| Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| index 23f6b6e72df84e308ed07e8af68048a261f6c717..f09d2ece98f445c40de0f3ebdabb3a5295bc29b7 100644
|
| --- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| +++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
|
| @@ -526,8 +526,18 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Typ
|
| break;
|
| }
|
|
|
| - if (contentSecurityPolicyBlocksRequest(type, resourceRequest, url, options, forPreload, redirectStatus))
|
| - return ResourceRequestBlockedReasonCSP;
|
| + // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
|
| + bool shouldBypassMainWorldCSP = frame()->script().shouldBypassMainWorldCSP() || options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy;
|
| +
|
| + // Don't send CSP messages for preloads, we might never actually display those items.
|
| + ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ?
|
| + ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
|
| +
|
| + if (m_document) {
|
| + DCHECK(m_document->contentSecurityPolicy());
|
| + if (!shouldBypassMainWorldCSP && !m_document->contentSecurityPolicy()->allowRequest(resourceRequest.requestContext(), url, options.contentSecurityPolicyNonce, redirectStatus, cspReporting))
|
| + return ResourceRequestBlockedReasonCSP;
|
| + }
|
|
|
| if (type == Resource::Script || type == Resource::ImportResource) {
|
| ASSERT(frame());
|
| @@ -576,37 +586,6 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Typ
|
| return ResourceRequestBlockedReasonNone;
|
| }
|
|
|
| -bool FrameFetchContext::contentSecurityPolicyBlocksRequest(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, ResourceRequest::RedirectStatus redirectStatus) const
|
| -{
|
| - // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
|
| - if (!frame()->script().shouldBypassMainWorldCSP() && options.contentSecurityPolicyOption == CheckContentSecurityPolicy) {
|
| - // Don't send CSP messages for preloads, we might never actually display those items.
|
| - ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ? ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
|
| - if (m_document) {
|
| - DCHECK(m_document->contentSecurityPolicy());
|
| - if (!m_document->contentSecurityPolicy()->allowRequest(resourceRequest.requestContext(), url, options.contentSecurityPolicyNonce, redirectStatus, cspReporting))
|
| - return true;
|
| - } else if (type == Resource::MainResource) {
|
| - // When loading the main document of an iframe, we won't have a document
|
| - // yet. We instead need to grab the frame's parent's policy in order to
|
| - // perform 'frame-src' checks:
|
| - if (Frame* parentFrame = frame()->tree().parent()) {
|
| - if (!parentFrame->securityContext()->contentSecurityPolicy()->allowChildFrameFromSource(url, redirectStatus, cspReporting)) {
|
| - // TODO(mkwst): If we cancel the request after a redirect, we never instantiate
|
| - // a document, and therefore don't inherit the loader's sandbox flags, or trigger
|
| - // a load event. This is strange.
|
| - if (redirectStatus == ResourceRequest::RedirectStatus::FollowedRedirect) {
|
| - frame()->document()->enforceSandboxFlags(SandboxOrigin);
|
| - frame()->owner()->dispatchLoad();
|
| - }
|
| - return true;
|
| - }
|
| - }
|
| - }
|
| - }
|
| - return false;
|
| -}
|
| -
|
| bool FrameFetchContext::isControlledByServiceWorker() const
|
| {
|
| ASSERT(m_documentLoader || frame()->loader().documentLoader());
|
|
|
Chromium Code Reviews
Issue 2068443002:
Revert of Move 'frame-src' CSP checks into FrameFetchContext. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master