(Re-)introduce AncestorThrottle to handle 'X-Frame-Options'.

third_party/WebKit/Source/core/loader/DocumentLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved.
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1.  Redistributions of source code must retain the above copyright
  *     notice, this list of conditions and the following disclaimer.
@@ skipping 93 matching lines @@
       m_substituteData(substituteData),
       m_request(req),
       m_isClientRedirect(clientRedirectPolicy ==
                          ClientRedirectPolicy::ClientRedirect),
       m_replacesCurrentHistoryItem(false),
       m_dataReceived(false),
       m_navigationType(NavigationTypeOther),
       m_documentLoadTiming(*this),
       m_timeOfLastDataReceived(0.0),
       m_applicationCacheHost(ApplicationCacheHost::create(this)),
-      m_wasBlockedAfterXFrameOptionsOrCSP(false),
+      m_wasBlockedAfterCSP(false),
       m_state(NotStarted),
       m_inDataReceived(false),
       m_dataBuffer(SharedBuffer::create()) {
   // The document URL needs to be added to the head of the list as that is
   // where the redirects originated.
   if (m_isClientRedirect)
     appendRedirect(m_frame->document()->url());
 }
 
 FrameLoader* DocumentLoader::frameLoader() const {
@@ skipping 149 matching lines @@
   DCHECK(m_mainResource);
 
   if (!m_mainResource->errorOccurred() && !m_mainResource->wasCanceled()) {
     finishedLoading(m_mainResource->loadFinishTime());
     return;
   }
 
   if (m_applicationCacheHost)
     m_applicationCacheHost->failedLoadingMainResource();
   m_state = MainResourceDone;
+
+  if (m_mainResource->resourceError().wasBlockedByResponse()) {
+    InspectorInstrumentation::canceledAfterReceivedResourceResponse(
+        m_frame, this, mainResourceIdentifier(), resource->response(),
+        m_mainResource.get());
+  }
+
   frameLoader()->loadFailed(this, m_mainResource->resourceError());
   clearMainResourceHandle();
 }
 
 void DocumentLoader::finishedLoading(double finishTime) {
   DCHECK(m_frame->loader().stateMachine()->creatingInitialEmptyDocument() ||
          !m_frame->page()->suspended() ||
          InspectorInstrumentation::isDebuggerPaused(m_frame));
 
   double responseEndTime = finishTime;
@@ skipping 83 matching lines @@
     // Downloading is handled by the embedder, but we still get the initial
     // response so that we can ignore it and clean up properly.
     return false;
   }
 
   if (!canShowMIMEType(m_response.mimeType(), m_frame))
     return false;
   return true;
 }
 
-void DocumentLoader::cancelLoadAfterXFrameOptionsOrCSPDenied(
+void DocumentLoader::cancelLoadAfterCSPDenied(
     const ResourceResponse& response) {
-  InspectorInstrumentation::continueAfterXFrameOptionsDenied(
+  InspectorInstrumentation::canceledAfterReceivedResourceResponse(
       m_frame, this, mainResourceIdentifier(), response, m_mainResource.get());
 
-  setWasBlockedAfterXFrameOptionsOrCSP();
+  setWasBlockedAfterCSP();
 
   // Pretend that this was an empty HTTP 200 response.  Don't reuse the original
   // URL for the empty page (https://crbug.com/622385).
   //
   // TODO(mkwst):  Remove this once XFO moves to the browser.
   // https://crbug.com/555418.
   clearMainResourceHandle();
   m_contentSecurityPolicy.clear();
   KURL blockedURL = SecurityOrigin::urlWithUniqueSecurityOrigin();
   m_originalRequest.setURL(blockedURL);
@@ skipping 21 matching lines @@
   // we don't save the result for future use. All responses loaded from appcache
   // will have a non-zero appCacheID().
   if (response.appCacheID())
     memoryCache()->remove(m_mainResource.get());
 
   m_contentSecurityPolicy = ContentSecurityPolicy::create();
   m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
   m_contentSecurityPolicy->didReceiveHeaders(
       ContentSecurityPolicyResponseHeaders(response));
   if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
-    cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+    cancelLoadAfterCSPDenied(response);
     return;
   }
 
-  // 'frame-ancestors' obviates 'x-frame-options':
-  // https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
-  if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
-    HTTPHeaderMap::const_iterator it =
-        response.httpHeaderFields().find(HTTPNames::X_Frame_Options);
-    if (it != response.httpHeaderFields().end()) {
-      String content = it->value;
-      if (frameLoader()->shouldInterruptLoadForXFrameOptions(
-              content, response.url(), mainResourceIdentifier())) {
-        String message = "Refused to display '" +
-                         response.url().elidedString() +
-                         "' in a frame because it set 'X-Frame-Options' to '" +
-                         content + "'.";
-        ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
-            SecurityMessageSource, ErrorMessageLevel, message, response.url(),
-            mainResourceIdentifier());
-        frame()->document()->addConsoleMessage(consoleMessage);
-
-        cancelLoadAfterXFrameOptionsOrCSPDenied(response);
-        return;
-      }
-    }
-  }
-
   if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
       !frameLoader()->requiredCSP().isEmpty()) {
     SecurityOrigin* parentSecurityOrigin =
         frame()->tree().parent()->securityContext()->getSecurityOrigin();
     if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy(
             response, parentSecurityOrigin)) {
       m_contentSecurityPolicy->addPolicyFromHeaderValue(
           frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
           ContentSecurityPolicyHeaderSourceHTTP);
     } else {
       ContentSecurityPolicy* embeddingCSP = ContentSecurityPolicy::create();
       embeddingCSP->addPolicyFromHeaderValue(
           frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce,
           ContentSecurityPolicyHeaderSourceHTTP);
       if (!embeddingCSP->subsumes(*m_contentSecurityPolicy)) {
         String message = "Refused to display '" +
                          response.url().elidedString() +
                          "' because it has not opted-into the following policy "
                          "required by its embedder: '" +
                          frameLoader()->requiredCSP() + "'.";
         ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
             SecurityMessageSource, ErrorMessageLevel, message, response.url(),
             mainResourceIdentifier());
         frame()->document()->addConsoleMessage(consoleMessage);
-        cancelLoadAfterXFrameOptionsOrCSPDenied(response);
+        cancelLoadAfterCSPDenied(response);
         return;
       }
     }
   }
 
   DCHECK(!m_frame->page()->suspended());
 
   m_response = response;
 
   if (isArchiveMIMEType(m_response.mimeType()) &&
@@ skipping 304 matching lines @@
                              m_writer ? m_writer->encoding() : emptyAtom, true,
                              ForceSynchronousParsing);
   if (!source.isNull())
     m_writer->appendReplacingData(source);
   endWriting();
 }
 
 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader);
 
 }  // namespace blink