(Re-)introduce AncestorThrottle to handle 'X-Frame-Options'.

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 91 matching lines @@
     , m_originalRequest(req)
     , m_substituteData(substituteData)
     , m_request(req)
     , m_isClientRedirect(false)
     , m_replacesCurrentHistoryItem(false)
     , m_dataReceived(false)
     , m_navigationType(NavigationTypeOther)
     , m_documentLoadTiming(*this)
     , m_timeOfLastDataReceived(0.0)
     , m_applicationCacheHost(ApplicationCacheHost::create(this))
-    , m_wasBlockedAfterXFrameOptionsOrCSP(false)
+    , m_wasBlockedAfterCSP(false)
     , m_state(NotStarted)
     , m_inDataReceived(false)
     , m_dataBuffer(SharedBuffer::create())
 {
 }
 
 FrameLoader* DocumentLoader::frameLoader() const
 {
     if (!m_frame)
         return nullptr;
@@ skipping 147 matching lines @@
     ASSERT(m_mainResource);
 
     if (!m_mainResource->errorOccurred() && !m_mainResource->wasCanceled()) {
         finishedLoading(m_mainResource->loadFinishTime());
         return;
     }
 
     if (m_applicationCacheHost)
         m_applicationCacheHost->failedLoadingMainResource();
     m_state = MainResourceDone;
+
+    if (m_mainResource->resourceError().wasBlockedByResponse())
+        InspectorInstrumentation::canceledAfterReceivedResourceResponse(m_frame, this, mainResourceIdentifier(), resource->response(), m_mainResource.get());
+
     frameLoader()->loadFailed(this, m_mainResource->resourceError());
     clearMainResourceHandle();
 }
 
 void DocumentLoader::finishedLoading(double finishTime)
 {
     DCHECK(m_frame->loader().stateMachine()->creatingInitialEmptyDocument()
         || !m_frame->page()->defersLoading()
         || InspectorInstrumentation::isDebuggerPaused(m_frame));
 
@@ skipping 75 matching lines @@
         // Downloading is handled by the embedder, but we still get the initial
         // response so that we can ignore it and clean up properly.
         return false;
     }
 
     if (!canShowMIMEType(m_response.mimeType(), m_frame))
         return false;
     return true;
 }
 
-void DocumentLoader::cancelLoadAfterXFrameOptionsOrCSPDenied(const ResourceResponse& response)
+void DocumentLoader::cancelLoadAfterCSPDenied(const ResourceResponse& response)
 {
-    InspectorInstrumentation::continueAfterXFrameOptionsDenied(m_frame, this, mainResourceIdentifier(), response, m_mainResource.get());
+    InspectorInstrumentation::canceledAfterReceivedResourceResponse(m_frame, this, mainResourceIdentifier(), response, m_mainResource.get());
 
-    setWasBlockedAfterXFrameOptionsOrCSP();
+    setWasBlockedAfterCSP();
 
     // Pretend that this was an empty HTTP 200 response.  Don't reuse the
     // original URL for the empty page (https://crbug.com/622385).
     //
     // TODO(mkwst):  Remove this once XFO moves to the browser.
     // https://crbug.com/555418.
     clearMainResourceHandle();
     KURL blockedURL = SecurityOrigin::urlWithUniqueSecurityOrigin();
     m_originalRequest.setURL(blockedURL);
     m_request.setURL(blockedURL);
@@ skipping 16 matching lines @@
     // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served
     // from the application cache, ensure we don't save the result for future use. All responses loaded
     // from appcache will have a non-zero appCacheID().
     if (response.appCacheID())
         memoryCache()->remove(m_mainResource.get());
 
     m_contentSecurityPolicy = ContentSecurityPolicy::create();
     m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
     m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
     if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
-        cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+        cancelLoadAfterCSPDenied(response);
         return;
     }
 
-    // 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
-    if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
-        HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(HTTPNames::X_Frame_Options);
-        if (it != response.httpHeaderFields().end()) {
-            String content = it->value;
-            if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
-                String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
-                ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(SecurityMessageSource, ErrorMessageLevel, message, response.url(), mainResourceIdentifier());
-                frame()->document()->addConsoleMessage(consoleMessage);
-
-                cancelLoadAfterXFrameOptionsOrCSPDenied(response);
-                return;
-            }
-        }
-    }
-
     ASSERT(!m_frame->page()->defersLoading());
 
     m_response = response;
 
     if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->getDataBufferingPolicy() != BufferData)
         m_mainResource->setDataBufferingPolicy(BufferData);
 
     if (!shouldContinueForResponse()) {
         InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response, m_mainResource.get());
         m_fetcher->stopFetching();
@@ skipping 274 matching lines @@
 {
     m_writer = createWriterFor(init, mimeType(), m_writer ? m_writer->encoding() : emptyAtom, true, ForceSynchronousParsing);
     if (!source.isNull())
         m_writer->appendReplacingData(source);
     endWriting(m_writer.get());
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 } // namespace blink