| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved. | 2 * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved. |
| 3 * Copyright (C) 2011 Google Inc. All rights reserved. | 3 * Copyright (C) 2011 Google Inc. All rights reserved. |
| 4 * | 4 * |
| 5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
| 6 * modification, are permitted provided that the following conditions | 6 * modification, are permitted provided that the following conditions |
| 7 * are met: | 7 * are met: |
| 8 * | 8 * |
| 9 * 1. Redistributions of source code must retain the above copyright | 9 * 1. Redistributions of source code must retain the above copyright |
| 10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 102 m_originalRequest(req), | 102 m_originalRequest(req), |
| 103 m_substituteData(substituteData), | 103 m_substituteData(substituteData), |
| 104 m_request(req), | 104 m_request(req), |
| 105 m_isClientRedirect(false), | 105 m_isClientRedirect(false), |
| 106 m_replacesCurrentHistoryItem(false), | 106 m_replacesCurrentHistoryItem(false), |
| 107 m_dataReceived(false), | 107 m_dataReceived(false), |
| 108 m_navigationType(NavigationTypeOther), | 108 m_navigationType(NavigationTypeOther), |
| 109 m_documentLoadTiming(*this), | 109 m_documentLoadTiming(*this), |
| 110 m_timeOfLastDataReceived(0.0), | 110 m_timeOfLastDataReceived(0.0), |
| 111 m_applicationCacheHost(ApplicationCacheHost::create(this)), | 111 m_applicationCacheHost(ApplicationCacheHost::create(this)), |
| 112 m_wasBlockedAfterXFrameOptionsOrCSP(false), | 112 m_wasBlockedAfterCSP(false), |
| 113 m_state(NotStarted), | 113 m_state(NotStarted), |
| 114 m_inDataReceived(false), | 114 m_inDataReceived(false), |
| 115 m_dataBuffer(SharedBuffer::create()) {} | 115 m_dataBuffer(SharedBuffer::create()) {} |
| 116 | 116 |
| 117 FrameLoader* DocumentLoader::frameLoader() const { | 117 FrameLoader* DocumentLoader::frameLoader() const { |
| 118 if (!m_frame) | 118 if (!m_frame) |
| 119 return nullptr; | 119 return nullptr; |
| 120 return &m_frame->loader(); | 120 return &m_frame->loader(); |
| 121 } | 121 } |
| 122 | 122 |
| (...skipping 144 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 267 DCHECK(m_mainResource); | 267 DCHECK(m_mainResource); |
| 268 | 268 |
| 269 if (!m_mainResource->errorOccurred() && !m_mainResource->wasCanceled()) { | 269 if (!m_mainResource->errorOccurred() && !m_mainResource->wasCanceled()) { |
| 270 finishedLoading(m_mainResource->loadFinishTime()); | 270 finishedLoading(m_mainResource->loadFinishTime()); |
| 271 return; | 271 return; |
| 272 } | 272 } |
| 273 | 273 |
| 274 if (m_applicationCacheHost) | 274 if (m_applicationCacheHost) |
| 275 m_applicationCacheHost->failedLoadingMainResource(); | 275 m_applicationCacheHost->failedLoadingMainResource(); |
| 276 m_state = MainResourceDone; | 276 m_state = MainResourceDone; |
| 277 |
| 278 if (m_mainResource->resourceError().wasBlockedByResponse()) { |
| 279 InspectorInstrumentation::canceledAfterReceivedResourceResponse( |
| 280 m_frame, this, mainResourceIdentifier(), resource->response(), |
| 281 m_mainResource.get()); |
| 282 } |
| 283 |
| 277 frameLoader()->loadFailed(this, m_mainResource->resourceError()); | 284 frameLoader()->loadFailed(this, m_mainResource->resourceError()); |
| 278 clearMainResourceHandle(); | 285 clearMainResourceHandle(); |
| 279 } | 286 } |
| 280 | 287 |
| 281 void DocumentLoader::finishedLoading(double finishTime) { | 288 void DocumentLoader::finishedLoading(double finishTime) { |
| 282 DCHECK(m_frame->loader().stateMachine()->creatingInitialEmptyDocument() || | 289 DCHECK(m_frame->loader().stateMachine()->creatingInitialEmptyDocument() || |
| 283 !m_frame->page()->defersLoading() || | 290 !m_frame->page()->defersLoading() || |
| 284 InspectorInstrumentation::isDebuggerPaused(m_frame)); | 291 InspectorInstrumentation::isDebuggerPaused(m_frame)); |
| 285 | 292 |
| 286 double responseEndTime = finishTime; | 293 double responseEndTime = finishTime; |
