1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/renderer/pepper/pepper_flash_renderer_host.h"
6
7#include <map>
8#include <vector>
9
10#include "base/lazy_instance.h"
11#include "base/metrics/histogram.h"
12#include "base/strings/string_util.h"
13#include "components/pdf/renderer/ppb_pdf_impl.h"
14#include "content/public/renderer/pepper_plugin_instance.h"
15#include "content/public/renderer/render_thread.h"
16#include "content/public/renderer/renderer_ppapi_host.h"
17#include "ipc/ipc_message_macros.h"
18#include "net/http/http_util.h"
19#include "ppapi/c/pp_errors.h"
20#include "ppapi/c/trusted/ppb_browser_font_trusted.h"
21#include "ppapi/host/dispatch_host_message.h"
22#include "ppapi/proxy/host_dispatcher.h"
23#include "ppapi/proxy/ppapi_messages.h"
24#include "ppapi/proxy/resource_message_params.h"
25#include "ppapi/proxy/serialized_structs.h"
26#include "ppapi/thunk/enter.h"
27#include "ppapi/thunk/ppb_image_data_api.h"
28#include "skia/ext/platform_canvas.h"
29#include "third_party/skia/include/core/SkCanvas.h"
30#include "third_party/skia/include/core/SkMatrix.h"
31#include "third_party/skia/include/core/SkPaint.h"
32#include "third_party/skia/include/core/SkPoint.h"
33#include "third_party/skia/include/core/SkTemplates.h"
34#include "third_party/skia/include/core/SkTypeface.h"
35#include "ui/gfx/rect.h"
36#include "url/gurl.h"
37
38using ppapi::thunk::EnterResourceNoLock;
39using ppapi::thunk::PPB_ImageData_API;
40
41namespace {
42
43// Some non-simple HTTP request headers that Flash may set.
44// (Please see http://www.w3.org/TR/cors/#simple-header for the definition of
45// simple headers.)
46//
47// The list and the enum defined below are used to collect data about request
48// headers used in PPB_Flash.Navigate() calls, in order to understand the impact
49// of rejecting PPB_Flash.Navigate() requests with non-simple headers.
50//
51// TODO(yzshen): We should be able to remove the histogram recording code once
52// we get the answer.
53const char* kRejectedHttpRequestHeaders[] = {
54    "authorization",     //
55    "cache-control",     //
56    "content-encoding",  //
57    "content-md5",       //
58    "content-type",      // If the media type is not one of those covered by the
59                         // simple header definition.
60    "expires",           //
61    "from",              //
62    "if-match",          //
63    "if-none-match",     //
64    "if-range",          //
65    "if-unmodified-since",  //
66    "pragma",               //
67    "referer"               //
68};
69
70// Please note that new entries should be added right above
71// FLASH_NAVIGATE_USAGE_ENUM_COUNT, and existing entries shouldn't be re-ordered
72// or removed, since this ordering is used in a histogram.
73enum FlashNavigateUsage {
74  // This section must be in the same order as kRejectedHttpRequestHeaders.
75  REJECT_AUTHORIZATION = 0,
76  REJECT_CACHE_CONTROL,
77  REJECT_CONTENT_ENCODING,
78  REJECT_CONTENT_MD5,
79  REJECT_CONTENT_TYPE,
80  REJECT_EXPIRES,
81  REJECT_FROM,
82  REJECT_IF_MATCH,
83  REJECT_IF_NONE_MATCH,
84  REJECT_IF_RANGE,
85  REJECT_IF_UNMODIFIED_SINCE,
86  REJECT_PRAGMA,
87  REJECT_REFERER,
88
89  // The navigate request is rejected because of headers not listed above
90  // (e.g., custom headers).
91  REJECT_OTHER_HEADERS,
92
93  // Total number of rejected navigate requests.
94  TOTAL_REJECTED_NAVIGATE_REQUESTS,
95
96  // Total number of navigate requests.
