Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(235)

Unified Diff: third_party/WebKit/Source/core/dom/Document.cpp

Issue 1754713006: CORS-RFC1918: Introduce the 'addressSpace' IDL attributes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: philip Created 4 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 906c2c85b5b24d1e7d5c452315586983e93e74ba..a9a9c5d6401156a672d72fc4011c8a37da70080a 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -4917,8 +4917,6 @@ void Document::initSecurityContext(const DocumentInit& initializer)
{
ASSERT(!securityOrigin());
- setHostedInReservedIPRange(initializer.isHostedInReservedIPRange());
-
if (!initializer.hasSecurityContext()) {
// No source for a security context.
// This can occur via document.implementation.createDocument().
@@ -4959,6 +4957,15 @@ void Document::initSecurityContext(const DocumentInit& initializer)
setSecurityOrigin(SecurityOrigin::create(m_url));
}
+ // Set the address space before setting up CSP, as the latter may override
+ // the former via the 'treat-as-public-address' directive (see
+ // https://mikewest.github.io/cors-rfc1918/#csp).
+ if (initializer.isHostedInReservedIPRange()) {
+ setAddressSpace(securityOrigin()->isLocalhost() ? WebURLRequest::AddressSpaceLocal : WebURLRequest::AddressSpacePrivate);
+ } else {
+ setAddressSpace(WebURLRequest::AddressSpacePublic);
+ }
+
if (importsController()) {
// If this document is an HTML import, grab a reference to it's master document's Content
// Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't

Powered by Google App Engine
This is Rietveld 408576698