Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
index 20fd403634bfeb45b58118b95618255ee188787f..0c211301541184f4d3f3dada2f670ecea189936d 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp |
@@ -311,6 +311,31 @@ void ContentSecurityPolicy::didReceiveHeader( |
applyPolicySideEffectsToExecutionContext(); |
} |
+bool ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
Mike West
2016/10/14 09:01:17
Can you add some unit tests for this method in `Co
|
+ const ResourceResponse& response, |
+ SecurityOrigin* parentOrigin) { |
+ if (response.url().isEmpty() || response.url().protocolIsAbout() || |
+ response.url().protocolIsData() || response.url().protocolIs("blob") || |
+ response.url().protocolIs("filesystem")) { |
+ return true; |
+ } |
+ |
+ if (parentOrigin->canAccess(SecurityOrigin::create(response.url()).get())) |
+ return true; |
+ |
+ String header = response.httpHeaderField(HTTPNames::Allow_CSP_From); |
+ if (header.isEmpty() || !header.containsOnlyASCII()) |
+ return false; |
+ |
+ String headerValue = header.stripWhiteSpace(); |
+ if (headerValue == "*" || |
+ parentOrigin->canAccess( |
+ SecurityOrigin::createFromString(headerValue).get())) |
Mike West
2016/10/14 09:01:17
I think you can simplify the logic here a bit with
|
+ return true; |
Mike West
2016/10/14 09:01:17
Nit: `{}` around the body if the `if` clause is mu
|
+ |
+ return false; |
+} |
+ |
void ContentSecurityPolicy::addPolicyFromHeaderValue( |
const String& header, |
ContentSecurityPolicyHeaderType type, |
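Review bot: Both origin comparisons in `shouldEnforceEmbeddersPolicy` go through `parentOrigin->canAccess(...)`, which is a script-access check rather than a plain origin comparison. Its answer can depend on state unrelated to the header, such as whether the embedder has set `document.domain` or has been granted universal access. Since this decides whether an embedder-supplied policy is imposed on a cross-origin response, a strict scheme/host/port match would be easier to reason about, for example `parentOrigin->isSameSchemeHostPort(SecurityOrigin::createFromString(headerValue).get())`, if that helper fits the intended semantics. `parentOrigin` is also a raw pointer dereferenced without a check, so a `DCHECK(parentOrigin);` at the top of the function would document the precondition.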