mirror of
https://github.com/electron/electron.git
synced 2026-02-19 03:14:51 -05:00
a65cfed500
* chore: bump chromium in DEPS to 146.0.7652.0 * fix(patch-conflict): update mas_avoid_private_macos_api_usage context for constrainFrameRect method The upstream CL added a new constrainFrameRect:toScreen: method override to NativeWidgetMacNSWindow as part of headless mode window zoom implementation. The MAS patch's #endif for frameViewClassForStyleMask now correctly appears after that method, since constrainFrameRect is a public API override that doesn't need to be guarded. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7487666 * fix(patch-conflict): update printing.patch for base::DictValue rename Updated printing.patch to use the new base::DictValue type name instead of base::Value::Dict following Chromium's type renaming change. This affects CompleteUpdatePrintSettings() signature and related code. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7509820 * fix(patch-conflict): update accessibility_ui patch for base::DictValue/ListValue rename Updated adjust_accessibility_ui_for_electron.patch to use the new base::DictValue and base::ListValue type names instead of base::Value::Dict and base::Value::List following Chromium's type renaming change. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7509820 * chore: update patches * 6625736: Rename DURABLE_STORAGE to PERSISTENT_STORAGE for consistency | https://chromium-review.googlesource.com/c/chromium/src/+/6625736 * chore: bump chromium in DEPS to 146.0.7653.0 * chore: update patches * 7000847: add type tag to v8::External for gin_helper function templates The upstream gin function templates now use v8::ExternalPointerTypeTag for type safety when using v8::External. Updated Electron's forked gin_helper function template to use the same kGinInternalCallbackHolderBaseTag that Chromium's gin uses. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7000847 * fix(patch-update): extend V8 Object API deprecation patch for Node.js Extended the existing patch to cover additional files that use GetAlignedPointerFromInternalField and SetAlignedPointerInInternalField: - src/stream_base-inl.h - src/udp_wrap.cc - src/js_udp_wrap.cc - src/node_process_methods.cc - src/node_snapshotable.cc - src/base_object.cc These APIs now require an EmbedderDataTypeTag parameter. Ref: https://chromium-review.googlesource.com/c/v8/v8/+/7087956 * 7000847: add type tag to v8::External calls in shared_texture Updated v8::External::New and v8::External::Value calls to use the kExternalPointerTypeTagDefault tag as required by the V8 API change that deprecates the tagless versions. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7000847 * 7508687: use ChildProcessId for file permission APIs The ChildProcessSecurityPolicy::CanReadFile and GrantReadFile APIs now require ChildProcessId instead of int. Updated to use GetID() instead of GetDeprecatedID() for these specific calls. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7508687 * 7000847: add type tag to v8::External calls in callback and osr_converter The v8::External API now requires an EmbedderPointerTypeTag parameter for both New() and Value() methods to improve V8 sandbox type safety. Updated calls in: - callback.cc: TranslatorHolder constructor and CallTranslator - osr_converter.cc: OffscreenSharedTextureValue converter Ref: https://chromium-review.googlesource.com/c/v8/v8/+/7000847 * fixup! 7087956: [api] Promote deprecation of v8::Context and v8::Object API methods Extended the Node.js patch to cover histogram.cc which also uses SetAlignedPointerInInternalField and GetAlignedPointerFromInternalField APIs that now require the EmbedderDataTypeTag parameter. Ref: https://chromium-review.googlesource.com/c/v8/v8/+/7087956 * chore: bump chromium in DEPS to 146.0.7655.0 * chore: update patches * 7509043: update WebSpellingMarker type for API change The upstream Chromium API changed - WebSpellingMarker was moved from a nested type within WebTextCheckClient to a standalone type in the blink namespace. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7509043 * 7498491: update process_id to use OriginatingProcess type The upstream Chromium API changed - URLLoaderFactoryParams::process_id was changed from an integer to a union type network::OriginatingProcess that distinguishes between browser and renderer processes. - For browser process requests, use OriginatingProcess::browser() - For renderer process lookups, check !is_browser() and use renderer_process().value() to get the child_id Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7498491 * 5710330: Add crash keys to debug NativeWidgetMacNSWindowBorderlessFrame exception | https://chromium-review.googlesource.com/c/chromium/src/+/5710330 5710330 added a new NSNextStepFrame interface extension and implementations for NativeWidgetMacNSWindowTitledFrame and NativeWidgetMacNSWindowBorderlessFrame. These use private macOS APIs that are not available in Mac App Store builds. * chore: update patches * chore: bump chromium in DEPS to 146.0.7661.0 * chore: bump chromium in DEPS to 146.0.7663.0 * fix(patch-conflict): update accessibility_ui for string_view API change Upstream removed redundant std::string(default_api_type) conversion as part of a string_view optimization cleanup. Updated patch context to match. