Add ppapi::PERMISSION_PDF and ppapi::PERMISSION_CROSS_ORIGIN_URL_LOADS

Create a PDF permission for APIs specific to the PDF plugin. Also remove PERMISSION_PRIVATE from PDF as it does not need most of those APIs. One exception is the PPB_URLLoader_Trusted API for which we move permission checking to happen inside ppb_url_loader.cc. Bug: 821266 Change-Id: I5f174d1fd2bff6fb7475956d9b9c772474648515 Reviewed-on: https://chromium-review.googlesource.com/967907 Reviewed-by: John Abd-El-Malek <jam@chromium.org> Reviewed-by: Bill Budge <bbudge@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Raymes Khoury <raymes@chromium.org> Cr-Commit-Position: refs/heads/master@{#546345}
marcosholgado · Mar 28, 2018 · 85d754a · 85d754a
1 parent 61c0d46
commit 85d754a
Show file tree

Hide file tree

Showing 18 changed files with 75 additions and 34 deletions.
diff --git a/chrome/common/chrome_content_client.cc b/chrome/common/chrome_content_client.cc
@@ -112,8 +112,8 @@ const char kPDFPluginExtension[] = "pdf";
 const char kPDFPluginDescription[] = "Portable Document Format";
 const char kPDFPluginOutOfProcessMimeType[] =
     "application/x-google-chrome-pdf";
-const uint32_t kPDFPluginPermissions =
-    ppapi::PERMISSION_PRIVATE | ppapi::PERMISSION_DEV;
+const uint32_t kPDFPluginPermissions = ppapi::PERMISSION_PDF |
+                                       ppapi::PERMISSION_DEV;
 #endif  // BUILDFLAG(ENABLE_PDF)
 
 content::PepperPluginInfo::GetInterfaceFunc g_pdf_get_interface;

diff --git a/chrome/common/pepper_flash.cc b/chrome/common/pepper_flash.cc
@@ -21,6 +21,7 @@
 const int32_t kPepperFlashPermissions =
     ppapi::PERMISSION_DEV | ppapi::PERMISSION_PRIVATE |
     ppapi::PERMISSION_BYPASS_USER_GESTURE | ppapi::PERMISSION_FLASH;
+
 namespace {
 
 // File name of the Pepper Flash component manifest on different platforms.

diff --git a/chrome/common/ppapi_utils.cc b/chrome/common/ppapi_utils.cc
@@ -119,6 +119,7 @@ bool IsSupportedPepperInterface(const char* name) {
 #include "ppapi/thunk/interfaces_ppb_private.h"
 #include "ppapi/thunk/interfaces_ppb_private_flash.h"
 #include "ppapi/thunk/interfaces_ppb_private_no_permissions.h"
+#include "ppapi/thunk/interfaces_ppb_private_pdf.h"
 #include "ppapi/thunk/interfaces_ppb_public_dev.h"
 #include "ppapi/thunk/interfaces_ppb_public_dev_channel.h"
 #include "ppapi/thunk/interfaces_ppb_public_stable.h"

diff --git a/chrome/renderer/pepper/chrome_renderer_pepper_host_factory.cc b/chrome/renderer/pepper/chrome_renderer_pepper_host_factory.cc
@@ -69,7 +69,7 @@ ChromeRendererPepperHostFactory::CreateResourceHost(
   if (host_->GetPpapiHost()->permissions().HasPermission(
           ppapi::PERMISSION_FLASH) ||
       host_->GetPpapiHost()->permissions().HasPermission(
-          ppapi::PERMISSION_PRIVATE)) {
+          ppapi::PERMISSION_PDF)) {
     switch (message.type()) {
       case PpapiHostMsg_FlashFontFile_Create::ID: {
         ppapi::proxy::SerializedFontDescription description;
@@ -88,7 +88,7 @@ ChromeRendererPepperHostFactory::CreateResourceHost(
   }
 
