Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(262)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2372563002: Adding Embedding-CSP HTTP header (Closed)
Patch Set: ASCII DCHECK and a comment Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/platform/network/HTTPNames.in » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 8441cd534ad327390274d9f49bec7aafbb0f6f3b..f8dfb07d48c1ab9801334d736a34d151f5df833d 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -1611,7 +1611,11 @@ void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest,
m_frame->isMainFrame() ? WebURLRequest::FrameTypeTopLevel
: WebURLRequest::FrameTypeNested);
ResourceRequest& request = frameLoadRequest.resourceRequest();
- upgradeInsecureRequest(request, nullptr);
+
+ // Record the latest requiredCSP value that will be used when sending this
+ // request.
+ recordLatestRequiredCSP();
+ modifyRequestForCSP(request, nullptr);
if (!shouldContinueForNavigationPolicy(
request, frameLoadRequest.substituteData(), nullptr,
frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(),
@@ -1823,8 +1827,15 @@ FrameLoader::insecureNavigationsToUpgrade() const {
return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
}
-void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
- Document* document) const {
+void FrameLoader::modifyRequestForCSP(ResourceRequest& resourceRequest,
+ Document* document) const {
+ if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
+ !requiredCSP().isEmpty()) {
+ // TODO(amalika): Strengthen this DCHECK that requiredCSP has proper format
+ DCHECK(requiredCSP().getString().containsOnlyASCII());
+ resourceRequest.setHTTPHeaderField(HTTPNames::Embedding_CSP, requiredCSP());
+ }
+
// Tack an 'Upgrade-Insecure-Requests' header to outgoing navigational
// requests, as described in
// https://w3c.github.io/webappsec/specs/upgrade/#feature-detect
@@ -1837,6 +1848,11 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
resourceRequest.addHTTPHeaderField("Upgrade-Insecure-Requests", "1");
}
+ upgradeInsecureRequest(resourceRequest, document);
+}
+
+void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
+ Document* document) const {
KURL url = resourceRequest.url();
// If we don't yet have an |m_document| (because we're loading an iframe, for
@@ -1869,6 +1885,10 @@ void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
}
}
+void FrameLoader::recordLatestRequiredCSP() {
+ m_requiredCSP = m_frame->owner() ? m_frame->owner()->csp() : nullAtom;
+}
+
std::unique_ptr<TracedValue> FrameLoader::toTracedValue() const {
std::unique_ptr<TracedValue> tracedValue = TracedValue::create();
tracedValue->beginDictionary("frame");
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/platform/network/HTTPNames.in » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698