Index: third_party/WebKit/Source/core/loader/HttpEquiv.cpp |
diff --git a/third_party/WebKit/Source/core/loader/HttpEquiv.cpp b/third_party/WebKit/Source/core/loader/HttpEquiv.cpp |
index d4ff0b76de7a5ea1fac42d64be47af26308844c5..1298ad21930590876aa0166d7c10894f646ed60e 100644 |
--- a/third_party/WebKit/Source/core/loader/HttpEquiv.cpp |
+++ b/third_party/WebKit/Source/core/loader/HttpEquiv.cpp |
@@ -35,7 +35,7 @@ void HttpEquiv::process(Document& document, const AtomicString& equiv, const Ato |
} else if (equalIgnoringCase(equiv, "x-dns-prefetch-control")) { |
document.parseDNSPrefetchControlHeader(content); |
} else if (equalIgnoringCase(equiv, "x-frame-options")) { |
- processHttpEquivXFrameOptions(document, content); |
+ document.addConsoleMessage(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.")); |
} else if (equalIgnoringCase(equiv, "accept-ch")) { |
processHttpEquivAcceptCH(document, content); |
} else if (equalIgnoringCase(equiv, "content-security-policy") || equalIgnoringCase(equiv, "content-security-policy-report-only")) { |
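Review bot: The new `x-frame-options` branch logs an error but says neither in code nor in the console text that the `<meta>` value is now ignored, so an author who relied on it for clickjacking protection is not told the page is left frameable. I would add a comment above the call, `// Deliberately ignored: <meta> is seen only after parsing has begun, so only the HTTP response header is honored.`, and end the message with `The <meta> value was ignored.` The message is now logged unconditionally, whereas the removed helper returned early when `document.frame()` was null; this is presumably harmless but worth confirming for frameless documents. `HttpEquiv::process` starts and ends outside this hunk, so the other branches were not reviewed.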
@@ -92,28 +92,4 @@ void HttpEquiv::processHttpEquivSetCookie(Document& document, const AtomicString |
toHTMLDocument(document).setCookie(content, IGNORE_EXCEPTION); |
} |
-void HttpEquiv::processHttpEquivXFrameOptions(Document& document, const AtomicString& content) |
-{ |
- LocalFrame* frame = document.frame(); |
- if (!frame) |
- return; |
- |
- unsigned long requestIdentifier = document.loader()->mainResourceIdentifier(); |
- if (!frame->loader().shouldInterruptLoadForXFrameOptions(content, document.url(), requestIdentifier)) |
- return; |
- |
- ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, |
- "Refused to display '" + document.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'."); |
- consoleMessage->setRequestIdentifier(requestIdentifier); |
- document.addConsoleMessage(consoleMessage); |
- |
- frame->loader().stopAllLoaders(); |
- // Stopping the loader isn't enough, as we're already parsing the document; to honor the header's |
- // intent, we must navigate away from the possibly partially-rendered document to a location that |
- // doesn't inherit the parent's SecurityOrigin. |
- // TODO(dglazkov): This should probably check document lifecycle instead. |
- if (document.frame()) |
- frame->navigate(document, SecurityOrigin::urlWithUniqueSecurityOrigin(), true, UserGestureStatus::None); |
-} |
- |
} // namespace blink |