Chromium Code Reviews

Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2612793002: Implement ContentSecurityPolicy on the browser-side. (Closed)
Patch Set: Add the TODO and bug ids that were forgotten. Created 3 years, 10 months ago
Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 2064ac7cca644ec9f2d823727a2bcdeda21556fc..f9f6bd3c3e2963d979b0935e5e52baeef8537711 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -332,8 +332,9 @@ void ContentSecurityPolicy::reportAccumulatedHeaders(
// addAndReportPolicyFromHeaderValue for more details and context.
DCHECK(client);
for (const auto& policy : m_policies) {
- client->didAddContentSecurityPolicy(policy->header(), policy->headerType(),
- policy->headerSource());
+ client->didAddContentSecurityPolicy(
+ policy->header(), policy->headerType(), policy->headerSource(),
+ {policy->exposeForNavigationalChecks()});
}
}
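Review bot: In the loop in reportAccumulatedHeaders, the new fourth argument `{policy->exposeForNavigationalChecks()}` sends exactly one policy per call, paired with that policy's own header() text, and nothing here says so. The second hunk notes that one header can produce zero, one or several policies; if several entries in m_policies share the same header() text, this path reports that header once per policy while the other path reports it once with all of its policies. A short comment stating which of the two the receiver should expect would avoid a mismatch on the browser side. Naming the container type instead of passing a bare braced list would also make this call read the same as the std::vector built in addAndReportPolicyFromHeaderValue.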
@@ -341,17 +342,26 @@ void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue(
const String& header,
ContentSecurityPolicyHeaderType type,
ContentSecurityPolicyHeaderSource source) {
- // Notify about the new header, so that it can be reported back to the
- // browser process. This is needed in order to:
- // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
- // short-term).
- // 2) enforce CSP in the browser process (not yet / long-term - see
- // https://crbug.com/376522).
- if (document() && document()->frame())
- document()->frame()->client()->didAddContentSecurityPolicy(header, type,
- source);
-
+ size_t previousPolicyCount = m_policies.size();
addPolicyFromHeaderValue(header, type, source);
+ if (document() && document()->frame()) {
+ // Notify about the new header, so that it can be reported back to the
+ // browser process. This is needed in order to:
+ // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
+ // short-term).
+ // 2) enforce CSP in the browser process (long-term - see
+ // https://crbug.com/376522).
+ // TODO(arthursonzogni): policies are actually replicated (1) and some of
+ // them are (or will) be enforced on the browser process (2). Stop doing (1)
+ // when (2) is finished.
+
+ // Zero, one or several policies could be produced by only one header.
+ std::vector<blink::WebContentSecurityPolicyPolicy> policies;
+ for (size_t i = previousPolicyCount; i < m_policies.size(); ++i)
+ policies.push_back(m_policies[i]->exposeForNavigationalChecks());
+ document()->frame()->client()->didAddContentSecurityPolicy(
+ header, type, source, policies);
+ }
}
void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) {
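Review bot: The index range from previousPolicyCount to m_policies.size() in addAndReportPolicyFromHeaderValue is only correct if addPolicyFromHeaderValue strictly appends to m_policies, and nothing in this hunk checks that. Consider adding DCHECK_LE(previousPolicyCount, m_policies.size()) right after the call, or having addPolicyFromHeaderValue return the policies it created, since the list passed to didAddContentSecurityPolicy is what the browser process will rely on. When the header yields zero policies the client is still notified with an empty vector; the comment should say whether that is intended. Note also that the notification now happens after the policy is added rather than before, which is worth mentioning in the change description. In the TODO, "are (or will) be enforced" should read "are (or will be) enforced".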