Revert of Move 'frame-src' CSP checks into FrameFetchContext.

third_party/WebKit/Source/core/loader/FrameLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008 Alp Toker <alp@atoker.com>
  * Copyright (C) Research In Motion Limited 2009. All rights reserved.
  * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ skipping 183 matching lines @@
     visitor->trace(m_provisionalItem);
     visitor->trace(m_deferredHistoryLoad);
 }
 
 void FrameLoader::init()
 {
     ResourceRequest initialRequest(KURL(ParsedURLString, emptyString()));
     initialRequest.setRequestContext(WebURLRequest::RequestContextInternal);
     initialRequest.setFrameType(m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested);
     m_provisionalDocumentLoader = client()->createDocumentLoader(m_frame, initialRequest, SubstituteData());
-    m_provisionalDocumentLoader->startLoadingMainResource(CheckContentSecurityPolicy);
+    m_provisionalDocumentLoader->startLoadingMainResource();
     m_frame->document()->cancelParsing();
     m_stateMachine.advanceTo(FrameLoaderStateMachine::DisplayingInitialEmptyDocument);
     takeObjectSnapshot();
 }
 
 FrameLoaderClient* FrameLoader::client() const
 {
     return static_cast<FrameLoaderClient*>(m_frame->client());
 }
 
@@ skipping 1136 matching lines @@
         }
 
         if (i == targetFrames.size())
             shouldClose = true;
     }
 
     return shouldClose;
 }
 
 bool FrameLoader::shouldContinueForNavigationPolicy(const ResourceRequest& request, const SubstituteData& substituteData,
-    DocumentLoader* loader, NavigationType type, NavigationPolicy policy, bool replacesCurrentHistoryItem, bool isClientRedirect)
+    DocumentLoader* loader, ContentSecurityPolicyDisposition shouldCheckMainWorldContentSecurityPolicy,
+    NavigationType type, NavigationPolicy policy, bool replacesCurrentHistoryItem, bool isClientRedirect)
 {
     // Don't ask if we are loading an empty URL.
     if (request.url().isEmpty() || substituteData.isValid())
         return true;
 
-    // TODO(mkwst): Look into moving this to 'FrameFetchContext::canRequestInternal' alongside the
-    // 'frame-src' checks.
+    // If we're loading content into a subframe, check against the parent's Content Security Policy
+    // and kill the load if that check fails, unless we should bypass the main world's CSP.
+    if (shouldCheckMainWorldContentSecurityPolicy == CheckContentSecurityPolicy) {
+        Frame* parentFrame = m_frame->tree().parent();
+        if (parentFrame) {
+            ContentSecurityPolicy* parentPolicy = parentFrame->securityContext()->contentSecurityPolicy();
+            if (!parentPolicy->allowChildFrameFromSource(request.url(), request.redirectStatus())) {
+                // Fire a load event, as timing attacks would otherwise reveal that the
+                // frame was blocked. This way, it looks like every other cross-origin
+                // page load.
+                m_frame->document()->enforceSandboxFlags(SandboxOrigin);
+                m_frame->owner()->dispatchLoad();
+                return false;
+            }
+        }
+    }
+
     bool isFormSubmission = type == NavigationTypeFormSubmitted || type == NavigationTypeFormResubmitted;
     if (isFormSubmission && !m_frame->document()->contentSecurityPolicy()->allowFormAction(request.url()))
         return false;
 
     policy = client()->decidePolicyForNavigation(request, loader, type, policy, replacesCurrentHistoryItem, isClientRedirect);
     if (policy == NavigationPolicyCurrentTab)
         return true;
     if (policy == NavigationPolicyIgnore)
         return false;
     if (policy == NavigationPolicyHandledByClient) {
@@ skipping 10 matching lines @@
 void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest, FrameLoadType type, NavigationPolicy navigationPolicy)
 {
     ASSERT(client()->hasWebView());
     if (m_frame->document()->pageDismissalEventBeingDispatched() != Document::NoDismissal)
         return;
 
     NavigationType navigationType = determineNavigationType(type, frameLoadRequest.resourceRequest().httpBody() || frameLoadRequest.form(), frameLoadRequest.triggeringEvent());
     frameLoadRequest.resourceRequest().setRequestContext(determineRequestContextFromNavigationType(navigationType));
     frameLoadRequest.resourceRequest().setFrameType(m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested);
     ResourceRequest& request = frameLoadRequest.resourceRequest();
-    if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteData(), nullptr, navigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLoadRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect))
+    if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteData(), nullptr, frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), navigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLoadRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect))
         return;
 
     m_frame->document()->cancelParsing();
     if (m_provisionalDocumentLoader) {
         FrameNavigationDisabler navigationDisabler(*m_frame);
         detachDocumentLoader(m_provisionalDocumentLoader);
     }
 
     // beforeunload fired above, and detaching a DocumentLoader can fire
     // events, which can detach this frame.
@@ skipping 15 matching lines @@
     if (frameLoadRequest.form())
         client()->dispatchWillSubmitForm(frameLoadRequest.form());
 
     m_progressTracker->progressStarted();
     if (m_provisionalDocumentLoader->isClientRedirect())
         m_provisionalDocumentLoader->appendRedirect(m_frame->document()->url());
     m_provisionalDocumentLoader->appendRedirect(m_provisionalDocumentLoader->request().url());
     double triggeringEventTime = frameLoadRequest.triggeringEvent() ? frameLoadRequest.triggeringEvent()->platformTimeStamp() : 0;
     client()->dispatchDidStartProvisionalLoad(triggeringEventTime);
     ASSERT(m_provisionalDocumentLoader);
-    m_provisionalDocumentLoader->startLoadingMainResource(frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy());
+    m_provisionalDocumentLoader->startLoadingMainResource();
 
     takeObjectSnapshot();
 }
 
 void FrameLoader::applyUserAgent(ResourceRequest& request)
 {
     String userAgent = this->userAgent();
     ASSERT(!userAgent.isNull());
     request.setHTTPUserAgent(AtomicString(userAgent));
 }
@@ skipping 146 matching lines @@
     tracedValue->setString("documentLoaderURL", m_documentLoader ? m_documentLoader->url() : String());
     return tracedValue;
 }
 
 inline void FrameLoader::takeObjectSnapshot() const
 {
     TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, toTracedValue());
 }
 
 } // namespace blink