  OBSOLETE_RDH_UNAUTHORIZED_HEADER_REQUEST = 96,
  RDH_INVALID_URL = 97,
  OBSOLETE_BDH_CHARACTERISTIC_ALREADY_SUBSCRIBED = 98,

--- a/content/browser/child_process_security_policy_impl.cc
+++ b/content/browser/child_process_security_policy_impl.cc
@@ -947,8 +947,7 @@ bool ChildProcessSecurityPolicyImpl::CanRedirectToURL(const GURL& url) {
 }
 bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
-                                                  const GURL& url,
+                                                  const GURL& url) {
-                                                  bool check_origin_locks) {
  if (!url.is_valid())
    return false;  // Can't commit invalid URLs.
@@ -966,17 +965,13 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
      return false;
    url::Origin origin = url::Origin::Create(url);
-    return origin.opaque() ||
+    return origin.opaque() || CanCommitURL(child_id, GURL(origin.Serialize()));
-           CanCommitURL(child_id, GURL(origin.Serialize()), check_origin_locks);
  }
  // With site isolation, a URL from a site may only be committed in a process
  // dedicated to that site.  This check will ensure that |url| can't commit if
-  // the process is locked to a different site.  Note that this check is only
+  // the process is locked to a different site.
-  // effective for processes that are locked to a site, but even with strict
+  if (!CanAccessDataForOrigin(child_id, url))
-  // site isolation, currently not all processes are locked (e.g., extensions
-  // or <webview> tags - see ShouldLockToOrigin()).
-  if (check_origin_locks && !CanAccessDataForOrigin(child_id, url))
    return false;
  {
@@ -1001,43 +996,6 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
  }
 }
-bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id,
-                                                  const GURL& url) {
-  return CanCommitURL(child_id, url, true /* check_origin_lock */);
-}
-bool ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader(int child_id,
-                                                          const GURL& url) {
-  if (!url.is_valid())
-    return false;  // Can't set invalid URLs as origin headers.
-  // about:srcdoc cannot be used as an origin
-  if (url.IsAboutSrcdoc())
-    return false;
-  // If this process can commit |url|, it can use |url| as an origin for
-  // outbound requests.
-  //
-  // TODO(alexmos): This should eventually also check the origin lock, but
-  // currently this is not done due to certain corner cases involving HTML
-  // imports and web tests that simulate requests from isolated worlds.  See
-  // https://crbug.com/515309.
-  if (CanCommitURL(child_id, url, false /* check_origin_lock */))
-    return true;
-  // Allow schemes which may come from scripts executing in isolated worlds;
-  // XHRs issued by such scripts reflect the script origin rather than the
-  // document origin.
-  {
-    base::AutoLock lock(lock_);
-    if (base::Contains(schemes_okay_to_appear_as_origin_headers_,
-                       url.scheme())) {
-      return true;
-    }
-  }
-  return false;
-}
 bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id,
                                                 const base::FilePath& file) {
  return HasPermissionsForFile(child_id, file, READ_FILE_GRANT);

--- a/content/browser/child_process_security_policy_impl.h
+++ b/content/browser/child_process_security_policy_impl.h
@@ -219,24 +219,6 @@ class CONTENT_EXPORT ChildProcessSecurityPolicyImpl
  // Revoke read raw cookies permission.
  void RevokeReadRawCookies(int child_id);
-  // A version of the public ChildProcessSecurityPolicy::CanCommitURL() which
-  // takes an additional bool |check_origin_lock|, specifying whether to
-  // reject |url| if it does not match the origin lock on process |child_id|.
-  // Passing true for |check_origin_lock| provides stronger enforcement with
-  // strict site isolation; it is only set to false by features (e.g., Origin
-  // header validation) that aren't yet ready for this enforcement. This
-  // function should *not* be used by new features; use the public
-  // ChildProcessSecurityPolicy::CanCommitURL() instead, which internally calls
-  // this with |check_origin_lock| being true.
-  //
-  // TODO(alexmos): Remove |check_origin_lock| and check origin locks
-  // unconditionally once https://crbug.com/515309 is fixed.
-  bool CanCommitURL(int child_id, const GURL& url, bool check_origin_lock);
-  // Whether the given origin is valid for an origin header. Valid origin
-  // headers are commitable URLs.
-  bool CanSetAsOriginHeader(int child_id, const GURL& url);
  // Explicit permissions checks for FileSystemURL specified files.
  bool CanReadFileSystemFile(int child_id,
                             const storage::FileSystemURL& filesystem_url);

--- a/content/browser/child_process_security_policy_unittest.cc
+++ b/content/browser/child_process_security_policy_unittest.cc
--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -4923,7 +4923,7 @@ Unknown properties are collapsed to zero. -->
  <int value="92" label="OBSOLETE_WC_RENDERER_DID_NAVIGATE_BAD_SECURITY_INFO"/>
  <int value="93" label="OBSOLETE_BDH_DUPLICATE_REQUEST_DEVICE_ID"/>
  <int value="94" label="CSDH_INVALID_ORIGIN"/>
-  <int value="95" label="RDH_ILLEGAL_ORIGIN"/>
+  <int value="95" label="OBSOLETE_RDH_ILLEGAL_ORIGIN"/>
  <int value="96" label="OBSOLETE_RDH_UNAUTHORIZED_HEADER_REQUEST"/>
  <int value="97" label="RDH_INVALID_URL"/>
  <int value="98" label="OBSOLETE_BDH_CHARACTERISTIC_ALREADY_SUBSCRIBED"/>