
Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2490943002: Block 'javascript:' navigation in the correct document. (Closed)
Patch Set: feedback Created 4 years, 1 month ago
Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 52ef1de51c2fae117ff77b156b302897ead5674c..6b99ae0d54bc13edc6c2cad6f03101e41f986c58 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -1211,31 +1211,35 @@ void ContentSecurityPolicy::reportViolation(
reportObject->setObject("csp-report", std::move(cspReport));
String stringifiedReport = reportObject->toJSONString();
- if (!shouldSendViolationReport(stringifiedReport))
- return;
- didSendViolationReport(stringifiedReport);
-
- RefPtr<EncodedFormData> report =
- EncodedFormData::create(stringifiedReport.utf8());
-
- LocalFrame* frame = document->frame();
- if (!frame)
- return;
-
- for (const String& endpoint : reportEndpoints) {
- // If we have a context frame we're dealing with 'frame-ancestors' and we
- // don't have our own execution context. Use the frame's document to
- // complete the endpoint URL, overriding its URL with the blocked document's
- // URL.
- DCHECK(!contextFrame || !m_executionContext);
- DCHECK(!contextFrame ||
- equalIgnoringCase(effectiveDirective, FrameAncestors));
- KURL url =
- contextFrame
- ? frame->document()->completeURLWithOverride(endpoint, blockedURL)
- : completeURL(endpoint);
- PingLoader::sendViolationReport(
- frame, url, report, PingLoader::ContentSecurityPolicyViolationReport);
+ // Only POST unique reports to the external endpoint; repeated reports add no
+ // value on the server side, as they're indistinguishable. Note that we'll
+ // fire the DOM event for every violation, as the page has enough context to
+ // react in some reasonable way to each violation as it occurs.
+ if (shouldSendViolationReport(stringifiedReport)) {
+ didSendViolationReport(stringifiedReport);
+
+ RefPtr<EncodedFormData> report =
+ EncodedFormData::create(stringifiedReport.utf8());
+
+ LocalFrame* frame = document->frame();
+ if (!frame)
+ return;
+
+ for (const String& endpoint : reportEndpoints) {
+ // If we have a context frame we're dealing with 'frame-ancestors' and we
+ // don't have our own execution context. Use the frame's document to
+ // complete the endpoint URL, overriding its URL with the blocked
+ // document's URL.
+ DCHECK(!contextFrame || !m_executionContext);
+ DCHECK(!contextFrame ||
+ equalIgnoringCase(effectiveDirective, FrameAncestors));
+ KURL url =
+ contextFrame
+ ? frame->document()->completeURLWithOverride(endpoint, blockedURL)
+ : completeURL(endpoint);
+ PingLoader::sendViolationReport(
+ frame, url, report, PingLoader::ContentSecurityPolicyViolationReport);
+ }
}
document->postTask(
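Review bot: The `if (!frame) return;` kept inside the new `if (shouldSendViolationReport(stringifiedReport))` block still exits the whole function, so a unique report on a document without a frame skips the `document->postTask(` call after the block, while a repeated report in the same state reaches it. That contradicts the added comment saying the DOM event fires for every violation, assuming the posted task is what dispatches that event (its body is outside the hunk). Scoping the frame check to the POST loop avoids this, e.g. `if (LocalFrame* frame = document->frame()) {` wrapped around the `for` loop in place of the early return. `didSendViolationReport(stringifiedReport)` also runs before the frame check, so the report appears to be recorded as sent even when nothing is posted; consider moving that call inside the frame check as well. reportViolation starts and ends outside this hunk.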
