Index: Source/core/loader/DocumentLoader.cpp |
diff --git a/Source/core/loader/DocumentLoader.cpp b/Source/core/loader/DocumentLoader.cpp |
index abb7134c095ce4873624fbdcb14be8b8a0ad2476..fb20e2d604c8e7240fd46ec4596ffb01d35d796a 100644 |
--- a/Source/core/loader/DocumentLoader.cpp |
+++ b/Source/core/loader/DocumentLoader.cpp |
@@ -469,21 +469,6 @@ void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse |
if (response.appCacheID()) |
memoryCache()->remove(m_mainResource.get()); |
- DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral)); |
- HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader); |
- if (it != response.httpHeaderFields().end()) { |
- String content = it->value; |
- if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) { |
- String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; |
- RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message); |
- consoleMessage->setRequestIdentifier(mainResourceIdentifier()); |
- frame()->document()->addConsoleMessage(consoleMessage.release()); |
- |
- cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
- return; |
- } |
- } |
- |
m_contentSecurityPolicy = ContentSecurityPolicy::create(); |
m_contentSecurityPolicy->setOverrideURLForSelf(response.url()); |
m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response)); |
@@ -492,6 +477,25 @@ void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse |
return; |
} |
+ DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral)); |
+ |
+ // 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options |
+ if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) { |
+ HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader); |
+ if (it != response.httpHeaderFields().end()) { |
+ String content = it->value; |
+ if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) { |
+ String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."; |
+ RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message); |
+ consoleMessage->setRequestIdentifier(mainResourceIdentifier()); |
+ frame()->document()->addConsoleMessage(consoleMessage.release()); |
+ |
+ cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
+ return; |
+ } |
+ } |
+ } |
+ |
ASSERT(!mainResourceLoader() || !mainResourceLoader()->defersLoading()); |
m_response = response; |
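Review bot: The new guard at L33 skips X-Frame-Options entirely whenever `isFrameAncestorsEnforced()` is true, so clickjacking protection for such responses now rests on the frame-ancestors check having already cancelled the load before this point — that check is not visible in the hunk (the `return;` at L28 looks like its tail), and `responseReceived` starts and ends outside both hunks. A comment tying the two together would save the next reader from having to verify the ordering: `// Safe to skip X-Frame-Options: an enforced frame-ancestors directive was already evaluated above and cancelled the load on violation.` Two cases are worth pinning with tests rather than trusting the method name: a response carrying both `Content-Security-Policy-Report-Only: frame-ancestors 'none'` and `X-Frame-Options: DENY` must still be blocked by XFO, and a response whose enforced frame-ancestors allows the embedder must now render even with `X-Frame-Options: DENY` present, since that is the behaviour change this hunk introduces.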