97  TOTAL_NAVIGATE_REQUESTS,
98  FLASH_NAVIGATE_USAGE_ENUM_COUNT
99};
100
101static base::LazyInstance<std::map<std::string, FlashNavigateUsage> >
102    g_rejected_headers = LAZY_INSTANCE_INITIALIZER;
103
104bool IsSimpleHeader(const std::string& lower_case_header_name,
105                    const std::string& header_value) {
106  if (lower_case_header_name == "accept" ||
107      lower_case_header_name == "accept-language" ||
108      lower_case_header_name == "content-language") {
109    return true;
110  }
111
112  if (lower_case_header_name == "content-type") {
113    std::string lower_case_mime_type;
114    std::string lower_case_charset;
115    bool had_charset = false;
116    net::HttpUtil::ParseContentType(header_value,
117                                    &lower_case_mime_type,
118                                    &lower_case_charset,
119                                    &had_charset,
120                                    NULL);
121    return lower_case_mime_type == "application/x-www-form-urlencoded" ||
122           lower_case_mime_type == "multipart/form-data" ||
123           lower_case_mime_type == "text/plain";
124  }
125
126  return false;
127}
128
129void RecordFlashNavigateUsage(FlashNavigateUsage usage) {
130  DCHECK_NE(FLASH_NAVIGATE_USAGE_ENUM_COUNT, usage);
131  UMA_HISTOGRAM_ENUMERATION(
132      "Plugin.FlashNavigateUsage", usage, FLASH_NAVIGATE_USAGE_ENUM_COUNT);
133}
134
135}  // namespace
136
137PepperFlashRendererHost::PepperFlashRendererHost(
138    content::RendererPpapiHost* host,
139    PP_Instance instance,
140    PP_Resource resource)
141    : ResourceHost(host->GetPpapiHost(), instance, resource),
142      host_(host),
143      weak_factory_(this) {}
144
145PepperFlashRendererHost::~PepperFlashRendererHost() {
146  // This object may be destroyed in the middle of a sync message. If that is
147  // the case, make sure we respond to all the pending navigate calls.
148  std::vector<ppapi::host::ReplyMessageContext>::reverse_iterator it;
149  for (it = navigate_replies_.rbegin(); it != navigate_replies_.rend(); ++it)
150    SendReply(*it, IPC::Message());
151}
152
153int32_t PepperFlashRendererHost::OnResourceMessageReceived(
154    const IPC::Message& msg,
155    ppapi::host::HostMessageContext* context) {
156  PPAPI_BEGIN_MESSAGE_MAP(PepperFlashRendererHost, msg)
157    PPAPI_DISPATCH_HOST_RESOURCE_CALL(PpapiHostMsg_Flash_GetProxyForURL,
158                                      OnGetProxyForURL)
159    PPAPI_DISPATCH_HOST_RESOURCE_CALL(PpapiHostMsg_Flash_SetInstanceAlwaysOnTop,
160                                      OnSetInstanceAlwaysOnTop)
161    PPAPI_DISPATCH_HOST_RESOURCE_CALL(PpapiHostMsg_Flash_DrawGlyphs,
162                                      OnDrawGlyphs)
163    PPAPI_DISPATCH_HOST_RESOURCE_CALL(PpapiHostMsg_Flash_Navigate, OnNavigate)
164    PPAPI_DISPATCH_HOST_RESOURCE_CALL(PpapiHostMsg_Flash_IsRectTopmost,
165                                      OnIsRectTopmost)
166    PPAPI_DISPATCH_HOST_RESOURCE_CALL_0(PpapiHostMsg_Flash_InvokePrinting,
167                                        OnInvokePrinting)
168  PPAPI_END_MESSAGE_MAP()
169  return PP_ERROR_FAILED;
170}
171
172int32_t PepperFlashRendererHost::OnGetProxyForURL(
173    ppapi::host::HostMessageContext* host_context,
174    const std::string& url) {
175  GURL gurl(url);
176  if (!gurl.is_valid())
177    return PP_ERROR_FAILED;
178  std::string proxy;
179  bool result = content::RenderThread::Get()->ResolveProxy(gurl, &proxy);
180  if (!result)
181    return PP_ERROR_FAILED;
182  host_context->reply_msg = PpapiPluginMsg_Flash_GetProxyForURLReply(proxy);
183  return PP_OK;
184}
185
186int32_t PepperFlashRendererHost::OnSetInstanceAlwaysOnTop(
187    ppapi::host::HostMessageContext* host_context,
188    bool on_top) {
189  content::PepperPluginInstance* plugin_instance =
190      host_->GetPluginInstance(pp_instance());
191  if (plugin_instance)
192    plugin_instance->SetAlwaysOnTop(on_top);
193  // Since no reply is sent for this message, it doesn't make sense to return an
194  // error.
195  return PP_OK;
196}
197
198int32_t PepperFlashRendererHost::OnDrawGlyphs(
199    ppapi::host::HostMessageContext* host_context,
200    ppapi::proxy::PPBFlash_DrawGlyphs_Params params) {
201  if (params.glyph_indices.size() != params.glyph_advances.size() ||
202      params.glyph_indices.empty())
203    return PP_ERROR_FAILED;
204
205  // Set up the typeface.