   if (host_->GetPpapiHost()->permissions().HasPermission(
-          ppapi::PERMISSION_PRIVATE)) {
+          ppapi::PERMISSION_PDF)) {
     switch (message.type()) {
       case PpapiHostMsg_PDF_Create::ID: {
         return std::make_unique<pdf::PepperPDFHost>(host_, instance, resource);

diff --git a/content/renderer/pepper/pepper_plugin_instance_impl.cc b/content/renderer/pepper/pepper_plugin_instance_impl.cc
@@ -1571,7 +1571,7 @@ void PepperPluginInstanceImpl::StopFind() {
 }
 
 bool PepperPluginInstanceImpl::LoadFindInterface() {
-  if (!module_->permissions().HasPermission(ppapi::PERMISSION_PRIVATE))
+  if (!module_->permissions().HasPermission(ppapi::PERMISSION_PDF))
     return false;
   if (!plugin_find_interface_) {
     plugin_find_interface_ = static_cast<const PPP_Find_Private*>(

diff --git a/content/renderer/pepper/pepper_url_loader_host.cc b/content/renderer/pepper/pepper_url_loader_host.cc
@@ -309,11 +309,13 @@ int32_t PepperURLLoaderHost::OnHostMsgClose(
 
 int32_t PepperURLLoaderHost::OnHostMsgGrantUniversalAccess(
     ppapi::host::HostMessageContext* context) {
-  // Only plugins with private permission can bypass same origin.
-  if (!host()->permissions().HasPermission(ppapi::PERMISSION_PRIVATE))
-    return PP_ERROR_FAILED;
-  has_universal_access_ = true;
-  return PP_OK;
+  // Only plugins with permission can bypass same origin.
+  if (host()->permissions().HasPermission(ppapi::PERMISSION_PDF) ||
+      host()->permissions().HasPermission(ppapi::PERMISSION_FLASH)) {
+    has_universal_access_ = true;
+    return PP_OK;
+  }
+  return PP_ERROR_FAILED;
 }
 
 void PepperURLLoaderHost::SendUpdateToPlugin(

diff --git a/content/renderer/pepper/plugin_module.cc b/content/renderer/pepper/plugin_module.cc
@@ -406,6 +406,7 @@ const void* InternalGetInterface(const char* name) {
 #include "ppapi/thunk/interfaces_ppb_private.h"
 #include "ppapi/thunk/interfaces_ppb_private_flash.h"
 #include "ppapi/thunk/interfaces_ppb_private_no_permissions.h"
+#include "ppapi/thunk/interfaces_ppb_private_pdf.h"
 #include "ppapi/thunk/interfaces_ppb_public_dev.h"
 #include "ppapi/thunk/interfaces_ppb_public_dev_channel.h"
 #include "ppapi/thunk/interfaces_ppb_public_stable.h"

diff --git a/ppapi/api/trusted/ppb_url_loader_trusted.idl b/ppapi/api/trusted/ppb_url_loader_trusted.idl
@@ -11,6 +11,12 @@ label Chrome {
   M14 = 0.3
 };
 
+/**
+ * NOTE: Permission checks for functions added to this file must be done in
+ * pepper_url_loader.cc.
+ *
+ */
+
 /**
  * Callback that indicates the status of the download and upload for the
  * given URLLoader resource.

diff --git a/ppapi/c/trusted/ppb_url_loader_trusted.h b/ppapi/c/trusted/ppb_url_loader_trusted.h
@@ -3,7 +3,7 @@
  * found in the LICENSE file.
  */
 
-/* From trusted/ppb_url_loader_trusted.idl modified Wed Oct  5 14:06:02 2011. */
+/* From trusted/ppb_url_loader_trusted.idl modified Mon Mar 19 13:26:48 2018. */
 
