| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. | 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. |
| 3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) | 3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) |
| 4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) | 4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) |
| 5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> | 5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> |
| 6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. | 6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. |
| 7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> | 7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> |
| 8 * Copyright (C) 2011 Google Inc. All rights reserved. | 8 * Copyright (C) 2011 Google Inc. All rights reserved. |
| 9 * | 9 * |
| 10 * Redistribution and use in source and binary forms, with or without | 10 * Redistribution and use in source and binary forms, with or without |
| (...skipping 156 matching lines...) | |
| 167 if (!overrideURL.isEmpty()) { | 167 if (!overrideURL.isEmpty()) { |
| 168 request.setURL(overrideURL); | 168 request.setURL(overrideURL); |
| 169 request.clearHTTPReferrer(); | 169 request.clearHTTPReferrer(); |
| 170 } | 170 } |
| 171 request.setSkipServiceWorker(frameLoadType == FrameLoadTypeReloadBypassingCa che ? WebURLRequest::SkipServiceWorker::All : WebURLRequest::SkipServiceWorker:: None); | 171 request.setSkipServiceWorker(frameLoadType == FrameLoadTypeReloadBypassingCa che ? WebURLRequest::SkipServiceWorker::All : WebURLRequest::SkipServiceWorker:: None); |
| 172 return request; | 172 return request; |
| 173 } | 173 } |
| 174 | 174 |
| 175 FrameLoader::FrameLoader(LocalFrame* frame) | 175 FrameLoader::FrameLoader(LocalFrame* frame) |
| 176 : m_frame(frame) | 176 : m_frame(frame) |
| 177 , m_requiredCSP(nullAtom) | |
|
Mike West
2016/10/06 08:00:51
Nit: I think this is the default, isn't it? You sh
| |
| 177 , m_progressTracker(ProgressTracker::create(frame)) | 178 , m_progressTracker(ProgressTracker::create(frame)) |
| 178 , m_loadType(FrameLoadTypeStandard) | 179 , m_loadType(FrameLoadTypeStandard) |
| 179 , m_inStopAllLoaders(false) | 180 , m_inStopAllLoaders(false) |
| 180 , m_checkTimer(TaskRunnerHelper::get(TaskType::Networking, frame), this, &Fr ameLoader::checkTimerFired) | 181 , m_checkTimer(TaskRunnerHelper::get(TaskType::Networking, frame), this, &Fr ameLoader::checkTimerFired) |
| 181 , m_forcedSandboxFlags(SandboxNone) | 182 , m_forcedSandboxFlags(SandboxNone) |
| 182 , m_dispatchingDidClearWindowObjectInMainWorld(false) | 183 , m_dispatchingDidClearWindowObjectInMainWorld(false) |
| 183 , m_protectProvisionalLoader(false) | 184 , m_protectProvisionalLoader(false) |
| 184 , m_isNavigationHandledByClient(false) | 185 , m_isNavigationHandledByClient(false) |
| 185 { | 186 { |
| 186 TRACE_EVENT_OBJECT_CREATED_WITH_ID("loading", "FrameLoader", this); | 187 TRACE_EVENT_OBJECT_CREATED_WITH_ID("loading", "FrameLoader", this); |
| (...skipping 1246 matching lines...) | |
| 1433 void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest, FrameLoadType ty pe, NavigationPolicy navigationPolicy) | 1434 void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest, FrameLoadType ty pe, NavigationPolicy navigationPolicy) |
| 1434 { | 1435 { |
| 1435 DCHECK(client()->hasWebView()); | 1436 DCHECK(client()->hasWebView()); |
| 1436 if (m_frame->document()->pageDismissalEventBeingDispatched() != Document::No Dismissal) | 1437 if (m_frame->document()->pageDismissalEventBeingDispatched() != Document::No Dismissal) |
| 1437 return; | 1438 return; |
| 1438 | 1439 |
| 1439 NavigationType navigationType = determineNavigationType(type, frameLoadReque st.resourceRequest().httpBody() || frameLoadRequest.form(), frameLoadRequest.tri ggeringEvent()); | 1440 NavigationType navigationType = determineNavigationType(type, frameLoadReque st.resourceRequest().httpBody() || frameLoadRequest.form(), frameLoadRequest.tri ggeringEvent()); |
| 1440 frameLoadRequest.resourceRequest().setRequestContext(determineRequestContext FromNavigationType(navigationType)); | 1441 frameLoadRequest.resourceRequest().setRequestContext(determineRequestContext FromNavigationType(navigationType)); |
| 1441 frameLoadRequest.resourceRequest().setFrameType(m_frame->isMainFrame() ? Web URLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested); | 1442 frameLoadRequest.resourceRequest().setFrameType(m_frame->isMainFrame() ? Web URLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested); |
| 1442 ResourceRequest& request = frameLoadRequest.resourceRequest(); | 1443 ResourceRequest& request = frameLoadRequest.resourceRequest(); |
| 1443 upgradeInsecureRequest(request, nullptr); | 1444 |
| 1445 // Record the latest requiredCSP value that will be used when sending this r equest. | |
| 1446 recordLatestRequiredCSP(); | |
| 1447 addOutgoingSecurityHeadersAndUpgradeRequest(request, nullptr); | |
| 1444 if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteD ata(), nullptr, frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), na vigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLo adRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect, frameLoadReq uest.form())) | 1448 if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteD ata(), nullptr, frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), na vigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLo adRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect, frameLoadReq uest.form())) |
| 1445 return; | 1449 return; |
| 1446 | 1450 |
| 1447 m_frame->document()->cancelParsing(); | 1451 m_frame->document()->cancelParsing(); |
| 1448 detachDocumentLoader(m_provisionalDocumentLoader); | 1452 detachDocumentLoader(m_provisionalDocumentLoader); |
| 1449 | 1453 |
| 1450 // beforeunload fired above, and detaching a DocumentLoader can fire | 1454 // beforeunload fired above, and detaching a DocumentLoader can fire |
| 1451 // events, which can detach this frame. | 1455 // events, which can detach this frame. |
| 1452 if (!m_frame->host()) | 1456 if (!m_frame->host()) |
| 1453 return; | 1457 return; |
| (...skipping 162 matching lines...) | |
| 1616 | 1620 |
| 1617 // FIXME: We need a way to propagate insecure requests policy flags to | 1621 // FIXME: We need a way to propagate insecure requests policy flags to |
| 1618 // out-of-process frames. For now, we'll always use default behavior. | 1622 // out-of-process frames. For now, we'll always use default behavior. |
| 1619 if (!parentFrame->isLocalFrame()) | 1623 if (!parentFrame->isLocalFrame()) |
| 1620 return nullptr; | 1624 return nullptr; |
| 1621 | 1625 |
| 1622 DCHECK(toLocalFrame(parentFrame)->document()); | 1626 DCHECK(toLocalFrame(parentFrame)->document()); |
| 1623 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ; | 1627 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade() ; |
| 1624 } | 1628 } |
| 1625 | 1629 |
| 1626 void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Docum ent* document) const | 1630 void FrameLoader::addOutgoingSecurityHeadersAndUpgradeRequest(ResourceRequest& r esourceRequest, Document* document) const |
| 1627 { | 1631 { |
| 1632 if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && !requiredCSP( ).isEmpty()) | |
| 1633 resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP ()); | |
|
Mike West
2016/10/06 08:00:51
Can you add a DCHECK here that the 'requiredCSP()'
amalika
2016/10/06 18:54:57
Not sure if that's what you wanted?
| |
| 1634 | |
| 1628 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational reque sts, as described in | 1635 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational reque sts, as described in |
| 1629 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect | 1636 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect |
| 1630 if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) { | 1637 if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) { |
| 1631 | 1638 |
| 1632 // Early return if the request has already been upgraded. | 1639 // Early return if the request has already been upgraded. |
| 1633 if (resourceRequest.httpHeaderField("Upgrade-Insecure-Requests") == Atom icString("1")) | 1640 if (resourceRequest.httpHeaderField("Upgrade-Insecure-Requests") == Atom icString("1")) |
| 1634 return; | 1641 return; |
| 1635 | 1642 |
| 1636 resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1"); | 1643 resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1"); |
| 1637 } | 1644 } |
| 1638 | 1645 |
| 1646 upgradeInsecureRequest(resourceRequest, document); | |
| 1647 } | |
| 1648 | |
| 1649 void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Docum ent* document) const | |
| 1650 { | |
| 1639 KURL url = resourceRequest.url(); | 1651 KURL url = resourceRequest.url(); |
| 1640 | 1652 |
| 1641 // If we don't yet have an |m_document| (because we're loading an iframe, fo r instance), check the FrameLoader's policy. | 1653 // If we don't yet have an |m_document| (because we're loading an iframe, fo r instance), check the FrameLoader's policy. |
| 1642 WebInsecureRequestPolicy relevantPolicy = document ? document->getInsecureRe questPolicy() : getInsecureRequestPolicy(); | 1654 WebInsecureRequestPolicy relevantPolicy = document ? document->getInsecureRe questPolicy() : getInsecureRequestPolicy(); |
| 1643 SecurityContext::InsecureNavigationsSet* relevantNavigationSet = document ? document->insecureNavigationsToUpgrade() : insecureNavigationsToUpgrade(); | 1655 SecurityContext::InsecureNavigationsSet* relevantNavigationSet = document ? document->insecureNavigationsToUpgrade() : insecureNavigationsToUpgrade(); |
| 1644 | 1656 |
| 1645 if (url.protocolIs("http") && relevantPolicy & kUpgradeInsecureRequests) { | 1657 if (url.protocolIs("http") && relevantPolicy & kUpgradeInsecureRequests) { |
| 1646 // We always upgrade requests that meet any of the following criteria: | 1658 // We always upgrade requests that meet any of the following criteria: |
| 1647 // | 1659 // |
| 1648 // 1. Are for subresources (including nested frames). | 1660 // 1. Are for subresources (including nested frames). |
| 1649 // 2. Are form submissions. | 1661 // 2. Are form submissions. |
| 1650 // 3. Whose hosts are contained in the document's InsecureNavigationSet. | 1662 // 3. Whose hosts are contained in the document's InsecureNavigationSet. |
| 1651 if (resourceRequest.frameType() == WebURLRequest::FrameTypeNone | 1663 if (resourceRequest.frameType() == WebURLRequest::FrameTypeNone |
| 1652 || resourceRequest.frameType() == WebURLRequest::FrameTypeNested | 1664 || resourceRequest.frameType() == WebURLRequest::FrameTypeNested |
| 1653 || resourceRequest.requestContext() == WebURLRequest::RequestContext Form | 1665 || resourceRequest.requestContext() == WebURLRequest::RequestContext Form |
| 1654 || (!url.host().isNull() && relevantNavigationSet->contains(url.host ().impl()->hash()))) { | 1666 || (!url.host().isNull() && relevantNavigationSet->contains(url.host ().impl()->hash()))) { |
| 1655 UseCounter::count(document, UseCounter::UpgradeInsecureRequestsUpgra dedRequest); | 1667 UseCounter::count(document, UseCounter::UpgradeInsecureRequestsUpgra dedRequest); |
| 1656 url.setProtocol("https"); | 1668 url.setProtocol("https"); |
| 1657 if (url.port() == 80) | 1669 if (url.port() == 80) |
| 1658 url.setPort(443); | 1670 url.setPort(443); |
| 1659 resourceRequest.setURL(url); | 1671 resourceRequest.setURL(url); |
| 1660 } | 1672 } |
| 1661 } | 1673 } |
| 1662 } | 1674 } |
| 1663 | 1675 |
| 1676 void FrameLoader::recordLatestRequiredCSP() | |
| 1677 { | |
| 1678 m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom; | |
| 1679 } | |
| 1664 | 1680 |
| 1665 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const | 1681 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const |
| 1666 { | 1682 { |
| 1667 std::unique_ptr<TracedValue> tracedValue = TracedValue::create(); | 1683 std::unique_ptr<TracedValue> tracedValue = TracedValue::create(); |
| 1668 tracedValue->beginDictionary("frame"); | 1684 tracedValue->beginDictionary("frame"); |
| 1669 tracedValue->setString("id_ref", String::format("0x%" PRIx64, static_cast<ui nt64_t>(reinterpret_cast<uintptr_t>(m_frame.get())))); | 1685 tracedValue->setString("id_ref", String::format("0x%" PRIx64, static_cast<ui nt64_t>(reinterpret_cast<uintptr_t>(m_frame.get())))); |
| 1670 tracedValue->endDictionary(); | 1686 tracedValue->endDictionary(); |
| 1671 tracedValue->setBoolean("isLoadingMainFrame", isLoadingMainFrame()); | 1687 tracedValue->setBoolean("isLoadingMainFrame", isLoadingMainFrame()); |
| 1672 tracedValue->setString("stateMachine", m_stateMachine.toString()); | 1688 tracedValue->setString("stateMachine", m_stateMachine.toString()); |
| 1673 tracedValue->setString("provisionalDocumentLoaderURL", m_provisionalDocument Loader ? m_provisionalDocumentLoader->url() : String()); | 1689 tracedValue->setString("provisionalDocumentLoaderURL", m_provisionalDocument Loader ? m_provisionalDocumentLoader->url() : String()); |
| 1674 tracedValue->setString("documentLoaderURL", m_documentLoader ? m_documentLoa der->url() : String()); | 1690 tracedValue->setString("documentLoaderURL", m_documentLoader ? m_documentLoa der->url() : String()); |
| 1675 return tracedValue; | 1691 return tracedValue; |
| 1676 } | 1692 } |
| 1677 | 1693 |
| 1678 inline void FrameLoader::takeObjectSnapshot() const | 1694 inline void FrameLoader::takeObjectSnapshot() const |
| 1679 { | 1695 { |
| 1680 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, toTraced Value()); | 1696 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, toTraced Value()); |
| 1681 } | 1697 } |
| 1682 | 1698 |
| 1683 } // namespace blink | 1699 } // namespace blink |
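Review bot: In addOutgoingSecurityHeadersAndUpgradeRequest (new lines 1632-1633) the Embedding-CSP header is set before the `frameType() != WebURLRequest::FrameTypeNone` check, so every request routed through this function gets it, not only nested-frame navigations. If a subresource request reaches this path while m_requiredCSP holds a value, the embedder's required policy would be sent to origins that have no reason to see it; the callers are outside the visible lines, so this needs confirming. Consider gating on the frame type, e.g. `if (resourceRequest.frameType() == WebURLRequest::FrameTypeNested && RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && !requiredCSP().isEmpty())`. Separately, m_requiredCSP is only refreshed by the recordLatestRequiredCSP() call in startLoad, so a short comment on recordLatestRequiredCSP saying it must run before the headers are added would make that ordering dependency explicit.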