206  int style = SkTypeface::kNormal;
207  if (static_cast<PP_BrowserFont_Trusted_Weight>(params.font_desc.weight) >=
208      PP_BROWSERFONT_TRUSTED_WEIGHT_BOLD)
209    style |= SkTypeface::kBold;
210  if (params.font_desc.italic)
211    style |= SkTypeface::kItalic;
212  skia::RefPtr<SkTypeface> typeface = skia::AdoptRef(SkTypeface::CreateFromName(
213      params.font_desc.face.c_str(), static_cast<SkTypeface::Style>(style)));
214  if (!typeface)
215    return PP_ERROR_FAILED;
216
217  EnterResourceNoLock<PPB_ImageData_API> enter(
218      params.image_data.host_resource(), true);
219  if (enter.failed())
220    return PP_ERROR_FAILED;
221
222  // Set up the canvas.
223  PPB_ImageData_API* image = static_cast<PPB_ImageData_API*>(enter.object());
224  SkCanvas* canvas = image->GetPlatformCanvas();
225  bool needs_unmapping = false;
226  if (!canvas) {
227    needs_unmapping = true;
228    image->Map();
229    canvas = image->GetPlatformCanvas();
230    if (!canvas)
231      return PP_ERROR_FAILED;  // Failure mapping.
232  }
233
234  SkAutoCanvasRestore acr(canvas, true);
235
236  // Clip is applied in pixels before the transform.
237  SkRect clip_rect = {
238      SkIntToScalar(params.clip.point.x), SkIntToScalar(params.clip.point.y),
239      SkIntToScalar(params.clip.point.x + params.clip.size.width),
240      SkIntToScalar(params.clip.point.y + params.clip.size.height)};
241  canvas->clipRect(clip_rect);
242
243  // Convert & set the matrix.
244  SkMatrix matrix;
245  matrix.set(SkMatrix::kMScaleX, SkFloatToScalar(params.transformation[0][0]));
246  matrix.set(SkMatrix::kMSkewX, SkFloatToScalar(params.transformation[0][1]));
247  matrix.set(SkMatrix::kMTransX, SkFloatToScalar(params.transformation[0][2]));
248  matrix.set(SkMatrix::kMSkewY, SkFloatToScalar(params.transformation[1][0]));
249  matrix.set(SkMatrix::kMScaleY, SkFloatToScalar(params.transformation[1][1]));
250  matrix.set(SkMatrix::kMTransY, SkFloatToScalar(params.transformation[1][2]));
251  matrix.set(SkMatrix::kMPersp0, SkFloatToScalar(params.transformation[2][0]));
252  matrix.set(SkMatrix::kMPersp1, SkFloatToScalar(params.transformation[2][1]));
253  matrix.set(SkMatrix::kMPersp2, SkFloatToScalar(params.transformation[2][2]));
254  canvas->concat(matrix);
255
256  SkPaint paint;
257  paint.setColor(params.color);
258  paint.setTextEncoding(SkPaint::kGlyphID_TextEncoding);
259  paint.setAntiAlias(true);
260  paint.setHinting(SkPaint::kFull_Hinting);
261  paint.setTextSize(SkIntToScalar(params.font_desc.size));
262  paint.setTypeface(typeface.get());  // Takes a ref and manages lifetime.
263  if (params.allow_subpixel_aa) {
264    paint.setSubpixelText(true);
265    paint.setLCDRenderText(true);
266  }
267
268  SkScalar x = SkIntToScalar(params.position.x);
269  SkScalar y = SkIntToScalar(params.position.y);
270
271  // Build up the skia advances.
272  size_t glyph_count = params.glyph_indices.size();
273  if (glyph_count) {
274    std::vector<SkPoint> storage;
275    storage.resize(glyph_count);
276    SkPoint* sk_positions = &storage[0];
277    for (uint32_t i = 0; i < glyph_count; i++) {
278      sk_positions[i].set(x, y);
279      x += SkFloatToScalar(params.glyph_advances[i].x);
280      y += SkFloatToScalar(params.glyph_advances[i].y);
281    }
282
283    canvas->drawPosText(
284        &params.glyph_indices[0], glyph_count * 2, sk_positions, paint);
285  }
286
287  if (needs_unmapping)
288    image->Unmap();
289
290  return PP_OK;
291}
292
293// CAUTION: This code is subtle because Navigate is a sync call which may
294// cause re-entrancy or cause the instance to be destroyed. If the instance
295// is destroyed we need to ensure that we respond to all outstanding sync
296// messages so that the plugin process does not remain blocked.
