Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(69)

Side by Side Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 1617043002: Introduce AncestorThrottle, which will process 'X-Frame-Options' headers. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@block-response
Patch Set: DCHECK. Created 4 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed.
3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) 3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) 4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)
5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> 5 * Copyright (C) 2008 Alp Toker <alp@atoker.com>
6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. 6 * Copyright (C) Research In Motion Limited 2009. All rights reserved.
7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> 7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
8 * Copyright (C) 2011 Google Inc. All rights reserved. 8 * Copyright (C) 2011 Google Inc. All rights reserved.
9 * 9 *
10 * Redistribution and use in source and binary forms, with or without 10 * Redistribution and use in source and binary forms, with or without
(...skipping 1413 matching lines...) Expand 10 before | Expand all | Expand 10 after
1424 m_provisionalDocumentLoader->startLoadingMainResource(); 1424 m_provisionalDocumentLoader->startLoadingMainResource();
1425 } 1425 }
1426 1426
1427 void FrameLoader::applyUserAgent(ResourceRequest& request) 1427 void FrameLoader::applyUserAgent(ResourceRequest& request)
1428 { 1428 {
1429 String userAgent = this->userAgent(); 1429 String userAgent = this->userAgent();
1430 ASSERT(!userAgent.isNull()); 1430 ASSERT(!userAgent.isNull());
1431 request.setHTTPUserAgent(AtomicString(userAgent)); 1431 request.setHTTPUserAgent(AtomicString(userAgent));
1432 } 1432 }
1433 1433
1434 bool FrameLoader::shouldInterruptLoadForXFrameOptions(const String& content, con st KURL& url, unsigned long requestIdentifier)
1435 {
1436 UseCounter::count(m_frame->domWindow()->document(), UseCounter::XFrameOption s);
1437
1438 Frame* topFrame = m_frame->tree().top();
1439 if (m_frame == topFrame)
1440 return false;
1441
1442 XFrameOptionsDisposition disposition = parseXFrameOptionsHeader(content);
1443
1444 switch (disposition) {
1445 case XFrameOptionsSameOrigin: {
1446 UseCounter::count(m_frame->domWindow()->document(), UseCounter::XFrameOp tionsSameOrigin);
1447 RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
1448 // Out-of-process ancestors are always a different origin.
1449 if (!topFrame->isLocalFrame() || !origin->isSameSchemeHostPort(toLocalFr ame(topFrame)->document()->getSecurityOrigin()))
1450 return true;
1451 for (Frame* frame = m_frame->tree().parent(); frame; frame = frame->tree ().parent()) {
1452 if (!frame->isLocalFrame() || !origin->isSameSchemeHostPort(toLocalF rame(frame)->document()->getSecurityOrigin())) {
1453 UseCounter::count(m_frame->domWindow()->document(), UseCounter:: XFrameOptionsSameOriginWithBadAncestorChain);
1454 break;
1455 }
1456 }
1457 return false;
1458 }
1459 case XFrameOptionsDeny:
1460 return true;
1461 case XFrameOptionsAllowAll:
1462 return false;
1463 case XFrameOptionsConflict: {
1464 ConsoleMessage* consoleMessage = ConsoleMessage::create(JSMessageSource, ErrorMessageLevel, "Multiple 'X-Frame-Options' headers with conflicting values ('" + content + "') encountered when loading '" + url.elidedString() + "'. Falli ng back to 'DENY'.");
1465 consoleMessage->setRequestIdentifier(requestIdentifier);
1466 m_frame->document()->addConsoleMessage(consoleMessage);
1467 return true;
1468 }
1469 case XFrameOptionsInvalid: {
1470 ConsoleMessage* consoleMessage = ConsoleMessage::create(JSMessageSource, ErrorMessageLevel, "Invalid 'X-Frame-Options' header encountered when loading ' " + url.elidedString() + "': '" + content + "' is not a recognized directive. Th e header will be ignored.");
1471 consoleMessage->setRequestIdentifier(requestIdentifier);
1472 m_frame->document()->addConsoleMessage(consoleMessage);
1473 return false;
1474 }
1475 default:
1476 ASSERT_NOT_REACHED();
1477 return false;
1478 }
1479 }
1480
1481 bool FrameLoader::shouldTreatURLAsSameAsCurrent(const KURL& url) const 1434 bool FrameLoader::shouldTreatURLAsSameAsCurrent(const KURL& url) const
1482 { 1435 {
1483 return m_currentItem && url == m_currentItem->url(); 1436 return m_currentItem && url == m_currentItem->url();
1484 } 1437 }
1485 1438
1486 bool FrameLoader::shouldTreatURLAsSrcdocDocument(const KURL& url) const 1439 bool FrameLoader::shouldTreatURLAsSrcdocDocument(const KURL& url) const
1487 { 1440 {
1488 if (!url.isAboutSrcdocURL()) 1441 if (!url.isAboutSrcdocURL())
1489 return false; 1442 return false;
1490 HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner(); 1443 HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner();
(...skipping 87 matching lines...) Expand 10 before | Expand all | Expand 10 after
1578 // FIXME: We need a way to propagate insecure requests policy flags to 1531 // FIXME: We need a way to propagate insecure requests policy flags to
1579 // out-of-process frames. For now, we'll always use default behavior. 1532 // out-of-process frames. For now, we'll always use default behavior.
1580 if (!parentFrame->isLocalFrame()) 1533 if (!parentFrame->isLocalFrame())
1581 return nullptr; 1534 return nullptr;
1582 1535
1583 ASSERT(toLocalFrame(parentFrame)->document()); 1536 ASSERT(toLocalFrame(parentFrame)->document());
1584 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ; 1537 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ;
1585 } 1538 }
1586 1539
1587 } // namespace blink 1540 } // namespace blink
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698