| 1 /* | 1 /* |
| 2 * Copyright (C) 2013 Google Inc. All rights reserved. | 2 * Copyright (C) 2013 Google Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions are | 5 * modification, are permitted provided that the following conditions are |
| 6 * met: | 6 * met: |
| 7 * | 7 * |
| 8 * * Redistributions of source code must retain the above copyright | 8 * * Redistributions of source code must retain the above copyright |
| 9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
| 10 * * Redistributions in binary form must reproduce the above | 10 * * Redistributions in binary form must reproduce the above |
| 439 else if (url.isLocalFile() || m_document->url().isLocalFile()) | 439 else if (url.isLocalFile() || m_document->url().isLocalFile()) |
| 440 message = "Unsafe attempt to load URL " + url.elidedString() + " from fr
ame with URL " + m_document->url().elidedString() + ". 'file:' URLs are treated
as unique security origins.\n"; | 440 message = "Unsafe attempt to load URL " + url.elidedString() + " from fr
ame with URL " + m_document->url().elidedString() + ". 'file:' URLs are treated
as unique security origins.\n"; |
| 441 else | 441 else |
| 442 message = "Unsafe attempt to load URL " + url.elidedString() + " from fr
ame with URL " + m_document->url().elidedString() + ". Domains, protocols and po
rts must match.\n"; | 442 message = "Unsafe attempt to load URL " + url.elidedString() + " from fr
ame with URL " + m_document->url().elidedString() + ". Domains, protocols and po
rts must match.\n"; |
| 443 | 443 |
| 444 frame()->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessag
eSource, ErrorMessageLevel, message)); | 444 frame()->document()->addConsoleMessage(ConsoleMessage::create(SecurityMessag
eSource, ErrorMessageLevel, message)); |
| 445 } | 445 } |
| 446 | 446 |
| 447 bool FrameFetchContext::canRequest(Resource::Type type, const ResourceRequest& r
esourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forP
reload, FetchRequest::OriginRestriction originRestriction) const | 447 bool FrameFetchContext::canRequest(Resource::Type type, const ResourceRequest& r
esourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forP
reload, FetchRequest::OriginRestriction originRestriction) const |
| 448 { | 448 { |
| 449 // As of CSP2, for requests that are the results of redirects, the match | 449 ResourceRequestBlockedReason reason = canRequestInternal(type, resourceReque
st, url, options, forPreload, originRestriction, resourceRequest.redirectStatus(
)); |
| 450 // algorithm should ignore the path component of the URL. | |
| 451 ContentSecurityPolicy::RedirectStatus redirectStatus = resourceRequest.follo
wedRedirect() ? ContentSecurityPolicy::DidRedirect : ContentSecurityPolicy::DidN
otRedirect; | |
| 452 | |
| 453 ResourceRequestBlockedReason reason = canRequestInternal(type, resourceReque
st, url, options, forPreload, originRestriction, redirectStatus); | |
| 454 if (reason != ResourceRequestBlockedReasonNone) { | 450 if (reason != ResourceRequestBlockedReasonNone) { |
| 455 if (!forPreload) | 451 if (!forPreload) |
| 456 InspectorInstrumentation::didBlockRequest(frame(), resourceRequest,
ensureLoaderForNotifications(), options.initiatorInfo, reason); | 452 InspectorInstrumentation::didBlockRequest(frame(), resourceRequest,
ensureLoaderForNotifications(), options.initiatorInfo, reason); |
| 457 return false; | 453 return false; |
| 458 } | 454 } |
| 459 return true; | 455 return true; |
| 460 } | 456 } |
| 461 | 457 |
| 462 bool FrameFetchContext::allowResponse(Resource::Type type, const ResourceRequest
& resourceRequest, const KURL& url, const ResourceLoaderOptions& options) const | 458 bool FrameFetchContext::allowResponse(Resource::Type type, const ResourceRequest
& resourceRequest, const KURL& url, const ResourceLoaderOptions& options) const |
| 463 { | 459 { |
| 464 ResourceRequestBlockedReason reason = canRequestInternal(type, resourceReque
st, url, options, false, FetchRequest::UseDefaultOriginRestrictionForType, Conte
ntSecurityPolicy::DidRedirect); | 460 ResourceRequestBlockedReason reason = canRequestInternal(type, resourceReque
st, url, options, false, FetchRequest::UseDefaultOriginRestrictionForType, Redir
ectStatus::FollowedRedirect); |
| 465 if (reason != ResourceRequestBlockedReasonNone) { | 461 if (reason != ResourceRequestBlockedReasonNone) { |
| 466 InspectorInstrumentation::didBlockRequest(frame(), resourceRequest, ensu
reLoaderForNotifications(), options.initiatorInfo, reason); | 462 InspectorInstrumentation::didBlockRequest(frame(), resourceRequest, ensu
reLoaderForNotifications(), options.initiatorInfo, reason); |
| 467 return false; | 463 return false; |
| 468 } | 464 } |
| 469 return true; | 465 return true; |
| 470 } | 466 } |
| 471 | 467 |
| 472 ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Typ
e type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceL
oaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRe
striction, ContentSecurityPolicy::RedirectStatus redirectStatus) const | 468 ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Typ
e type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceL
oaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRe
striction, ResourceRequest::RedirectStatus redirectStatus) const |
| 473 { | 469 { |
| 474 if (InspectorInstrumentation::shouldBlockRequest(frame(), resourceRequest)) | 470 if (InspectorInstrumentation::shouldBlockRequest(frame(), resourceRequest)) |
| 475 return ResourceRequestBlockedReasonInspector; | 471 return ResourceRequestBlockedReasonInspector; |
| 476 | 472 |
| 477 SecurityOrigin* securityOrigin = options.securityOrigin.get(); | 473 SecurityOrigin* securityOrigin = options.securityOrigin.get(); |
| 478 if (!securityOrigin && m_document) | 474 if (!securityOrigin && m_document) |
| 479 securityOrigin = m_document->getSecurityOrigin(); | 475 securityOrigin = m_document->getSecurityOrigin(); |
| 480 | 476 |
| 481 if (originRestriction != FetchRequest::NoOriginRestriction && securityOrigin
&& !securityOrigin->canDisplay(url)) { | 477 if (originRestriction != FetchRequest::NoOriginRestriction && securityOrigin
&& !securityOrigin->canDisplay(url)) { |
| 482 if (!forPreload) | 478 if (!forPreload) |
| 562 ASSERT(frame()->document()); | 558 ASSERT(frame()->document()); |
| 563 if (SchemeRegistry::shouldTreatURLSchemeAsLegacy(url.protocol()) && !Sch
emeRegistry::shouldTreatURLSchemeAsLegacy(frame()->document()->getSecurityOrigin
()->protocol())) | 559 if (SchemeRegistry::shouldTreatURLSchemeAsLegacy(url.protocol()) && !Sch
emeRegistry::shouldTreatURLSchemeAsLegacy(frame()->document()->getSecurityOrigin
()->protocol())) |
| 564 UseCounter::count(frame()->document(), UseCounter::LegacyProtocolEmb
eddedAsSubresource); | 560 UseCounter::count(frame()->document(), UseCounter::LegacyProtocolEmb
eddedAsSubresource); |
| 565 if (!url.user().isEmpty() || !url.pass().isEmpty()) | 561 if (!url.user().isEmpty() || !url.pass().isEmpty()) |
| 566 UseCounter::count(frame()->document(), UseCounter::RequestedSubresou
rceWithEmbeddedCredentials); | 562 UseCounter::count(frame()->document(), UseCounter::RequestedSubresou
rceWithEmbeddedCredentials); |
| 567 } | 563 } |
| 568 | 564 |
| 569 // Measure the number of pages that load resources after a redirect | 565 // Measure the number of pages that load resources after a redirect |
| 570 // when a CSP is active, to see if implementing CSP | 566 // when a CSP is active, to see if implementing CSP |
| 571 // 'unsafe-redirect' is feasible. | 567 // 'unsafe-redirect' is feasible. |
| 572 if (csp && csp->isActive() && resourceRequest.frameType() != WebURLRequest::
FrameTypeTopLevel && resourceRequest.frameType() != WebURLRequest::FrameTypeAuxi
liary && redirectStatus == ContentSecurityPolicy::DidRedirect) { | 568 if (csp && csp->isActive() && resourceRequest.frameType() != WebURLRequest::
FrameTypeTopLevel && resourceRequest.frameType() != WebURLRequest::FrameTypeAuxi
liary && redirectStatus == RedirectStatus::FollowedRedirect) { |
| 573 ASSERT(frame()->document()); | 569 ASSERT(frame()->document()); |
| 574 UseCounter::count(frame()->document(), UseCounter::ResourceLoadedAfterRe
directWithCSP); | 570 UseCounter::count(frame()->document(), UseCounter::ResourceLoadedAfterRe
directWithCSP); |
| 575 } | 571 } |
| 576 | 572 |
| 577 // Last of all, check for mixed content. We do this last so that when | 573 // Last of all, check for mixed content. We do this last so that when |
| 578 // folks block mixed content with a CSP policy, they don't get a warning. | 574 // folks block mixed content with a CSP policy, they don't get a warning. |
| 579 // They'll still get a warning in the console about CSP blocking the load. | 575 // They'll still get a warning in the console about CSP blocking the load. |
| 580 MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ? | 576 MixedContentChecker::ReportingStatus mixedContentReporting = forPreload ? |
| 581 MixedContentChecker::SuppressReport : MixedContentChecker::SendReport; | 577 MixedContentChecker::SuppressReport : MixedContentChecker::SendReport; |
| 582 if (MixedContentChecker::shouldBlockFetch(frame(), resourceRequest, url, mix
edContentReporting)) | 578 if (MixedContentChecker::shouldBlockFetch(frame(), resourceRequest, url, mix
edContentReporting)) |
| 817 } | 813 } |
| 818 | 814 |
| 819 DEFINE_TRACE(FrameFetchContext) | 815 DEFINE_TRACE(FrameFetchContext) |
| 820 { | 816 { |
| 821 visitor->trace(m_document); | 817 visitor->trace(m_document); |
| 822 visitor->trace(m_documentLoader); | 818 visitor->trace(m_documentLoader); |
| 823 FetchContext::trace(visitor); | 819 FetchContext::trace(visitor); |
| 824 } | 820 } |
| 825 | 821 |
| 826 } // namespace blink | 822 } // namespace blink |
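Review bot: The rationale comment the old canRequest carried ("As of CSP2, for requests that are the results of redirects, the match algorithm should ignore the path component of the URL") is dropped together with the local redirectStatus variable, so the new single-line call at new line 449 no longer says why the request's redirect status is forwarded to canRequestInternal. Suggest keeping it above the call: `// As of CSP2 the source-expression match ignores the URL path for requests that result from a redirect; forward the request's redirect status so canRequestInternal can apply that relaxation.` Because that path-ignoring relaxation now follows resourceRequest.redirectStatus() instead of followedRedirect(), the accuracy of that field is what keeps a request that never redirected from being matched without its path, which is worth a line in the comment and presumably exercised by the existing CSP redirect tests (not visible from here). allowResponse at new line 460 hard-codes RedirectStatus::FollowedRedirect exactly as the old code did with DidRedirect; a short comment stating that the response-time check is deliberately evaluated as post-redirect would spare the next reader the same question.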