Introduce AncestorThrottle, which will process 'X-Frame-Options' headers.

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 89 matching lines @@
     , m_fetcher(FrameFetchContext::createContextAndFetcher(this, nullptr))
     , m_originalRequest(req)
     , m_substituteData(substituteData)
     , m_request(req)
     , m_isClientRedirect(false)
     , m_replacesCurrentHistoryItem(false)
     , m_navigationType(NavigationTypeOther)
     , m_documentLoadTiming(*this)
     , m_timeOfLastDataReceived(0.0)
     , m_applicationCacheHost(ApplicationCacheHost::create(this))
-    , m_wasBlockedAfterXFrameOptionsOrCSP(false)
+    , m_wasBlockedAfterCSP(false)
     , m_state(NotStarted)
     , m_inDataReceived(false)
     , m_dataBuffer(SharedBuffer::create())
 {
 }
 
 FrameLoader* DocumentLoader::frameLoader() const
 {
     if (!m_frame)
         return nullptr;
@@ skipping 222 matching lines @@
         // Downloading is handled by the embedder, but we still get the initial
         // response so that we can ignore it and clean up properly.
         return false;
     }
 
     if (!canShowMIMEType(m_response.mimeType(), m_frame->page()))
         return false;
     return true;
 }
 
-void DocumentLoader::cancelLoadAfterXFrameOptionsOrCSPDenied(const ResourceResponse& response)
+void DocumentLoader::cancelLoadAfterCSPDenied(const ResourceResponse& response)
 {
-    InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, mainResourceIdentifier(), response);
+    InspectorInstrumentation::continueAfterCSPDenied(m_frame, this, mainResourceIdentifier(), response);
 
-    setWasBlockedAfterXFrameOptionsOrCSP();
+    setWasBlockedAfterCSP();
 
     // Pretend that this was an empty HTTP 200 response.
     clearMainResourceHandle();
     m_response = ResourceResponse(blankURL(), "text/html", 0, nullAtom, String());
     finishedLoading(monotonicallyIncreasingTime());
 
     return;
 }
 
 void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response, PassOwnPtr<WebDataConsumerHandle> handle)
 {
     ASSERT_UNUSED(resource, m_mainResource == resource);
     ASSERT_UNUSED(handle, !handle);
     ASSERT(frame());
 
     m_applicationCacheHost->didReceiveResponseForMainResource(response);
 
     // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served
     // from the application cache, ensure we don't save the result for future use. All responses loaded
     // from appcache will have a non-zero appCacheID().
     if (response.appCacheID())
         memoryCache()->remove(m_mainResource.get());
 
     m_contentSecurityPolicy = ContentSecurityPolicy::create();
     m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
     m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
     if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
-        cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+        cancelLoadAfterCSPDenied(response);
         return;
     }
 
-    // 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
-    if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
-        HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(HTTPNames::X_Frame_Options);
-        if (it != response.httpHeaderFields().end()) {
-            String content = it->value;
-            if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
-                String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
-                ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message);
-                consoleMessage->setRequestIdentifier(mainResourceIdentifier());
-                frame()->document()->addConsoleMessage(consoleMessage);
-
-                cancelLoadAfterXFrameOptionsOrCSPDenied(response);
-                return;
-            }
-        }
-    }
-
     ASSERT(!m_frame->page()->defersLoading());
 
     m_response = response;
 
     if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->getDataBufferingPolicy() != BufferData)
         m_mainResource->setDataBufferingPolicy(BufferData);
 
     if (!shouldContinueForResponse()) {
         InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response);
         m_fetcher->stopFetching();
@@ skipping 269 matching lines @@
 {
     m_writer = createWriterFor(init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true, ForceSynchronousParsing);
     if (!source.isNull())
         m_writer->appendReplacingData(source);
     endWriting(m_writer.get());
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 } // namespace blink