Chromium Code Reviews Chromium Code Reviews
Issue 2372563002:
Adding Embedding-CSP HTTP header (Closed)
| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. | 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. |
| 3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) | 3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) |
| 4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) | 4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) |
| 5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> | 5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> |
| 6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. | 6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. |
| 7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> | 7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> |
| 8 * Copyright (C) 2011 Google Inc. All rights reserved. | 8 * Copyright (C) 2011 Google Inc. All rights reserved. |
| 9 * | 9 * |
| 10 * Redistribution and use in source and binary forms, with or without | 10 * Redistribution and use in source and binary forms, with or without |
| (...skipping 156 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 167 if (!overrideURL.isEmpty()) { | 167 if (!overrideURL.isEmpty()) { |
| 168 request.setURL(overrideURL); | 168 request.setURL(overrideURL); |
| 169 request.clearHTTPReferrer(); | 169 request.clearHTTPReferrer(); |
| 170 } | 170 } |
| 171 request.setSkipServiceWorker(frameLoadType == FrameLoadTypeReloadBypassingCa che ? WebURLRequest::SkipServiceWorker::All : WebURLRequest::SkipServiceWorker:: None); | 171 request.setSkipServiceWorker(frameLoadType == FrameLoadTypeReloadBypassingCa che ? WebURLRequest::SkipServiceWorker::All : WebURLRequest::SkipServiceWorker:: None); |
| 172 return request; | 172 return request; |
| 173 } | 173 } |
| 174 | 174 |
| 175 FrameLoader::FrameLoader(LocalFrame* frame) | 175 FrameLoader::FrameLoader(LocalFrame* frame) |
| 176 : m_frame(frame) | 176 : m_frame(frame) |
| 177 , m_requiredCSP(nullAtom) | |
| 177 , m_progressTracker(ProgressTracker::create(frame)) | 178 , m_progressTracker(ProgressTracker::create(frame)) |
| 178 , m_loadType(FrameLoadTypeStandard) | 179 , m_loadType(FrameLoadTypeStandard) |
| 179 , m_inStopAllLoaders(false) | 180 , m_inStopAllLoaders(false) |
| 180 , m_checkTimer(TaskRunnerHelper::get(TaskType::Networking, frame), this, &Fr ameLoader::checkTimerFired) | 181 , m_checkTimer(TaskRunnerHelper::get(TaskType::Networking, frame), this, &Fr ameLoader::checkTimerFired) |
| 181 , m_forcedSandboxFlags(SandboxNone) | 182 , m_forcedSandboxFlags(SandboxNone) |
| 182 , m_dispatchingDidClearWindowObjectInMainWorld(false) | 183 , m_dispatchingDidClearWindowObjectInMainWorld(false) |
| 183 , m_protectProvisionalLoader(false) | 184 , m_protectProvisionalLoader(false) |
| 184 , m_isNavigationHandledByClient(false) | 185 , m_isNavigationHandledByClient(false) |
| 185 { | 186 { |
| 186 TRACE_EVENT_OBJECT_CREATED_WITH_ID("loading", "FrameLoader", this); | 187 TRACE_EVENT_OBJECT_CREATED_WITH_ID("loading", "FrameLoader", this); |
| (...skipping 1246 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1433 void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest, FrameLoadType ty pe, NavigationPolicy navigationPolicy) | 1434 void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest, FrameLoadType ty pe, NavigationPolicy navigationPolicy) |
| 1434 { | 1435 { |
| 1435 DCHECK(client()->hasWebView()); | 1436 DCHECK(client()->hasWebView()); |
| 1436 if (m_frame->document()->pageDismissalEventBeingDispatched() != Document::No Dismissal) | 1437 if (m_frame->document()->pageDismissalEventBeingDispatched() != Document::No Dismissal) |
| 1437 return; | 1438 return; |
| 1438 | 1439 |
