Chromium Code Reviews
DescriptionUse RequestContext to apply CSP in FrameFetchContext
Instead of a big switch statement on Resource::Type in
FrameFetchContext::canRequest(), use
ContentSecurityPolicy::allowRequest(), which decides which directives to
apply based on the RequestContext.
A nice-ish side effect of this is that DocumentThreadableLoader no
longer needs to know about (much less be responsible for enforcing)
CSP. Previously, DocumentThreadableLoader needed to enforce CSP because
Resource::Type doesn't cover things like EventSource, so
FrameFetchContext::canRequest() just let them pass through as raw
resources. Now that FrameFetchContext::canRequest() is based on
RequestContext, and RequestContext covers things like EventSource, the
proper CSP directive can be applied, instead of DocumentThreadableLoader
needing to do special CSP checks.
I say "nice-ish" instead of "nice" because kicking CSP checks out of
DocumentThreadableLoader introduces a slight complication: EventSource
and friends want to know about redirects that are blocked, so that they
can product an error for Javascript to consume. (We have layout tests
that test for this error.) So I introduced a new set of hooks for
RawResourceClients to get notified when ResourceFetcher declines to
follow a redirect. (The previous flow for EventSource and friends was
that ResourceFetcher would agree to follow the redirect, but
DocumentThreadableLoader would block it and notify the
RawResourceClient. Now that ResourceFetcher is deciding based on
RequestContexts, ResourceFetcher will want to block the redirect.)
BUG=474412
Committed: https://crrev.com/077fcfa04ed8d166cdd51bfd6f9ac36a2ccb8b5d
Cr-Commit-Position: refs/heads/master@{#385669}
Patch Set 1 #
Total comments: 2
Patch Set 2 : rename redirectReceivedAndNotFollowed() to redirectBlocked() #Messages
Total messages: 18 (8 generated)
|