From dd2acb8a0a5ccbbf34664987fdcf4b3a418c54f9 Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Thu, 15 Feb 2018 17:58:31 +0100 Subject: Tie worker rights to cookie policy like Chromium does Instead of always allowing all workers, disallow when similar cookies would have been disallowed. This is following the same logic as Chromium is using. Change-Id: I6b9d6c63b894287f64171b138fe03ec080af5115 Reviewed-by: Leena Miettinen Reviewed-by: Peter Varga --- src/core/api/qwebenginecookiestore.cpp | 4 +++ src/core/content_browser_client_qt.cpp | 45 ++++++++++++++++++++++++++++++++++ src/core/content_browser_client_qt.h | 19 ++++++++++++++ 3 files changed, 68 insertions(+) (limited to 'src/core') diff --git a/src/core/api/qwebenginecookiestore.cpp b/src/core/api/qwebenginecookiestore.cpp index adf0cc49e..76e79c570 100644 --- a/src/core/api/qwebenginecookiestore.cpp +++ b/src/core/api/qwebenginecookiestore.cpp @@ -353,6 +353,10 @@ void QWebEngineCookieStore::deleteAllCookies() The callback should not be used to execute heavy tasks since it is running on the IO thread and therefore blocks the Chromium networking. + \note The cookie filter also controls other features with tracking capabilities similar to + those of cookies; including IndexedDB, DOM storage, filesystem API, service workers, + and AppCache. + \sa deleteAllCookies(), loadAllCookies() */ void QWebEngineCookieStore::setCookieFilter(const std::function &filterCallback) diff --git a/src/core/content_browser_client_qt.cpp b/src/core/content_browser_client_qt.cpp index 1f5f76a4d..3e620bd1f 100644 --- a/src/core/content_browser_client_qt.cpp +++ b/src/core/content_browser_client_qt.cpp @@ -95,6 +95,7 @@ #include "media_capture_devices_dispatcher.h" #include "net/network_delegate_qt.h" #include "net/qrc_protocol_handler_qt.h" +#include "net/url_request_context_getter_qt.h" #if BUILDFLAG(ENABLE_BASIC_PRINTING) #include "printing/printing_message_filter_qt.h" #endif // BUILDFLAG(ENABLE_BASIC_PRINTING) @@ -740,6 +741,7 @@ bool ContentBrowserClientQt::AllowGetCookie(const GURL &url, int /*render_process_id*/, int /*render_frame_id*/) { + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); NetworkDelegateQt *networkDelegate = static_cast(context->GetRequestContext()->network_delegate()); return networkDelegate->canGetCookies(first_party, url); } @@ -752,10 +754,53 @@ bool ContentBrowserClientQt::AllowSetCookie(const GURL &url, int /*render_frame_id*/, const net::CookieOptions& /*options*/) { + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); NetworkDelegateQt *networkDelegate = static_cast(context->GetRequestContext()->network_delegate()); return networkDelegate->canSetCookies(first_party, url, std::string()); } +bool ContentBrowserClientQt::AllowAppCache(const GURL &manifest_url, + const GURL &first_party, + content::ResourceContext *context) +{ + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); + NetworkDelegateQt *networkDelegate = static_cast(context->GetRequestContext()->network_delegate()); + return networkDelegate->canGetCookies(first_party, manifest_url); +} + +bool ContentBrowserClientQt::AllowServiceWorker(const GURL &scope, + const GURL &first_party, + content::ResourceContext *context, + const base::Callback &/*wc_getter*/) +{ + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); + // FIXME: Chrome also checks if javascript is enabled here to check if has been disabled since the service worker + // was started. + NetworkDelegateQt *networkDelegate = static_cast(context->GetRequestContext()->network_delegate()); + return networkDelegate->canGetCookies(first_party, scope); +} + +// We control worker access to FS and indexed-db using cookie permissions, this is mirroring Chromium's logic. +void ContentBrowserClientQt::AllowWorkerFileSystem(const GURL &url, + content::ResourceContext *context, + const std::vector > &/*render_frames*/, + base::Callback callback) +{ + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); + NetworkDelegateQt *networkDelegate = static_cast(context->GetRequestContext()->network_delegate()); + callback.Run(networkDelegate->canSetCookies(url, url, std::string())); +} + +bool ContentBrowserClientQt::AllowWorkerIndexedDB(const GURL &url, + const base::string16 &/*name*/, + content::ResourceContext *context, + const std::vector > &/*render_frames*/) +{ + DCHECK_CURRENTLY_ON(content::BrowserThread::IO); + NetworkDelegateQt *networkDelegate = static_cast(context->GetRequestContext()->network_delegate()); + return networkDelegate->canSetCookies(url, url, std::string()); +} + } // namespace QtWebEngineCore DEFINE_WEB_CONTENTS_USER_DATA_KEY(QtWebEngineCore::ServiceDriver); diff --git a/src/core/content_browser_client_qt.h b/src/core/content_browser_client_qt.h index 86bd2977c..5ef2cddfb 100644 --- a/src/core/content_browser_client_qt.h +++ b/src/core/content_browser_client_qt.h @@ -150,6 +150,25 @@ public: int render_frame_id, const net::CookieOptions& options) override; + bool AllowAppCache(const GURL& manifest_url, + const GURL& first_party, + content::ResourceContext* context) override; + + bool AllowServiceWorker(const GURL& scope, + const GURL& first_party, + content::ResourceContext* context, + const base::Callback& wc_getter) override; + + void AllowWorkerFileSystem(const GURL &url, + content::ResourceContext *context, + const std::vector > &render_frames, + base::Callback callback) override; + + bool AllowWorkerIndexedDB(const GURL &url, + const base::string16 &name, + content::ResourceContext *context, + const std::vector > &render_frames) override; + #if defined(Q_OS_LINUX) void GetAdditionalMappedFilesForChildProcess(const base::CommandLine& command_line, int child_process_id, content::PosixFileDescriptorInfo* mappings) override; #endif -- cgit v1.2.3