| 1439 NavigationType navigationType = determineNavigationType(type, frameLoadReque st.resourceRequest().httpBody() || frameLoadRequest.form(), frameLoadRequest.tri ggeringEvent()); | 1440 NavigationType navigationType = determineNavigationType(type, frameLoadReque st.resourceRequest().httpBody() || frameLoadRequest.form(), frameLoadRequest.tri ggeringEvent()); |
| 1440 frameLoadRequest.resourceRequest().setRequestContext(determineRequestContext FromNavigationType(navigationType)); | 1441 frameLoadRequest.resourceRequest().setRequestContext(determineRequestContext FromNavigationType(navigationType)); |
| 1441 frameLoadRequest.resourceRequest().setFrameType(m_frame->isMainFrame() ? Web URLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested); | 1442 frameLoadRequest.resourceRequest().setFrameType(m_frame->isMainFrame() ? Web URLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested); |
| 1442 ResourceRequest& request = frameLoadRequest.resourceRequest(); | 1443 ResourceRequest& request = frameLoadRequest.resourceRequest(); |
| 1443 upgradeInsecureRequest(request, nullptr); | 1444 |
| 1445 // Record the latest requiredCSP value that will be used when sending this r equest. | |
| 1446 recordLatestRequiredCSP(); | |
| 1447 addOutgoingSecurityHeaders(request, nullptr); | |
| 1444 if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteD ata(), nullptr, frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), na vigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLo adRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect, frameLoadReq uest.form())) | 1448 if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteD ata(), nullptr, frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), na vigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLo adRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect, frameLoadReq uest.form())) |
| 1445 return; | 1449 return; |
| 1446 | 1450 |
| 1447 m_frame->document()->cancelParsing(); | 1451 m_frame->document()->cancelParsing(); |
| 1448 detachDocumentLoader(m_provisionalDocumentLoader); | 1452 detachDocumentLoader(m_provisionalDocumentLoader); |
| 1449 | 1453 |
| 1450 // beforeunload fired above, and detaching a DocumentLoader can fire | 1454 // beforeunload fired above, and detaching a DocumentLoader can fire |
| 1451 // events, which can detach this frame. | 1455 // events, which can detach this frame. |
| 1452 if (!m_frame->host()) | 1456 if (!m_frame->host()) |
| 1453 return; | 1457 return; |
| (...skipping 162 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1616 | 1620 |
| 1617 // FIXME: We need a way to propagate insecure requests policy flags to | 1621 // FIXME: We need a way to propagate insecure requests policy flags to |
| 1618 // out-of-process frames. For now, we'll always use default behavior. | 1622 // out-of-process frames. For now, we'll always use default behavior. |
| 1619 if (!parentFrame->isLocalFrame()) | 1623 if (!parentFrame->isLocalFrame()) |
| 1620 return nullptr; | 1624 return nullptr; |
| 1621 | 1625 |
| 1622 DCHECK(toLocalFrame(parentFrame)->document()); | 1626 DCHECK(toLocalFrame(parentFrame)->document()); |
| 1623 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ; | 1627 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ; |
| 1624 } | 1628 } |
| 1625 | 1629 |
| 1626 void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Docum ent* document) const | 1630 void FrameLoader::addOutgoingSecurityHeaders(ResourceRequest& resourceRequest, D ocument* document) const |
|
Mike West
2016/09/30 13:11:49
Hrm. I think it makes more sense to pull out the h
| |
| 1627 { | 1631 { |
| 1632 if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && !requiredCSP( ).isEmpty()) | |
| 1633 resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP ()); | |
| 1634 | |
| 1628 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational reque sts, as described in | 1635 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational reque sts, as described in |