 #ifndef PPAPI_C_TRUSTED_PPB_URL_LOADER_TRUSTED_H_
 #define PPAPI_C_TRUSTED_PPB_URL_LOADER_TRUSTED_H_
@@ -25,6 +25,11 @@
  * @addtogroup Typedefs
  * @{
  */
+/**
+ * NOTE: Permission checks for functions added to this file must be done in
+ * pepper_url_loader.cc.
+ *
+ */
 /**
  * Callback that indicates the status of the download and upload for the
  * given URLLoader resource.

diff --git a/ppapi/proxy/interface_list.cc b/ppapi/proxy/interface_list.cc
@@ -203,12 +203,16 @@ InterfaceList::InterfaceList() {
     Permission current_required_permission = PERMISSION_PRIVATE;
     #include "ppapi/thunk/interfaces_ppb_private.h"
   }
-  {
 #if !defined(OS_NACL)
+  {
     Permission current_required_permission = PERMISSION_FLASH;
     #include "ppapi/thunk/interfaces_ppb_private_flash.h"
-#endif  // !defined(OS_NACL)
   }
+  {
+    Permission current_required_permission = PERMISSION_PDF;
+    #include "ppapi/thunk/interfaces_ppb_private_pdf.h"
+  }
+#endif  // !defined(OS_NACL)
   {
     Permission current_required_permission = PERMISSION_DEV_CHANNEL;
     #include "ppapi/thunk/interfaces_ppb_public_dev_channel.h"
@@ -267,12 +271,11 @@ InterfaceList::InterfaceList() {
   // TODO(brettw) remove these.
   AddProxy(API_ID_PPB_INSTANCE_PRIVATE, &ProxyFactory<PPB_Instance_Proxy>);
   AddPPB(PPB_INSTANCE_PRIVATE_INTERFACE_0_1,
-         thunk::GetPPB_Instance_Private_0_1_Thunk(),
-         PERMISSION_PRIVATE);
+         thunk::GetPPB_Instance_Private_0_1_Thunk(), PERMISSION_PRIVATE);
 
   AddProxy(API_ID_PPB_VAR_DEPRECATED, &ProxyFactory<PPB_Var_Deprecated_Proxy>);
   AddPPB(PPB_VAR_DEPRECATED_INTERFACE,
-         PPB_Var_Deprecated_Proxy::GetProxyInterface(), PERMISSION_DEV);
+         PPB_Var_Deprecated_Proxy::GetProxyInterface(), PERMISSION_FLASH);
 
   // TODO(tomfinegan): Figure out where to put these once we refactor things
   // to load the PPP interface struct from the PPB interface.

diff --git a/ppapi/proxy/ppb_instance_proxy.cc b/ppapi/proxy/ppb_instance_proxy.cc
@@ -1003,7 +1003,7 @@ void PPB_Instance_Proxy::OnHostMsgGetDefaultCharSet(
 
 void PPB_Instance_Proxy::OnHostMsgSetPluginToHandleFindRequests(
     PP_Instance instance) {
-  if (!dispatcher()->permissions().HasPermission(PERMISSION_PRIVATE))
+  if (!dispatcher()->permissions().HasPermission(PERMISSION_PDF))
     return;
   EnterInstanceNoLock enter(instance);
   if (enter.succeeded())
@@ -1014,7 +1014,7 @@ void PPB_Instance_Proxy::OnHostMsgNumberOfFindResultsChanged(
     PP_Instance instance,
     int32_t total,
     PP_Bool final_result) {
-  if (!dispatcher()->permissions().HasPermission(PERMISSION_PRIVATE))
+  if (!dispatcher()->permissions().HasPermission(PERMISSION_PDF))
     return;
   EnterInstanceNoLock enter(instance);
   if (enter.succeeded()) {
@@ -1026,7 +1026,7 @@ void PPB_Instance_Proxy::OnHostMsgNumberOfFindResultsChanged(
 void PPB_Instance_Proxy::OnHostMsgSelectFindResultChanged(
     PP_Instance instance,
     int32_t index) {
-  if (!dispatcher()->permissions().HasPermission(PERMISSION_PRIVATE))
+  if (!dispatcher()->permissions().HasPermission(PERMISSION_PDF))
     return;
   EnterInstanceNoLock enter(instance);
   if (enter.succeeded())
@@ -1036,7 +1036,7 @@ void PPB_Instance_Proxy::OnHostMsgSelectFindResultChanged(
 void PPB_Instance_Proxy::OnHostMsgSetTickmarks(
     PP_Instance instance,
     const std::vector<PP_Rect>& tickmarks) {
-  if (!dispatcher()->permissions().HasPermission(PERMISSION_PRIVATE))
+  if (!dispatcher()->permissions().HasPermission(PERMISSION_PDF))
     return;
   const PP_Rect* array = tickmarks.empty() ? NULL : &tickmarks[0];
   EnterInstanceNoLock enter(instance);

