File: bad_message.h

// Copyright 2015 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef COMPONENTS_PASSWORD_MANAGER_CONTENT_BROWSER_BAD_MESSAGE_H_
#define COMPONENTS_PASSWORD_MANAGER_CONTENT_BROWSER_BAD_MESSAGE_H_

#include "components/autofill/core/common/form_data.h"

namespace content {
class RenderFrameHost;
}

namespace password_manager {

// The browser process often chooses to terminate a renderer if it receives
// a bad IPC message. The reasons are tracked for metrics. This enum lists the
// reasons used by the password manager.
//
// See also content/browser/bad_message.h.
//
// NOTE: Do not remove or reorder elements in this list. Add new entries at the
// end. Items may be renamed but do not change the values. We rely on the enum
// values in histograms.
//
// Entries marked "obsolete" stay in the list with their original number;
// presumably this keeps a retired value from being reused for a new reason,
// which would mix two different kill reasons in the same histogram bucket.
enum class BadMessageReason {
  CPMD_BAD_ORIGIN_FORMS_PARSED_OBSOLETE = 1,    // obsolete
  CPMD_BAD_ORIGIN_FORMS_RENDERED_OBSOLETE = 2,  // obsolete
  CPMD_BAD_ORIGIN_FORM_SUBMITTED = 3,
  CPMD_BAD_ORIGIN_FOCUSED_PASSWORD_FORM_FOUND_OBSOLETE = 4,  // obsolete
  CPMD_BAD_ORIGIN_IN_PAGE_NAVIGATION_OBSOLETE = 5,           // obsolete
  CPMD_BAD_ORIGIN_PASSWORD_NO_LONGER_GENERATED = 6,
  CPMD_BAD_ORIGIN_PRESAVE_GENERATED_PASSWORD = 7,
  CPMD_BAD_ORIGIN_SAVE_GENERATION_FIELD_DETECTED_BY_CLASSIFIER_OBSOLETE =
      8,                                                // obsolete
  CPMD_BAD_ORIGIN_UPON_USER_INPUT_CHANGE_OBSOLETE = 9,  // obsolete
  CPMD_BAD_ORIGIN_AUTOMATIC_GENERATION_STATUS_CHANGED = 10,
  CPMD_BAD_ORIGIN_SHOW_MANUAL_PASSWORD_GENERATION_POPUP = 11,
  CPMD_BAD_ORIGIN_SHOW_PASSWORD_EDITING_POPUP_OBSOLETE = 12,    // obsolete
  CPMD_BAD_ORIGIN_GENERATION_AVAILABLE_FOR_FORM_OBSOLETE = 13,  // obsolete
  CPMD_BAD_ORIGIN_PRERENDERING = 14,
  CPMD_BAD_ORIGIN_NO_GENERATED_PASSWORD_TO_EDIT = 15,

  // Please add new elements here. The naming convention is abbreviated class
  // name (e.g. ContentPasswordManagerDriver becomes CPMD) plus a unique
  // description of the reason. After making changes, you MUST update
  // histograms.xml by running:
  // "python3 tools/metrics/histograms/update_bad_message_reasons.py"
  //
  // BAD_MESSAGE_MAX has no explicit value, so it is always one more than the
  // entry directly above it (16 with the list as it stands) and shifts each
  // time an entry is added. Presumably it serves as a bound rather than as a
  // reason to report -- confirm where the histogram is recorded.
  BAD_MESSAGE_MAX
};

// TODO(crbug.com/398857496): Add unit tests for the functions.
//
// Browser-side checks applied to password manager messages coming from a
// renderer. Every function below returns true when its check passes; when the
// check fails it kills the renderer and returns false.
//
// NOTE(review): none of these declarations is marked [[nodiscard]], so nothing
// in this header stops a caller from ignoring a false result and continuing to
// handle the rejected message -- confirm that every call site tests the result.
// NOTE(review): GURL and std::u16string are used below, but the only include
// visible in this header is form_data.h, so both names arrive transitively;
// consider including their defining headers directly.
namespace bad_message {

// Returns true if a password form operation is allowed to be performed on the
// URL specified by `form_url`, in the specified `frame`.  In particular,
// renderer-side logic should prevent any password manager usage for about:blank
// as well as data URLs, so this function returns false for those URLs and kills
// the renderer, as it might be exploited.
//
// Used as part of `CheckChildProcessSecurityPolicyForURL()` below. That
// function should be used for checking URLs sent in IPCs from the renderer,
// since it performs additional validation on the URL, whereas this function
// can be used on URLs retrieved from trusted browser-side state, such as from
// the RenderFrameHost itself. As described here, this function does not by
// itself check that the renderer process may access `form_url`, so it is not
// sufficient for a URL supplied by the renderer.
//
// `reason` is presumably the value recorded for metrics when the renderer is
// killed -- confirm in the implementation.
bool CheckForIllegalURL(content::RenderFrameHost* frame,
                        const GURL& form_url,
                        BadMessageReason reason);

// Returns true if the renderer for `frame` is allowed to perform an operation
// on a password form with the provided URL. This performs a security check
// using content::ChildProcessSecurityPolicy to make sure that `frame`'s process
// is allowed to access `form_url`, and also uses `CheckForIllegalURL()` to
// check for URLs that should be blocked on the renderer side, such as about:
// and data: URLs. If either check fails, terminates the renderer, as it might
// be exploited. This function should always be used to validate URLs that are
// sent in IPCs from the renderer.
//
// `reason` is presumably the value recorded for metrics when the renderer is
// killed -- confirm in the implementation.
// NOTE(review): this comment names "about:" URLs while the comment on
// `CheckForIllegalURL()` names only about:blank; confirm which set is actually
// rejected and align the two comments.
bool CheckChildProcessSecurityPolicyForURL(content::RenderFrameHost* frame,
                                           const GURL& form_url,
                                           BadMessageReason reason);

// Returns true if `frame` is not prerendering. Password manager updates are
// disallowed while prerendering, so the renderer is killed if `frame` is
// prerendering.
//
// Takes no BadMessageReason; presumably the kill is reported as
// BadMessageReason::CPMD_BAD_ORIGIN_PRERENDERING -- confirm in the
// implementation.
bool CheckFrameNotPrerendering(content::RenderFrameHost* frame);

// Returns true if `generated_password` isn't empty. Otherwise, kills the
// renderer.
//
// Emptiness is the only property this comment says is checked. Takes no
// BadMessageReason; presumably the kill is reported as
// BadMessageReason::CPMD_BAD_ORIGIN_NO_GENERATED_PASSWORD_TO_EDIT -- confirm in
// the implementation.
bool CheckGeneratedPassword(content::RenderFrameHost* frame,
                            const std::u16string& generated_password);

}  // namespace bad_message
}  // namespace password_manager

#endif  // COMPONENTS_PASSWORD_MANAGER_CONTENT_BROWSER_BAD_MESSAGE_H_