Home | History | Annotate | Download | only in loader 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "content/browser/loader/cross_site_resource_handler.h"
      6 
      7 #include <string>
      8 
      9 #include "base/bind.h"
     10 #include "base/command_line.h"
     11 #include "base/logging.h"
     12 #include "content/browser/appcache/appcache_interceptor.h"
     13 #include "content/browser/child_process_security_policy_impl.h"
     14 #include "content/browser/cross_site_request_manager.h"
     15 #include "content/browser/frame_host/cross_site_transferring_request.h"
     16 #include "content/browser/frame_host/render_frame_host_impl.h"
     17 #include "content/browser/loader/resource_dispatcher_host_impl.h"
     18 #include "content/browser/loader/resource_request_info_impl.h"
     19 #include "content/public/browser/browser_thread.h"
     20 #include "content/public/browser/content_browser_client.h"
     21 #include "content/public/browser/global_request_id.h"
     22 #include "content/public/browser/resource_controller.h"
     23 #include "content/public/browser/site_instance.h"
     24 #include "content/public/common/content_switches.h"
     25 #include "content/public/common/resource_response.h"
     26 #include "content/public/common/url_constants.h"
     27 #include "net/http/http_response_headers.h"
     28 #include "net/url_request/url_request.h"
     29 
     30 namespace content {
     31 
     32 namespace {
     33 
     34 bool leak_requests_for_testing_ = false;
     35 
     36 // The parameters to OnCrossSiteResponseHelper exceed the number of arguments
     37 // base::Bind supports.
     38 struct CrossSiteResponseParams {
     39   CrossSiteResponseParams(
     40       int render_frame_id,
     41       const GlobalRequestID& global_request_id,
     42       bool is_transfer,
     43       const std::vector<GURL>& transfer_url_chain,
     44       const Referrer& referrer,
     45       PageTransition page_transition,
     46       bool should_replace_current_entry)
     47       : render_frame_id(render_frame_id),
     48         global_request_id(global_request_id),
     49         is_transfer(is_transfer),
     50         transfer_url_chain(transfer_url_chain),
     51         referrer(referrer),
     52         page_transition(page_transition),
     53         should_replace_current_entry(should_replace_current_entry) {
     54   }
     55 
     56   int render_frame_id;
     57   GlobalRequestID global_request_id;
     58   bool is_transfer;
     59   std::vector<GURL> transfer_url_chain;
     60   Referrer referrer;
     61   PageTransition page_transition;
     62   bool should_replace_current_entry;
     63 };
     64 
     65 void OnCrossSiteResponseHelper(const CrossSiteResponseParams& params) {
     66   scoped_ptr<CrossSiteTransferringRequest> cross_site_transferring_request;
     67   if (params.is_transfer) {
     68     cross_site_transferring_request.reset(new CrossSiteTransferringRequest(
     69         params.global_request_id));
     70   }
     71 
     72   RenderFrameHostImpl* rfh =
     73       RenderFrameHostImpl::FromID(params.global_request_id.child_id,
     74                                   params.render_frame_id);
     75   if (rfh) {
     76     rfh->OnCrossSiteResponse(
     77         params.global_request_id, cross_site_transferring_request.Pass(),
     78         params.transfer_url_chain, params.referrer,
     79         params.page_transition, params.should_replace_current_entry);
     80   } else if (leak_requests_for_testing_ && cross_site_transferring_request) {
     81     // Some unit tests expect requests to be leaked in this case, so they can
     82     // pass them along manually.
     83     cross_site_transferring_request->ReleaseRequest();
     84   }
     85 }
     86 
     87 bool CheckNavigationPolicyOnUI(GURL url, int process_id, int render_frame_id) {
     88   RenderFrameHostImpl* rfh =
     89       RenderFrameHostImpl::FromID(process_id, render_frame_id);
     90   if (!rfh)
     91     return false;
     92 
     93   // TODO(nasko): This check is very simplistic and is used temporarily only
     94   // for --site-per-process. It should be updated to match the check performed
     95   // by RenderFrameHostManager::UpdateStateForNavigate.