diff --git a/ppapi/proxy/ppb_var_deprecated_proxy.cc b/ppapi/proxy/ppb_var_deprecated_proxy.cc
@@ -317,7 +317,7 @@ const PPB_Var_Deprecated* PPB_Var_Deprecated_Proxy::GetProxyInterface() {
 }
 
 bool PPB_Var_Deprecated_Proxy::OnMessageReceived(const IPC::Message& msg) {
-  if (!dispatcher()->permissions().HasPermission(PERMISSION_DEV))
+  if (!dispatcher()->permissions().HasPermission(PERMISSION_FLASH))
     return false;
 
   // Prevent the dispatcher from going away during a call to Call or other

diff --git a/ppapi/proxy/ppp_class_proxy.cc b/ppapi/proxy/ppp_class_proxy.cc
@@ -36,7 +36,7 @@ ObjectProxy* ToObjectProxy(void* data) {
   ObjectProxy* obj = reinterpret_cast<ObjectProxy*>(data);
   if (!obj || !obj->dispatcher)
     return NULL;
-  if (!obj->dispatcher->permissions().HasPermission(PERMISSION_DEV))
+  if (!obj->dispatcher->permissions().HasPermission(PERMISSION_FLASH))
     return NULL;
   return obj;
 }

diff --git a/ppapi/shared_impl/ppapi_permissions.h b/ppapi/shared_impl/ppapi_permissions.h
@@ -37,15 +37,17 @@ enum Permission {
   // Chrome.
   PERMISSION_DEV_CHANNEL = 1 << 5,
 
+  // PDF-related interfaces.
+  PERMISSION_PDF = 1 << 6,
+
   // NOTE: If you add stuff be sure to update PERMISSION_ALL_BITS.
 
   // Meta permission for initializing plugins registered on the command line
   // that get all permissions.
   PERMISSION_ALL_BITS = PERMISSION_DEV | PERMISSION_PRIVATE |
-                        PERMISSION_BYPASS_USER_GESTURE |
-                        PERMISSION_TESTING |
-                        PERMISSION_FLASH |
-                        PERMISSION_DEV_CHANNEL
+                        PERMISSION_BYPASS_USER_GESTURE | PERMISSION_TESTING |
+                        PERMISSION_FLASH | PERMISSION_DEV_CHANNEL |
+                        PERMISSION_PDF
 };
 
 class PPAPI_SHARED_EXPORT PpapiPermissions {

diff --git a/ppapi/thunk/interfaces_ppb_private.h b/ppapi/thunk/interfaces_ppb_private.h
@@ -5,6 +5,8 @@
 // Please see inteface_ppb_public_stable for the documentation on the format of
 // this file.
 
