blob: b70d6ced887d2a2ecb576b20d79e7fc4272e2054 [file] [log] [blame]
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/common/secure_origin_whitelist.h"
#include "base/command_line.h"
#include "base/metrics/histogram_macros.h"
#include "base/numerics/safe_conversions.h"
#include "base/strings/string_split.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "chrome/common/chrome_switches.h"
#include "chrome/common/pref_names.h"
#include "components/prefs/pref_registry_simple.h"
#include "extensions/common/constants.h"
#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
#include "url/gurl.h"
#include "url/origin.h"
#include "url/scheme_host_port.h"
namespace {
// Given a hostname pattern with a wildcard such as "*", returns
// true if |hostname_pattern| meets both of these conditions:
// 1.) A string matching |hostname_pattern| is a valid hostname.
// 2.) Wildcards only appear beyond the eTLD+1. "*" is considered
// valid but "*.com" is not.
bool IsValidWildcardPattern(const std::string& hostname_pattern) {
// Replace wildcards with dummy values to check whether a matching origin is
// valid.
std::string wildcards_replaced;
if (!base::ReplaceChars(hostname_pattern, "*", "a", &wildcards_replaced))
return false;
// Construct a SchemeHostPort with a dummy scheme and port to check that the
// hostname is valid.
url::SchemeHostPort scheme_host_port(
GURL(base::StringPrintf("http://%s:80", wildcards_replaced.c_str())));
if (scheme_host_port.IsInvalid())
return false;
// Check that wildcards only appear beyond the eTLD+1.
size_t registry_length =
// std::string::npos should only be returned for empty inputs, which should be
// filtered out by the IsInvalid() check above.
CHECK(registry_length != std::string::npos);
// If there is no registrar portion, the pattern is considered invalid.
if (registry_length == 0)
return false;
// If there is no component before the registrar portion, or if the component
// immediately preceding the registrar portion contains a wildcard, the
// pattern is not considered valid.
std::string host_before_registrar =
hostname_pattern.substr(0, hostname_pattern.size() - registry_length);
std::vector<std::string> components =
base::SplitString(host_before_registrar, ".", base::KEEP_WHITESPACE,
if (components.size() == 0)
return false;
if (components.back().find("*") != std::string::npos)
return false;
return true;
// Canonicalizes each component of |hostname_pattern|, making no changes to
// wildcard components or components that fail canonicalization. For example,
// given a |hostname_pattern| of "TeSt.*", the output will be
// "test.*".
std::string CanonicalizePatternComponents(const std::string& hostname_pattern) {
std::string canonical_host; // Do not modify outside of canon_output.
url::StdStringCanonOutput canon_output(&canonical_host);
for (size_t current = 0; current < hostname_pattern.length(); current++) {
size_t begin = current;
// Advance to next "." or end.
current = hostname_pattern.find('.', begin);
if (current == std::string::npos)
current = hostname_pattern.length();
// Try to append the canonicalized version of this component.
int current_len = base::checked_cast<int>(current - begin);
if (hostname_pattern.substr(begin, current_len) == "*" ||
url::Component(base::checked_cast<int>(begin), current_len),
&canon_output)) {
// Failed to canonicalize this component; append as-is.
canon_output.Append(hostname_pattern.substr(begin, current_len).data(),
if (current < hostname_pattern.length())
return canonical_host;
} // namespace
namespace secure_origin_whitelist {
std::vector<std::string> ParseWhitelist(const std::string& origins_str) {
std::vector<std::string> origin_patterns;
for (const std::string& origin_str : base::SplitString(
origins_str, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) {
if (origin_str.find("*") != std::string::npos) {
if (IsValidWildcardPattern(origin_str)) {
std::string canonicalized_pattern =
if (!canonicalized_pattern.empty()) {
LOG(ERROR) << "Whitelisted secure origin pattern " << origin_str
<< " is not valid; ignoring.";
// Drop .unique() origins, as they are unequal to any other origins.
url::Origin origin(url::Origin::Create(GURL(origin_str)));
if (!origin.opaque())
#if defined(OS_CHROMEOS)
// For Crostini, we allow access to the default VM/container as a secure
// origin via the hostname penguin.linux.test. We are required to use a
// wildcard for the prefix because we do not know what the port number is.
return origin_patterns;
std::vector<std::string> GetWhitelist() {
// If kUnsafelyTreatInsecureOriginAsSecure option is given, then treat the
// value as a comma-separated list of origins or origin patterns. Callers that
// need to also check the kUnsafelyTreatInsecureOriginAsSecure pref value must
// instead use ParseWhitelist directly (as there is no way for GetWhitelist()
// to access prefs). For renderer processes the pref and the switch will
// match, but for non-renderer processes the switch may not be set.
const base::CommandLine& command_line =
std::string origins_str = "";
if (command_line.HasSwitch(switches::kUnsafelyTreatInsecureOriginAsSecure)) {
origins_str = command_line.GetSwitchValueASCII(
return ParseWhitelist(origins_str);
std::set<std::string> GetSchemesBypassingSecureContextCheck() {
std::set<std::string> schemes;
return schemes;
void RegisterProfilePrefs(PrefRegistrySimple* registry) {
/* default_value */ "");
} // namespace secure_origin_whitelist