Chromium Code Reviews

Unified Diff: content/browser/frame_host/ancestor_throttle.cc

Issue 1969743002: XFO: Bypass ancestor checks for 'Content-Disposition: attachment; ...' (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 7 months ago
Index: content/browser/frame_host/ancestor_throttle.cc
diff --git a/content/browser/frame_host/ancestor_throttle.cc b/content/browser/frame_host/ancestor_throttle.cc
index 0a148c08386c27a660ae38974e27a6f02e6885df..03f183937ec428d810bfc941186705ebe01e7c2f 100644
--- a/content/browser/frame_host/ancestor_throttle.cc
+++ b/content/browser/frame_host/ancestor_throttle.cc
@@ -14,6 +14,7 @@
#include "content/public/browser/navigation_handle.h"
#include "content/public/browser/navigation_throttle.h"
#include "content/public/common/console_message_level.h"
+#include "net/http/http_content_disposition.h"
#include "net/http/http_response_headers.h"
#include "url/origin.h"
@@ -159,7 +160,8 @@ AncestorThrottle::HeaderDisposition AncestorThrottle::ParseHeader(
// If 'X-Frame-Options' would potentially block the response, check whether
// the 'frame-ancestors' CSP directive should take effect instead. See
- // https://www.w3.org/TR/CSP/#frame-ancestors-and-frame-options
+ // https://www.w3.org/TR/CSP/#frame-ancestors-and-frame-options. Also, check
+ // whether the response should be treated as a download.
if (result != HeaderDisposition::NONE &&
result != HeaderDisposition::ALLOWALL) {
iter = 0;
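Review bot: the added comment says to check "whether the response should be treated as a download" but does not say why that justifies skipping the 'X-Frame-Options' result; suggest extending it with the rationale (a response that will be downloaded is never rendered inside the frame, so ancestor restrictions have nothing to protect) so a reader does not have to recover the reasoning from the CL title.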
@@ -179,6 +181,13 @@ AncestorThrottle::HeaderDisposition AncestorThrottle::ParseHeader(
return HeaderDisposition::BYPASS;
}
}
+
+ iter = 0;
+ value = std::string();
+ while (headers->EnumerateHeader(&iter, "content-disposition", &value)) {
+ if (net::HttpContentDisposition(value, std::string()).is_attachment())
+ return HeaderDisposition::BYPASS;
+ }
}
return result;
}
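Review bot: the loop returns BYPASS as soon as any one of possibly several 'Content-Disposition' headers parses as an attachment, so a response carrying both an inline and an attachment value bypasses the ancestor check regardless of header order; please confirm this matches how the actual download decision treats duplicate headers, cover that case in the unit tests, and add a short comment above the loop stating the any-header semantics. Related: the bypass is granted purely from this header parse, before any download decision is made, so the two code paths must agree on what counts as an attachment or a response that is not downloaded after all would render with XFO unenforced.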