| 1629 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect | 1636 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect |
| 1630 if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) { | 1637 if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) { |
| 1631 | 1638 |
| 1632 // Early return if the request has already been upgraded. | 1639 // Early return if the request has already been upgraded. |
| 1633 if (resourceRequest.httpHeaderField("Upgrade-Insecure-Requests") == Atom icString("1")) | 1640 if (resourceRequest.httpHeaderField("Upgrade-Insecure-Requests") == Atom icString("1")) |
| 1634 return; | 1641 return; |
| 1635 | 1642 |
| 1636 resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1"); | 1643 resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1"); |
| 1637 } | 1644 } |
| (...skipping 16 matching lines...) Expand all Loading... | |
| 1654 || (!url.host().isNull() && relevantNavigationSet->contains(url.host ().impl()->hash()))) { | 1661 || (!url.host().isNull() && relevantNavigationSet->contains(url.host ().impl()->hash()))) { |
| 1655 UseCounter::count(document, UseCounter::UpgradeInsecureRequestsUpgra dedRequest); | 1662 UseCounter::count(document, UseCounter::UpgradeInsecureRequestsUpgra dedRequest); |
| 1656 url.setProtocol("https"); | 1663 url.setProtocol("https"); |
| 1657 if (url.port() == 80) | 1664 if (url.port() == 80) |
| 1658 url.setPort(443); | 1665 url.setPort(443); |
| 1659 resourceRequest.setURL(url); | 1666 resourceRequest.setURL(url); |
| 1660 } | 1667 } |
| 1661 } | 1668 } |
| 1662 } | 1669 } |
| 1663 | 1670 |
| 1671 void FrameLoader::recordLatestRequiredCSP() | |
| 1672 { | |
| 1673 m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom; | |
| 1674 } | |
| 1664 | 1675 |
| 1665 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const | 1676 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const |
| 1666 { | 1677 { |
| 1667 std::unique_ptr<TracedValue> tracedValue = TracedValue::create(); | 1678 std::unique_ptr<TracedValue> tracedValue = TracedValue::create(); |
| 1668 tracedValue->beginDictionary("frame"); | 1679 tracedValue->beginDictionary("frame"); |
| 1669 tracedValue->setString("id_ref", String::format("0x%" PRIx64, static_cast<ui nt64_t>(reinterpret_cast<uintptr_t>(m_frame.get())))); | 1680 tracedValue->setString("id_ref", String::format("0x%" PRIx64, static_cast<ui nt64_t>(reinterpret_cast<uintptr_t>(m_frame.get())))); |
| 1670 tracedValue->endDictionary(); | 1681 tracedValue->endDictionary(); |
| 1671 tracedValue->setBoolean("isLoadingMainFrame", isLoadingMainFrame()); | 1682 tracedValue->setBoolean("isLoadingMainFrame", isLoadingMainFrame()); |
| 1672 tracedValue->setString("stateMachine", m_stateMachine.toString()); | 1683 tracedValue->setString("stateMachine", m_stateMachine.toString()); |
| 1673 tracedValue->setString("provisionalDocumentLoaderURL", m_provisionalDocument Loader ? m_provisionalDocumentLoader->url() : String()); | 1684 tracedValue->setString("provisionalDocumentLoaderURL", m_provisionalDocument Loader ? m_provisionalDocumentLoader->url() : String()); |
| 1674 tracedValue->setString("documentLoaderURL", m_documentLoader ? m_documentLoa der->url() : String()); | 1685 tracedValue->setString("documentLoaderURL", m_documentLoader ? m_documentLoa der->url() : String()); |
| 1675 return tracedValue; | 1686 return tracedValue; |
| 1676 } | 1687 } |
| 1677 | 1688 |
| 1678 inline void FrameLoader::takeObjectSnapshot() const | 1689 inline void FrameLoader::takeObjectSnapshot() const |
| 1679 { | 1690 { |
| 1680 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, toTraced Value()); | 1691 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, toTraced Value()); |
| 1681 } | 1692 } |
| 1682 | 1693 |
| 1683 } // namespace blink | 1694 } // namespace blink |
| OLD | NEW |
