Don't share PDF plugins across origin boundaries.

Controlled by --enable-features=PdfIsolation, default is off. Stricter than required (full origin, not eTLD+1). Add pdf_extension_test for multiple domains. A subsequent patch may attempt to apply this to secure origins only. Bug: 809614 Change-Id: Ic38c2c5074c7723210e38a754b930fb152c031b7 Reviewed-on: https://chromium-review.googlesource.com/953979Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#542162}

Don't share PDF plugins across origin boundaries.
Controlled by --enable-features=PdfIsolation, default is off. Stricter than required (full origin, not eTLD+1). Add pdf_extension_test for multiple domains. A subsequent patch may attempt to apply this to secure origins only. Bug: 809614 Change-Id: Ic38c2c5074c7723210e38a754b930fb152c031b7 Reviewed-on: https://chromium-review.googlesource.com/953979Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Tom Sepez <tsepez@chromium.org> Cr-Commit-Position: refs/heads/master@{#542162}
ceae97b0 · Tom Sepez · Commit Bot · 1c5ec762 · ceae97b0 · ceae97b0
Commit ceae97b0 authored Mar 09, 2018 by Tom Sepez Committed by Commit Bot Mar 09, 2018
8 changed files
--- a/chrome/browser/pdf/pdf_extension_test.cc
+++ b/chrome/browser/pdf/pdf_extension_test.cc
@@ -55,6 +55,7 @@
 #include "content/public/browser/render_widget_host.h"
 #include "content/public/browser/render_widget_host_view.h"
 #include "content/public/browser/web_contents.h"
+#include "content/public/common/content_features.h"
 #include "content/public/common/context_menu_params.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/test_navigation_observer.h"
@@ -887,6 +888,42 @@ IN_PROC_BROWSER_TEST_F(PDFExtensionTest, OpenFromFTP) {
  EXPECT_EQ(base::ASCIIToUTF16("test.pdf"), GetActiveWebContents()->GetTitle());
 }
+IN_PROC_BROWSER_TEST_F(PDFExtensionTest, MultipleDomains) {
+  for (const auto& url :
+       {embedded_test_server()->GetURL("a.com", "/pdf/test.pdf"),
+        embedded_test_server()->GetURL("b.com", "/pdf/test.pdf"),
+        embedded_test_server()->GetURL("c.com", "/pdf/test.pdf"),
+        embedded_test_server()->GetURL("d.com", "/pdf/test.pdf")}) {
+    ASSERT_TRUE(LoadPdf(url));
+  }
+  EXPECT_EQ(1, CountPDFProcesses());
+}
+class PDFIsolatedExtensionTest : public PDFExtensionTest {
+ public:
+  PDFIsolatedExtensionTest() {}
+  ~PDFIsolatedExtensionTest() override {}
+  void SetUp() override {
+    features_.InitAndEnableFeature(features::kPdfIsolation);
+    PDFExtensionTest::SetUp();
+  }
+ private:
+  base::test::ScopedFeatureList features_;
+};
+IN_PROC_BROWSER_TEST_F(PDFIsolatedExtensionTest, MultipleDomains) {
+  for (const auto& url :
+       {embedded_test_server()->GetURL("a.com", "/pdf/test.pdf"),
+        embedded_test_server()->GetURL("b.com", "/pdf/test.pdf"),
+        embedded_test_server()->GetURL("c.com", "/pdf/test.pdf"),
+        embedded_test_server()->GetURL("d.com", "/pdf/test.pdf")}) {
+    ASSERT_TRUE(LoadPdf(url));
+  }
+  EXPECT_EQ(4, CountPDFProcesses());
+}
 class PDFExtensionLinkClickTest : public PDFExtensionTest {
 public:
  PDFExtensionLinkClickTest() : guest_contents_(nullptr) {}

--- a/chrome/renderer/chrome_content_renderer_client.cc
+++ b/chrome/renderer/chrome_content_renderer_client.cc
@@ -1372,6 +1372,12 @@ bool ChromeContentRendererClient::IsExternalPepperPlugin(
  return module_name == "Native Client";
 }
+bool ChromeContentRendererClient::IsOriginIsolatedPepperPlugin(
+    const base::FilePath& plugin_path) {
+  return plugin_path ==
+         base::FilePath::FromUTF8Unsafe(ChromeContentClient::kPDFPluginPath);
+}
 #if BUILDFLAG(ENABLE_PLUGINS) && BUILDFLAG(ENABLE_EXTENSIONS)
 bool ChromeContentRendererClient::IsExtensionOrSharedModuleWhitelisted(
    const GURL& url,