     96   return !SiteInstance::IsSameWebSite(
     97       rfh->GetSiteInstance()->GetBrowserContext(),
     98       rfh->GetSiteInstance()->GetSiteURL(), url);
     99 }
    100 
    101 }  // namespace
    102 
    103 CrossSiteResourceHandler::CrossSiteResourceHandler(
    104     scoped_ptr<ResourceHandler> next_handler,
    105     net::URLRequest* request)
    106     : LayeredResourceHandler(request, next_handler.Pass()),
    107       has_started_response_(false),
    108       in_cross_site_transition_(false),
    109       completed_during_transition_(false),
    110       did_defer_(false),
    111       weak_ptr_factory_(this) {
    112 }
    113 
    114 CrossSiteResourceHandler::~CrossSiteResourceHandler() {
    115   // Cleanup back-pointer stored on the request info.
    116   GetRequestInfo()->set_cross_site_handler(NULL);
    117 }
    118 
    119 bool CrossSiteResourceHandler::OnRequestRedirected(
    120     const GURL& new_url,
    121     ResourceResponse* response,
    122     bool* defer) {
    123   // Top-level requests change their cookie first-party URL on redirects, while
    124   // subframes retain the parent's value.
    125   if (GetRequestInfo()->GetResourceType() == ResourceType::MAIN_FRAME)
    126     request()->set_first_party_for_cookies(new_url);
    127 
    128   // We should not have started the transition before being redirected.
    129   DCHECK(!in_cross_site_transition_);
    130   return next_handler_->OnRequestRedirected(new_url, response, defer);
    131 }
    132 
    133 bool CrossSiteResourceHandler::OnResponseStarted(
    134     ResourceResponse* response,
    135     bool* defer) {
    136   // At this point, we know that the response is safe to send back to the
    137   // renderer: it is not a download, and it has passed the SSL and safe
    138   // browsing checks.
    139   // We should not have already started the transition before now.
    140   DCHECK(!in_cross_site_transition_);
    141   has_started_response_ = true;
    142 
    143   ResourceRequestInfoImpl* info = GetRequestInfo();
    144 
    145   // We will need to swap processes if either (1) a redirect that requires a
    146   // transfer occurred before we got here, or (2) a pending cross-site request
    147   // was already in progress.  Note that a swap may no longer be needed if we
    148   // transferred back into the original process due to a redirect.
    149   bool should_transfer =
    150       GetContentClient()->browser()->ShouldSwapProcessesForRedirect(
    151           info->GetContext(), request()->original_url(), request()->url());
    152 
    153   // When the --site-per-process flag is passed, we transfer processes for
    154   // cross-site navigations. This is skipped if a transfer is already required
    155   // or for WebUI processes for now, since pages like the NTP host multiple
    156   // cross-site WebUI iframes.
    157   if (!should_transfer &&
    158       CommandLine::ForCurrentProcess()->HasSwitch(switches::kSitePerProcess) &&
    159       !ChildProcessSecurityPolicyImpl::GetInstance()->HasWebUIBindings(
    160           info->GetChildID())) {
    161     return DeferForNavigationPolicyCheck(info, response, defer);
    162   }
    163 
    164   bool swap_needed = should_transfer ||
    165       CrossSiteRequestManager::GetInstance()->
    166           HasPendingCrossSiteRequest(info->GetChildID(), info->GetRouteID());
    167 
    168   // If this is a download, just pass the response through without doing a
    169   // cross-site check.  The renderer will see it is a download and abort the
    170   // request.
    171   //
    172   // Similarly, HTTP 204 (No Content) responses leave us showing the previous
    173   // page.  We should allow the navigation to finish without running the unload
    174   // handler or swapping in the pending RenderFrameHost.
    175   //
    176   // In both cases, any pending RenderFrameHost (if one was created for this
    177   // navigation) will stick around until the next cross-site navigation, since
    178   // we are unable to tell when to destroy it.
    179   // See RenderFrameHostManager::RendererAbortedProvisionalLoad.
    180   //
    181   // TODO(davidben): Unify IsDownload() and is_stream(). Several places need to
    182   // check for both and remembering about streams is error-prone.