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7514107 * fix(patch-conflict): update service process launch options for sandbox API refactor Upstream removed content/common/sandbox_init_win.cc and content/public/common/sandbox_init_win.h, moving the functionality directly into ChildProcessLauncherHelper. Updated patch to call sandbox::policy::SandboxWin::StartSandboxedProcess directly with the LaunchOptions pointer instead of going through the removed helper. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7528253 * fix(patch-conflict): update MAS safestorage for keychain API refactor Upstream refactored KeychainPassword::GetPassword() to use a new GetPasswordImpl() helper function with improved error tracking via base::expected<std::string, OSStatus>. Adapted patch to use the new GetPasswordImpl with the suffixed account name and handle migration from legacy accounts through the new API. Ref: https://chromium-review.googlesource.com/c/chromium/src/+/7516438 * chore: update patches * chore: bump chromium in DEPS to 146.0.7663.0 * fix: base::Value::Dict -> base::DictValue https://chromium-review.googlesource.com/c/chromium/src/+/7513889 * fix: include new cookie exclusion reason https://chromium-review.googlesource.com/c/chromium/src/+/7486527 * fix: enable libc++ ABI flag for trivially copyable std::vector<bool> Required for changes introduced in the following CL https://chromium-review.googlesource.com/c/chromium/src/+/7513653 * fixup! fix: base::Value::Dict -> base::DictValue https://chromium-review.googlesource.com/c/chromium/src/+/7513889 * fix: spellcheck not working in tests https://chromium-review.googlesource.com/c/chromium/src/+/7452579 * fix: cookie test failing due to multiple rejection reasons https://chromium-review.googlesource.com/c/chromium/src/+/7506629 * fix: macos sizing unmaximized window incorrectly https://chromium-review.googlesource.com/c/chromium/src/+/7487666 Changes to headless mode caused the unmaximized window to subtract the height of the menubar. * fix: skip tests for incompatible BoringSSL ML-DSA crypto https://boringssl-review.googlesource.com/c/boringssl/+/84929 * test: fix pseudonymization registration in utility process on Linux Ref: 7486913: Pass pseudonymization salt via shared memory at process launch | https://chromium-review.googlesource.com/c/chromium/src/+/7486913 * fix: restore MAS patch-outs Restores some `#if !IS_MAS_BUILD()` gates dropped in773054ad59* fixup! 7508687: use ChildProcessId for file permission APIs * fixup! fix(patch-conflict): update MAS safestorage for keychain API refactor * chore: add note about parallel upstream change * fixup! Merge remote-tracking branch 'origin/main' into roller/chromium/main * Revert "fixup! 7508687: use ChildProcessId for file permission APIs" This reverts commit05c43e4e5d. The _impl version has the signature, but not the public interface. :oof: * fixup! fix(patch-conflict): update MAS safestorage for keychain API refactor --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Keeley Hammond <khammond@slack-corp.com> Co-authored-by: Samuel Maddock <samuelmaddock@electronjs.org> Co-authored-by: clavin <clavin@electronjs.org>
466 lines
21 KiB
Diff
466 lines
21 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Cheng Zhao <zcbenz@gmail.com>
|
|
Date: Thu, 14 Dec 2023 21:16:53 +0900
|
|
Subject: Enable V8 code cache for custom schemes
|
|
|
|
Add a new category in ContentClient::AddAdditionalSchemes which allows
|
|
embedders to make custom schemes allow V8 code cache.
|
|
|
|
Chromium CL: https://chromium-review.googlesource.com/c/chromium/src/+/5019665
|
|
|
|
diff --git a/content/browser/code_cache/generated_code_cache.cc b/content/browser/code_cache/generated_code_cache.cc
|
|
index 7a775f9faac4296806ec1ab421da6dc7e9463a7a..251fdb8fb65e1b68056cb9c97a88a2da5450e380 100644
|
|
--- a/content/browser/code_cache/generated_code_cache.cc
|
|
+++ b/content/browser/code_cache/generated_code_cache.cc
|
|
@@ -4,6 +4,7 @@
|
|
|
|
#include "content/browser/code_cache/generated_code_cache.h"
|
|
|
|
+#include <algorithm>
|
|
#include <iostream>
|
|
#include <string_view>
|
|
|
|
@@ -33,6 +34,7 @@
|
|
#include "third_party/blink/public/common/loader/code_cache_util.h"
|
|
#include "third_party/blink/public/common/scheme_registry.h"
|
|
#include "url/gurl.h"
|
|
+#include "url/url_util.h"
|
|
|
|
using storage::BigIOBuffer;
|
|
|
|
@@ -54,13 +56,17 @@ void CheckValidResource(const GURL& resource_url,
|
|
GeneratedCodeCache::CodeCacheType cache_type) {
|
|
// If the resource url is invalid don't cache the code.
