OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/renderer_host/resource_loader.h" | 5 #include "content/browser/renderer_host/resource_loader.h" |
6 | 6 |
7 #include "base/message_loop.h" | 7 #include "base/message_loop.h" |
8 #include "base/time.h" | 8 #include "base/time.h" |
9 #include "content/browser/child_process_security_policy_impl.h" | 9 #include "content/browser/child_process_security_policy_impl.h" |
10 #include "content/browser/renderer_host/doomed_resource_handler.h" | 10 #include "content/browser/renderer_host/doomed_resource_handler.h" |
204 !ChildProcessSecurityPolicyImpl::GetInstance()-> | 204 !ChildProcessSecurityPolicyImpl::GetInstance()-> |
205 CanRequestURL(info->GetChildID(), new_url)) { | 205 CanRequestURL(info->GetChildID(), new_url)) { |
206 VLOG(1) << "Denied unauthorized request for " | 206 VLOG(1) << "Denied unauthorized request for " |
207 << new_url.possibly_invalid_spec(); | 207 << new_url.possibly_invalid_spec(); |
208 | 208 |
209 // Tell the renderer that this request was disallowed. | 209 // Tell the renderer that this request was disallowed. |
210 Cancel(); | 210 Cancel(); |
211 return; | 211 return; |
212 } | 212 } |
213 | 213 |
214 // This will block all of the Cross-site redirect for Sub_Frame. | |
215 // TODO(irobert): We should allow the following case: | |
216 // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html) | |
217 // do the server-side redirect to page (b.com/svrRedirect.php) which | |
218 // eventually redirect the iframe back to page (a.com/static.html). | |
219 // Since server-side redirect does not load the page into the render | |
220 // process, we are safe in this situation and should allow it. | |
221 // | |
222 // But we need to block the following case: | |
223 // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html) | |
224 // do the server-side redirect to page (b.com/clientRedirect.php) which | |
225 // eventually redirect the iframe back to page (a.com/static.html). | |
226 // Since client-side redirect DOES load the page into the render | |
227 // process, we should block it. | |
Charlie Reis
2012/11/29 22:00:54
This comment is correct. That makes me think we s
| |
228 if (!ChildProcessSecurityPolicyImpl::GetInstance()-> | |
229 CanLoadPage(info->GetChildID(), new_url, | |
230 info->GetResourceType())) { | |
231 // Tell the renderer that this request was disallowed. | |
232 Cancel(); | |
233 return; | |
234 } | |
235 | |
214 delegate_->DidReceiveRedirect(this, new_url); | 236 delegate_->DidReceiveRedirect(this, new_url); |
215 | 237 |
216 if (delegate_->HandleExternalProtocol(this, new_url)) { | 238 if (delegate_->HandleExternalProtocol(this, new_url)) { |
217 // The request is complete so we can remove it. | 239 // The request is complete so we can remove it. |
218 CancelAndIgnore(); | 240 CancelAndIgnore(); |
219 return; | 241 return; |
220 } | 242 } |
221 | 243 |
222 scoped_refptr<ResourceResponse> response(new ResourceResponse()); | 244 scoped_refptr<ResourceResponse> response(new ResourceResponse()); |
223 PopulateResourceResponse(request_.get(), response); | 245 PopulateResourceResponse(request_.get(), response); |
573 // we resume. | 595 // we resume. |
574 deferred_stage_ = DEFERRED_FINISH; | 596 deferred_stage_ = DEFERRED_FINISH; |
575 } | 597 } |
576 } | 598 } |
577 | 599 |
578 void ResourceLoader::CallDidFinishLoading() { | 600 void ResourceLoader::CallDidFinishLoading() { |
579 delegate_->DidFinishLoading(this); | 601 delegate_->DidFinishLoading(this); |
580 } | 602 } |
581 | 603 |
582 } // namespace content | 604 } // namespace content |
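Review bot: The new CanLoadPage denial (new lines 228-234) cancels the redirect silently, whereas the CanRequestURL denial directly above it logs the rejected URL. A blocked cross-site redirect will therefore be indistinguishable from any other cancelled request when someone triages a report; add a line such as `VLOG(1) << "Denied cross-site redirect to " << new_url.possibly_invalid_spec();` before `Cancel();`. The block comment also says only Sub_Frame redirects are blocked, but the call passes `info->GetResourceType()` for every resource type, so the sub-frame restriction presumably lives inside CanLoadPage, which is not visible here. Saying so in the comment would let a reader confirm the scope of the policy without leaving this file. The enclosing function starts outside the visible lines, so this applies only to the part shown.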