CORS-RFC1918: Introduce the 'addressSpace' IDL attributes.

third_party/WebKit/Source/core/dom/Document.cpp

 /*
  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
  *           (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All rights reserved.
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
  * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
@@ skipping 4899 matching lines @@
 
 bool Document::useSecureKeyboardEntryWhenActive() const
 {
     return m_useSecureKeyboardEntryWhenActive;
 }
 
 void Document::initSecurityContext(const DocumentInit& initializer)
 {
     ASSERT(!securityOrigin());
 
-    setHostedInReservedIPRange(initializer.isHostedInReservedIPRange());
-
     if (!initializer.hasSecurityContext()) {
         // No source for a security context.
         // This can occur via document.implementation.createDocument().
         m_cookieURL = KURL(ParsedURLString, emptyString());
         setSecurityOrigin(SecurityOrigin::createUnique());
         initContentSecurityPolicy();
         // Unique security origins cannot have a suborigin
         return;
     }
 
@@ skipping 20 matching lines @@
     } else if (initializer.owner()) {
         m_cookieURL = initializer.owner()->cookieURL();
         // We alias the SecurityOrigins to match Firefox, see Bug 15313
         // https://bugs.webkit.org/show_bug.cgi?id=15313
         setSecurityOrigin(initializer.owner()->securityOrigin());
     } else {
         m_cookieURL = m_url;
         setSecurityOrigin(SecurityOrigin::create(m_url));
     }
 
+    // Set the address space before setting up CSP, as the latter may override
+    // the former via the 'treat-as-public-address' directive (see
+    // https://mikewest.github.io/cors-rfc1918/#csp).
+    if (initializer.isHostedInReservedIPRange()) {
+        setAddressSpace(securityOrigin()->isLocalhost() ? WebURLRequest::AddressSpaceLocal : WebURLRequest::AddressSpacePrivate);
+    } else {
+        setAddressSpace(WebURLRequest::AddressSpacePublic);
+    }
+
     if (importsController()) {
         // If this document is an HTML import, grab a reference to it's master document's Content
         // Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't
         // rebind the master document's policy object: its ExecutionContext needs to remain tied
         // to the master document.
         setContentSecurityPolicy(importsController()->master()->contentSecurityPolicy());
     } else {
         initContentSecurityPolicy();
     }
 
@@ skipping 1016 matching lines @@
 #ifndef NDEBUG
 using namespace blink;
 void showLiveDocumentInstances()
 {
     Document::WeakDocumentSet& set = Document::liveDocumentSet();
     fprintf(stderr, "There are %u documents currently alive:\n", set.size());
     for (Document* document : set)
         fprintf(stderr, "- Document %p URL: %s\n", document, document->url().getString().utf8().data());
 }
 #endif