|
|
DCHECK(resource_url.is_valid());
|
|
- bool resource_url_is_chrome_or_chrome_untrusted =
|
|
+ // There are 3 kind of URL scheme compatible for the `resource_url`.
|
|
+ // 1. http: and https: URLs.
|
|
+ // 2. chrome: and chrome-untrusted: URLs.
|
|
+ // 3. URLs whose scheme are allowed by the content/ embedder.
|
|
+ const bool resource_url_http = resource_url.SchemeIsHTTPOrHTTPS();
|
|
+ const bool resource_url_webui =
|
|
resource_url.SchemeIs(content::kChromeUIScheme) ||
|
|
resource_url.SchemeIs(content::kChromeUIUntrustedScheme);
|
|
- DCHECK(
|
|
- resource_url.SchemeIsHTTPOrHTTPS() ||
|
|
- resource_url_is_chrome_or_chrome_untrusted ||
|
|
- blink::CommonSchemeRegistry::IsExtensionScheme(resource_url.GetScheme()));
|
|
+ const bool resource_url_embedder = std::ranges::contains(
|
|
+ url::GetCodeCacheSchemes(), resource_url.GetScheme());
|
|
+ DCHECK(resource_url_http || resource_url_webui || resource_url_embedder);
|
|
|
|
if (!blink::features::IsPersistentCacheForCodeCacheEnabled()) {
|
|
// The chrome and chrome-untrusted schemes are only used with the WebUI code
|
|
@@ -68,35 +74,51 @@ void CheckValidResource(const GURL& resource_url,
|
|
// segments WebUI from non-WebUI in multiple ways to prevent privilege
|
|
// escalation, using both `GetCacheId` and
|
|
// `CheckSecurityForAccessingCodeCacheData`.
|
|
- DCHECK_EQ(resource_url_is_chrome_or_chrome_untrusted,
|
|
+ DCHECK_EQ(resource_url_webui,
|
|
cache_type == GeneratedCodeCache::kWebUIJavaScript);
|
|
}
|
|
}
|
|
|
|
void CheckValidContext(const GURL& origin_lock,
|
|
GeneratedCodeCache::CodeCacheType cache_type) {
|
|
- // |origin_lock| should be either empty or should have
|
|
- // Http/Https/chrome/chrome-untrusted schemes and it should not be a URL with
|
|
- // opaque origin. Empty origin_locks are allowed when the renderer is not
|
|
- // locked to an origin.
|
|
- bool origin_lock_is_chrome_or_chrome_untrusted =
|
|
+ // |origin_lock| should be either empty or should have code cache allowed
|
|
+ // schemes (http/https/chrome/chrome-untrusted or other custom schemes added
|
|
+ // by url::AddCodeCacheScheme), and it should not be a URL with opaque
|
|
+ // origin. Empty origin_locks are allowed when the renderer is not locked to
|
|
+ // an origin.
|
|
+ const bool origin_lock_empty = origin_lock.is_empty();
|
|
+ const bool origin_lock_for_http = origin_lock.SchemeIsHTTPOrHTTPS();
|
|
+ const bool origin_lock_for_webui =
|
|
origin_lock.SchemeIs(content::kChromeUIScheme) ||
|
|
origin_lock.SchemeIs(content::kChromeUIUntrustedScheme);
|
|
- DCHECK(origin_lock.is_empty() ||
|
|
- ((origin_lock.SchemeIsHTTPOrHTTPS() ||
|
|
- origin_lock_is_chrome_or_chrome_untrusted ||
|
|
- blink::CommonSchemeRegistry::IsExtensionScheme(
|
|
- origin_lock.GetScheme())) &&
|
|
- !url::Origin::Create(origin_lock).opaque()));
|
|
+ const bool origin_lock_for_embedder = std::ranges::contains(
|
|
+ url::GetCodeCacheSchemes(), origin_lock.GetScheme());
|
|
+
|
|
+ DCHECK(origin_lock_empty || ((origin_lock_for_http || origin_lock_for_webui ||
|
|
+ origin_lock_for_embedder) &&
|
|
+ !url::Origin::Create(origin_lock).opaque()));
|
|
|
|
if (!blink::features::IsPersistentCacheForCodeCacheEnabled()) {
|
|
- // The chrome and chrome-untrusted schemes are only used with the WebUI code
|
|
- // cache type when PersistentCache is not used. Otherwise, PersistentCache
|
|
+ // The chrome and chrome-untrusted schemes are only used with their dedicated
|
|
+ // code cache type when PersistentCache is not used. Otherwise, PersistentCache
|
|
// segments WebUI from non-WebUI in multiple ways to prevent privilege
|
|
// escalation, using both `GetCacheId` and
|
|
// `CheckSecurityForAccessingCodeCacheData`.
