[DevTools] Whitelist remoteBase and loadNetworkResource schemes.

BUG=571121 Review URL: https://codereview.chromium.org/1586903002 Cr-Commit-Position: refs/heads/master@{#369327}

[DevTools] Whitelist remoteBase and loadNetworkResource schemes.
BUG=571121 Review URL: https://codereview.chromium.org/1586903002 Cr-Commit-Position: refs/heads/master@{#369327}
e8ecfb59 · dgozman · Commit bot · d7e370f5 · e8ecfb59 · e8ecfb59
Commit e8ecfb59 authored Jan 13, 2016 by dgozman Committed by Commit bot Jan 14, 2016
Showing with 9 additions and 1 deletion

chrome/browser/devtools/devtools_ui_bindings.cc chrome/browser/devtools/devtools_ui_bindings.cc +4 -1

third_party/WebKit/Source/devtools/front_end/Runtime.js third_party/WebKit/Source/devtools/front_end/Runtime.js +5 -0

No files found.
--- a/chrome/browser/devtools/devtools_ui_bindings.cc
+++ b/chrome/browser/devtools/devtools_ui_bindings.cc
@@ -652,7 +652,10 @@ void DevToolsUIBindings::LoadNetworkResource(const DispatchCallback& callback,
                                             const std::string& headers,
                                             int stream_id) {
  GURL gurl(url);
-  if (!gurl.is_valid()) {
+  bool schemeIsAllowed = gurl.is_valid() &&
+      (gurl.SchemeIs(url::kHttpScheme) || gurl.SchemeIs(url::kHttpsScheme) ||
+       gurl.SchemeIs(url::kDataScheme) || gurl.SchemeIs(url::kFtpScheme));
+  if (!gurl.is_valid() || !schemeIsAllowed) {
    base::DictionaryValue response;
    response.SetInteger("statusCode", 404);
    callback.Run(&response);

--- a/third_party/WebKit/Source/devtools/front_end/Runtime.js
+++ b/third_party/WebKit/Source/devtools/front_end/Runtime.js
@@ -1093,6 +1093,11 @@ Runtime.experiments = new Runtime.ExperimentsSupport();
 * @type {?string}
 */
 Runtime._remoteBase = Runtime.queryParam("remoteBase");
+{(function validateRemoteBase()
+{
+    if (Runtime._remoteBase && !Runtime._remoteBase.startsWith("https://chrome-devtools-frontend.appspot.com/"))
+        Runtime._remoteBase = null;
+})();}
 /**
 * @param {string} path