297int32_t PepperFlashRendererHost::OnNavigate(
298    ppapi::host::HostMessageContext* host_context,
299    const ppapi::URLRequestInfoData& data,
300    const std::string& target,
301    bool from_user_action) {
302  // If our PepperPluginInstance is already destroyed, just return a failure.
303  content::PepperPluginInstance* plugin_instance =
304      host_->GetPluginInstance(pp_instance());
305  if (!plugin_instance)
306    return PP_ERROR_FAILED;
307
308  std::map<std::string, FlashNavigateUsage>& rejected_headers =
309      g_rejected_headers.Get();
310  if (rejected_headers.empty()) {
311    for (size_t i = 0; i < arraysize(kRejectedHttpRequestHeaders); ++i)
312      rejected_headers[kRejectedHttpRequestHeaders[i]] =
313          static_cast<FlashNavigateUsage>(i);
314  }
315
316  net::HttpUtil::HeadersIterator header_iter(
317      data.headers.begin(), data.headers.end(), "\n\r");
318  bool rejected = false;
319  while (header_iter.GetNext()) {
320    std::string lower_case_header_name =
321        base::StringToLowerASCII(header_iter.name());
322    if (!IsSimpleHeader(lower_case_header_name, header_iter.values())) {
323      rejected = true;
324
325      std::map<std::string, FlashNavigateUsage>::const_iterator iter =
326          rejected_headers.find(lower_case_header_name);
327      FlashNavigateUsage usage =
328          iter != rejected_headers.end() ? iter->second : REJECT_OTHER_HEADERS;
329      RecordFlashNavigateUsage(usage);
330    }
331  }
332
333  RecordFlashNavigateUsage(TOTAL_NAVIGATE_REQUESTS);
334  if (rejected) {
335    RecordFlashNavigateUsage(TOTAL_REJECTED_NAVIGATE_REQUESTS);
336    return PP_ERROR_NOACCESS;
337  }
338
339  // Navigate may call into Javascript (e.g. with a "javascript:" URL),
340  // or do things like navigate away from the page, either one of which will
341  // need to re-enter into the plugin. It is safe, because it is essentially
342  // equivalent to NPN_GetURL, where Flash would expect re-entrancy.
343  ppapi::proxy::HostDispatcher* host_dispatcher =
344      ppapi::proxy::HostDispatcher::GetForInstance(pp_instance());
345  host_dispatcher->set_allow_plugin_reentrancy();
346
347  // Grab a weak pointer to ourselves on the stack so we can check if we are
348  // still alive.
349  base::WeakPtr<PepperFlashRendererHost> weak_ptr = weak_factory_.GetWeakPtr();
350  // Keep track of reply contexts in case we are destroyed during a Navigate
351  // call. Even if we are destroyed, we still need to send these replies to
352  // unblock the plugin process.
353  navigate_replies_.push_back(host_context->MakeReplyMessageContext());
354  plugin_instance->Navigate(data, target.c_str(), from_user_action);
355  // This object might have been destroyed by this point. If it is destroyed
356  // the reply will be sent in the destructor. Otherwise send the reply here.
357  if (weak_ptr.get()) {
358    SendReply(navigate_replies_.back(), IPC::Message());
359    navigate_replies_.pop_back();
360  }
361
362  // Return PP_OK_COMPLETIONPENDING so that no reply is automatically sent.
363  return PP_OK_COMPLETIONPENDING;
364}
365
366int32_t PepperFlashRendererHost::OnIsRectTopmost(
367    ppapi::host::HostMessageContext* host_context,
368    const PP_Rect& rect) {
369  content::PepperPluginInstance* plugin_instance =
370      host_->GetPluginInstance(pp_instance());
371  if (plugin_instance &&
372      plugin_instance->IsRectTopmost(gfx::Rect(
373          rect.point.x, rect.point.y, rect.size.width, rect.size.height)))
374    return PP_OK;
375  return PP_ERROR_FAILED;
376}
377
378int32_t PepperFlashRendererHost::OnInvokePrinting(
379    ppapi::host::HostMessageContext* host_context) {
380  pdf::PPB_PDF_Impl::InvokePrintingForInstance(pp_instance());
381  return PP_OK;
382}
383