|
|
- DCHECK_EQ(origin_lock_is_chrome_or_chrome_untrusted,
|
|
- cache_type == GeneratedCodeCache::kWebUIJavaScript);
|
|
+ switch (cache_type) {
|
|
+ case GeneratedCodeCache::kJavaScript:
|
|
+ case GeneratedCodeCache::kWebAssembly:
|
|
+ DCHECK(!origin_lock_for_webui);
|
|
+ break;
|
|
+ case GeneratedCodeCache::kWebUIJavaScript:
|
|
+ DCHECK(origin_lock_for_webui);
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ // The custom schemes share the cache type with http(s).
|
|
+ if (origin_lock_for_embedder) {
|
|
+ DCHECK(cache_type == GeneratedCodeCache::kJavaScript ||
|
|
+ cache_type == GeneratedCodeCache::kWebAssembly);
|
|
+ }
|
|
}
|
|
}
|
|
|
|
diff --git a/content/browser/code_cache/generated_code_cache.h b/content/browser/code_cache/generated_code_cache.h
|
|
index a01f0d96ef33ce9460a851b072b7ceed5227dee3..f7e39b28cc0ba2251123925c01083a7935f46f56 100644
|
|
--- a/content/browser/code_cache/generated_code_cache.h
|
|
+++ b/content/browser/code_cache/generated_code_cache.h
|
|
@@ -51,12 +51,14 @@ class CONTENT_EXPORT GeneratedCodeCache {
|
|
// Cache type. Used for collecting statistics for JS and Wasm in separate
|
|
// buckets.
|
|
enum CodeCacheType {
|
|
- // JavaScript from http(s) pages.
|
|
+ // JavaScript from pages of http(s) schemes or custom schemes registered by
|
|
+ // url::AddCodeCacheScheme.
|
|
kJavaScript,
|
|
|
|
- // WebAssembly from http(s) pages. This cache allows more total size and
|
|
- // more size per item than the JavaScript cache, since some
|
|
- // WebAssembly programs are very large.
|
|
+ // WebAssembly from pages of http(s) schemes or custom schemes registered by
|
|
+ // url::AddCodeCacheScheme. This cache allows more total size and more size
|
|
+ // per item than the JavaScript cache, since some WebAssembly programs are
|
|
+ // very large.
