| Index: Source/core/loader/DocumentLoader.cpp
|
| diff --git a/Source/core/loader/DocumentLoader.cpp b/Source/core/loader/DocumentLoader.cpp
|
| index abb7134c095ce4873624fbdcb14be8b8a0ad2476..fb20e2d604c8e7240fd46ec4596ffb01d35d796a 100644
|
| --- a/Source/core/loader/DocumentLoader.cpp
|
| +++ b/Source/core/loader/DocumentLoader.cpp
|
| @@ -469,21 +469,6 @@ void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse
|
| if (response.appCacheID())
|
| memoryCache()->remove(m_mainResource.get());
|
|
|
| - DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral));
|
| - HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader);
|
| - if (it != response.httpHeaderFields().end()) {
|
| - String content = it->value;
|
| - if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
|
| - String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
|
| - RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message);
|
| - consoleMessage->setRequestIdentifier(mainResourceIdentifier());
|
| - frame()->document()->addConsoleMessage(consoleMessage.release());
|
| -
|
| - cancelLoadAfterXFrameOptionsOrCSPDenied(response);
|
| - return;
|
| - }
|
| - }
|
| -
|
| m_contentSecurityPolicy = ContentSecurityPolicy::create();
|
| m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
|
| m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
|
| @@ -492,6 +477,25 @@ void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse
|
| return;
|
| }
|
|
|
| + DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral));
|
| +
|
| + // 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
|
| + if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
|
| + HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader);
|
| + if (it != response.httpHeaderFields().end()) {
|
| + String content = it->value;
|
| + if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
|
| + String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
|
| + RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message);
|
| + consoleMessage->setRequestIdentifier(mainResourceIdentifier());
|
| + frame()->document()->addConsoleMessage(consoleMessage.release());
|
| +
|
| + cancelLoadAfterXFrameOptionsOrCSPDenied(response);
|
| + return;
|
| + }
|
| + }
|
| + }
|
| +
|
| ASSERT(!mainResourceLoader() || !mainResourceLoader()->defersLoading());
|
|
|
| m_response = response;
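Review bot: The guard at `if (!m_contentSecurityPolicy->isFrameAncestorsEnforced())` drops X-Frame-Options silently, so a response that sends both `X-Frame-Options: DENY` and a more permissive enforced `frame-ancestors` is now framed with nothing in the console saying the header was overridden, which makes a changed framing decision hard to diagnose from the page side. Skipping the header is what the linked spec calls for, but the override is worth surfacing, and the existing comment could also state the caveat the method name implies — that a report-only `frame-ancestors` is presumably not enough to disable the header, which is worth confirming against `isFrameAncestorsEnforced()` since its body is not visible here. I would look up the header first and branch on the enforced-policy check inside, emitting a warning-level console message (assuming a `WarningMessageLevel` exists alongside `ErrorMessageLevel`) when the header is present but ignored, and leaving the refusal path as is. `responseReceived` begins before this hunk and the `return;` at its top belongs to an earlier check whose condition is outside the hunk, so the ordering relative to that exit should be re-checked when applying this.
```cpp
    // 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
    // Only an *enforced* policy disables the header; a report-only frame-ancestors leaves it in effect.
    HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader);
    if (it != response.httpHeaderFields().end()) {
        String content = it->value;
        if (m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
            // Make the override visible so a DENY/SAMEORIGIN header that no longer applies is not a silent surprise.
            RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, WarningMessageLevel,
                "'X-Frame-Options' header ignored because the response also set an enforced 'frame-ancestors' directive.");
            consoleMessage->setRequestIdentifier(mainResourceIdentifier());
            frame()->document()->addConsoleMessage(consoleMessage.release());
        } else if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
            // … unchanged: "Refused to display" console error, cancelLoadAfterXFrameOptionsOrCSPDenied(response), return …
        }
    }
```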
|
|
|