third_party/WebKit/Source/core/dom/DocumentInit.cpp - Issue 1742923002: Commit empty document instead of canceling the load for blocked CSP/XFO responses.

Side by Side Diff: third_party/WebKit/Source/core/dom/DocumentInit.cpp

Issue 1742923002: Commit empty document instead of canceling the load for blocked CSP/XFO responses. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Update expectations for XFO layout tests Created 4 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny-expected.txt ('k') | third_party/WebKit/Source/core/loader/DocumentLoader.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)	2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)

3 * (C) 1999 Antti Koivisto (koivisto@kde.org)	3 * (C) 1999 Antti Koivisto (koivisto@kde.org)

4 * (C) 2001 Dirk Mueller (mueller@kde.org)	4 * (C) 2001 Dirk Mueller (mueller@kde.org)

5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org)	5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org)

6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012 Apple Inc. All r ights reserved.	6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2012 Apple Inc. All r ights reserved.

7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)	7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)

8 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)	8 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)

9 * Copyright (C) 2013 Google Inc. All rights reserved.	9 * Copyright (C) 2013 Google Inc. All rights reserved.

10 *	10 *

(...skipping 86 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
97 if (m_frame)	97 if (m_frame)

98 return m_frame;	98 return m_frame;

99 if (m_importsController)	99 if (m_importsController)

100 return m_importsController->master()->frame();	100 return m_importsController->master()->frame();

101 return 0;	101 return 0;

102 }	102 }

103	103

104 SandboxFlags DocumentInit::getSandboxFlags() const	104 SandboxFlags DocumentInit::getSandboxFlags() const

105 {	105 {

106 ASSERT(frameForSecurityContext());	106 ASSERT(frameForSecurityContext());

107 return frameForSecurityContext()->loader().effectiveSandboxFlags();	107 FrameLoader* loader = &frameForSecurityContext()->loader();

	108 SandboxFlags flags = loader->effectiveSandboxFlags();

	109

	110 // If the load was blocked by X-Frame-Options or CSP, force the Document's

	111 // origin to be unique, so that the blocked document appears to be a normal

	112 // cross-origin document's load per CSP spec:

	113 // https://www.w3.org/TR/CSP2/#directive-frame-ancestors

	114 DocumentLoader* documentLoader = loader->provisionalDocumentLoader() ? loade r->provisionalDocumentLoader() : loader->documentLoader();
	Nate Chapin 2016/03/01 20:26:11 Is it really possible for this to be either docume Is it really possible for this to be either document loader? I would have thought it's always one or the other. alexmos 2016/03/02 01:30:55 Good point. Looking closer I think this should ju Show quoted text On 2016/03/01 20:26:11, Nate Chapin wrote: > Is it really possible for this to be either document loader? I would have > thought it's always one or the other. Good point. Looking closer I think this should just use documentLoader(). (This is called after FrameLoader::prepareForCommit, which releases the provisional one.) I've changed it and things still work. That said, I based this off of DocumentInit::isHostedInReservedIPRange(), which has this check and is also used solely in Document::initSecurityContext. Mike, you added it in https://codereview.chromium.org/845303003 - was there a reason for checking both loaders?
	115 if (documentLoader && documentLoader->wasBlockedAfterXFrameOptionsOrCSP())

	116 flags \|= SandboxOrigin;

	117

	118 return flags;

108 }	119 }

109	120

110 bool DocumentInit::shouldEnforceStrictMixedContentChecking() const	121 bool DocumentInit::shouldEnforceStrictMixedContentChecking() const

111 {	122 {

112 ASSERT(frameForSecurityContext());	123 ASSERT(frameForSecurityContext());

113 return frameForSecurityContext()->loader().shouldEnforceStrictMixedContentCh ecking();	124 return frameForSecurityContext()->loader().shouldEnforceStrictMixedContentCh ecking();

114 }	125 }

115	126

116 SecurityContext::InsecureRequestsPolicy DocumentInit::getInsecureRequestsPolicy( ) const	127 SecurityContext::InsecureRequestsPolicy DocumentInit::getInsecureRequestsPolicy( ) const

117 {	128 {

(...skipping 59 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
177 return m_contextDocument;	188 return m_contextDocument;

178 }	189 }

179	190

180 DocumentInit DocumentInit::fromContext(WeakPtrWillBeRawPtr<Document> contextDocu ment, const KURL& url)	191 DocumentInit DocumentInit::fromContext(WeakPtrWillBeRawPtr<Document> contextDocu ment, const KURL& url)

181 {	192 {

182 return DocumentInit(url, 0, contextDocument, 0);	193 return DocumentInit(url, 0, contextDocument, 0);

183 }	194 }

184	195

185 } // namespace blink	196 } // namespace blink

186	197

OLD	NEW