OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. | 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. |
3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) | 3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) |
4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) | 4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) |
5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> | 5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> |
6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. | 6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. |
7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> | 7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> |
8 * Copyright (C) 2011 Google Inc. All rights reserved. | 8 * Copyright (C) 2011 Google Inc. All rights reserved. |
9 * | 9 * |
10 * Redistribution and use in source and binary forms, with or without | 10 * Redistribution and use in source and binary forms, with or without |
(...skipping 1328 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1339 bool FrameLoader::shouldContinueForNavigationPolicy(const ResourceRequest& reque st, const SubstituteData& substituteData, | 1339 bool FrameLoader::shouldContinueForNavigationPolicy(const ResourceRequest& reque st, const SubstituteData& substituteData, |
1340 DocumentLoader* loader, ContentSecurityPolicyDisposition shouldCheckMainWorl dContentSecurityPolicy, | 1340 DocumentLoader* loader, ContentSecurityPolicyDisposition shouldCheckMainWorl dContentSecurityPolicy, |
1341 NavigationType type, NavigationPolicy policy, bool replacesCurrentHistoryIte m, bool isClientRedirect) | 1341 NavigationType type, NavigationPolicy policy, bool replacesCurrentHistoryIte m, bool isClientRedirect) |
1342 { | 1342 { |
1343 // Don't ask if we are loading an empty URL. | 1343 // Don't ask if we are loading an empty URL. |
1344 if (request.url().isEmpty() || substituteData.isValid()) | 1344 if (request.url().isEmpty() || substituteData.isValid()) |
1345 return true; | 1345 return true; |
1346 | 1346 |
1347 // If we're loading content into a subframe, check against the parent's Cont ent Security Policy | 1347 // If we're loading content into a subframe, check against the parent's Cont ent Security Policy |
1348 // and kill the load if that check fails, unless we should bypass the main w orld's CSP. | 1348 // and kill the load if that check fails, unless we should bypass the main w orld's CSP. |
1349 // FIXME: CSP checks are broken for OOPI. For now, this policy always allows frames with a remote parent... | 1349 if (shouldCheckMainWorldContentSecurityPolicy == CheckContentSecurityPolicy) { |
1350 if ((shouldCheckMainWorldContentSecurityPolicy == CheckContentSecurityPolicy ) && (m_frame->deprecatedLocalOwner() && !m_frame->deprecatedLocalOwner()->docum ent().contentSecurityPolicy()->allowChildFrameFromSource(request.url(), request. followedRedirect() ? ContentSecurityPolicy::DidRedirect : ContentSecurityPolicy: :DidNotRedirect))) { | 1350 Frame* parentFrame = m_frame->tree().parent(); |
1351 // Fire a load event, as timing attacks would otherwise reveal that the | 1351 if (parentFrame) { |
1352 // frame was blocked. This way, it looks like every other cross-origin | 1352 ContentSecurityPolicy* parentPolicy = parentFrame->securityContext() ->contentSecurityPolicy(); |
1353 // page load. | 1353 ContentSecurityPolicy::RedirectStatus redirectStatus = request.follo wedRedirect() |
1354 m_frame->document()->enforceSandboxFlags(SandboxOrigin); | 1354 ? ContentSecurityPolicy::DidRedirect |
1355 m_frame->owner()->dispatchLoad(); | 1355 : ContentSecurityPolicy::DidNotRedirect; |
1356 return false; | 1356 if (!parentPolicy->allowChildFrameFromSource(request.url(), redirect Status)) { |
1357 // Fire a load event, as timing attacks would otherwise reveal t hat the | |
1358 // frame was blocked. This way, it looks like every other cross- origin | |
1359 // page load. | |
1360 m_frame->document()->enforceSandboxFlags(SandboxOrigin); | |
1361 m_frame->owner()->dispatchLoad(); | |
1362 return false; | |
1363 } | |
1364 } | |
1357 } | 1365 } |
1358 | 1366 |
1367 | |
alexmos
2016/05/11 19:46:41
nit: unnecessary blank line.
Łukasz Anforowicz
2016/05/11 23:14:48
Done.
| |
1359 bool isFormSubmission = type == NavigationTypeFormSubmitted || type == Navig ationTypeFormResubmitted; | 1368 bool isFormSubmission = type == NavigationTypeFormSubmitted || type == Navig ationTypeFormResubmitted; |
1360 if (isFormSubmission && !m_frame->document()->contentSecurityPolicy()->allow FormAction(request.url())) | 1369 if (isFormSubmission && !m_frame->document()->contentSecurityPolicy()->allow FormAction(request.url())) |
1361 return false; | 1370 return false; |
1362 | 1371 |
1363 policy = client()->decidePolicyForNavigation(request, loader, type, policy, replacesCurrentHistoryItem, isClientRedirect); | 1372 policy = client()->decidePolicyForNavigation(request, loader, type, policy, replacesCurrentHistoryItem, isClientRedirect); |
1364 if (policy == NavigationPolicyCurrentTab) | 1373 if (policy == NavigationPolicyCurrentTab) |
1365 return true; | 1374 return true; |
1366 if (policy == NavigationPolicyIgnore) | 1375 if (policy == NavigationPolicyIgnore) |
1367 return false; | 1376 return false; |
1368 if (policy == NavigationPolicyHandledByClient) { | 1377 if (policy == NavigationPolicyHandledByClient) { |
(...skipping 209 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1578 // FIXME: We need a way to propagate insecure requests policy flags to | 1587 // FIXME: We need a way to propagate insecure requests policy flags to |
1579 // out-of-process frames. For now, we'll always use default behavior. | 1588 // out-of-process frames. For now, we'll always use default behavior. |
1580 if (!parentFrame->isLocalFrame()) | 1589 if (!parentFrame->isLocalFrame()) |
1581 return nullptr; | 1590 return nullptr; |
1582 | 1591 |
1583 ASSERT(toLocalFrame(parentFrame)->document()); | 1592 ASSERT(toLocalFrame(parentFrame)->document()); |
1584 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ; | 1593 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ; |
1585 } | 1594 } |
1586 | 1595 |
1587 } // namespace blink | 1596 } // namespace blink |
OLD | NEW |