|
|
kWebAssembly,
|
|
|
|
// JavaScript from chrome and chrome-untrusted pages. The resource URLs are
|
|
diff --git a/content/browser/code_cache/generated_code_cache_browsertest.cc b/content/browser/code_cache/generated_code_cache_browsertest.cc
|
|
index 68a3095a49caf472c83b93b5cef66e5549a2d7cc..aa371ba5576f9fbaf5558e39704f7eb87ec7511e 100644
|
|
--- a/content/browser/code_cache/generated_code_cache_browsertest.cc
|
|
+++ b/content/browser/code_cache/generated_code_cache_browsertest.cc
|
|
@@ -16,17 +16,22 @@
|
|
#include "base/time/time.h"
|
|
#include "content/browser/code_cache/generated_code_cache_context.h"
|
|
#include "content/browser/renderer_host/code_cache_host_impl.h"
|
|
+#include "content/browser/storage_partition_impl.h"
|
|
#include "content/browser/web_contents/web_contents_impl.h"
|
|
#include "content/common/renderer.mojom.h"
|
|
+#include "content/common/url_schemes.h"
|
|
#include "content/public/browser/browser_context.h"
|
|
+#include "content/public/browser/browser_thread.h"
|
|
#include "content/public/browser/render_process_host.h"
|
|
#include "content/public/browser/storage_partition.h"
|
|
#include "content/public/test/browser_test.h"
|
|
#include "content/public/test/browser_test_utils.h"
|
|
#include "content/public/test/content_browser_test.h"
|
|
#include "content/public/test/content_browser_test_utils.h"
|
|
+#include "content/public/test/test_browser_context.h"
|
|
#include "content/shell/browser/shell.h"
|
|
#include "content/test/content_browser_test_utils_internal.h"
|
|
+#include "content/test/test_content_client.h"
|
|
#include "net/base/features.h"
|
|
#include "net/dns/mock_host_resolver.h"
|
|
#include "third_party/blink/public/common/features.h"
|
|
@@ -38,6 +43,8 @@ namespace content {
|
|
|
|
namespace {
|
|
|
|
+const std::string kCodeCacheScheme = "test-code-cache";
|
|
+
|
|
bool SupportsSharedWorker() {
|
|
return base::FeatureList::IsEnabled(blink::features::kSharedWorker);
|
|
}
|
|
@@ -1063,4 +1070,82 @@ IN_PROC_BROWSER_TEST_F(LocalCompileHintsBrowserTest, LocalCompileHints) {
|
|
}
|
|
}
|
|
|
|
+class CodeCacheInCustomSchemeBrowserTest : public ContentBrowserTest,
|
|
+ public TestContentClient {
|
|
+ public:
|
|
+ CodeCacheInCustomSchemeBrowserTest() {
|
|
+ SetContentClient(this);
|
|
+ ReRegisterContentSchemesForTests();
|
|
+ }
|
|
+
|
|
+ ~CodeCacheInCustomSchemeBrowserTest() override { SetContentClient(nullptr); }
|
|
+
|
|
+ private:
|
|
+ void AddAdditionalSchemes(Schemes* schemes) override {
|
|
+ schemes->standard_schemes.push_back(kCodeCacheScheme);
|
|
+ schemes->code_cache_schemes.push_back(kCodeCacheScheme);
|
|
+ }
|
|
+
|
|
+ url::ScopedSchemeRegistryForTests scheme_registry_;
|
|
+};
|
|
+
|
|
+IN_PROC_BROWSER_TEST_F(CodeCacheInCustomSchemeBrowserTest,
|
|
+ AllowedCustomSchemeCanGenerateCodeCache) {
|
|
+ StoragePartitionImpl* partition =
|
|
+ static_cast<StoragePartitionImpl*>(shell()
|
|
+ ->web_contents()
|
|
+ ->GetBrowserContext()
|
|
+ ->GetDefaultStoragePartition());
|
|
+ scoped_refptr<GeneratedCodeCacheContext> context =
|
|
+ partition->GetGeneratedCodeCacheContext();
|
|
+ EXPECT_NE(context, nullptr);
|
|
+
|
|
+ GURL url(kCodeCacheScheme + "://host4/script.js");
|
|
+ GURL origin(kCodeCacheScheme + "://host1:1/");
|
|
+ ASSERT_TRUE(url.is_valid());
|
|
+ ASSERT_TRUE(origin.is_valid());
|
|
+ std::string data("SomeData");
|
|
+
|
|
+ // Add a code cache entry for the custom scheme.
|
|
+ base::test::TestFuture<void> add_entry_future;
|
|
+ GeneratedCodeCacheContext::RunOrPostTask(
|
|
+ context.get(), FROM_HERE,
|
|
+ base::BindOnce(
|
|
+ [](scoped_refptr<GeneratedCodeCacheContext> context, const GURL& url,
|
|
+ const GURL& origin, const std::string& data,
|
|
+ base::OnceClosure callback) {
|
|
+ context->generated_js_code_cache()->WriteEntry(
|
|
+ url, origin, net::NetworkIsolationKey(), base::Time::Now(),
|
|
+ std::vector<uint8_t>(data.begin(), data.end()));
|
|
+ GetUIThreadTaskRunner({})->PostTask(FROM_HERE, std::move(callback));
|
|
+ },
|
|
+ context, url, origin, data, add_entry_future.GetCallback()));
|
|
+ ASSERT_TRUE(add_entry_future.Wait());
|
|
+
|
|
+ // Get the code cache entry.
