
Side by Side Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2372563002: Adding Embedding-CSP HTTP header (Closed)
Patch Set: Adding a test in FrameFetchContextModifyRequestTest Created 4 years, 2 months ago
1 /* 1 /*
2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights
3 * reserved. 3 * reserved.
4 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) 4 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
5 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. 5 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
6 * (http://www.torchmobile.com/) 6 * (http://www.torchmobile.com/)
7 * Copyright (C) 2008 Alp Toker <alp@atoker.com> 7 * Copyright (C) 2008 Alp Toker <alp@atoker.com>
8 * Copyright (C) Research In Motion Limited 2009. All rights reserved. 8 * Copyright (C) Research In Motion Limited 2009. All rights reserved.
9 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> 9 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
10 * Copyright (C) 2011 Google Inc. All rights reserved. 10 * Copyright (C) 2011 Google Inc. All rights reserved.
(...skipping 168 matching lines...) Expand 10 before | Expand all | Expand 10 after
179 } 179 }
180 request.setSkipServiceWorker(frameLoadType == 180 request.setSkipServiceWorker(frameLoadType ==
181 FrameLoadTypeReloadBypassingCache 181 FrameLoadTypeReloadBypassingCache
182 ? WebURLRequest::SkipServiceWorker::All 182 ? WebURLRequest::SkipServiceWorker::All
183 : WebURLRequest::SkipServiceWorker::None); 183 : WebURLRequest::SkipServiceWorker::None);
184 return request; 184 return request;
185 } 185 }
186 186
187 FrameLoader::FrameLoader(LocalFrame* frame) 187 FrameLoader::FrameLoader(LocalFrame* frame)
188 : m_frame(frame), 188 : m_frame(frame),
189 m_requiredCSP(nullAtom),
189 m_progressTracker(ProgressTracker::create(frame)), 190 m_progressTracker(ProgressTracker::create(frame)),
190 m_loadType(FrameLoadTypeStandard), 191 m_loadType(FrameLoadTypeStandard),
191 m_inStopAllLoaders(false), 192 m_inStopAllLoaders(false),
192 m_checkTimer(TaskRunnerHelper::get(TaskType::Networking, frame), 193 m_checkTimer(TaskRunnerHelper::get(TaskType::Networking, frame),
193 this, 194 this,
194 &FrameLoader::checkTimerFired), 195 &FrameLoader::checkTimerFired),
195 m_forcedSandboxFlags(SandboxNone), 196 m_forcedSandboxFlags(SandboxNone),
196 m_dispatchingDidClearWindowObjectInMainWorld(false), 197 m_dispatchingDidClearWindowObjectInMainWorld(false),
197 m_protectProvisionalLoader(false), 198 m_protectProvisionalLoader(false),
198 m_isNavigationHandledByClient(false) { 199 m_isNavigationHandledByClient(false) {
(...skipping 1400 matching lines...) Expand 10 before | Expand all | Expand 10 after
1599 NavigationType navigationType = determineNavigationType( 1600 NavigationType navigationType = determineNavigationType(
1600 type, 1601 type,
1601 frameLoadRequest.resourceRequest().httpBody() || frameLoadRequest.form(), 1602 frameLoadRequest.resourceRequest().httpBody() || frameLoadRequest.form(),
1602 frameLoadRequest.triggeringEvent()); 1603 frameLoadRequest.triggeringEvent());
1603 frameLoadRequest.resourceRequest().setRequestContext( 1604 frameLoadRequest.resourceRequest().setRequestContext(
1604 determineRequestContextFromNavigationType(navigationType)); 1605 determineRequestContextFromNavigationType(navigationType));
1605 frameLoadRequest.resourceRequest().setFrameType( 1606 frameLoadRequest.resourceRequest().setFrameType(
1606 m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel 1607 m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel
1607 : WebURLRequest::FrameTypeNested); 1608 : WebURLRequest::FrameTypeNested);
1608 ResourceRequest& request = frameLoadRequest.resourceRequest(); 1609 ResourceRequest& request = frameLoadRequest.resourceRequest();
1609 upgradeInsecureRequest(request, nullptr); 1610
1611 // Record the latest requiredCSP value that will be used when sending this req uest.
1612 recordLatestRequiredCSP();
1613 modifyRequestForCSP(request, nullptr);
1610 if (!shouldContinueForNavigationPolicy( 1614 if (!shouldContinueForNavigationPolicy(
1611 request, frameLoadRequest.substituteData(), nullptr, 1615 request, frameLoadRequest.substituteData(), nullptr,
1612 frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), 1616 frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(),
1613 navigationType, navigationPolicy, 1617 navigationType, navigationPolicy,
1614 type == FrameLoadTypeReplaceCurrentItem, 1618 type == FrameLoadTypeReplaceCurrentItem,
1615 frameLoadRequest.clientRedirect() == 1619 frameLoadRequest.clientRedirect() ==
1616 ClientRedirectPolicy::ClientRedirect, 1620 ClientRedirectPolicy::ClientRedirect,
1617 frameLoadRequest.form())) 1621 frameLoadRequest.form()))
1618 return; 1622 return;
1619 1623
(...skipping 191 matching lines...) Expand 10 before | Expand all | Expand 10 after
1811 1815
1812 // FIXME: We need a way to propagate insecure requests policy flags to 1816 // FIXME: We need a way to propagate insecure requests policy flags to
1813 // out-of-process frames. For now, we'll always use default behavior. 1817 // out-of-process frames. For now, we'll always use default behavior.
1814 if (!parentFrame->isLocalFrame()) 1818 if (!parentFrame->isLocalFrame())
1815 return nullptr; 1819 return nullptr;
1816 1820
1817 DCHECK(toLocalFrame(parentFrame)->document()); 1821 DCHECK(toLocalFrame(parentFrame)->document());
1818 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade(); 1822 return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
1819 } 1823 }
1820 1824
1821 void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, 1825 void FrameLoader::modifyRequestForCSP(ResourceRequest& resourceRequest,
1822 Document* document) const { 1826 Document* document) const {
1823 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational 1827 if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
1824 // requests, as described in 1828 !requiredCSP().isEmpty())
Mike West 2016/10/06 13:30:21 Nit: {}.
1829 resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP());
1830
1831 // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational request s, as described in
1825 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect 1832 // https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
1826 if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) { 1833 if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) {
1827 // Early return if the request has already been upgraded. 1834 // Early return if the request has already been upgraded.
1828 if (resourceRequest.httpHeaderField("Upgrade-Insecure-Requests") == 1835 if (resourceRequest.httpHeaderField("Upgrade-Insecure-Requests") ==
1829 AtomicString("1")) 1836 AtomicString("1"))
1830 return; 1837 return;
1831 1838
1832 resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1"); 1839 resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1");
1833 } 1840 }
1834 1841
1842 upgradeInsecureRequest(resourceRequest, document);
1843 }
1844
1845 void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
1846 Document* document) const {
1835 KURL url = resourceRequest.url(); 1847 KURL url = resourceRequest.url();
1836 1848
1837 // If we don't yet have an |m_document| (because we're loading an iframe, for 1849 // If we don't yet have an |m_document| (because we're loading an iframe, for
1838 // instance), check the FrameLoader's policy. 1850 // instance), check the FrameLoader's policy.
1839 WebInsecureRequestPolicy relevantPolicy = 1851 WebInsecureRequestPolicy relevantPolicy =
1840 document ? document->getInsecureRequestPolicy() 1852 document ? document->getInsecureRequestPolicy()
1841 : getInsecureRequestPolicy(); 1853 : getInsecureRequestPolicy();
1842 SecurityContext::InsecureNavigationsSet* relevantNavigationSet = 1854 SecurityContext::InsecureNavigationsSet* relevantNavigationSet =
1843 document ? document->insecureNavigationsToUpgrade() 1855 document ? document->insecureNavigationsToUpgrade()
1844 : insecureNavigationsToUpgrade(); 1856 : insecureNavigationsToUpgrade();
(...skipping 12 matching lines...) Expand all
1857 UseCounter::count(document, 1869 UseCounter::count(document,
1858 UseCounter::UpgradeInsecureRequestsUpgradedRequest); 1870 UseCounter::UpgradeInsecureRequestsUpgradedRequest);
1859 url.setProtocol("https"); 1871 url.setProtocol("https");
1860 if (url.port() == 80) 1872 if (url.port() == 80)
1861 url.setPort(443); 1873 url.setPort(443);
1862 resourceRequest.setURL(url); 1874 resourceRequest.setURL(url);
1863 } 1875 }
1864 } 1876 }
1865 } 1877 }
1866 1878
1879 void FrameLoader::recordLatestRequiredCSP() {
1880 m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom;
1881 }
1882
1867 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const { 1883 std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const {
1868 std::unique_ptr<TracedValue> tracedValue = TracedValue::create(); 1884 std::unique_ptr<TracedValue> tracedValue = TracedValue::create();
1869 tracedValue->beginDictionary("frame"); 1885 tracedValue->beginDictionary("frame");
1870 tracedValue->setString( 1886 tracedValue->setString(
1871 "id_ref", 1887 "id_ref",
1872 String::format( 1888 String::format(
1873 "0x%" PRIx64, 1889 "0x%" PRIx64,
1874 static_cast<uint64_t>(reinterpret_cast<uintptr_t>(m_frame.get())))); 1890 static_cast<uint64_t>(reinterpret_cast<uintptr_t>(m_frame.get()))));
1875 tracedValue->endDictionary(); 1891 tracedValue->endDictionary();
1876 tracedValue->setBoolean("isLoadingMainFrame", isLoadingMainFrame()); 1892 tracedValue->setBoolean("isLoadingMainFrame", isLoadingMainFrame());
1877 tracedValue->setString("stateMachine", m_stateMachine.toString()); 1893 tracedValue->setString("stateMachine", m_stateMachine.toString());
1878 tracedValue->setString("provisionalDocumentLoaderURL", 1894 tracedValue->setString("provisionalDocumentLoaderURL",
1879 m_provisionalDocumentLoader 1895 m_provisionalDocumentLoader
1880 ? m_provisionalDocumentLoader->url() 1896 ? m_provisionalDocumentLoader->url()
1881 : String()); 1897 : String());
1882 tracedValue->setString("documentLoaderURL", 1898 tracedValue->setString("documentLoaderURL",
1883 m_documentLoader ? m_documentLoader->url() : String()); 1899 m_documentLoader ? m_documentLoader->url() : String());
1884 return tracedValue; 1900 return tracedValue;
1885 } 1901 }
1886 1902
1887 inline void FrameLoader::takeObjectSnapshot() const { 1903 inline void FrameLoader::takeObjectSnapshot() const {
1888 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, 1904 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this,
1889 toTracedValue()); 1905 toTracedValue());
1890 } 1906 }
1891 1907
1892 } // namespace blink 1908 } // namespace blink
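Review bot: The `Embedding-CSP` header in `modifyRequestForCSP` (new lines 1827-1829) is set on every request that reaches this function, with no frame-type check, whereas the `Upgrade-Insecure-Requests` header below it is limited to `frameType() != WebURLRequest::FrameTypeNone`. If this function is also called for subresource fetches, as the surviving `FrameTypeNone` handling suggests, the embedder's required policy would be sent to every host the frame loads from rather than only on the nested navigation it is meant to constrain. Consider guarding it, e.g. `if (resourceRequest.frameType() == WebURLRequest::FrameTypeNested && RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && !requiredCSP().isEmpty())`. The value itself is copied from `m_frame->owner()->csp()` in `recordLatestRequiredCSP` with no validation visible on this page, so it is worth confirming that it is checked as a well-formed policy (no control characters) before it becomes a header value.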