| (...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 371 // Downloading is handled by the embedder, but we still get the initial | 378 // Downloading is handled by the embedder, but we still get the initial |
| 372 // response so that we can ignore it and clean up properly. | 379 // response so that we can ignore it and clean up properly. |
| 373 return false; | 380 return false; |
| 374 } | 381 } |
| 375 | 382 |
| 376 if (!canShowMIMEType(m_response.mimeType(), m_frame)) | 383 if (!canShowMIMEType(m_response.mimeType(), m_frame)) |
| 377 return false; | 384 return false; |
| 378 return true; | 385 return true; |
| 379 } | 386 } |
| 380 | 387 |
| 381 void DocumentLoader::cancelLoadAfterXFrameOptionsOrCSPDenied( | 388 void DocumentLoader::cancelLoadAfterCSPDenied( |
| 382 const ResourceResponse& response) { | 389 const ResourceResponse& response) { |
| 383 InspectorInstrumentation::continueAfterXFrameOptionsDenied( | 390 InspectorInstrumentation::canceledAfterReceivedResourceResponse( |
| 384 m_frame, this, mainResourceIdentifier(), response, m_mainResource.get()); | 391 m_frame, this, mainResourceIdentifier(), response, m_mainResource.get()); |
| 385 | 392 |
| 386 setWasBlockedAfterXFrameOptionsOrCSP(); | 393 setWasBlockedAfterCSP(); |
| 387 | 394 |
| 388 // Pretend that this was an empty HTTP 200 response. Don't reuse the original | 395 // Pretend that this was an empty HTTP 200 response. Don't reuse the original |
| 389 // URL for the empty page (https://crbug.com/622385). | 396 // URL for the empty page (https://crbug.com/622385). |
| 390 // | 397 // |
| 391 // TODO(mkwst): Remove this once XFO moves to the browser. | 398 // TODO(mkwst): Remove this once XFO moves to the browser. |
| 392 // https://crbug.com/555418. | 399 // https://crbug.com/555418. |
| 393 clearMainResourceHandle(); | 400 clearMainResourceHandle(); |
| 394 KURL blockedURL = SecurityOrigin::urlWithUniqueSecurityOrigin(); | 401 KURL blockedURL = SecurityOrigin::urlWithUniqueSecurityOrigin(); |
| 395 m_originalRequest.setURL(blockedURL); | 402 m_originalRequest.setURL(blockedURL); |
| 396 m_request.setURL(blockedURL); | 403 m_request.setURL(blockedURL); |
| (...skipping 20 matching lines...) Expand all Loading... |
| 417 // we don't save the result for future use. All responses loaded from appcache | 424 // we don't save the result for future use. All responses loaded from appcache |
| 418 // will have a non-zero appCacheID(). | 425 // will have a non-zero appCacheID(). |
| 419 if (response.appCacheID()) | 426 if (response.appCacheID()) |
| 420 memoryCache()->remove(m_mainResource.get()); | 427 memoryCache()->remove(m_mainResource.get()); |
| 421 | 428 |
| 422 m_contentSecurityPolicy = ContentSecurityPolicy::create(); | 429 m_contentSecurityPolicy = ContentSecurityPolicy::create(); |
| 423 m_contentSecurityPolicy->setOverrideURLForSelf(response.url()); | 430 m_contentSecurityPolicy->setOverrideURLForSelf(response.url()); |
| 424 m_contentSecurityPolicy->didReceiveHeaders( | 431 m_contentSecurityPolicy->didReceiveHeaders( |
| 425 ContentSecurityPolicyResponseHeaders(response)); | 432 ContentSecurityPolicyResponseHeaders(response)); |
| 426 if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) { | 433 if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) { |
| 427 cancelLoadAfterXFrameOptionsOrCSPDenied(response); | 434 cancelLoadAfterCSPDenied(response); |
| 428 return; | 435 return; |
| 429 } | 436 } |
| 430 | 437 |
| 431 // 'frame-ancestors' obviates 'x-frame-options': | |
| 432 // https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancest
ors-and-frame-options | |
| 433 if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) { | |
| 434 HTTPHeaderMap::const_iterator it = | |
| 435 response.httpHeaderFields().find(HTTPNames::X_Frame_Options); | |
| 436 if (it != response.httpHeaderFields().end()) { | |
| 437 String content = it->value; | |
| 438 if (frameLoader()->shouldInterruptLoadForXFrameOptions( | |
