third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp - Issue 2551893002: Upgrade-Insecure-Requests: Split CSP checks into pre-upgrade and post-upgrade.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp

Issue 2551893002: Upgrade-Insecure-Requests: Split CSP checks into pre-upgrade and post-upgrade.

Patch Set: Created 4 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp

diff --git a/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp b/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp

index cb7b2cccaaab98ed31825e0f51f7e26352b45a12..384cbaaab7d4f209ba24e82c4ca5f98c44e57871 100644

--- a/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp

+++ b/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp

@@ -40,6 +40,7 @@

#include "platform/RuntimeEnabledFeatures.h"

#include "platform/mhtml/ArchiveResource.h"

#include "platform/mhtml/MHTMLArchive.h"

+#include "platform/network/ContentSecurityPolicyParsers.h"

#include "platform/network/NetworkInstrumentation.h"

#include "platform/network/NetworkUtils.h"

#include "platform/network/ResourceTimingInfo.h"

@@ -495,6 +496,16 @@ Resource* ResourceFetcher::requestResource(

factory.type() == Resource::XSLStyleSheet);

context().populateRequestData(request.mutableResourceRequest());

+ // It's important that we check the request against the page's CSP _before_

+ // modifying it via upgrade-insecure-requests, etc. Otherwise, developers

+ // won't get error reports for upgraded resources.

+ context().checkCSPForRequest(

+ request.resourceRequest(),

+ MemoryCache::removeFragmentIdentifierIfNeeded(request.url()),

+ request.options(), request.forPreload(),

+ request.resourceRequest().redirectStatus(),

+ ContentSecurityPolicyHeaderTypeReport);

context().modifyRequestForCSP(request.mutableResourceRequest());

context().addClientHintsIfNecessary(request);

context().addCSPHeaderIfNecessary(factory.type(), request);

@@ -1368,6 +1379,7 @@ bool ResourceFetcher::willFollowRedirect(

ResourceRequest& newRequest,

const ResourceResponse& redirectResponse) {

if (!isManualRedirectFetchRequest(resource->resourceRequest())) {

+ // TODO(mkwst):

if (!context().canRequest(resource->getType(), newRequest, newRequest.url(),

resource->options(), resource->isUnusedPreload(),

FetchRequest::UseDefaultOriginRestrictionForType))