Chromium Code Reviews Chromium Code Reviews
Issue 1957783002:
Replicate Content-Security-Policy into remote frame proxies. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/dom/RemoteSecurityContext.h" | 5 #include "core/dom/RemoteSecurityContext.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/ContentSecurityPolicy.h" | 7 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 8 #include "platform/weborigin/SecurityOrigin.h" | 8 #include "platform/weborigin/SecurityOrigin.h" |
| 9 #include "wtf/Assertions.h" | |
| 9 | 10 |
| 10 namespace blink { | 11 namespace blink { |
| 11 | 12 |
| 12 RemoteSecurityContext::RemoteSecurityContext() | 13 RemoteSecurityContext::RemoteSecurityContext() |
| 13 : SecurityContext() | 14 : SecurityContext() |
| 14 { | 15 { |
| 15 // RemoteSecurityContext's origin is expected to stay uninitialized until | 16 // RemoteSecurityContext's origin is expected to stay uninitialized until |
| 16 // we set it using replicated origin data from the browser process. | 17 // we set it using replicated origin data from the browser process. |
| 17 DCHECK(!getSecurityOrigin()); | 18 DCHECK(!getSecurityOrigin()); |
| 18 | 19 |
| 19 // CSP will not be replicated for RemoteSecurityContexts, as it is moving | 20 // Start with a clean slate. |
| 20 // to the browser process. For now, initialize CSP to a default | 21 resetReplicatedContentSecurityPolicy(); |
| 21 // locked-down policy. | |
| 22 setContentSecurityPolicy(ContentSecurityPolicy::create()); | |
| 23 | 22 |
| 24 // FIXME: Document::initSecurityContext has a few other things we may | 23 // FIXME: Document::initSecurityContext has a few other things we may |
| 25 // eventually want here, such as enforcing a setting to | 24 // eventually want here, such as enforcing a setting to |
| 26 // grantUniversalAccess(). | 25 // grantUniversalAccess(). |
| 27 } | 26 } |
| 28 | 27 |
| 29 RemoteSecurityContext* RemoteSecurityContext::create() | 28 RemoteSecurityContext* RemoteSecurityContext::create() |
| 30 { | 29 { |
| 31 return new RemoteSecurityContext(); | 30 return new RemoteSecurityContext(); |
| 32 } | 31 } |
| 33 | 32 |
| 34 DEFINE_TRACE(RemoteSecurityContext) | 33 DEFINE_TRACE(RemoteSecurityContext) |
| 35 { | 34 { |
| 36 SecurityContext::trace(visitor); | 35 SecurityContext::trace(visitor); |
| 37 } | 36 } |
| 38 | 37 |
| 39 void RemoteSecurityContext::setReplicatedOrigin(PassRefPtr<SecurityOrigin> origi n) | 38 void RemoteSecurityContext::setReplicatedOrigin(PassRefPtr<SecurityOrigin> origi n) |
| 40 { | 39 { |
| 40 DCHECK(origin); | |
| 41 setSecurityOrigin(origin); | 41 setSecurityOrigin(origin); |
| 42 contentSecurityPolicy()->setupSelf(*getSecurityOrigin()); | |
| 42 } | 43 } |
| 43 | 44 |
| 45 void RemoteSecurityContext::resetReplicatedContentSecurityPolicy() | |
| 46 { | |
| 47 setContentSecurityPolicy(ContentSecurityPolicy::create()); | |
| 48 if (getSecurityOrigin()) | |
|
dcheng
2016/05/17 05:57:15
Is it possible to call this when the security orig
Łukasz Anforowicz
2016/05/17 17:01:23
When this is called from the constructor, then the
| |
| 49 contentSecurityPolicy()->setupSelf(*getSecurityOrigin()); | |
| 50 } | |
| 44 | 51 |
| 45 } // namespace blink | 52 } // namespace blink |
| OLD | NEW |
