third_party/WebKit/Source/core/dom/Document.cpp - Issue 2472333003: CSP: "local schemes" should inherit policy when embedded.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/dom/Document.cpp

Issue 2472333003: CSP: "local schemes" should inherit policy when embedded. (Closed)

Patch Set: dcheng@ Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/cascade-helper.js ('k') | third_party/WebKit/Source/core/loader/DocumentLoader.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/dom/Document.cpp

diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp

index 0ebe859b57d47b8720d4d445c2829f78cd57f74f..8a394b442085bdb71681852e61ec9f615ff941ec 100644

--- a/third_party/WebKit/Source/core/dom/Document.cpp

+++ b/third_party/WebKit/Source/core/dom/Document.cpp

@@ -367,19 +367,6 @@ static inline bool isValidNamePart(UChar32 c) {

return true;

}

-static bool shouldInheritSecurityOriginFromOwner(const KURL& url) {

- // http://www.whatwg.org/specs/web-apps/current-work/#origin-0

- //

- // If a Document has the address "about:blank"

- // The origin of the Document is the origin it was assigned when its

- // browsing context was created.

- //

- // Note: We generalize this to all "blank" URLs and invalid URLs because we

- // treat all of these URLs as about:blank.

- //

- return url.isEmpty() || url.protocolIsAbout();

static Widget* widgetForElement(const Element& focusedElement) {

LayoutObject* layoutObject = focusedElement.layoutObject();

if (!layoutObject || !layoutObject->isLayoutPart())

@@ -5524,7 +5511,15 @@ void Document::initContentSecurityPolicy(ContentSecurityPolicy* csp) {

ContentSecurityPolicy* parentCSP = toLocalFrame(m_frame->tree().parent())

->document()

->contentSecurityPolicy();

- if (shouldInheritSecurityOriginFromOwner(m_url)) {

+ // We inherit the parent frame's CSP for documents with "local" schemes:

+ // 'about', 'blob', 'data', and 'filesystem'. We also inherit the parent

+ // frame's CSP for documents with empty/invalid URLs because we treat

+ // those URLs as 'about:blank' in Blink.

+ //

+ // https://w3c.github.io/webappsec-csp/#initialize-document-csp

+ if (m_url.isEmpty() || m_url.protocolIsAbout() || m_url.protocolIsData() ||

+ m_url.protocolIs("blob") || m_url.protocolIs("filesystem")) {

contentSecurityPolicy()->copyStateFrom(parentCSP);

} else if (isPluginDocument()) {

// Per CSP2, plugin-types for plugin documents in nested browsing