Chromium Code Reviews Chromium Code Reviews
Issue 1957783002:
Replicate Content-Security-Policy into remote frame proxies. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/dom/RemoteSecurityContext.h" | 5 #include "core/dom/RemoteSecurityContext.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/ContentSecurityPolicy.h" | 7 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 8 #include "platform/weborigin/SecurityOrigin.h" | 8 #include "platform/weborigin/SecurityOrigin.h" |
| 9 | 9 |
| 10 namespace blink { | 10 namespace blink { |
| 11 | 11 |
| 12 RemoteSecurityContext::RemoteSecurityContext() | 12 RemoteSecurityContext::RemoteSecurityContext() |
| 13 : SecurityContext() | 13 : SecurityContext() |
| 14 { | 14 { |
| 15 // RemoteSecurityContext's origin is expected to stay uninitialized until | 15 // RemoteSecurityContext's origin is expected to stay uninitialized until |
| 16 // we set it using replicated origin data from the browser process. | 16 // we set it using replicated origin data from the browser process. |
| 17 DCHECK(!getSecurityOrigin()); | 17 DCHECK(!getSecurityOrigin()); |
| 18 | 18 |
| 19 // CSP will not be replicated for RemoteSecurityContexts, as it is moving | 19 // Start with a clean slate. |
| 20 // to the browser process. For now, initialize CSP to a default | 20 resetReplicatedContentSecurityPolicy(); |
| 21 // locked-down policy. | |
| 22 setContentSecurityPolicy(ContentSecurityPolicy::create()); | |
| 23 | 21 |
| 24 // FIXME: Document::initSecurityContext has a few other things we may | 22 // FIXME: Document::initSecurityContext has a few other things we may |
| 25 // eventually want here, such as enforcing a setting to | 23 // eventually want here, such as enforcing a setting to |
| 26 // grantUniversalAccess(). | 24 // grantUniversalAccess(). |
| 27 } | 25 } |
| 28 | 26 |
| 29 RemoteSecurityContext* RemoteSecurityContext::create() | 27 RemoteSecurityContext* RemoteSecurityContext::create() |
| 30 { | 28 { |
| 31 return new RemoteSecurityContext(); | 29 return new RemoteSecurityContext(); |
| 32 } | 30 } |
| 33 | 31 |
| 34 DEFINE_TRACE(RemoteSecurityContext) | 32 DEFINE_TRACE(RemoteSecurityContext) |
| 35 { | 33 { |
| 36 SecurityContext::trace(visitor); | 34 SecurityContext::trace(visitor); |
| 37 } | 35 } |
| 38 | 36 |
| 39 void RemoteSecurityContext::setReplicatedOrigin(PassRefPtr<SecurityOrigin> origi n) | 37 void RemoteSecurityContext::setReplicatedOrigin(PassRefPtr<SecurityOrigin> origi n) |
| 40 { | 38 { |
| 41 setSecurityOrigin(origin); | 39 setSecurityOrigin(origin); |
| 40 if (getSecurityOrigin()) | |
|
dcheng
2016/05/11 20:15:07
Is this ever actually null? it seems broken if it
Łukasz Anforowicz
2016/05/11 23:14:48
Done.
| |
| 41 contentSecurityPolicy()->bindToSecurityOrigin(*getSecurityOrigin()); | |
| 42 } | 42 } |
| 43 | 43 |
| 44 void RemoteSecurityContext::resetReplicatedContentSecurityPolicy() | |
| 45 { | |
| 46 setContentSecurityPolicy(ContentSecurityPolicy::create()); | |
| 47 if (getSecurityOrigin()) | |
| 48 contentSecurityPolicy()->bindToSecurityOrigin(*getSecurityOrigin()); | |
| 49 } | |
| 44 | 50 |
| 45 } // namespace blink | 51 } // namespace blink |
| OLD | NEW |
