Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
index 3ff396642f61a6722b5b1cf7f35136afc2fc77c1..c82f49fb495336968e1beb3725d94e1b325f8360 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
@@ -311,6 +311,30 @@ void ContentSecurityPolicy::didReceiveHeader( |
applyPolicySideEffectsToExecutionContext(); |
} |
+bool ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
+ const ResourceResponse& response, |
+ SecurityOrigin* parentOrigin) { |
+ if (response.url().isEmpty() || response.url().protocolIsAbout() || |
+ response.url().protocolIsData() || response.url().protocolIs("blob") || |
+ response.url().protocolIs("filesystem")) { |
+ return true; |
+ } |
+ |
+ if (parentOrigin->canAccess(SecurityOrigin::create(response.url()).get())) |
+ return true; |
+ |
+ String header = response.httpHeaderField(HTTPNames::Allow_CSP_From); |
+ header = header.stripWhiteSpace(); |
+ if (header == "*") |
+ return true; |
+ if (RefPtr<SecurityOrigin> childOrigin = |
+ SecurityOrigin::createFromString(header)) { |
+ return parentOrigin->canAccess(childOrigin.get()); |
+ } |
+ |
+ return false; |
+} |
+ |
void ContentSecurityPolicy::addPolicyFromHeaderValue( |
const String& header, |
ContentSecurityPolicyHeaderType type, |
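Review bot: The opt-in branch of `shouldEnforceEmbeddersPolicy` compares the `Allow-CSP-From` value with `parentOrigin->canAccess(childOrigin.get())`, which is presumably broader than an exact origin match if `canAccess` honours `document.domain` or access grants. Since this header decides whether the embedder's policy is imposed on a cross-origin response, a strict comparison such as `return parentOrigin->isSameSchemeHostPort(childOrigin.get());` looks safer, unless the relaxed check is intentional. `SecurityOrigin::createFromString(header)` also appears to accept any URL-like string rather than only an origin serialization. An absent or empty header fails closed only if the origin built from it fails the comparison, so an explicit `if (header.isEmpty()) return false;` before the parse would make that path visible. `parentOrigin` is dereferenced unchecked in both `canAccess` calls, so consider adding `DCHECK(parentOrigin);` at the top, plus a short comment stating that `true` means the response is a local scheme, same-origin, or has opted in.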