
Unified Diff: Source/core/dom/Document.cpp

Issue 19940002: [HTML Import] Respect Content Security Policy Model (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fix mac build failure. Created 7 years, 5 months ago
Index: Source/core/dom/Document.cpp
diff --git a/Source/core/dom/Document.cpp b/Source/core/dom/Document.cpp
index 74fa3dadd01b7fd17f02e74f46a33b2782805bb2..4ee7388862e414246d8c7df31be04048f14fad1e 100644
--- a/Source/core/dom/Document.cpp
+++ b/Source/core/dom/Document.cpp
@@ -2637,7 +2637,20 @@ void Document::processHttpEquiv(const String& equiv, const String& content)
parseDNSPrefetchControlHeader(content);
else if (equalIgnoringCase(equiv, "x-frame-options"))
processHttpEquivXFrameOptions(content);
- else if (equalIgnoringCase(equiv, "content-security-policy"))
+ else if (equalIgnoringCase(equiv, "content-security-policy")
+ || equalIgnoringCase(equiv, "content-security-policy-report-only")
+ || equalIgnoringCase(equiv, "content-security-policy-report-only")
+ || equalIgnoringCase(equiv, "x-webkit-csp")
+ || equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
+ processHttpEquivContentSecurityPolicy(equiv, content);
+}
+
+void Document::processHttpEquivContentSecurityPolicy(const String& equiv, const String& content)
Mike West 2013/07/22 14:39:42 I like this cleanup, but it's unrelated to the cor
+{
+ if (!this->frame())
+ return;
+
+ if (equalIgnoringCase(equiv, "content-security-policy"))
contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Enforce);
else if (equalIgnoringCase(equiv, "content-security-policy-report-only"))
contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Report);
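Review bot: The operand `|| equalIgnoringCase(equiv, "content-security-policy-report-only")` appears twice in the new condition in processHttpEquiv; the second copy is redundant and should be dropped. In processHttpEquivContentSecurityPolicy, the `if (!this->frame()) return;` guard silently discards a meta-delivered policy for a frameless document. If that is intended (presumably because an import takes its policy from the master document, which this hunk does not show), it deserves a comment such as `// Frameless documents (e.g. imports) do not accept a policy of their own.` so the ignored header reads as a decision rather than an oversight. The body of processHttpEquivContentSecurityPolicy continues past the end of this hunk.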
@@ -2645,6 +2658,8 @@ void Document::processHttpEquiv(const String& equiv, const String& content)
contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedEnforce);
else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedReport);
+ else
+ ASSERT_NOT_REACHED();
}
void Document::processHttpEquivDefaultStyle(const String& content)
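Review bot: The new `else ASSERT_NOT_REACHED();` guards the dispatch chain only in builds with assertions enabled, and the four header names are now spelled out twice, once in the caller's condition and once in this chain. If a name is later added to the caller without a matching branch here, a release build would drop that policy without applying or reporting anything. A comment above the chain, for example `// Keep in sync with the header names tested in processHttpEquiv().`, would document the coupling. The start of this function is in the previous hunk.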
@@ -4200,7 +4215,7 @@ void Document::initSecurityContext(const DocumentInit& initializer)
return;
}
- if (!initializer.frame()) {
+ if (!initializer.hasSecurityContext()) {
// No source for a security context.
// This can occur via document.implementation.createDocument().
m_cookieURL = KURL(ParsedURLString, emptyString());
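Review bot: After the switch from `!initializer.frame()` to `!initializer.hasSecurityContext()`, the code below this early-out can no longer rely on a non-null frame as it did under the old check. `hasSecurityContext()` is defined outside this file section, so it is not visible here whether it can be true for a frameless document; if it can, any later use of `m_frame` or `initializer.frame()` in initSecurityContext needs its own null check. The existing comment also still names only createDocument() as the source; extending it, for example `// No frame and no owning import: no source for a security context.`, would state what the new predicate covers. The rest of the function lies outside the hunk.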
@@ -4274,10 +4289,10 @@ void Document::initSecurityContext(const DocumentInit& initializer)
void Document::initContentSecurityPolicy()
{
- if (!m_frame->tree()->parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))
- return;
-
- contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
+ if (m_frame && m_frame->tree()->parent() && (shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))
+ contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
+ if (HTMLImport* import = this->import())
+ contentSecurityPolicy()->copyStateFrom(import->master()->contentSecurityPolicy());
}
void Document::didUpdateSecurityOrigin()
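Review bot: In initContentSecurityPolicy the two `if` statements are independent, so a document that satisfies both would call `copyStateFrom` twice, and what the second call does to the first copy cannot be seen from this hunk. If the cases are meant to be exclusive, say so with `else if (HTMLImport* import = this->import())` or an assertion. `import->master()` is also dereferenced without a null check, and `copyStateFrom` is called once at initialisation, so policy the master receives after the import is created may not reach the import. A comment stating when the master's policy is considered final would help a reader confirm the import cannot run with a weaker policy than its master.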
