diff options
author | Allan Sandfeld Jensen <allan.jensen@theqtcompany.com> | 2015-01-22 11:30:24 +0100 |
---|---|---|
committer | Jocelyn Turcotte <jocelyn.turcotte@digia.com> | 2015-01-22 17:55:41 +0100 |
commit | 4c724c022664286191558803632d45cd28749ae4 (patch) | |
tree | 128ac4e844990fa1d85dfca446d54baf62918f7a /src/core | |
parent | b6c905a0616f3ed22e553171ad4f5667c1250941 (diff) |
Improve geolocation permission security
Ensure we only grant permission to the origin the user replied to,
otherwise we might get a race exploit.
Change-Id: I4f737148f4e41432c160b81c324531e9cde0edc6
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/web_contents_adapter.cpp | 2 | ||||
-rw-r--r-- | src/core/web_contents_delegate_qt.cpp | 11 | ||||
-rw-r--r-- | src/core/web_contents_delegate_qt.h | 7 |
3 files changed, 16 insertions, 4 deletions
diff --git a/src/core/web_contents_adapter.cpp b/src/core/web_contents_adapter.cpp index 3f6d7060c..d7dfcb97c 100644 --- a/src/core/web_contents_adapter.cpp +++ b/src/core/web_contents_adapter.cpp @@ -773,7 +773,7 @@ void WebContentsAdapter::grantMediaAccessPermission(const QUrl &securityOrigin, void WebContentsAdapter::runGeolocationRequestCallback(const QUrl &securityOrigin, bool allowed) { Q_D(WebContentsAdapter); - d->webContentsDelegate->m_lastGeolocationRequestCallback.Run(allowed); + d->webContentsDelegate->geolocationPermissionReply(securityOrigin, allowed); } void WebContentsAdapter::grantMouseLockPermission(bool granted) diff --git a/src/core/web_contents_delegate_qt.cpp b/src/core/web_contents_delegate_qt.cpp index 92b61dcdd..18b61cd2d 100644 --- a/src/core/web_contents_delegate_qt.cpp +++ b/src/core/web_contents_delegate_qt.cpp @@ -314,6 +314,13 @@ void WebContentsDelegateQt::allowCertificateError(const QExplicitlySharedDataPoi void WebContentsDelegateQt::requestGeolocationPermission(const GURL &requestingFrameOrigin, base::Callback<void (bool)> resultCallback) { - m_lastGeolocationRequestCallback = resultCallback; - m_viewClient->runGeolocationPermissionRequest(toQt(requestingFrameOrigin)); + m_lastGeolocationPermissionRequest.url = toQt(requestingFrameOrigin); + m_lastGeolocationPermissionRequest.callback = resultCallback; + m_viewClient->runGeolocationPermissionRequest(m_lastGeolocationPermissionRequest.url); +} + +void WebContentsDelegateQt::geolocationPermissionReply(const QUrl &origin, bool permission) +{ + if (m_lastGeolocationPermissionRequest.url == origin) + m_lastGeolocationPermissionRequest.callback.Run(permission); } diff --git a/src/core/web_contents_delegate_qt.h b/src/core/web_contents_delegate_qt.h index 2a541a768..c57a2fc67 100644 --- a/src/core/web_contents_delegate_qt.h +++ b/src/core/web_contents_delegate_qt.h @@ -92,11 +92,16 @@ public: void overrideWebPreferences(content::WebContents *, content::WebPreferences*); void allowCertificateError(const QExplicitlySharedDataPointer<CertificateErrorController> &) ; void requestGeolocationPermission(const GURL &requestingFrameOrigin, base::Callback<void (bool)> resultCallback); + void geolocationPermissionReply(const QUrl&, bool permission); - base::Callback<void (bool)> m_lastGeolocationRequestCallback; private: WebContentsAdapter *createWindow(content::WebContents *new_contents, WindowOpenDisposition disposition, const gfx::Rect& initial_pos, bool user_gesture); + struct { + QUrl url; + base::Callback<void (bool)> callback; + } m_lastGeolocationPermissionRequest; + WebContentsAdapterClient *m_viewClient; QString m_lastSearchedString; int m_lastReceivedFindReply; |