
Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 2551893002: Upgrade-Insecure-Requests: Split CSP checks into pre-upgrade and post-upgrade.
Patch Set: Created 4 years ago
Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index 049c2e27133a05c7fed4fc1962116c16e9474ea6..f8e9444a9f6c944160a056d11974ac39f98c6892 100644
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -594,6 +594,11 @@ bool FrameFetchContext::allowResponse(
const ResourceRequest& resourceRequest,
const KURL& url,
const ResourceLoaderOptions& options) const {
+ // canRequestInternal only checks enforced policies: check report-only here
+ // to ensure violations are sent.
+ checkCSPForRequest(resourceRequest, url, options, false,
+ RedirectStatus::FollowedRedirect,
+ ContentSecurityPolicyHeaderTypeReport);
ResourceRequestBlockedReason reason =
canRequestInternal(type, resourceRequest, url, options, false,
FetchRequest::UseDefaultOriginRestrictionForType,
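Review bot: The result of the new checkCSPForRequest call at the top of allowResponse is discarded. That is only correct if a report-only evaluation can never yield ResourceRequestBlockedReasonCSP, which depends on how allowRequest treats headerType and is not visible here. The comment should state that assumption, e.g. `// Report-only policies never block, so the return value is intentionally ignored.` The bare `false` would also read better as `/* forPreload */ false`. The body of allowResponse continues outside the hunk.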
@@ -607,6 +612,36 @@ bool FrameFetchContext::allowResponse(
return true;
}
+ResourceRequestBlockedReason FrameFetchContext::checkCSPForRequest(
+ const ResourceRequest& resourceRequest,
+ const KURL& url,
+ const ResourceLoaderOptions& options,
+ bool forPreload,
+ ResourceRequest::RedirectStatus redirectStatus,
+ ContentSecurityPolicyHeaderType headerType) const {
+ if (frame()->script().shouldBypassMainWorldCSP() ||
+ options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy) {
+ return ResourceRequestBlockedReasonNone;
+ }
+
+ // Don't send CSP messages for preloads, we might never actually display those
+ // items.
+ ContentSecurityPolicy::ReportingStatus cspReporting =
+ forPreload ? ContentSecurityPolicy::SuppressReport
+ : ContentSecurityPolicy::SendReport;
+
+ if (m_document) {
+ DCHECK(m_document->contentSecurityPolicy());
+ if (!m_document->contentSecurityPolicy()->allowRequest(
+ resourceRequest.requestContext(), url,
+ options.contentSecurityPolicyNonce, options.integrityMetadata,
+ options.parserDisposition, redirectStatus, cspReporting,
+ headerType))
+ return ResourceRequestBlockedReasonCSP;
+ }
+ return ResourceRequestBlockedReasonNone;
+}
+
ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(
Resource::Type type,
const ResourceRequest& resourceRequest,
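Review bot: The early return at the top of checkCSPForRequest skips both enforced and report-only evaluation whenever shouldBypassMainWorldCSP() is true, but the FIXME that explained this bypass is deleted from canRequestInternal in the last hunk and not carried over. Restore it above the condition: `// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.` A null m_document also falls through to ResourceRequestBlockedReasonNone, so the policy check is skipped rather than failed in that case. A one-line comment saying so would help the next reader judge whether that is intended.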
@@ -664,26 +699,14 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(
break;
}
- // FIXME: Convert this to check the isolated world's Content Security Policy
- // once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldCSP =
- frame()->script().shouldBypassMainWorldCSP() ||
- options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy;
-
- // Don't send CSP messages for preloads, we might never actually display those
- // items.
- ContentSecurityPolicy::ReportingStatus cspReporting =
- forPreload ? ContentSecurityPolicy::SuppressReport
- : ContentSecurityPolicy::SendReport;
-
- if (m_document) {
- DCHECK(m_document->contentSecurityPolicy());
- if (!shouldBypassMainWorldCSP &&
- !m_document->contentSecurityPolicy()->allowRequest(
- resourceRequest.requestContext(), url,
- options.contentSecurityPolicyNonce, options.integrityMetadata,
- options.parserDisposition, redirectStatus, cspReporting))
- return ResourceRequestBlockedReasonCSP;
+ // We check the 'report-only' headers before upgrading the request (in
+ // 'modifyRequestForCSP'). We check the enforced headers here to ensure we
+ // block things we ought to block.
+ if (checkCSPForRequest(resourceRequest, url, options, forPreload,
+ redirectStatus,
+ ContentSecurityPolicyHeaderTypeEnforce) ==
+ ResourceRequestBlockedReasonCSP) {
+ return ResourceRequestBlockedReasonCSP;
}
if (type == Resource::Script || type == Resource::ImportResource) {
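Review bot: After this hunk canRequestInternal evaluates only ContentSecurityPolicyHeaderTypeEnforce, so report-only violations are reported only where a caller makes its own ContentSecurityPolicyHeaderTypeReport call. In this file section that is just allowResponse. The new comment names modifyRequestForCSP for the initial request, but that code is not visible here, and any other caller of canRequestInternal (a redirect path, if one exists) would presumably stop producing report-only reports. Consider stating the contract in the comment, e.g. `// Callers are responsible for checking report-only policies; see allowResponse() and modifyRequestForCSP().`, and confirming redirect coverage with a test. The body of canRequestInternal starts and ends outside the hunk.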