Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(539)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2372563002: Adding Embedding-CSP HTTP header (Closed)
Patch Set: Addressing comments Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/platform/network/HTTPNames.in » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 982cae2be874fabec575daf90ae87c09ad9730da..ef86c71df01d09467d9717dcc7f1ddfd83b0222a 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -1606,7 +1606,10 @@ void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest,
m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel
: WebURLRequest::FrameTypeNested);
ResourceRequest& request = frameLoadRequest.resourceRequest();
- upgradeInsecureRequest(request, nullptr);
+
+ // Record the latest requiredCSP value that will be used when sending this request.
+ recordLatestRequiredCSP();
+ modifyRequestForCSP(request, nullptr);
if (!shouldContinueForNavigationPolicy(
request, frameLoadRequest.substituteData(), nullptr,
frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(),
@@ -1818,10 +1821,15 @@ FrameLoader::insecureNavigationsToUpgrade() const {
return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
}
-void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
- Document* document) const {
- // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational
- // requests, as described in
+void FrameLoader::modifyRequestForCSP(ResourceRequest& resourceRequest,
+ Document* document) const {
+ if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+ !requiredCSP().isEmpty()) {
+ DCHECK(requiredCSP());
Mike West 2016/10/07 12:11:59 I was going for something more like `DCHECK(requir
+ resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP());
+ }
+
+ // Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational requests, as described in
// https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
if (resourceRequest.frameType() != WebURLRequest::FrameTypeNone) {
// Early return if the request has already been upgraded.
@@ -1832,6 +1840,11 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1");
}
+ upgradeInsecureRequest(resourceRequest, document);
+}
+
+void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
+ Document* document) const {
KURL url = resourceRequest.url();
// If we don't yet have an |m_document| (because we're loading an iframe, for
@@ -1864,6 +1877,10 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
}
}
+void FrameLoader::recordLatestRequiredCSP() {
+ m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom;
+}
+
std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const {
std::unique_ptr<TracedValue> tracedValue = TracedValue::create();
tracedValue->beginDictionary("frame");
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/platform/network/HTTPNames.in » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698