+// no-include-guard-because-multiply-included
+
 #include "ppapi/thunk/interfaces_preamble.h"
 
 // See interfaces_ppb_private_no_permissions.h for other private interfaces.
@@ -33,20 +35,14 @@ PROXIED_IFACE(PPB_FILECHOOSER_TRUSTED_INTERFACE_0_6,
               PPB_FileChooserTrusted_0_6)
 PROXIED_IFACE(PPB_FILEREFPRIVATE_INTERFACE_0_1,
               PPB_FileRefPrivate_0_1)
-PROXIED_IFACE(PPB_FIND_PRIVATE_INTERFACE_0_3,
-              PPB_Find_Private_0_3)
 PROXIED_IFACE(PPB_FLASHFULLSCREEN_INTERFACE_0_1,
               PPB_FlashFullscreen_0_1)
 PROXIED_IFACE(PPB_FLASHFULLSCREEN_INTERFACE_1_0,
               PPB_FlashFullscreen_0_1)
 PROXIED_IFACE(PPB_OUTPUTPROTECTION_PRIVATE_INTERFACE_0_1,
               PPB_OutputProtection_Private_0_1)
-PROXIED_IFACE(PPB_PDF_INTERFACE,
-              PPB_PDF)
 PROXIED_IFACE(PPB_PLATFORMVERIFICATION_PRIVATE_INTERFACE_0_3,
               PPB_PlatformVerification_Private_0_3)
-PROXIED_IFACE(PPB_URLLOADERTRUSTED_INTERFACE_0_3,
-              PPB_URLLoaderTrusted_0_3)
 #endif  // !defined(OS_NACL)
 
 #include "ppapi/thunk/interfaces_postamble.h"
diff --git a/ppapi/thunk/interfaces_ppb_private_no_permissions.h b/ppapi/thunk/interfaces_ppb_private_no_permissions.h
@@ -56,4 +56,8 @@ PROXIED_IFACE(PPB_VIDEOSOURCE_PRIVATE_INTERFACE_0_1,
 PROXIED_IFACE(PPB_UMA_PRIVATE_INTERFACE_0_3,
               PPB_UMA_Private_0_3)
 
+// This has permission checks done in pepper_url_loader_host.cc
+PROXIED_IFACE(PPB_URLLOADERTRUSTED_INTERFACE_0_3,
+              PPB_URLLoaderTrusted_0_3)
+
 #include "ppapi/thunk/interfaces_postamble.h"
diff --git a/ppapi/thunk/interfaces_ppb_private_pdf.h b/ppapi/thunk/interfaces_ppb_private_pdf.h
@@ -0,0 +1,19 @@
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Please see inteface_ppb_public_stable for the documentation on the format of
+// this file.
+
+// no-include-guard-because-multiply-included
+
+#include "ppapi/thunk/interfaces_preamble.h"
+
+// See interfaces_ppb_private_no_permissions.h for other private interfaces.
+
+#if !defined(OS_NACL)
+PROXIED_IFACE(PPB_PDF_INTERFACE, PPB_PDF)
+PROXIED_IFACE(PPB_FIND_PRIVATE_INTERFACE_0_3, PPB_Find_Private_0_3)
+#endif  // !defined(OS_NACL)
+
+#include "ppapi/thunk/interfaces_postamble.h"
diff --git a/ppapi/thunk/thunk.h b/ppapi/thunk/thunk.h
@@ -19,11 +19,12 @@
   } }
 
 #include "ppapi/thunk/interfaces_ppb_private.h"
-#include "ppapi/thunk/interfaces_ppb_private_no_permissions.h"
 #include "ppapi/thunk/interfaces_ppb_private_flash.h"
-#include "ppapi/thunk/interfaces_ppb_public_stable.h"
+#include "ppapi/thunk/interfaces_ppb_private_no_permissions.h"
+#include "ppapi/thunk/interfaces_ppb_private_pdf.h"
 #include "ppapi/thunk/interfaces_ppb_public_dev.h"
 #include "ppapi/thunk/interfaces_ppb_public_dev_channel.h"
+#include "ppapi/thunk/interfaces_ppb_public_stable.h"
 
 #undef PROXIED_IFACE