|
|
+ base::test::TestFuture<std::string> get_entry_future;
|
|
+ GeneratedCodeCacheContext::RunOrPostTask(
|
|
+ context.get(), FROM_HERE,
|
|
+ base::BindOnce(
|
|
+ [](scoped_refptr<GeneratedCodeCacheContext> context, const GURL& url,
|
|
+ const GURL& origin,
|
|
+ base::OnceCallback<void(std::string)> callback) {
|
|
+ context->generated_js_code_cache()->FetchEntry(
|
|
+ url, origin, net::NetworkIsolationKey(),
|
|
+ base::BindOnce(
|
|
+ [](base::OnceCallback<void(std::string)> callback,
|
|
+ const base::Time& response_time,
|
|
+ mojo_base::BigBuffer buffer) {
|
|
+ std::string data(buffer.data(),
|
|
+ buffer.data() + buffer.size());
|
|
+ GetUIThreadTaskRunner({})->PostTask(
|
|
+ FROM_HERE, base::BindOnce(std::move(callback), data));
|
|
+ },
|
|
+ std::move(callback)));
|
|
+ },
|
|
+ context, url, origin, get_entry_future.GetCallback()));
|
|
+ ASSERT_TRUE(get_entry_future.Wait());
|
|
+ ASSERT_EQ(data, get_entry_future.Get<0>());
|
|
+}
|
|
+
|
|
} // namespace content
|
|
diff --git a/content/browser/renderer_host/code_cache_host_impl.cc b/content/browser/renderer_host/code_cache_host_impl.cc
|
|
index ffc684ad1e2dfbf148bb01b4d185a44619a2dceb..39b15dd921539c17e1038fabc64bf20b0974e20a 100644
|
|
--- a/content/browser/renderer_host/code_cache_host_impl.cc
|
|
+++ b/content/browser/renderer_host/code_cache_host_impl.cc
|
|
@@ -4,6 +4,7 @@
|
|
|
|
#include "content/browser/renderer_host/code_cache_host_impl.h"
|
|
|
|
+#include <algorithm>
|
|
#include <optional>
|
|
#include <string_view>
|
|
#include <utility>
|
|
@@ -42,6 +43,7 @@
|
|
#include "third_party/perfetto/include/perfetto/tracing/track_event_args.h"
|
|
#include "url/gurl.h"
|
|
#include "url/origin.h"
|
|
+#include "url/url_util.h"
|
|
|
|
using blink::mojom::CacheStorageError;
|
|
|
|
@@ -56,6 +58,10 @@ enum class Operation {
|
|
kWrite,
|
|
};
|
|
|
|
+bool ProcessLockURLIsCodeCacheScheme(const ProcessLock& process_lock) {
|
|
+ return std::ranges::contains(url::GetCodeCacheSchemes(), process_lock.GetProcessLockURL().scheme());
|
|
+}
|
|
+
|
|
bool CheckSecurityForAccessingCodeCacheData(const GURL& resource_url,
|
|
int render_process_id,
|
|
Operation operation) {
|
|
@@ -67,42 +73,56 @@ bool CheckSecurityForAccessingCodeCacheData(const GURL& resource_url,
|
|
ChildProcessSecurityPolicyImpl::GetInstance()->GetProcessLock(
|
|
render_process_id);
|
|
|
|
- // Code caching is only allowed for http(s) and chrome/chrome-untrusted
|
|
- // scripts. Furthermore, there is no way for http(s) pages to load chrome or
|
|
+ // Code caching is only allowed for scripts from:
|
|
+ // 1. http: and https: schemes.
|
|
+ // 2. chrome: and chrome-untrusted: schemes.
|
|
+ // 3. Schemes registered by content/ embedder via url::AddCodeCacheScheme.
|
|
+ //
|
|
+ // Furthermore, we know there are no way for http(s) pages to load chrome or
|
|
// chrome-untrusted scripts, so any http(s) page attempting to store data
|
|
// about a chrome or chrome-untrusted script would be an indication of
|
|
// suspicious activity.
|
|
+ if (resource_url.SchemeIsHTTPOrHTTPS()) {
|
|
+ if (process_lock.MatchesScheme(url::kHttpScheme) ||
|
|
+ process_lock.MatchesScheme(url::kHttpsScheme)) {
|
|
+ return true;
|
|
+ }
|
|
+ // Pages in custom schemes like isolated-app: are allowed to load http(s)
|
|
+ // resources.
|
|
+ if (ProcessLockURLIsCodeCacheScheme(process_lock)) {
|
|
+ return true;
|
|
+ }
|
|
+ // It is possible for WebUI pages to include open-web content, but such
|
|
+ // usage is rare and we've decided that reasoning about security is easier
|
|
+ // if the WebUI code cache includes only WebUI scripts.
