Source/core/dom/Document.cpp - Issue 19940002: [HTML Import] Respect Content Security Policy Model

Unified Diff: Source/core/dom/Document.cpp

Issue 19940002: [HTML Import] Respect Content Security Policy Model (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: Fix mac build failure. Created 7 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« LayoutTests/http/tests/htmlimports/csp-block-import-in-import.html ('K') | « Source/core/dom/Document.h ('k') | Source/core/dom/DocumentInit.h » ('j') | Source/core/dom/DocumentInit.cpp » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: Source/core/dom/Document.cpp

diff --git a/Source/core/dom/Document.cpp b/Source/core/dom/Document.cpp

index 74fa3dadd01b7fd17f02e74f46a33b2782805bb2..4ee7388862e414246d8c7df31be04048f14fad1e 100644

--- a/Source/core/dom/Document.cpp

+++ b/Source/core/dom/Document.cpp

@@ -2637,7 +2637,20 @@ void Document::processHttpEquiv(const String& equiv, const String& content)

parseDNSPrefetchControlHeader(content);

else if (equalIgnoringCase(equiv, "x-frame-options"))

processHttpEquivXFrameOptions(content);

- else if (equalIgnoringCase(equiv, "content-security-policy"))

+ else if (equalIgnoringCase(equiv, "content-security-policy")

+ || equalIgnoringCase(equiv, "content-security-policy-report-only")

+ || equalIgnoringCase(equiv, "x-webkit-csp")

+ || equalIgnoringCase(equiv, "x-webkit-csp-report-only"))

+ processHttpEquivContentSecurityPolicy(equiv, content);

+void Document::processHttpEquivContentSecurityPolicy(const String& equiv, const String& content)

Mike West 2013/07/22 14:39:42 I like this cleanup, but it's unrelated to the cor

+ if (!this->frame())

+ return;

+ if (equalIgnoringCase(equiv, "content-security-policy"))

contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Enforce);

else if (equalIgnoringCase(equiv, "content-security-policy-report-only"))

contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Report);

@@ -2645,6 +2658,8 @@ void Document::processHttpEquiv(const String& equiv, const String& content)

contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedEnforce);

else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only"))

contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedReport);

+ else

+ ASSERT_NOT_REACHED();

}

void Document::processHttpEquivDefaultStyle(const String& content)

@@ -4200,7 +4215,7 @@ void Document::initSecurityContext(const DocumentInit& initializer)

return;

}

- if (!initializer.frame()) {

+ if (!initializer.hasSecurityContext()) {

// No source for a security context.

// This can occur via document.implementation.createDocument().

m_cookieURL = KURL(ParsedURLString, emptyString());

@@ -4274,10 +4289,10 @@ void Document::initSecurityContext(const DocumentInit& initializer)

void Document::initContentSecurityPolicy()

{

- if (!m_frame->tree()->parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))

- return;

- contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());

+ if (m_frame && m_frame->tree()->parent() && (shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))

+ contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());

+ if (HTMLImport* import = this->import())

+ contentSecurityPolicy()->copyStateFrom(import->master()->contentSecurityPolicy());

}

void Document::didUpdateSecurityOrigin()

« LayoutTests/http/tests/htmlimports/csp-block-import-in-import.html ('K') | « Source/core/dom/Document.h ('k') | Source/core/dom/DocumentInit.h » ('j') | Source/core/dom/DocumentInit.cpp » ('J')