src/chrome/browser/renderer_security_policy.h - chromium/src - Git at Google

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef CHROME_BROWSER_RENDERER_SECURITY_POLICY_H__
 #define CHROME_BROWSER_RENDERER_SECURITY_POLICY_H__

 #include <string>
 #include <map>
 #include <set>

 #include "base/basictypes.h"
 #include "base/lock.h"
 #include "base/singleton.h"

 class GURL;

 // The RendererSecurityPolicy class is used to grant and revoke security
 // capabilities for renderers.  For example, it restricts whether a renderer
 // is permmitted to loaded file:// URLs based on whether the renderer has ever
 // been commanded to load file:// URLs by the browser.
 //
 // RendererSecurityPolicy is a singleton that may be used on any thread.
 //
 class RendererSecurityPolicy {
  public:
   // There is one global RendererSecurityPolicy object for the entire browser
   // processes.  The object returned by this method may be accessed on any
   // thread.
   static RendererSecurityPolicy* GetInstance();

   // Web-safe schemes can be requested by any renderer.  Once a web-safe scheme
   // has been registered, any renderer processes can request URLs with that
   // scheme.  There is no mechanism for revoking web-safe schemes.
   void RegisterWebSafeScheme(const std::string& scheme);

   // Returns true iff |scheme| has been registered as a web-safe scheme.
   bool IsWebSafeScheme(const std::string& scheme);

   // Pseudo schemes are treated differently than other schemes because they
   // cannot be requested like normal URLs.  There is no mechanism for revoking
   // pseudo schemes.
   void RegisterPseudoScheme(const std::string& scheme);

   // Returns true iff |scheme| has been registered as pseudo scheme.
   bool IsPseudoScheme(const std::string& scheme);

   // Upon creation, render processes should register themselves by calling this
   // this method exactly once.
   void Add(int renderer_id);

   // Upon destruction, render processess should unregister themselves by caling
   // this method exactly once.
   void Remove(int renderer_id);

   // Whenever the browser processes commands the renderer to request a URL, it
   // should call this method to grant the renderer process the capability to
   // request the URL.
   void GrantRequestURL(int renderer_id, const GURL& url);

   // Whenever the user picks a file from a <input type="file"> element, the
   // browser should call this function to grant the renderer the capability to
   // upload the file to the web.
   void GrantUploadFile(int renderer_id, const std::wstring& file);

   // Whenever the browser processes commands the renderer to run web inspector,
   // it should call this method to grant the renderer process the capability to
   // run the inspector.
   void GrantInspectElement(int renderer_id);

   // Grant this renderer the ability to use DOM UI Bindings.
   void GrantDOMUIBindings(int renderer_id);

   // Before servicing a renderer's request for a URL, the browser should call
   // this method to determine whether the renderer has the capability to
   // request the URL.
   bool CanRequestURL(int renderer_id, const GURL& url);

   // Before servicing a renderer's request to upload a file to the web, the
   // browser should call this method to determine whether the renderer has the
   // capability to upload the requested file.
   bool CanUploadFile(int renderer_id, const std::wstring& file);

   // Returns true of the specified renderer_id has been granted DOMUIBindings.
   // The browser should check this property before assuming the renderer is
   // allowed to use DOMUIBindings.
   bool HasDOMUIBindings(int renderer_id);

  private:
   class SecurityState;

   typedef std::set<std::string> SchemeSet;
   typedef std::map<int, SecurityState*> SecurityStateMap;

   // Obtain an instance of RendererSecurityPolicy via GetInstance().
   RendererSecurityPolicy();
   friend struct DefaultSingletonTraits<RendererSecurityPolicy>;

   // You must acquire this lock before reading or writing any members of this
   // class.  You must not block while holding this lock.
   Lock lock_;

   // These schemes are white-listed for all renderers.  This set is protected
   // by |lock_|.
   SchemeSet web_safe_schemes_;

   // These schemes do not actually represent retrievable URLs.  For example,
   // the the URLs in the "about" scheme are aliases to other URLs.  This set is
   // protected by |lock_|.
   SchemeSet pseudo_schemes_;

   // This map holds a SecurityState for each renderer process.  The key for the
   // map is the ID of the RenderProcessHost.  The SecurityState objects are
   // owned by this object and are protected by |lock_|.  References to them must
   // not escape this class.
   SecurityStateMap security_state_;

   DISALLOW_EVIL_CONSTRUCTORS(RendererSecurityPolicy);
 };

