1 /* | 1 /* |
2 * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved. | 2 * Copyright (C) 2006, 2007, 2008 Apple Inc. All rights reserved. |
3 * Copyright (C) 2011 Google Inc. All rights reserved. | 3 * Copyright (C) 2011 Google Inc. All rights reserved. |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions | 6 * modification, are permitted provided that the following conditions |
7 * are met: | 7 * are met: |
8 * | 8 * |
9 * 1. Redistributions of source code must retain the above copyright | 9 * 1. Redistributions of source code must retain the above copyright |
10 * notice, this list of conditions and the following disclaimer. | 10 * notice, this list of conditions and the following disclaimer. |
461 if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && | 461 if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && |
462 !frameLoader()->requiredCSP().isEmpty()) { | 462 !frameLoader()->requiredCSP().isEmpty()) { |
463 SecurityOrigin* parentSecurityOrigin = | 463 SecurityOrigin* parentSecurityOrigin = |
464 frame()->tree().parent()->securityContext()->getSecurityOrigin(); | 464 frame()->tree().parent()->securityContext()->getSecurityOrigin(); |
465 if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( | 465 if (ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
466 response, parentSecurityOrigin)) { | 466 response, parentSecurityOrigin)) { |
467 m_contentSecurityPolicy->addPolicyFromHeaderValue( | 467 m_contentSecurityPolicy->addPolicyFromHeaderValue( |
468 frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, | 468 frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
469 ContentSecurityPolicyHeaderSourceHTTP); | 469 ContentSecurityPolicyHeaderSourceHTTP); |
470 } else { | 470 } else { |
471 String message = "Refused to display '" + response.url().elidedString() + | 471 ContentSecurityPolicy* embeddingCSP = ContentSecurityPolicy::create(); |
472 "' because it has not opted-into the following policy " | 472 embeddingCSP->setOverrideURLForSelf( |
473 "required by its embedder: '" + | 473 KURL(ParsedURLString, parentSecurityOrigin->toString())); |
amalika
2016/11/28 11:56:22
Not sure if there should be other conversions appl
Mike West
2016/11/28 13:08:02
What should this do in a sandboxed document (where
amalika
2016/11/29 12:43:52
Oh... hmm. Is there any other way we can learn the
474 frameLoader()->requiredCSP() + "'."; | 474 embeddingCSP->addPolicyFromHeaderValue( |
475 ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( | 475 frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
476 SecurityMessageSource, ErrorMessageLevel, message, response.url(), | 476 ContentSecurityPolicyHeaderSourceHTTP); |
477 mainResourceIdentifier()); | 477 if (!embeddingCSP->subsumes(*m_contentSecurityPolicy)) { |
478 frame()->document()->addConsoleMessage(consoleMessage); | 478 String message = "Refused to display '" + |
479 cancelLoadAfterXFrameOptionsOrCSPDenied(response); | 479 response.url().elidedString() + |
480 return; | 480 "' because it has not opted-into the following policy " |
481 "required by its embedder: '" + | |
482 frameLoader()->requiredCSP() + "'."; | |
483 ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( | |
484 SecurityMessageSource, ErrorMessageLevel, message, response.url(), | |
485 mainResourceIdentifier()); | |
486 frame()->document()->addConsoleMessage(consoleMessage); | |
487 cancelLoadAfterXFrameOptionsOrCSPDenied(response); | |
488 return; | |
489 } | |
481 } | 490 } |
482 } | 491 } |
483 | 492 |
484 DCHECK(!m_frame->page()->defersLoading()); | 493 DCHECK(!m_frame->page()->defersLoading()); |
485 | 494 |
486 m_response = response; | 495 m_response = response; |
487 | 496 |
488 if (isArchiveMIMEType(m_response.mimeType()) && | 497 if (isArchiveMIMEType(m_response.mimeType()) && |
489 m_mainResource->getDataBufferingPolicy() != BufferData) | 498 m_mainResource->getDataBufferingPolicy() != BufferData) |
490 m_mainResource->setDataBufferingPolicy(BufferData); | 499 m_mainResource->setDataBufferingPolicy(BufferData); |
793 m_writer ? m_writer->encoding() : emptyAtom, true, | 802 m_writer ? m_writer->encoding() : emptyAtom, true, |
794 ForceSynchronousParsing); | 803 ForceSynchronousParsing); |
795 if (!source.isNull()) | 804 if (!source.isNull()) |
796 m_writer->appendReplacingData(source); | 805 m_writer->appendReplacingData(source); |
797 endWriting(); | 806 endWriting(); |
798 } | 807 } |
799 | 808 |
800 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader); | 809 DEFINE_WEAK_IDENTIFIER_MAP(DocumentLoader); |
801 | 810 |
802 } // namespace blink | 811 } // namespace blink |
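Review bot: The console message built on new lines 478-482 still says the document "has not opted-into" the required policy, but after this change that branch is only reached when the document both failed the Allow-CSP-From opt-in check (new line 465) and delivered a policy that `embeddingCSP->subsumes(*m_contentSecurityPolicy)` rejected on new line 477, so the text no longer names the actual reason for the block. I would change the literal to cover both conditions, e.g. `"' because it has neither opted into nor delivered a policy that subsumes the one required by its embedder: '"`, so a developer who did send a CSP header can see that it was judged too weak rather than missing. A short comment above the new `else` body would also help, e.g. `// No Allow-CSP-From opt-in: per CSP Embedded Enforcement, the frame may still load if its own delivered policy is at least as strict as the embedder's required policy.`. The soundness of this fallback appears to depend on the response's CSP headers already having been folded into m_contentSecurityPolicy before this point (outside the hunk) and on `subsumes` returning false for an empty document policy — both deserve a layout test, since a pass here means the embedder's policy is never added to the frame. The enclosing function begins and continues outside the hunk.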