| Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
| diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
| index 20fd403634bfeb45b58118b95618255ee188787f..0c211301541184f4d3f3dada2f670ecea189936d 100644 |
| --- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
| +++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
| @@ -311,6 +311,31 @@ void ContentSecurityPolicy::didReceiveHeader( |
| applyPolicySideEffectsToExecutionContext(); |
| } |
| +bool ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
|
Mike West
2016/10/14 09:01:17
Can you add some unit tests for this method in `Co
|
| + const ResourceResponse& response, |
| + SecurityOrigin* parentOrigin) { |
| + if (response.url().isEmpty() || response.url().protocolIsAbout() || |
| + response.url().protocolIsData() || response.url().protocolIs("blob") || |
| + response.url().protocolIs("filesystem")) { |
| + return true; |
| + } |
| + |
| + if (parentOrigin->canAccess(SecurityOrigin::create(response.url()).get())) |
| + return true; |
| + |
| + String header = response.httpHeaderField(HTTPNames::Allow_CSP_From); |
| + if (header.isEmpty() || !header.containsOnlyASCII()) |
| + return false; |
| + |
| + String headerValue = header.stripWhiteSpace(); |
| + if (headerValue == "*" || |
| + parentOrigin->canAccess( |
| + SecurityOrigin::createFromString(headerValue).get())) |
|
Mike West
2016/10/14 09:01:17
I think you can simplify the logic here a bit with
|
| + return true; |
|
Mike West
2016/10/14 09:01:17
Nit: `{}` around the body if the `if` clause is mu
|
| + |
| + return false; |
| +} |
| + |
| void ContentSecurityPolicy::addPolicyFromHeaderValue( |
| const String& header, |
| ContentSecurityPolicyHeaderType type, |