|
|
+ return false;
|
|
+ }
|
|
+
|
|
if (resource_url.SchemeIs(content::kChromeUIScheme) ||
|
|
resource_url.SchemeIs(content::kChromeUIUntrustedScheme)) {
|
|
- if (!process_lock.IsLockedToSite()) {
|
|
- // We can't tell for certain whether this renderer is doing something
|
|
- // malicious, but we don't trust it enough to store data.
|
|
- return false;
|
|
+ if (process_lock.MatchesScheme(content::kChromeUIScheme) ||
|
|
+ process_lock.MatchesScheme(content::kChromeUIUntrustedScheme)) {
|
|
+ return true;
|
|
}
|
|
- if (process_lock.MatchesScheme(url::kHttpScheme) ||
|
|
- process_lock.MatchesScheme(url::kHttpsScheme)) {
|
|
- if (operation == Operation::kWrite) {
|
|
+ if (operation == Operation::kWrite) {
|
|
+ if (process_lock.MatchesScheme(url::kHttpScheme) ||
|
|
+ process_lock.MatchesScheme(url::kHttpsScheme)) {
|
|
mojo::ReportBadMessage("HTTP(S) pages cannot cache WebUI code");
|
|
}
|
|
+ if (ProcessLockURLIsCodeCacheScheme(process_lock)) {
|
|
+ mojo::ReportBadMessage(
|
|
+ "Page whose scheme are allowed by content/ embedders cannot cache "
|
|
+ "WebUI code. Did the embedder misconfigured content/?");
|
|
+ }
|
|
return false;
|
|
}
|
|
// Other schemes which might successfully load chrome or chrome-untrusted
|
|
// scripts, such as the PDF viewer, are unsupported but not considered
|
|
- // dangerous.
|
|
- return process_lock.MatchesScheme(content::kChromeUIScheme) ||
|
|
- process_lock.MatchesScheme(content::kChromeUIUntrustedScheme);
|
|
+ // dangerous. Similarly, the process might not be locked to a site.
|
|
+ return false;
|
|
}
|
|
- if (resource_url.SchemeIsHTTPOrHTTPS() ||
|
|
- blink::CommonSchemeRegistry::IsExtensionScheme(
|
|
- resource_url.GetScheme())) {
|
|
- if (process_lock.MatchesScheme(content::kChromeUIScheme) ||
|
|
- process_lock.MatchesScheme(content::kChromeUIUntrustedScheme)) {
|
|
- // It is possible for WebUI pages to include open-web content, but such
|
|
- // usage is rare and we've decided that reasoning about security is easier
|
|
- // if the WebUI code cache includes only WebUI scripts.
|
|
- return false;
|
|
- }
|
|
- return true;
|
|
+ if (std::ranges::contains(url::GetCodeCacheSchemes(), resource_url.GetScheme())) {
|
|
+ return ProcessLockURLIsCodeCacheScheme(process_lock);
|
|
}
|
|
|
|
if (operation == Operation::kWrite) {
|
|
@@ -180,6 +200,7 @@ std::optional<GURL> GetOriginLock(int render_process_id) {
|
|
process_lock.MatchesScheme(url::kHttpsScheme) ||
|
|
process_lock.MatchesScheme(content::kChromeUIScheme) ||
|
|
process_lock.MatchesScheme(content::kChromeUIUntrustedScheme) ||
|
|
+ ProcessLockURLIsCodeCacheScheme(process_lock) ||
|
|
blink::CommonSchemeRegistry::IsExtensionScheme(
|
|
process_lock.GetProcessLockURL().GetScheme())) {
|
|
return process_lock.GetProcessLockURL();
|
|
diff --git a/content/common/url_schemes.cc b/content/common/url_schemes.cc
|
|
index 225e017909b8869231b870eaaf161a0b5e93e2a0..846a5251429630b8528a84a3d67ed56cb28df5a1 100644
|
|
--- a/content/common/url_schemes.cc
|
|
+++ b/content/common/url_schemes.cc
|
|
@@ -102,6 +102,14 @@ void RegisterContentSchemes(bool should_lock_registry) {
|
|
for (auto& scheme : schemes.empty_document_schemes)
|
|
url::AddEmptyDocumentScheme(scheme.c_str());
|
|
|
|
+ for (auto& scheme : schemes.code_cache_schemes) {
|
|
+ CHECK_NE(scheme, kChromeUIScheme);
|
|
+ CHECK_NE(scheme, kChromeUIUntrustedScheme);
|
|
+ CHECK_NE(scheme, url::kHttpScheme);
|
|
+ CHECK_NE(scheme, url::kHttpsScheme);
|
|
+ url::AddCodeCacheScheme(scheme.c_str());
|
|
+ }
|
|
+
|
|
#if BUILDFLAG(IS_ANDROID)
|
|
if (schemes.allow_non_standard_schemes_in_origins)
|
|
url::EnableNonStandardSchemesForAndroidWebView();
|
|
diff --git a/content/public/common/content_client.h b/content/public/common/content_client.h
|
|
index 33e2ff42e4d9da442d522b959a4a21c2f7032b6b..a0d81212327fc17e1f4704e78803c1d7d82b2016 100644
|
|
--- a/content/public/common/content_client.h
|
|
+++ b/content/public/common/content_client.h
|
|
@@ -139,6 +139,9 @@ class CONTENT_EXPORT ContentClient {
|
|
// Registers a URL scheme as strictly empty documents, allowing them to
|
|
// commit synchronously.