    183   if (!swap_needed || info->IsDownload() || info->is_stream() ||
    184       (response->head.headers.get() &&
    185        response->head.headers->response_code() == 204)) {
    186     return next_handler_->OnResponseStarted(response, defer);
    187   }
    188 
    189   // Now that we know a swap is needed and we have something to commit, we
    190   // pause to let the UI thread run the unload handler of the previous page
    191   // and set up a transfer if needed.
    192   StartCrossSiteTransition(response, should_transfer);
    193 
    194   // Defer loading until after the onunload event handler has run.
    195   *defer = true;
    196   OnDidDefer();
    197   return true;
    198 }
    199 
    200 void CrossSiteResourceHandler::ResumeOrTransfer(bool is_transfer) {
    201   if (is_transfer) {
    202     StartCrossSiteTransition(response_, is_transfer);
    203   } else {
    204     ResumeResponse();
    205   }
    206 }
    207 
    208 bool CrossSiteResourceHandler::OnReadCompleted(int bytes_read, bool* defer) {
    209   CHECK(!in_cross_site_transition_);
    210   return next_handler_->OnReadCompleted(bytes_read, defer);
    211 }
    212 
    213 void CrossSiteResourceHandler::OnResponseCompleted(
    214     const net::URLRequestStatus& status,
    215     const std::string& security_info,
    216     bool* defer) {
    217   if (!in_cross_site_transition_) {
    218     ResourceRequestInfoImpl* info = GetRequestInfo();
    219     // If we've already completed the transition, or we're canceling the
    220     // request, or an error occurred with no cross-process navigation in
    221     // progress, then we should just pass this through.
    222     if (has_started_response_ ||
    223         status.status() != net::URLRequestStatus::FAILED ||
    224         !CrossSiteRequestManager::GetInstance()->HasPendingCrossSiteRequest(
    225             info->GetChildID(), info->GetRouteID())) {
    226       next_handler_->OnResponseCompleted(status, security_info, defer);
    227       return;
    228     }
    229 
    230     // An error occurred. We should wait now for the cross-process transition,
    231     // so that the error message (e.g., 404) can be displayed to the user.
    232     // Also continue with the logic below to remember that we completed
    233     // during the cross-site transition.
    234     StartCrossSiteTransition(NULL, false);
    235   }
    236 
    237   // We have to buffer the call until after the transition completes.
    238   completed_during_transition_ = true;
    239   completed_status_ = status;
    240   completed_security_info_ = security_info;
    241 
    242   // Defer to tell RDH not to notify the world or clean up the pending request.
    243   // We will do so in ResumeResponse.
    244   *defer = true;
    245   OnDidDefer();
    246 }
    247 
    248 // We can now send the response to the new renderer, which will cause
    249 // WebContentsImpl to swap in the new renderer and destroy the old one.
    250 void CrossSiteResourceHandler::ResumeResponse() {
    251   DCHECK(request());
    252   in_cross_site_transition_ = false;
    253   ResourceRequestInfoImpl* info = GetRequestInfo();
    254 
    255   if (has_started_response_) {
    256     // Send OnResponseStarted to the new renderer.
    257     DCHECK(response_);
    258     bool defer = false;
    259     if (!next_handler_->OnResponseStarted(response_.get(), &defer)) {
    260       controller()->Cancel();
    261     } else if (!defer) {
    262       // Unpause the request to resume reading.  Any further reads will be
    263       // directed toward the new renderer.
    264       ResumeIfDeferred();
    265     }
    266   }
    267 
    268   // Remove ourselves from the ExtraRequestInfo.
    269   info->set_cross_site_handler(NULL);
    270 
    271   // If the response completed during the transition, notify the next
    272   // event handler.
    273   if (completed_during_transition_) {
    274     bool defer = false;
    275     next_handler_->OnResponseCompleted(completed_status_,
    276                                        completed_security_info_,
    277                                        &defer);
    278     if (!defer)
    279       ResumeIfDeferred();
    280   }
    281 }
    282 
    283 // static
    284 void CrossSiteResourceHandler::SetLeakRequestsForTesting(
    285     bool leak_requests_for_testing) {
    286   leak_requests_for_testing_ = leak_requests_for_testing;
    287 }
    288 
    289 // Prepare to render the cross-site response in a new RenderFrameHost, by
    290 // telling the old RenderFrameHost to run its onunload handler.
