Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(553)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2372563002: Adding Embedding-CSP HTTP header (Closed)
Patch Set: Moving requiredCSP to FrameLoader Created 4 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« third_party/WebKit/Source/core/loader/FrameFetchContext.cpp ('K') | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/platform/network/HTTPNames.in » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index af4d71268aead1e1b8211453e5ba162035ffb0b9..dca64590b9a11343fdb3bc3ebaa732d331d8ee40 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -174,6 +174,7 @@ ResourceRequest FrameLoader::resourceRequestForReload(FrameLoadType frameLoadTyp
FrameLoader::FrameLoader(LocalFrame* frame)
: m_frame(frame)
+ , m_requiredCSP(nullAtom)
, m_progressTracker(ProgressTracker::create(frame))
, m_loadType(FrameLoadTypeStandard)
, m_inStopAllLoaders(false)
@@ -1440,7 +1441,10 @@ void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest, FrameLoadType ty
frameLoadRequest.resourceRequest().setRequestContext(determineRequestContextFromNavigationType(navigationType));
frameLoadRequest.resourceRequest().setFrameType(m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel : WebURLRequest::FrameTypeNested);
ResourceRequest& request = frameLoadRequest.resourceRequest();
- upgradeInsecureRequest(request, nullptr);
+
+ // Record the latest requiredCSP value that will be used when sending this request.
+ recordLatestRequiredCSP();
+ addOutgoingSecurityHeaders(request, nullptr);
if (!shouldContinueForNavigationPolicy(request, frameLoadRequest.substituteData(), nullptr, frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(), navigationType, navigationPolicy, type == FrameLoadTypeReplaceCurrentItem, frameLoadRequest.clientRedirect() == ClientRedirectPolicy::ClientRedirect, frameLoadRequest.form()))
return;
@@ -1623,8 +1627,11 @@ SecurityContext::InsecureNavigationsSet* FrameLoader::insecureNavigationsToUpgra
return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
}
-void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Document* document) const
+void FrameLoader::addOutgoingSecurityHeaders(ResourceRequest& resourceRequest, Document* document) const
Mike West 2016/09/30 13:11:49 Hrm. I think it makes more sense to pull out the h
{
+ if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && !requiredCSP().isEmpty())
+ resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP());
+
// Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational requests, as described in
// https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) {
@@ -1661,6 +1668,10 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest, Docum
}
}
+void FrameLoader::recordLatestRequiredCSP()
+{
+ m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom;
+}
std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const
{
« third_party/WebKit/Source/core/loader/FrameFetchContext.cpp ('K') | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/platform/network/HTTPNames.in » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698