Index: content/browser/child_process_security_policy_impl.cc |
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc |
index 652a7ac175420cba631376bba186834094a5d1f8..4fe230aea4fc4cb9407dc64bb93135921c486278 100644 |
--- a/content/browser/child_process_security_policy_impl.cc |
+++ b/content/browser/child_process_security_policy_impl.cc |
@@ -308,6 +308,8 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
RegisterPseudoScheme(url::kAboutScheme); |
RegisterPseudoScheme(url::kJavaScriptScheme); |
RegisterPseudoScheme(kViewSourceScheme); |
+ RegisterPseudoScheme(kHttpSuboriginScheme); |
nasko
2016/09/22 23:53:42
I'll poke at this tomorrow, but now that we have a
jww
2016/09/23 04:12:44
Fair question. My impression was that all schemes
nasko
2016/09/23 21:59:48
Yeah, I poked around a bit and indeed it is a good
|
+ RegisterPseudoScheme(kHttpsSuboriginScheme); |
} |
ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { |
@@ -617,6 +619,19 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, |
} |
} |
+bool ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader(int child_id, |
+ const GURL& url) { |
+ if (!url.is_valid()) |
+ return false; // Can't set invalid URLs as origin headers. |
+ |
+ // Suborigin URLs are a special case and are allowed to be an origin header. |
+ if (IsPseudoScheme(url.scheme()) && (url.scheme() == kHttpSuboriginScheme || |
nasko
2016/09/23 21:59:47
You technically don't need the IsPseudoScheme chec
jww
2016/09/23 22:52:27
Done.
|
+ url.scheme() == kHttpsSuboriginScheme)) |
+ return true; |
+ |
+ return CanCommitURL(child_id, url); |
+} |
+ |
bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, |
const base::FilePath& file) { |
return HasPermissionsForFile(child_id, file, READ_FILE_GRANT); |
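Review bot: In CanSetAsOriginHeader the suborigin branch returns `true` without ever consulting `child_id`, so for a URL whose scheme is kHttpSuboriginScheme or kHttpsSuboriginScheme the answer is the same for every child process, including one that might fail CanCommitURL for the same host under plain http/https. If that is intended because CanCommitURL rejects pseudo schemes (its body is outside this hunk, so this is inferred from the RegisterPseudoScheme calls in the first hunk), the reason belongs next to the branch, e.g. `// Suborigin schemes are pseudo schemes and would fail CanCommitURL(); this branch does not check |child_id|'s grants.` Otherwise, consider checking the process against the corresponding http/https URL before returning true. Either way, a unit test that pins which processes may set a suborigin origin header would keep this exception from widening unnoticed.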