1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/loader/HttpEquiv.h" | 5 #include "core/loader/HttpEquiv.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/dom/ScriptableDocumentParser.h" | 8 #include "core/dom/ScriptableDocumentParser.h" |
9 #include "core/dom/StyleEngine.h" | 9 #include "core/dom/StyleEngine.h" |
10 #include "core/fetch/ClientHintsPreferences.h" | 10 #include "core/fetch/ClientHintsPreferences.h" |
28 processHttpEquivDefaultStyle(document, content); | 28 processHttpEquivDefaultStyle(document, content); |
29 } else if (equalIgnoringCase(equiv, "refresh")) { | 29 } else if (equalIgnoringCase(equiv, "refresh")) { |
30 processHttpEquivRefresh(document, content); | 30 processHttpEquivRefresh(document, content); |
31 } else if (equalIgnoringCase(equiv, "set-cookie")) { | 31 } else if (equalIgnoringCase(equiv, "set-cookie")) { |
32 processHttpEquivSetCookie(document, content); | 32 processHttpEquivSetCookie(document, content); |
33 } else if (equalIgnoringCase(equiv, "content-language")) { | 33 } else if (equalIgnoringCase(equiv, "content-language")) { |
34 document.setContentLanguage(content); | 34 document.setContentLanguage(content); |
35 } else if (equalIgnoringCase(equiv, "x-dns-prefetch-control")) { | 35 } else if (equalIgnoringCase(equiv, "x-dns-prefetch-control")) { |
36 document.parseDNSPrefetchControlHeader(content); | 36 document.parseDNSPrefetchControlHeader(content); |
37 } else if (equalIgnoringCase(equiv, "x-frame-options")) { | 37 } else if (equalIgnoringCase(equiv, "x-frame-options")) { |
38 processHttpEquivXFrameOptions(document, content); | 38 document.addConsoleMessage(ConsoleMessage::create(SecurityMessageSource,
ErrorMessageLevel, "X-Frame-Options may only be set via an HTTP header sent alo
ng with a document. It may not be set inside <meta>.")); |
39 } else if (equalIgnoringCase(equiv, "accept-ch")) { | 39 } else if (equalIgnoringCase(equiv, "accept-ch")) { |
40 processHttpEquivAcceptCH(document, content); | 40 processHttpEquivAcceptCH(document, content); |
41 } else if (equalIgnoringCase(equiv, "content-security-policy") || equalIgnor
ingCase(equiv, "content-security-policy-report-only")) { | 41 } else if (equalIgnoringCase(equiv, "content-security-policy") || equalIgnor
ingCase(equiv, "content-security-policy-report-only")) { |
42 if (inDocumentHeadElement) | 42 if (inDocumentHeadElement) |
43 processHttpEquivContentSecurityPolicy(document, equiv, content); | 43 processHttpEquivContentSecurityPolicy(document, equiv, content); |
44 else | 44 else |
45 document.contentSecurityPolicy()->reportMetaOutsideHead(content); | 45 document.contentSecurityPolicy()->reportMetaOutsideHead(content); |
46 } else if (equalIgnoringCase(equiv, "suborigin")) { | 46 } else if (equalIgnoringCase(equiv, "suborigin")) { |
47 document.addConsoleMessage(ConsoleMessage::create(SecurityMessageSource,
ErrorMessageLevel, "Error with Suborigin header: Suborigin header with value '"
+ content + "' was delivered via a <meta> element and not an HTTP header, which
is disallowed. The Suborigin has been ignored.")); | 47 document.addConsoleMessage(ConsoleMessage::create(SecurityMessageSource,
ErrorMessageLevel, "Error with Suborigin header: Suborigin header with value '"
+ content + "' was delivered via a <meta> element and not an HTTP header, which
is disallowed. The Suborigin has been ignored.")); |
48 } else if (equalIgnoringCase(equiv, HTTPNames::Origin_Trial)) { | 48 } else if (equalIgnoringCase(equiv, HTTPNames::Origin_Trial)) { |
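Review bot: The new X-Frame-Options branch at line 38 omits the rejected value from its console message, whereas the Suborigin branch a few lines below quotes the ignored value; a developer whose clickjacking defense silently stopped working will want to see exactly what was set, so consider `"X-Frame-Options with value '" + content + "' may only be set via an HTTP header sent along with a document. It may not be set inside <meta>."`. Because the `<meta>` value is now ignored rather than enforced (the removed code stopped all loaders and navigated away), a short why-comment above the call would help the next reader, e.g. `// X-Frame-Options delivered via <meta> is not honored; report it so the page can be fixed to send the HTTP header.` The enclosing HttpEquiv::process function begins before this hunk.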
85 void HttpEquiv::processHttpEquivSetCookie(Document& document, const AtomicString
& content) | 85 void HttpEquiv::processHttpEquivSetCookie(Document& document, const AtomicString
& content) |
86 { | 86 { |
87 // FIXME: make setCookie work on XML documents too; e.g. in case of <html:me
ta .....> | 87 // FIXME: make setCookie work on XML documents too; e.g. in case of <html:me
ta .....> |
88 if (!document.isHTMLDocument()) | 88 if (!document.isHTMLDocument()) |
89 return; | 89 return; |
90 | 90 |
91 // Exception (for sandboxed documents) ignored. | 91 // Exception (for sandboxed documents) ignored. |
92 toHTMLDocument(document).setCookie(content, IGNORE_EXCEPTION); | 92 toHTMLDocument(document).setCookie(content, IGNORE_EXCEPTION); |
93 } | 93 } |
94 | 94 |
95 void HttpEquiv::processHttpEquivXFrameOptions(Document& document, const AtomicSt
ring& content) | |
96 { | |
97 LocalFrame* frame = document.frame(); | |
98 if (!frame) | |
99 return; | |
100 | |
101 unsigned long requestIdentifier = document.loader()->mainResourceIdentifier(
); | |
102 if (!frame->loader().shouldInterruptLoadForXFrameOptions(content, document.u
rl(), requestIdentifier)) | |
103 return; | |
104 | |
105 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageSourc
e, ErrorMessageLevel, | |
106 "Refused to display '" + document.url().elidedString() + "' in a frame b
ecause it set 'X-Frame-Options' to '" + content + "'."); | |
107 consoleMessage->setRequestIdentifier(requestIdentifier); | |
108 document.addConsoleMessage(consoleMessage); | |
109 | |
110 frame->loader().stopAllLoaders(); | |
111 // Stopping the loader isn't enough, as we're already parsing the document;
to honor the header's | |
112 // intent, we must navigate away from the possibly partially-rendered docume
nt to a location that | |
113 // doesn't inherit the parent's SecurityOrigin. | |
114 // TODO(dglazkov): This should probably check document lifecycle instead. | |
115 if (document.frame()) | |
116 frame->navigate(document, SecurityOrigin::urlWithUniqueSecurityOrigin(),
true, UserGestureStatus::None); | |
117 } | |
118 | |
119 } // namespace blink | 95 } // namespace blink |