Disallow redirects to blob: URLs
Blob URLs are ephemeral, so it doesn't make much sense to allow redirecting to them. See comments on crrev.com/c/1277785 for more info. Change-Id: Iae31dc04f1ad4042d2b6861e05ca53699a3a31a6 Reviewed-on: https://chromium-review.googlesource.com/c/1278132 Reviewed-by: Daniel Murphy <dmurph@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Commit-Queue: Clark DuVall <cduvall@chromium.org> Cr-Commit-Position: refs/heads/master@{#600454}
This commit is contained in:
content/public/common
storage/browser/blob
@ -115,7 +115,7 @@ bool IsSafeRedirectTarget(const GURL& from_url, const GURL& to_url) {
|
||||
static base::NoDestructor<std::set<std::string>> kUnsafeSchemes(
|
||||
std::set<std::string>({
|
||||
url::kAboutScheme, url::kDataScheme, url::kFileScheme,
|
||||
url::kFileSystemScheme,
|
||||
url::kFileSystemScheme, url::kBlobScheme,
|
||||
#if defined(OS_ANDROID)
|
||||
url::kContentScheme,
|
||||
#endif
|
||||
|
@ -43,6 +43,8 @@ TEST(UrlUtilsTest, IsSafeRedirectTarget) {
|
||||
GURL(), CreateValidURL("filesystem:http://foo.com/bar")));
|
||||
EXPECT_FALSE(
|
||||
IsSafeRedirectTarget(GURL(), CreateValidURL("data:text/plain,foo")));
|
||||
EXPECT_FALSE(
|
||||
IsSafeRedirectTarget(GURL(), CreateValidURL("blob:https://foo.com/bar")));
|
||||
#if defined(OS_ANDROID)
|
||||
EXPECT_FALSE(
|
||||
IsSafeRedirectTarget(GURL(), CreateValidURL("content://foo.bar")));
|
||||
|
@ -89,6 +89,10 @@ net::URLRequestJob* BlobProtocolHandler::MaybeCreateJob(
|
||||
LookupBlobHandle(request));
|
||||
}
|
||||
|
||||
bool BlobProtocolHandler::IsSafeRedirectTarget(const GURL& location) const {
|
||||
return false;
|
||||
}
|
||||
|
||||
BlobDataHandle* BlobProtocolHandler::LookupBlobHandle(
|
||||
net::URLRequest* request) const {
|
||||
BlobDataHandle* blob_data_handle = GetRequestBlobDataHandle(request);
|
||||
|
@ -44,9 +44,11 @@ class STORAGE_EXPORT BlobProtocolHandler
|
||||
explicit BlobProtocolHandler(BlobStorageContext* context);
|
||||
~BlobProtocolHandler() override;
|
||||
|
||||
// net::URLRequestJobFactory::ProtocolHandler implementation:
|
||||
net::URLRequestJob* MaybeCreateJob(
|
||||
net::URLRequest* request,
|
||||
net::NetworkDelegate* network_delegate) const override;
|
||||
bool IsSafeRedirectTarget(const GURL& location) const override;
|
||||
|
||||
private:
|
||||
BlobDataHandle* LookupBlobHandle(net::URLRequest* request) const;
|
||||
|
Reference in New Issue
Block a user