
Disallow redirects to blob: URLs

Blob URLs are ephemeral, so it doesn't make much sense to allow
redirecting to them.

See comments on crrev.com/c/1277785 for more info.

Change-Id: Iae31dc04f1ad4042d2b6861e05ca53699a3a31a6
Reviewed-on: https://chromium-review.googlesource.com/c/1278132
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Clark DuVall <cduvall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#600454}
Clark DuVall
2018-10-17 17:38:40 +00:00
committed by Commit Bot
parent 6896c8a254
commit 0f9781bed1
4 changed files with 9 additions and 1 deletions

@ -115,7 +115,7 @@ bool IsSafeRedirectTarget(const GURL& from_url, const GURL& to_url) {
static base::NoDestructor<std::set<std::string>> kUnsafeSchemes(
std::set<std::string>({
url::kAboutScheme, url::kDataScheme, url::kFileScheme,
url::kFileSystemScheme,
url::kFileSystemScheme, url::kBlobScheme,
#if defined(OS_ANDROID)
url::kContentScheme,
#endif
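Review bot: The new `url::kBlobScheme` entry in `kUnsafeSchemes` has no in-code rationale, so the reason blob: is refused as a redirect target is recorded only in the commit message. A short comment above the set would fix that, for example `// Schemes that must never be the target of a redirect; blob: is listed because blob URLs are ephemeral.` This commit enforces the same rule a second time in `BlobProtocolHandler::IsSafeRedirectTarget`, so the comment could name that override to keep the two checks from drifting apart. The rest of `IsSafeRedirectTarget` lies outside this hunk, so how the set is consulted is not visible here.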

@ -43,6 +43,8 @@ TEST(UrlUtilsTest, IsSafeRedirectTarget) {
GURL(), CreateValidURL("filesystem:http://foo.com/bar")));
EXPECT_FALSE(
IsSafeRedirectTarget(GURL(), CreateValidURL("data:text/plain,foo")));
EXPECT_FALSE(
IsSafeRedirectTarget(GURL(), CreateValidURL("blob:https://foo.com/bar")));
#if defined(OS_ANDROID)
EXPECT_FALSE(
IsSafeRedirectTarget(GURL(), CreateValidURL("content://foo.bar")));

@ -89,6 +89,10 @@ net::URLRequestJob* BlobProtocolHandler::MaybeCreateJob(
LookupBlobHandle(request));
}
bool BlobProtocolHandler::IsSafeRedirectTarget(const GURL& location) const {
return false;
}
BlobDataHandle* BlobProtocolHandler::LookupBlobHandle(
net::URLRequest* request) const {
BlobDataHandle* blob_data_handle = GetRequestBlobDataHandle(request);
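Review bot: `BlobProtocolHandler::IsSafeRedirectTarget` returns `false` unconditionally and never reads `location`, yet none of the visible hunks adds a test for this override. The only new assertion exercises the separate scheme check in `UrlUtilsTest`. If the override were later dropped, the handler would presumably fall back to the base `ProtocolHandler` behaviour without any test failing. A unit test along the lines of `EXPECT_FALSE(handler.IsSafeRedirectTarget(GURL("blob:https://foo.com/bar")));` would pin it. A one-line comment above the definition, such as `// Blob URLs are ephemeral; a redirect must never land on one.`, would also record the intent.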

@ -44,9 +44,11 @@ class STORAGE_EXPORT BlobProtocolHandler
explicit BlobProtocolHandler(BlobStorageContext* context);
~BlobProtocolHandler() override;
// net::URLRequestJobFactory::ProtocolHandler implementation:
net::URLRequestJob* MaybeCreateJob(
net::URLRequest* request,
net::NetworkDelegate* network_delegate) const override;
bool IsSafeRedirectTarget(const GURL& location) const override;
private:
BlobDataHandle* LookupBlobHandle(net::URLRequest* request) const;