    291 void CrossSiteResourceHandler::StartCrossSiteTransition(
    292     ResourceResponse* response,
    293     bool should_transfer) {
    294   in_cross_site_transition_ = true;
    295   response_ = response;
    296 
    297   // Store this handler on the ExtraRequestInfo, so that RDH can call our
    298   // ResumeResponse method when we are ready to resume.
    299   ResourceRequestInfoImpl* info = GetRequestInfo();
    300   info->set_cross_site_handler(this);
    301 
    302   GlobalRequestID global_id(info->GetChildID(), info->GetRequestID());
    303 
    304   // Tell the contents responsible for this request that a cross-site response
    305   // is starting, so that it can tell its old renderer to run its onunload
    306   // handler now.  We will wait until the unload is finished and (if a transfer
    307   // is needed) for the new renderer's request to arrive.
    308   // The |transfer_url_chain| contains any redirect URLs that have already
    309   // occurred, plus the destination URL at the end.
    310   std::vector<GURL> transfer_url_chain;
    311   Referrer referrer;
    312   int render_frame_id = info->GetRenderFrameID();
    313   if (should_transfer) {
    314     transfer_url_chain = request()->url_chain();
    315     referrer = Referrer(GURL(request()->referrer()), info->GetReferrerPolicy());
    316 
    317     AppCacheInterceptor::PrepareForCrossSiteTransfer(
    318         request(), global_id.child_id);
    319     ResourceDispatcherHostImpl::Get()->MarkAsTransferredNavigation(global_id);
    320   }
    321   BrowserThread::PostTask(
    322       BrowserThread::UI,
    323       FROM_HERE,
    324       base::Bind(
    325           &OnCrossSiteResponseHelper,
    326           CrossSiteResponseParams(render_frame_id,
    327                                   global_id,
    328                                   should_transfer,
    329                                   transfer_url_chain,
    330                                   referrer,
    331                                   info->GetPageTransition(),
    332                                   info->should_replace_current_entry())));
    333 }
    334 
    335 bool CrossSiteResourceHandler::DeferForNavigationPolicyCheck(
    336     ResourceRequestInfoImpl* info,
    337     ResourceResponse* response,
    338     bool* defer) {
    339   // Store the response_ object internally, since the navigation is deferred
    340   // regardless of whether it will be a transfer or not.
    341   response_ = response;
    342 
    343   // Always defer the navigation to the UI thread to make a policy decision.
    344   // It will send the result back to the IO thread to either resume or
    345   // transfer it to a new renderer.
    346   // TODO(nasko): If the UI thread result is that transfer is required, the
    347   // IO thread will defer to the UI thread again through
    348   // StartCrossSiteTransition. This is unnecessary and the policy check on the
    349   // UI thread should be refactored to avoid the extra hop.
    350   BrowserThread::PostTaskAndReplyWithResult(
    351       BrowserThread::UI,
    352       FROM_HERE,
    353       base::Bind(&CheckNavigationPolicyOnUI,
    354                  request()->url(),
    355                  info->GetChildID(),
    356                  info->GetRenderFrameID()),
    357       base::Bind(&CrossSiteResourceHandler::ResumeOrTransfer,
    358                  weak_ptr_factory_.GetWeakPtr()));
    359 
    360   // Defer loading until it is known whether the navigation will transfer
    361   // to a new process or continue in the existing one.
    362   *defer = true;
    363   OnDidDefer();
    364   return true;
    365 }
    366 
    367 void CrossSiteResourceHandler::ResumeIfDeferred() {
    368   if (did_defer_) {
    369     request()->LogUnblocked();
    370     did_defer_ = false;
    371     controller()->Resume();
    372   }
    373 }
    374 
    375 void CrossSiteResourceHandler::OnDidDefer() {
    376   did_defer_ = true;
    377   request()->LogBlockedBy("CrossSiteResourceHandler");
    378 }
    379 
    380 }  // namespace content
    381