| 439 content, response.url(), mainResourceIdentifier())) { | |
| 440 String message = "Refused to display '" + | |
| 441 response.url().elidedString() + | |
| 442 "' in a frame because it set 'X-Frame-Options' to '" + | |
| 443 content + "'."; | |
| 444 ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( | |
| 445 SecurityMessageSource, ErrorMessageLevel, message, response.url(), | |
| 446 mainResourceIdentifier()); | |
| 447 frame()->document()->addConsoleMessage(consoleMessage); | |
| 448 | |
| 449 cancelLoadAfterXFrameOptionsOrCSPDenied(response); | |
| 450 return; | |
| 451 } | |
| 452 } | |
| 453 } | |
| 454 | |
| 455 if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && | 438 if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && |
| 456 !frameLoader()->requiredCSP().isEmpty()) { | 439 !frameLoader()->requiredCSP().isEmpty()) { |
| 457 SecurityOrigin* parentSecurityOrigin = | 440 SecurityOrigin* parentSecurityOrigin = |
| 458 frame()->tree().parent()->securityContext()->getSecurityOrigin(); | 441 frame()->tree().parent()->securityContext()->getSecurityOrigin(); |
| 459 if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( | 442 if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
| 460 response, parentSecurityOrigin)) { | 443 response, parentSecurityOrigin)) { |
| 461 m_contentSecurityPolicy->addPolicyFromHeaderValue( | 444 m_contentSecurityPolicy->addPolicyFromHeaderValue( |
| 462 frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, | 445 frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
| 463 ContentSecurityPolicyHeaderSourceHTTP); | 446 ContentSecurityPolicyHeaderSourceHTTP); |
| 464 } else { | 447 } else { |
| 465 String message = "Refused to display '" + response.url().elidedString() + | 448 String message = "Refused to display '" + response.url().elidedString() + |
| 466 "' because it has not opted-into the following policy " | 449 "' because it has not opted-into the following policy " |
| 467 "required by its embedder: '" + | 450 "required by its embedder: '" + |
| 468 frameLoader()->requiredCSP() + "'."; | 451 frameLoader()->requiredCSP() + "'."; |
| 469 ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( | 452 ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( |
| 470 SecurityMessageSource, ErrorMessageLevel, message, response.url(), | 453 SecurityMessageSource, ErrorMessageLevel, message, response.url(), |
| 471 mainResourceIdentifier()); | 454 mainResourceIdentifier()); |
| 472 frame()->document()->addConsoleMessage(consoleMessage); | 455 frame()->document()->addConsoleMessage(consoleMessage); |
| 473 cancelLoadAfterXFrameOptionsOrCSPDenied(response); | 456 cancelLoadAfterCSPDenied(response); |
| 474 return; | 457 return; |
| 475 } | 458 } |
| 476 } | 459 } |
| 477 | 460 |
| 478 DCHECK(!m_frame->page()->defersLoading()); | 461 DCHECK(!m_frame->page()->defersLoading()); |
| 479 | 462 |
| 480 m_response = response; | 463 m_response = response; |
| 481 | 464 |
| 482 if (isArchiveMIMEType(m_response.mimeType()) && | 465 if (isArchiveMIMEType(m_response.mimeType()) && |
| 483 m_mainResource->getDataBufferingPolicy() != BufferData) | 466 m_mainResource->getDataBufferingPolicy() != BufferData) |
| (...skipping 303 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 787 m_writer ? m_writer->encoding() : emptyAtom, true, | 770 m_writer ? m_writer->encoding() : emptyAtom, true, |
| 788 ForceSynchronousParsing); | 771 ForceSynchronousParsing); |
| 789 if (!source.isNull()) | 772 if (!source.isNull()) |
| 790 m_writer->appendReplacingData(source); | 773 m_writer->appendReplacingData(source); |
| 791 endWriting(); | 774 endWriting(); |
| 792 } | 775 } |
| 793 | 776 |
| 794 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader); | 777 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader); |
| 795 | 778 |
| 796 } // namespace blink | 779 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2321503002:
(Re-)introduce AncestorThrottle to handle 'X-Frame-Options'. (Closed)