|
|
std::vector<std::string> empty_document_schemes;
|
|
+ // Registers a URL scheme whose js and wasm scripts have V8 code cache
|
|
+ // enabled.
|
|
+ std::vector<std::string> code_cache_schemes;
|
|
// Registers a URL scheme as extension scheme.
|
|
std::vector<std::string> extension_schemes;
|
|
// Registers a URL scheme with a predefined default custom handler.
|
|
diff --git a/url/url_util.cc b/url/url_util.cc
|
|
index 7578135ca53c4421cfc08c722d9471f376a0673c..cd136b7a978adb4fb8f293015817eb55a06f1176 100644
|
|
--- a/url/url_util.cc
|
|
+++ b/url/url_util.cc
|
|
@@ -131,6 +131,9 @@ struct SchemeRegistry {
|
|
kMaterializedViewScheme,
|
|
};
|
|
|
|
+ // Embedder schemes that have V8 code cache enabled in js and wasm scripts.
|
|
+ std::vector<std::string> code_cache_schemes = {};
|
|
+
|
|
// Schemes with a predefined default custom handler.
|
|
std::vector<SchemeWithHandler> predefined_handler_schemes;
|
|
|
|
@@ -667,6 +670,15 @@ const std::vector<std::string>& GetEmptyDocumentSchemes() {
|
|
return GetSchemeRegistry().empty_document_schemes;
|
|
}
|
|
|
|
+void AddCodeCacheScheme(const std::string_view new_scheme) {
|
|
+ DoAddScheme(new_scheme,
|
|
+ &GetSchemeRegistryWithoutLocking()->code_cache_schemes);
|
|
+}
|
|
+
|
|
+const std::vector<std::string>& GetCodeCacheSchemes() {
|
|
+ return GetSchemeRegistry().code_cache_schemes;
|
|
+}
|
|
+
|
|
void AddPredefinedHandlerScheme(std::string_view new_scheme,
|
|
std::string_view handler) {
|
|
DoAddSchemeWithHandler(
|
|
diff --git a/url/url_util.h b/url/url_util.h
|
|
index 1f9304c7ea5488a1c50891e3dabfa3a61af97b7b..f965c1dbd47781748d3091209d140a128ca7192f 100644
|
|
--- a/url/url_util.h
|
|
+++ b/url/url_util.h
|
|
@@ -115,6 +115,15 @@ COMPONENT_EXPORT(URL) const std::vector<std::string>& GetCSPBypassingSchemes();
|
|
COMPONENT_EXPORT(URL) void AddEmptyDocumentScheme(std::string_view new_scheme);
|
|
COMPONENT_EXPORT(URL) const std::vector<std::string>& GetEmptyDocumentSchemes();
|
|
|
|
+// Adds an application-defined scheme to the list of schemes that have V8 code
|
|
+// cache enabled for the js and wasm scripts.
|
|
+// The WebUI schemes (chrome/chrome-untrusted) do not belong to this list, as
|
|
+// they are treated as a separate cache type for security purpose.
|
|
+// The http(s) schemes do not belong to this list neither, they always have V8
|
|
+// code cache enabled.
|
|
+COMPONENT_EXPORT(URL) void AddCodeCacheScheme(std::string_view new_scheme);
|
|
+COMPONENT_EXPORT(URL) const std::vector<std::string>& GetCodeCacheSchemes();
|
|
+
|
|
// Adds a scheme with a predefined default handler.
|
|
//
|
|
// This pair of strings must be normalized protocol handler parameters as
|