Index: third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
diff --git a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
index ba90b82aa70e5e3e32e3a4f5ed2fca29cdde0e33..4ce81f06a360ecab815d553d177d9a07ec61b904 100644 |
--- a/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
+++ b/third_party/WebKit/Source/core/loader/DocumentLoader.cpp |
@@ -468,16 +468,25 @@ void DocumentLoader::responseReceived( |
frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
ContentSecurityPolicyHeaderSourceHTTP); |
} else { |
- String message = "Refused to display '" + response.url().elidedString() + |
- "' because it has not opted-into the following policy " |
- "required by its embedder: '" + |
- frameLoader()->requiredCSP() + "'."; |
- ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( |
- SecurityMessageSource, ErrorMessageLevel, message, response.url(), |
- mainResourceIdentifier()); |
- frame()->document()->addConsoleMessage(consoleMessage); |
- cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
- return; |
+ ContentSecurityPolicy* embeddingCSP = ContentSecurityPolicy::create(); |
+ embeddingCSP->setOverrideURLForSelf( |
+ KURL(ParsedURLString, parentSecurityOrigin->toString())); |
amalika
2016/11/28 11:56:22
Not sure if there should be other conversions appl
Mike West
2016/11/28 13:08:02
What should this do in a sandboxed document (where
amalika
2016/11/29 12:43:52
Oh... hmm. Is there any other way we can learn the
|
+ embeddingCSP->addPolicyFromHeaderValue( |
+ frameLoader()->requiredCSP(), ContentSecurityPolicyHeaderTypeEnforce, |
+ ContentSecurityPolicyHeaderSourceHTTP); |
+ if (!embeddingCSP->subsumes(*m_contentSecurityPolicy)) { |
+ String message = "Refused to display '" + |
+ response.url().elidedString() + |
+ "' because it has not opted-into the following policy " |
+ "required by its embedder: '" + |
+ frameLoader()->requiredCSP() + "'."; |
+ ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest( |
+ SecurityMessageSource, ErrorMessageLevel, message, response.url(), |
+ mainResourceIdentifier()); |
+ frame()->document()->addConsoleMessage(consoleMessage); |
+ cancelLoadAfterXFrameOptionsOrCSPDenied(response); |
+ return; |
+ } |
} |
} |
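Review bot: The direction of the subsumption check on the `if (!embeddingCSP->subsumes(*m_contentSecurityPolicy))` line is easy to read backwards, and nothing in the new branch records that the embedder's required policy is the subsuming side and the document's delivered policy (`m_contentSecurityPolicy`) is the subsumed one; a one-line comment would pin this, e.g. `// Display only if the policy this document delivered is at least as strict as the embedder's required policy, i.e. the required policy subsumes it.` The `setOverrideURLForSelf(...)` call likewise deserves a why-comment such as `// 'self' in the required policy refers to the embedder's origin, not this document's, so resolve it against the parent origin before comparing.` The dereference `*m_contentSecurityPolicy` assumes the document's policy object has already been created earlier in responseReceived; if that is only guaranteed on some paths, a `DCHECK(m_contentSecurityPolicy)` before the comparison would make the precondition explicit. responseReceived begins before this hunk and its body continues outside it.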