Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(562)

Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 2651943002: Block subresource requests whose URLs include credentials. (Closed)
Patch Set: Test. Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index d267da610300fd28151cce77f7237c92549ea124..35b4d0f1f9ba3167a5d6ff69dd70de23f6f5de7e 100644
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -803,6 +803,10 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(
Deprecation::countDeprecation(
frame()->document(),
UseCounter::RequestedSubresourceWithEmbeddedCredentials);
+ // TODO(mkwst): Remove the runtime-enabled check in M59:
+ // https://www.chromestatus.com/feature/5669008342777856
+ if (RuntimeEnabledFeatures::blockCredentialedSubresourcesEnabled())
+ return ResourceRequestBlockedReason::Origin;
}
}

Powered by Google App Engine
This is Rietveld 408576698