Chromium Code Reviews Chromium Code Reviews
Issue 2009453002:
service worker: Don't control a subframe of an insecure context (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: content/browser/service_worker/service_worker_controllee_request_handler.cc |
| diff --git a/content/browser/service_worker/service_worker_controllee_request_handler.cc b/content/browser/service_worker/service_worker_controllee_request_handler.cc |
| index 1187e94b3c0af5e11cd92a30733303c54dd10fcc..a770172e60534cf7c3c72b0af0962ce3bc1fc3a7 100644 |
| --- a/content/browser/service_worker/service_worker_controllee_request_handler.cc |
| +++ b/content/browser/service_worker/service_worker_controllee_request_handler.cc |
| @@ -212,6 +212,24 @@ ServiceWorkerControlleeRequestHandler::DidLookupRegistrationForMainResource( |
| return; |
| } |
| + if (!provider_host_->is_parent_frame_secure()) { |
| + std::set<std::string> schemes; |
| + GetContentClient() |
| + ->browser() |
| + ->GetSchemesBypassingSecureContextCheckWhitelist(&schemes); |
| + if (schemes.find(provider_host_->document_url().scheme()) == |
|
Marijn Kruisselbrink
2016/06/02 22:44:43
Would it make sense to combine both the is_parent_
falken
2016/06/03 08:22:05
I like that and ended up adopting your patch, than
|
| + schemes.end()) { |
| + // TODO(falken): Figure out a way to surface in the page's DevTools |
| + // console that the service worker was blocked for security. |
| + job_->FallbackToNetwork(); |
| + TRACE_EVENT_ASYNC_END1( |
| + "ServiceWorker", |
| + "ServiceWorkerControlleeRequestHandler::PrepareForMainResource", |
| + job_.get(), "Info", "Insecure context"); |
| + return; |
| + } |
| + } |
| + |
| if (need_to_update) { |
| force_update_started_ = true; |
| context_->UpdateServiceWorker( |
