| Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| index c08ee5f31a0503f3eaff2cf213ad4023c961e87e..68e7e5c3a133597070058aef6f9ac4de7f781300 100644
|
| --- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| +++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| @@ -515,18 +515,8 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Typ
|
| break;
|
| }
|
|
|
| - // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
|
| - bool shouldBypassMainWorldCSP = frame()->script().shouldBypassMainWorldCSP() || options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy;
|
| -
|
| - // Don't send CSP messages for preloads, we might never actually display those items.
|
| - ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ?
|
| - ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
|
| -
|
| - if (m_document) {
|
| - DCHECK(m_document->contentSecurityPolicy());
|
| - if (!shouldBypassMainWorldCSP && !m_document->contentSecurityPolicy()->allowRequest(resourceRequest.requestContext(), url, options.contentSecurityPolicyNonce, redirectStatus, cspReporting))
|
| - return ResourceRequestBlockedReasonCSP;
|
| - }
|
| + if (contentSecurityPolicyBlocksRequest(type, resourceRequest, url, options, forPreload, redirectStatus))
|
| + return ResourceRequestBlockedReasonCSP;
|
|
|
| if (type == Resource::Script || type == Resource::ImportResource) {
|
| ASSERT(frame());
|
| @@ -570,6 +560,37 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Typ
|
| return ResourceRequestBlockedReasonNone;
|
| }
|
|
|
| +bool FrameFetchContext::contentSecurityPolicyBlocksRequest(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, ResourceRequest::RedirectStatus redirectStatus) const
|
| +{
|
| + // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
|
| + if (!frame()->script().shouldBypassMainWorldCSP() && options.contentSecurityPolicyOption == CheckContentSecurityPolicy) {
|
| + // Don't send CSP messages for preloads, we might never actually display those items.
|
| + ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ? ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
|
| + if (m_document) {
|
| + DCHECK(m_document->contentSecurityPolicy());
|
| + if (!m_document->contentSecurityPolicy()->allowRequest(resourceRequest.requestContext(), url, options.contentSecurityPolicyNonce, redirectStatus, cspReporting))
|
| + return true;
|
| + } else if (type == Resource::MainResource) {
|
| + // When loading the main document of an iframe, we won't have a document
|
| + // yet. We instead need to grab the frame's parent's policy in order to
|
| + // perform 'frame-src' checks:
|
| + if (Frame* parentFrame = frame()->tree().parent()) {
|
| + if (!parentFrame->securityContext()->contentSecurityPolicy()->allowChildFrameFromSource(url, redirectStatus, cspReporting)) {
|
| + // TODO(mkwst): If we cancel the request after a redirect, we never instantiate
|
| + // a document, and therefore don't inherit the loader's sandbox flags, or trigger
|
| + // a load event. This is strange.
|
| + if (redirectStatus == ResourceRequest::RedirectStatus::FollowedRedirect) {
|
| + frame()->document()->enforceSandboxFlags(SandboxOrigin);
|
| + frame()->owner()->dispatchLoad();
|
| + }
|
| + return true;
|
| + }
|
| + }
|
| + }
|
| + }
|
| + return false;
|
| +}
|
| +
|
| bool FrameFetchContext::isControlledByServiceWorker() const
|
| {
|
| ASSERT(m_documentLoader || frame()->loader().documentLoader());
|
|
|
Chromium Code Reviews
Issue 2022083002:
Move 'frame-src' CSP checks into FrameFetchContext. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master