 #endif  // CHROME_BROWSER_RENDERER_SECURITY_POLICY_H__
	// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef CHROME_BROWSER_RENDERER_SECURITY_POLICY_H__
	#define CHROME_BROWSER_RENDERER_SECURITY_POLICY_H__

	#include <string>
	#include <map>
	#include <set>

	#include "base/basictypes.h"
	#include "base/lock.h"
	#include "base/singleton.h"

	class GURL;

	// The RendererSecurityPolicy class is used to grant and revoke security
	// capabilities for renderers. For example, it restricts whether a renderer
	// is permmitted to loaded file:// URLs based on whether the renderer has ever
	// been commanded to load file:// URLs by the browser.
	//
	// RendererSecurityPolicy is a singleton that may be used on any thread.
	//
	class RendererSecurityPolicy {
	public:
	// There is one global RendererSecurityPolicy object for the entire browser
	// processes. The object returned by this method may be accessed on any
	// thread.
	static RendererSecurityPolicy* GetInstance();

	// Web-safe schemes can be requested by any renderer. Once a web-safe scheme
	// has been registered, any renderer processes can request URLs with that
	// scheme. There is no mechanism for revoking web-safe schemes.
	void RegisterWebSafeScheme(const std::string& scheme);

	// Returns true iff \|scheme\| has been registered as a web-safe scheme.
	bool IsWebSafeScheme(const std::string& scheme);

	// Pseudo schemes are treated differently than other schemes because they
	// cannot be requested like normal URLs. There is no mechanism for revoking
	// pseudo schemes.
	void RegisterPseudoScheme(const std::string& scheme);

	// Returns true iff \|scheme\| has been registered as pseudo scheme.
	bool IsPseudoScheme(const std::string& scheme);

	// Upon creation, render processes should register themselves by calling this
	// this method exactly once.
	void Add(int renderer_id);

	// Upon destruction, render processess should unregister themselves by caling
	// this method exactly once.
	void Remove(int renderer_id);

	// Whenever the browser processes commands the renderer to request a URL, it
	// should call this method to grant the renderer process the capability to
	// request the URL.
	void GrantRequestURL(int renderer_id, const GURL& url);

	// Whenever the user picks a file from a <input type="file"> element, the
	// browser should call this function to grant the renderer the capability to
	// upload the file to the web.
	void GrantUploadFile(int renderer_id, const std::wstring& file);

	// Whenever the browser processes commands the renderer to run web inspector,
	// it should call this method to grant the renderer process the capability to
	// run the inspector.
	void GrantInspectElement(int renderer_id);

	// Grant this renderer the ability to use DOM UI Bindings.
	void GrantDOMUIBindings(int renderer_id);

	// Before servicing a renderer's request for a URL, the browser should call
	// this method to determine whether the renderer has the capability to
	// request the URL.
	bool CanRequestURL(int renderer_id, const GURL& url);

	// Before servicing a renderer's request to upload a file to the web, the
	// browser should call this method to determine whether the renderer has the
	// capability to upload the requested file.
	bool CanUploadFile(int renderer_id, const std::wstring& file);

	// Returns true of the specified renderer_id has been granted DOMUIBindings.
	// The browser should check this property before assuming the renderer is
	// allowed to use DOMUIBindings.
	bool HasDOMUIBindings(int renderer_id);

	private:
	class SecurityState;

	typedef std::set<std::string> SchemeSet;
	typedef std::map<int, SecurityState*> SecurityStateMap;

	// Obtain an instance of RendererSecurityPolicy via GetInstance().
	RendererSecurityPolicy();
	friend struct DefaultSingletonTraits<RendererSecurityPolicy>;

	// You must acquire this lock before reading or writing any members of this
	// class. You must not block while holding this lock.
	Lock lock_;

	// These schemes are white-listed for all renderers. This set is protected
	// by \|lock_\|.
	SchemeSet web_safe_schemes_;

	// These schemes do not actually represent retrievable URLs. For example,
	// the the URLs in the "about" scheme are aliases to other URLs. This set is
	// protected by \|lock_\|.
	SchemeSet pseudo_schemes_;

	// This map holds a SecurityState for each renderer process. The key for the
	// map is the ID of the RenderProcessHost. The SecurityState objects are
	// owned by this object and are protected by \|lock_\|. References to them must
	// not escape this class.
	SecurityStateMap security_state_;

	DISALLOW_EVIL_CONSTRUCTORS(RendererSecurityPolicy);
	};

	#endif // CHROME_BROWSER_RENDERER_SECURITY_POLICY_H__