Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(7)

Side by Side Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2488743003: (Re-)introduce AncestorThrottle to handle 'X-Frame-Options'. (Closed)
Patch Set: Addressed comments (@alexmos #2) Created 3 years, 12 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights
3 * reserved. 3 * reserved.
4 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) 4 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
5 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. 5 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
6 * (http://www.torchmobile.com/) 6 * (http://www.torchmobile.com/)
7 * Copyright (C) 2008 Alp Toker <alp@atoker.com> 7 * Copyright (C) 2008 Alp Toker <alp@atoker.com>
8 * Copyright (C) Research In Motion Limited 2009. All rights reserved. 8 * Copyright (C) Research In Motion Limited 2009. All rights reserved.
9 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> 9 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
10 * Copyright (C) 2011 Google Inc. All rights reserved. 10 * Copyright (C) 2011 Google Inc. All rights reserved.
(...skipping 1706 matching lines...) Expand 10 before | Expand all | Expand 10 after
1717 1717
1718 takeObjectSnapshot(); 1718 takeObjectSnapshot();
1719 } 1719 }
1720 1720
1721 void FrameLoader::applyUserAgent(ResourceRequest& request) { 1721 void FrameLoader::applyUserAgent(ResourceRequest& request) {
1722 String userAgent = this->userAgent(); 1722 String userAgent = this->userAgent();
1723 DCHECK(!userAgent.isNull()); 1723 DCHECK(!userAgent.isNull());
1724 request.setHTTPUserAgent(AtomicString(userAgent)); 1724 request.setHTTPUserAgent(AtomicString(userAgent));
1725 } 1725 }
1726 1726
1727 bool FrameLoader::shouldInterruptLoadForXFrameOptions(
1728 const String& content,
1729 const KURL& url,
1730 unsigned long requestIdentifier) {
1731 UseCounter::count(m_frame->domWindow()->document(),
1732 UseCounter::XFrameOptions);
1733
1734 Frame* topFrame = m_frame->tree().top();
1735 if (m_frame == topFrame)
1736 return false;
1737
1738 XFrameOptionsDisposition disposition = parseXFrameOptionsHeader(content);
1739
1740 switch (disposition) {
1741 case XFrameOptionsSameOrigin: {
1742 UseCounter::count(m_frame->domWindow()->document(),
1743 UseCounter::XFrameOptionsSameOrigin);
1744 RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
1745 // Out-of-process ancestors are always a different origin.
1746 if (!topFrame->isLocalFrame() ||
1747 !origin->isSameSchemeHostPort(
1748 toLocalFrame(topFrame)->document()->getSecurityOrigin()))
1749 return true;
1750 for (Frame* frame = m_frame->tree().parent(); frame;
1751 frame = frame->tree().parent()) {
1752 if (!frame->isLocalFrame() ||
1753 !origin->isSameSchemeHostPort(
1754 toLocalFrame(frame)->document()->getSecurityOrigin())) {
1755 UseCounter::count(
1756 m_frame->domWindow()->document(),
1757 UseCounter::XFrameOptionsSameOriginWithBadAncestorChain);
1758 break;
1759 }
1760 }
1761 return false;
1762 }
1763 case XFrameOptionsDeny:
1764 return true;
1765 case XFrameOptionsAllowAll:
1766 return false;
1767 case XFrameOptionsConflict: {
1768 ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
1769 JSMessageSource, ErrorMessageLevel,
1770 "Multiple 'X-Frame-Options' headers with conflicting values ('" +
1771 content + "') encountered when loading '" + url.elidedString() +
1772 "'. Falling back to 'DENY'.",
1773 url, requestIdentifier);
1774 m_frame->document()->addConsoleMessage(consoleMessage);
1775 return true;
1776 }
1777 case XFrameOptionsInvalid: {
1778 ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(
1779 JSMessageSource, ErrorMessageLevel,
1780 "Invalid 'X-Frame-Options' header encountered when loading '" +
1781 url.elidedString() + "': '" + content +
1782 "' is not a recognized directive. The header will be ignored.",
1783 url, requestIdentifier);
1784 m_frame->document()->addConsoleMessage(consoleMessage);
1785 return false;
1786 }
1787 default:
1788 NOTREACHED();
1789 return false;
1790 }
1791 }
1792
1793 bool FrameLoader::shouldTreatURLAsSameAsCurrent(const KURL& url) const { 1727 bool FrameLoader::shouldTreatURLAsSameAsCurrent(const KURL& url) const {
1794 return m_currentItem && url == m_currentItem->url(); 1728 return m_currentItem && url == m_currentItem->url();
1795 } 1729 }
1796 1730
1797 bool FrameLoader::shouldTreatURLAsSrcdocDocument(const KURL& url) const { 1731 bool FrameLoader::shouldTreatURLAsSrcdocDocument(const KURL& url) const {
1798 if (!url.isAboutSrcdocURL()) 1732 if (!url.isAboutSrcdocURL())
1799 return false; 1733 return false;
1800 HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner(); 1734 HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner();
1801 if (!isHTMLIFrameElement(ownerElement)) 1735 if (!isHTMLIFrameElement(ownerElement))
1802 return false; 1736 return false;
(...skipping 156 matching lines...) Expand 10 before | Expand all | Expand 10 after
1959 m_documentLoader ? m_documentLoader->url() : String()); 1893 m_documentLoader ? m_documentLoader->url() : String());
1960 return tracedValue; 1894 return tracedValue;
1961 } 1895 }
1962 1896
1963 inline void FrameLoader::takeObjectSnapshot() const { 1897 inline void FrameLoader::takeObjectSnapshot() const {
1964 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this, 1898 TRACE_EVENT_OBJECT_SNAPSHOT_WITH_ID("loading", "FrameLoader", this,
1965 toTracedValue()); 1899 toTracedValue());
1966 } 1900 }
1967 1901
1968 } // namespace blink 1902 } // namespace blink
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698