Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
index 20fd403634bfeb45b58118b95618255ee188787f..30c1a9d6be2dbdd6fadc7ef4ed27509a5ac931be 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
@@ -311,6 +311,48 @@ void ContentSecurityPolicy::didReceiveHeader( |
applyPolicySideEffectsToExecutionContext(); |
} |
+bool ContentSecurityPolicy::checkAllowBlanketEnforcement( |
+ const ResourceResponse& response, |
+ const KURL& parentUrl) { |
+ if (response.url().isEmpty() || response.url().protocolIsAbout() || |
+ response.url().protocolIsAbout() || response.url().protocolIs("blob") || |
Mike West
2016/10/13 11:01:42
Nit: One of these `protocolIsAbout` should probabl
|
+ response.url().protocolIs("filesystem")) { |
+ return true; |
+ } |
+ |
+ if (parentUrl.protocol() == response.url().protocol() && |
+ parentUrl.host() == response.url().host() && |
+ parentUrl.port() == response.url().port()) { |
+ return true; |
+ } |
Mike West
2016/10/13 11:01:42
If you pass in an origin, you can change this to `
|
+ |
+ HTTPHeaderMap::const_iterator it = |
+ response.httpHeaderFields().find(HTTPNames::Allow_CSP_From); |
+ |
+ String header = |
+ it != response.httpHeaderFields().end() ? it->value : nullAtom; |
Mike West
2016/10/13 11:01:42
You can simplify this check down to something like
|
+ |
+ if (header.isEmpty() || !header.containsOnlyASCII()) |
+ return false; |
+ |
+ Vector<String> headers; |
+ header.split(',', headers); |
Mike West
2016/10/13 11:01:42
I think we probably don't want to look at all the
|
+ for (size_t i = 0; i < headers.size(); i++) { |
+ String currentHeader = headers[i].stripWhiteSpace(); |
+ if (equalIgnoringCase(currentHeader, "*")) { |
Mike West
2016/10/13 11:01:42
No need for case-folding here: `*` is not a cased
|
+ return true; |
+ } |
+ const KURL allowed(ParsedURLString, currentHeader); |
+ if (allowed.isValid() && parentUrl.protocol() == allowed.protocol() && |
+ parentUrl.host() == allowed.host() && |
+ parentUrl.port() == allowed.port()) { |
+ return true; |
+ } |
Mike West
2016/10/13 11:01:42
This should also be an origin check. That is, `par
|
+ } |
+ |
+ return false; |
+} |
+ |
void ContentSecurityPolicy::addPolicyFromHeaderValue( |
const String& header, |
ContentSecurityPolicyHeaderType type, |
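Review bot: checkAllowBlanketEnforcement has no header comment, so a reader cannot tell from the hunk what "blanket enforcement" decides or why the three early `return true` paths are safe; the parsed `Allow-CSP-From` value is also compared only by protocol/host/port, so a value carrying a path or query still matches, which the comment should state as intended or not. I would add, above the definition, a comment saying that the function returns true when the embedder's policy may be applied to `response`: when the response URL is empty or uses an about:, blob: or filesystem: scheme, when it matches the parent's scheme/host/port, or when a comma-separated `Allow-CSP-From` entry is `*` or a URL whose scheme/host/port match `parentUrl`; and that any other value, a missing header, or a non-ASCII header yields false. Separately, the `allowed` URL is built with the `ParsedURLString` constructor from an untrusted header value; KURL.h documents that tag as taking an already-canonicalized string, so it is worth confirming that a non-canonical value (an uppercase host, say) is still canonicalized before the host comparison, or parsing it relative to an empty base instead.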