Index: content/browser/child_process_security_policy_impl.cc |
diff --git a/content/browser/child_process_security_policy_impl.cc b/content/browser/child_process_security_policy_impl.cc |
index 60d7a7aed73f25731d5c5079c183ea8a0fdacd73..db3fb1b3a7d08a2bb529a5db43c0569830973605 100644 |
--- a/content/browser/child_process_security_policy_impl.cc |
+++ b/content/browser/child_process_security_policy_impl.cc |
@@ -333,6 +333,8 @@ ChildProcessSecurityPolicyImpl::ChildProcessSecurityPolicyImpl() { |
RegisterPseudoScheme(url::kAboutScheme); |
RegisterPseudoScheme(url::kJavaScriptScheme); |
RegisterPseudoScheme(kViewSourceScheme); |
+ RegisterPseudoScheme(kHttpSuboriginScheme); |
+ RegisterPseudoScheme(kHttpsSuboriginScheme); |
} |
ChildProcessSecurityPolicyImpl::~ChildProcessSecurityPolicyImpl() { |
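Review bot: The two added `RegisterPseudoScheme` calls carry no comment saying why the suborigin schemes are grouped with about:, javascript: and view-source:. Presumably these URLs are only a serialization of an origin and must never be requested or committed directly, and the new `CanSetAsOriginHeader` depends on this registration in its `DCHECK`. A line above them such as `// Suborigin schemes only serialize an origin; they are never navigated to.` would record that, with the wording confirmed by the author. The constructor begins outside this hunk, so other callers of `IsPseudoScheme` affected by the registration are not visible here.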
@@ -648,6 +650,21 @@ bool ChildProcessSecurityPolicyImpl::CanCommitURL(int child_id, |
} |
} |
+bool ChildProcessSecurityPolicyImpl::CanSetAsOriginHeader(int child_id, |
+ const GURL& url) { |
+ if (!url.is_valid()) |
+ return false; // Can't set invalid URLs as origin headers. |
+ |
+ // Suborigin URLs are a special case and are allowed to be an origin header. |
+ if (url.scheme() == kHttpSuboriginScheme || |
+ url.scheme() == kHttpsSuboriginScheme) { |
+ DCHECK(IsPseudoScheme(url.scheme())); |
+ return true; |
+ } |
+ |
+ return CanCommitURL(child_id, url); |
+} |
+ |
bool ChildProcessSecurityPolicyImpl::CanReadFile(int child_id, |
const base::FilePath& file) { |
return HasPermissionsForFile(child_id, file, READ_FILE_GRANT); |
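Review bot: The suborigin branch of `CanSetAsOriginHeader` returns true without consulting `child_id`, so any child process can present a suborigin-scheme origin for any host, while every other scheme still goes through `CanCommitURL`. The decision should be tied to the process: derive the physical origin that the suborigin URL wraps and require `CanCommitURL(child_id, ...)` on it before returning true. If that is deferred, the branch should say so, e.g. `// TODO: validate the underlying physical origin against child_id.` The `DCHECK(IsPseudoScheme(...))` is compiled out of release builds, so it documents the invariant and does not enforce it.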