third_party/WebKit/Source/web/WebLocalFrameImpl.cpp - Issue 2190183002: Forward CSP violation reporting from RenderFrameProxy to RenderFrameImpl.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

Issue 2190183002: Forward CSP violation reporting from RenderFrameProxy to RenderFrameImpl. Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Sanitize report endpoints from IPC against actual CSP contents. Created 4 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

diff --git a/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp b/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

index fc1a846d6d6379fd01d8e89ad50fd1f2a924087c..8264c2fbb12df4a0ef35cd51151e22ba3aa5f902 100644

--- a/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

+++ b/third_party/WebKit/Source/web/WebLocalFrameImpl.cpp

@@ -2246,4 +2246,52 @@ void WebLocalFrameImpl::usageCountChromeLoadTimes(const WebString& metric)

UseCounter::count(frame(), feature);

}

+void WebLocalFrameImpl::reportContentSecurityPolicyViolation(

+ const WebString& directiveText,

+ const WebString& effectiveDirective,

+ const WebString& consoleMessage,

+ const WebURL& blockedURL,

+ const WebVector<WebString>& reportEndpoints,

+ const WebString& header,

+ WebContentSecurityPolicyViolationType violationType,

+ bool followedRedirect)

+ ContentSecurityPolicy* policy = m_frame->securityContext()->contentSecurityPolicy();

+ Vector<String> coreReportEndpoints;

+ coreReportEndpoints.reserveInitialCapacity(reportEndpoints.size());

+ for (const WebString& reportEndpoint : reportEndpoints) {

+ // |reportEndpoints| comes from another renderer process - restrict it

+ // to endpoints actually covered by our Content Security Policy.

+ if (policy->coversReportEndpoint(reportEndpoint))

+ coreReportEndpoints.append(reportEndpoint);

+ }

+ auto redirectStatus = followedRedirect

+ ? ResourceRequest::RedirectStatus::FollowedRedirect

+ : ResourceRequest::RedirectStatus::NoRedirect;

+ // This method has no |contextLine| parameter, because source information

+ // should not be disclosed cross-site and therefore caller of this method

+ // (by design) does not have access to the line number associated with this

+ // Content Security Policy violation.

+ int contextLine = 0;

+ policy->logToConsole(ConsoleMessage::create(

+ SecurityMessageSource,

+ ErrorMessageLevel,

+ consoleMessage));

+ policy->reportViolation(

+ directiveText,

+ effectiveDirective,

+ consoleMessage,

+ blockedURL,

+ coreReportEndpoints,

+ header,

+ static_cast<ContentSecurityPolicy::ViolationType>(violationType),

+ nullptr, // contextFrame

+ redirectStatus,

+ contextLine);

} // namespace blink

« no previous file with comments | « third_party/WebKit/Source/web/WebLocalFrameImpl.h ('k') | third_party/WebKit/public/web/WebContentSecurityPolicy.h » ('j') | no next file with comments »