Index: content/browser/renderer_host/resource_loader.cc |
diff --git a/content/browser/renderer_host/resource_loader.cc b/content/browser/renderer_host/resource_loader.cc |
index be893d7c97440ff2068932fe1b17f50374fdd48b..f167ad440e95c57f016845ee99ba4ff503c0e19a 100644 |
--- a/content/browser/renderer_host/resource_loader.cc |
+++ b/content/browser/renderer_host/resource_loader.cc |
@@ -211,6 +211,28 @@ void ResourceLoader::OnReceivedRedirect(net::URLRequest* unused, |
return; |
} |
+ // This will block all of the Cross-site redirect for Sub_Frame. |
+ // TODO(irobert): We should allow the following case: |
+ // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html) |
+ // do the server-side redirect to page (b.com/svrRedirect.php) which |
+ // eventually redirect the iframe back to page (a.com/static.html). |
+ // Since server-side redirect does not load the page into the render |
+ // process, we are safe in this situation and should allow it. |
+ // |
+ // But we need to block the following case: |
+ // Iframe page (a.com/svrRedirect.php) in page (a.com/index.html) |
+ // do the server-side redirect to page (b.com/clientRedirect.php) which |
+ // eventually redirect the iframe back to page (a.com/static.html). |
+ // Since client-side redirect DOES load the page into the render |
+ // process, we should block it. |
Charlie Reis
2012/11/29 22:00:54
This comment is correct. That makes me think we s
|
+ if (!ChildProcessSecurityPolicyImpl::GetInstance()-> |
+ CanLoadPage(info->GetChildID(), new_url, |
+ info->GetResourceType())) { |
+ // Tell the renderer that this request was disallowed. |
+ Cancel(); |
+ return; |
+ } |
+ |
delegate_->DidReceiveRedirect(this, new_url); |
if (delegate_->HandleExternalProtocol(this, new_url)) { |