--- a/chrome/renderer/chrome_content_renderer_client.h
+++ b/chrome/renderer/chrome_content_renderer_client.h
@@ -169,6 +169,7 @@ class ChromeContentRendererClient
      const content::RenderFrame* render_frame,
      blink::mojom::PageVisibilityState* override_state) override;
  bool IsExternalPepperPlugin(const std::string& module_name) override;
+  bool IsOriginIsolatedPepperPlugin(const base::FilePath& plugin_path) override;
  std::unique_ptr<blink::WebSocketHandshakeThrottle>
  CreateWebSocketHandshakeThrottle() override;
  std::unique_ptr<blink::WebSpeechSynthesizer> OverrideSpeechSynthesizer(

--- a/content/public/common/content_features.cc
+++ b/content/public/common/content_features.cc
@@ -257,6 +257,10 @@ const base::Feature kPassiveDocumentEventListeners{
 const base::Feature kPassiveEventListenersDueToFling{
    "PassiveEventListenersDueToFling", base::FEATURE_ENABLED_BY_DEFAULT};
+// Whether PDF files should be rendered in diffent processes based on origin.
+const base::Feature kPdfIsolation = {"PdfIsolation",
+                                     base::FEATURE_DISABLED_BY_DEFAULT};
 // If Pepper 3D Image Chromium is allowed, this feature controls whether it is
 // enabled.
 const base::Feature kPepper3DImageChromium {

--- a/content/public/common/content_features.h
+++ b/content/public/common/content_features.h
@@ -67,6 +67,7 @@ CONTENT_EXPORT extern const base::Feature kOriginTrials;
 CONTENT_EXPORT extern const base::Feature kParallelDownloading;
 CONTENT_EXPORT extern const base::Feature kPassiveDocumentEventListeners;
 CONTENT_EXPORT extern const base::Feature kPassiveEventListenersDueToFling;
+CONTENT_EXPORT extern const base::Feature kPdfIsolation;
 CONTENT_EXPORT extern const base::Feature kPepper3DImageChromium;
 CONTENT_EXPORT extern const base::Feature kPurgeAndSuspend;
 CONTENT_EXPORT extern const base::Feature kPWAFullCodeCache;

--- a/content/public/renderer/content_renderer_client.cc
+++ b/content/public/renderer/content_renderer_client.cc
@@ -173,6 +173,11 @@ bool ContentRendererClient::IsExternalPepperPlugin(
  return false;
 }
+bool ContentRendererClient::IsOriginIsolatedPepperPlugin(
+    const base::FilePath& plugin_path) {
+  return false;
+}
 bool ContentRendererClient::AllowPepperMediaStreamAPI(const GURL& url) {
  return false;
 }

--- a/content/public/renderer/content_renderer_client.h
+++ b/content/public/renderer/content_renderer_client.h
@@ -13,6 +13,7 @@
 #include <vector>
 #include "base/callback_forward.h"
+#include "base/files/file_path.h"
 #include "base/memory/ref_counted.h"
 #include "base/strings/string16.h"
 #include "base/task_scheduler/task_scheduler.h"
@@ -261,6 +262,12 @@ class CONTENT_EXPORT ContentRendererClient {
  // startup steps).
  virtual bool IsExternalPepperPlugin(const std::string& module_name);
+  // Returns true if the given Pepper plugin should process content from
+  // different origins in different PPAPI processes. This is generally a
+  // worthwhile precaution when the plugin provides an active scripting
+  // language.
+  virtual bool IsOriginIsolatedPepperPlugin(const base::FilePath& plugin_path);
  // Returns true if the page at |url| can use Pepper MediaStream APIs.
  virtual bool AllowPepperMediaStreamAPI(const GURL& url);

--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -2855,8 +2855,11 @@ blink::WebPlugin* RenderFrameImpl::CreatePlugin(
        this, delegate->GetWeakPtr());
  }
-  // TODO(tsepez): extract origin to lock from WebPluginParams url.
  base::Optional<url::Origin> origin_lock;
+  if (base::FeatureList::IsEnabled(features::kPdfIsolation) &&
+      GetContentClient()->renderer()->IsOriginIsolatedPepperPlugin(info.path)) {
+    origin_lock = url::Origin::Create(GURL(params.url));
+  }
  bool pepper_plugin_was_registered = false;
  scoped_refptr<PluginModule> pepper_module(PluginModule::Create(