1 // Copyright 2015 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "content/browser/frame_host/xfo_throttle.h" | |
6 | |
7 #include "base/strings/string_util.h" | |
8 #include "base/strings/stringprintf.h" | |
9 #include "content/browser/frame_host/frame_tree.h" | |
10 #include "content/browser/frame_host/frame_tree_node.h" | |
11 #include "content/browser/frame_host/navigation_handle_impl.h" | |
12 #include "content/public/browser/browser_thread.h" | |
13 #include "content/public/browser/navigation_handle.h" | |
14 #include "content/public/browser/navigation_throttle.h" | |
15 #include "content/public/common/console_message_level.h" | |
16 #include "net/http/http_response_headers.h" | |
17 #include "url/origin.h" | |
18 | |
19 namespace content { | |
20 | |
21 // static | |
22 scoped_ptr<NavigationThrottle> XFOThrottle::MaybeCreateThrottleFor( | |
23 NavigationHandle* handle) { | |
24 DCHECK_CURRENTLY_ON(content::BrowserThread::UI); | |
25 | |
26 if (handle->IsInMainFrame()) | |
27 return nullptr; | |
28 | |
29 return scoped_ptr<NavigationThrottle>(new XFOThrottle(handle)); | |
30 } | |
31 | |
32 XFOThrottle::XFOThrottle(NavigationHandle* handle) | |
33 : NavigationThrottle(handle) {} | |
34 | |
35 XFOThrottle::~XFOThrottle() {} | |
36 | |
37 NavigationThrottle::ThrottleCheckResult XFOThrottle::WillProcessResponse() { | |
38 DCHECK(!navigation_handle()->IsInMainFrame()); | |
39 | |
40 NavigationHandleImpl* handle = | |
41 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
42 | |
43 std::string header_value; | |
44 HeaderDisposition disposition = | |
45 ParseHeader(handle->GetResponseHeaders(), &header_value); | |
46 switch (disposition) { | |
47 case CONFLICT: | |
48 ParseError(header_value, disposition); | |
49 return NavigationThrottle::BLOCK; | |
50 | |
51 case INVALID: | |
52 ParseError(header_value, disposition); | |
53 // TODO(mkwst): Consider failing here. | |
54 return NavigationThrottle::PROCEED; | |
55 | |
56 case DENY: | |
57 ConsoleError(disposition); | |
58 return NavigationThrottle::BLOCK; | |
59 | |
60 case SAMEORIGIN: { | |
61 url::Origin current_origin(navigation_handle()->GetURL()); | |
nasko
2016/01/20 23:15:07
Shouldn't we be using the GetOrigin() from the cur
Mike West
2016/01/21 14:51:24
XFO looks at the origin of the URL, not the origin
62 url::Origin top_origin = | |
63 handle->frame_tree_node()->frame_tree()->root()->current_origin(); | |
64 if (top_origin.IsSameOriginWith(current_origin)) | |
65 return NavigationThrottle::PROCEED; | |
66 ConsoleError(disposition); | |
67 return NavigationThrottle::BLOCK; | |
68 } | |
69 | |
70 case NOT_PRESENT: | |
71 case ALLOWALL: | |
72 return NavigationThrottle::PROCEED; | |
73 } | |
74 NOTREACHED(); | |
75 return NavigationThrottle::PROCEED; | |
76 } | |
77 | |
78 void XFOThrottle::ParseError(const std::string& value, | |
79 HeaderDisposition disposition) { | |
80 DCHECK(disposition == CONFLICT || disposition == INVALID); | |
81 | |
82 std::string message; | |
83 if (disposition == CONFLICT) { | |
84 message = base::StringPrintf( | |
85 "Refused to display '%s' in a frame because it set multiple " | |
86 "'X-Frame-Options' headers with conflicting values " | |
87 "('%s'). Falling back to 'deny'.", | |
88 navigation_handle()->GetURL().spec().c_str(), value.c_str()); | |
89 } else { | |
90 message = base::StringPrintf( | |
91 "Invalid 'X-Frame-Options' header encountered when loading '%s': " | |
92 "'%s' is not a recognized directive. The header will be ignored.", | |
93 navigation_handle()->GetURL().spec().c_str(), value.c_str()); | |
94 } | |
95 | |
96 NavigationHandleImpl* handle = | |
97 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
98 // Log a console error in the parent of the current RenderFrameHost (as | |
99 // the current RenderFrameHost itself doesn't yet have a document). | |
100 handle->GetRenderFrameHost()->GetParent()->AddMessageToConsole( | |
101 CONSOLE_MESSAGE_LEVEL_ERROR, message); | |
102 } | |
103 | |
104 void XFOThrottle::ConsoleError(HeaderDisposition disposition) { | |
105 DCHECK(disposition == DENY || disposition == SAMEORIGIN); | |
106 std::string message = base::StringPrintf( | |
107 "Refused to display '%s' in a frame because it set 'X-Frame-Options' " | |
108 "to '%s'.", | |
109 navigation_handle()->GetURL().spec().c_str(), | |
110 disposition == DENY ? "deny" : "sameorigin"); | |
111 | |
112 NavigationHandleImpl* handle = | |
113 static_cast<NavigationHandleImpl*>(navigation_handle()); | |
114 // Log a console error in the parent of the current RenderFrameHost (as | |
115 // the current RenderFrameHost itself doesn't yet have a document). | |
116 handle->GetRenderFrameHost()->GetParent()->AddMessageToConsole( | |
117 CONSOLE_MESSAGE_LEVEL_ERROR, message); | |
118 } | |
119 | |
120 // static | |
121 XFOThrottle::HeaderDisposition XFOThrottle::ParseHeader( | |
122 const net::HttpResponseHeaders* headers, | |
123 std::string* header_value) { | |
124 DCHECK(header_value); | |
125 if (!headers) | |
126 return NOT_PRESENT; | |
127 | |
128 void* iter = nullptr; | |
129 std::string value; | |
130 HeaderDisposition result = NOT_PRESENT; | |
131 while (headers->EnumerateHeader(&iter, "x-frame-options", &value)) { | |
132 HeaderDisposition current = INVALID; | |
133 | |
134 base::StringPiece trimmed = | |
135 base::TrimWhitespaceASCII(value, base::TRIM_ALL); | |
136 if (!header_value->empty()) | |
137 header_value->append(", "); | |
138 header_value->append(trimmed.as_string()); | |
139 | |
140 if (base::LowerCaseEqualsASCII(trimmed, "deny")) | |
141 current = DENY; | |
142 else if (base::LowerCaseEqualsASCII(trimmed, "allowall")) | |
143 current = ALLOWALL; | |
144 else if (base::LowerCaseEqualsASCII(trimmed, "sameorigin")) | |
145 current = SAMEORIGIN; | |
146 else | |
147 current = INVALID; | |
148 | |
149 if (result == NOT_PRESENT) | |
150 result = current; | |
151 else if (result != current) | |
152 result = CONFLICT; | |
153 } | |
154 return result; | |
155 } | |
156 | |
157 } // namespace content | |
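Review bot: The SAMEORIGIN branch of WillProcessResponse (rendered lines 60-68) compares the response URL's origin only against the frame tree root's current origin, so a document framed through a cross-origin intermediate frame under a same-origin top-level frame is still displayed; whether this top-only check is the intended policy, rather than checking every ancestor, is not recorded anywhere in the file. Since that comparison is the enforcement decision the throttle exists for, the choice should be stated next to it, e.g. `// SAMEORIGIN is enforced against the top-level frame's origin only; cross-origin intermediate ancestors are not checked.`. Relatedly, the INVALID case falls open to PROCEED, so a mistyped directive silently leaves the response without framing protection apart from the console message; the existing TODO could say so, e.g. `// TODO(mkwst): Consider failing here; an unrecognized value currently leaves the response unprotected.`. ParseHeader also appends to *header_value without clearing it first, so it relies on the caller passing an empty string as WillProcessResponse does; adding `header_value->clear();` after the DCHECK would make the static helper self-contained.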