Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(116)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/dom/Document.cpp

Issue 1783813002: SameSite: Strict/Lax behavior. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@strict-lax
Patch Set: Comment. Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/dom/Document.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 92c4893c36f140b1d1cb595b9380417f7b131353..aab6d6131606636130017206ae48a3328711d9f7 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -4233,31 +4233,38 @@ String Document::lastModified() const
return String::format("%02d/%02d/%04d %02d:%02d:%02d", date.month() + 1, date.monthDay(), date.fullYear(), date.hour(), date.minute(), date.second());
}
-const KURL& Document::firstPartyForCookies() const
+const KURL Document::firstPartyForCookies() const
{
- if (SchemeRegistry::shouldTreatURLSchemeAsFirstPartyWhenTopLevel(topDocument().url().protocol()))
- return topDocument().url();
+ // TODO(mkwst): This doesn't correctly handle sandboxed documents; we want to look at their URL,
+ // but we can't because we don't know what it is.
+ KURL topDocumentURL = frame()->tree().top()->isLocalFrame()
+ ? topDocument().url()
+ : KURL(KURL(), frame()->securityContext()->getSecurityOrigin()->toString());
+ if (SchemeRegistry::shouldTreatURLSchemeAsFirstPartyWhenTopLevel(topDocumentURL.protocol()))
+ return topDocumentURL;
// We're intentionally using the URL of each document rather than the document's SecurityOrigin.
// Sandboxing a document into a unique origin shouldn't effect first-/third-party status for
// cookies and site data.
- const OriginAccessEntry& accessEntry = topDocument().accessEntryFromURL();
- const Document* currentDocument = this;
- while (currentDocument) {
+ const OriginAccessEntry& accessEntry = frame()->tree().top()->isLocalFrame()
+ ? topDocument().accessEntryFromURL()
+ : OriginAccessEntry(topDocumentURL.protocol(), topDocumentURL.host(), OriginAccessEntry::AllowRegisterableDomains);
+ const Frame* currentFrame = frame();
+ while (currentFrame) {
// Skip over srcdoc documents, as they are always same-origin with their closest non-srcdoc parent.
- while (currentDocument->isSrcdocDocument())
- currentDocument = currentDocument->parentDocument();
- ASSERT(currentDocument);
+ while (currentFrame->isLocalFrame() && toLocalFrame(currentFrame)->document()->isSrcdocDocument())
+ currentFrame = currentFrame->tree().parent();
+ ASSERT(currentFrame);
// We use 'matchesDomain' here, as it turns out that some folks embed HTTPS login forms
// into HTTP pages; we should allow this kind of upgrade.
- if (accessEntry.matchesDomain(*currentDocument->getSecurityOrigin()) == OriginAccessEntry::DoesNotMatchOrigin)
+ if (accessEntry.matchesDomain(*currentFrame->securityContext()->getSecurityOrigin()) == OriginAccessEntry::DoesNotMatchOrigin)
return SecurityOrigin::urlWithUniqueSecurityOrigin();
- currentDocument = currentDocument->parentDocument();
+ currentFrame = currentFrame->tree().parent();
}
- return topDocument().url();
+ return topDocumentURL;
}
static bool isValidNameNonASCII(const LChar* characters, unsigned length)
« no previous file with comments | « third_party/WebKit/Source/core/dom/Document.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698