Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(549)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2557063002: Upgrade Insecure Requests: bugfixes, tests, and support for OOPIF.
Patch Set: Addressed comments (@nasko #2). Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/core/loader/FrameLoaderClient.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/loader/FrameLoader.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameLoader.cpp b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
index 4cbd51bfa9ecb2615c9f93bd6a81801b4e308834..e52102ed88282c91e0ded0913524b525a833b2b0 100644
--- a/third_party/WebKit/Source/core/loader/FrameLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameLoader.cpp
@@ -1672,7 +1672,7 @@ void FrameLoader::startLoad(FrameLoadRequest& frameLoadRequest,
// Record the latest requiredCSP value that will be used when sending this
// request.
recordLatestRequiredCSP();
- modifyRequestForCSP(resourceRequest, nullptr);
+ modifyRequestForCSP(resourceRequest, frameLoadRequest.originDocument());
if (!shouldContinueForNavigationPolicy(
resourceRequest, frameLoadRequest.substituteData(), nullptr,
frameLoadRequest.shouldCheckMainWorldContentSecurityPolicy(),
@@ -1867,17 +1867,11 @@ FrameLoader::insecureNavigationsToUpgrade() const {
if (!parentFrame)
return nullptr;
- // FIXME: We need a way to propagate insecure requests policy flags to
- // out-of-process frames. For now, we'll always use default behavior.
- if (!parentFrame->isLocalFrame())
- return nullptr;
-
- DCHECK(toLocalFrame(parentFrame)->document());
- return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
+ return parentFrame->securityContext()->insecureNavigationsToUpgrade();
}
void FrameLoader::modifyRequestForCSP(ResourceRequest& resourceRequest,
- Document* document) const {
+ Document* originDocument) const {
if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
!requiredCSP().isEmpty()) {
// TODO(amalika): Strengthen this DCHECK that requiredCSP has proper format
@@ -1899,34 +1893,41 @@ void FrameLoader::modifyRequestForCSP(ResourceRequest& resourceRequest,
"1");
}
- upgradeInsecureRequest(resourceRequest, document);
+ upgradeInsecureRequest(resourceRequest, originDocument);
}
void FrameLoader::upgradeInsecureRequest(ResourceRequest& resourceRequest,
- Document* document) const {
+ Document* originDocument) const {
+ // We always upgrade requests that meet any of the following criteria:
+ //
+ // Enforced in FrameLoader::upgradeInsecureRequest.
+ // 1. Are for subresources.
+ // 2. Are for nested frames.
+ // 3. Are form submissions.
+ // 4. Whose hosts are contained in the originDocument's upgrade insecure
+ // navigations set. (same-frame navigation).
+ // Enforced in Frame::upgradeInsecureRequest.
+ // 4. Whose hosts are contained in the originDocument's upgrade insecure
+ // navigations set. (cross-frame navigation).
+
KURL url = resourceRequest.url();
- // If we don't yet have an |m_document| (because we're loading an iframe, for
- // instance), check the FrameLoader's policy.
+ // If we don't yet have an |originDocument| (because we're loading an iframe,
+ // for instance), check the FrameLoader's policy.
WebInsecureRequestPolicy relevantPolicy =
- document ? document->getInsecureRequestPolicy()
- : getInsecureRequestPolicy();
+ originDocument ? originDocument->getInsecureRequestPolicy()
+ : getInsecureRequestPolicy();
SecurityContext::InsecureNavigationsSet* relevantNavigationSet =
- document ? document->insecureNavigationsToUpgrade()
- : insecureNavigationsToUpgrade();
+ originDocument ? originDocument->insecureNavigationsToUpgrade()
+ : insecureNavigationsToUpgrade();
if (url.protocolIs("http") && relevantPolicy & kUpgradeInsecureRequests) {
- // We always upgrade requests that meet any of the following criteria:
- //
- // 1. Are for subresources (including nested frames).
- // 2. Are form submissions.
- // 3. Whose hosts are contained in the document's InsecureNavigationSet.
if (resourceRequest.frameType() == WebURLRequest::FrameTypeNone ||
resourceRequest.frameType() == WebURLRequest::FrameTypeNested ||
resourceRequest.requestContext() == WebURLRequest::RequestContextForm ||
(!url.host().isNull() &&
relevantNavigationSet->contains(url.host().impl()->hash()))) {
- UseCounter::count(document,
+ UseCounter::count(originDocument,
UseCounter::UpgradeInsecureRequestsUpgradedRequest);
url.setProtocol("https");
if (url.port() == 80)
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameLoader.h ('k') | third_party/WebKit/Source/core/loader/FrameLoaderClient.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698