DescriptionImplement upgrade-insecure-requests in browser for frame requests
In PlzNavigate, frame requests currently have most of their CSP checks done in
the browser process. But upgrade-insecure-requests was still applied in Blink,
meaning that upgraded frame requests couldn't be properly reported.
This CL moves upgrading into the browser process for frame requests, and
properly splits up CSP checks per spec: (1) evaluate report-only CSPs,
(2) upgrade request if needed, (3) evaluate enforced CSPs.
There are other cases for which we might need to do something similar which
are not handled by this CL: namely form submissions and same-host main-frame
navigations.
Also note that I'm not attempting to apply upgrade-insecure-requests when
following redirects. UIR in general does not work when following redirects, and
that's a much larger issue outside the scope of this CL.
(https://crbug.com/615885)
This is a follow-up to https://codereview.chromium.org/2909513002/, and is
the browser-process version of https://codereview.chromium.org/2790693002.
BUG=713388
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation
Review-Url: https://codereview.chromium.org/2910573002
Cr-Commit-Position: refs/heads/master@{#478478}
Committed: https://chromium.googlesource.com/chromium/src/+/4bb7f5d6743f3ae5a69f1624c6e3547ba4f234ee
Patch Set 1 #Patch Set 2 : rebase #Patch Set 3 : rebase #Patch Set 4 : rebase, fix unit tests #Patch Set 5 : blink::WebString constructor #Patch Set 6 : rebase #Patch Set 7 : rebase #Patch Set 8 : add unit tests, don't even try on redirects #Patch Set 9 : fix BuildPolicy argument #
Total comments: 4
Patch Set 10 : mkwst comment #Patch Set 11 : update test expectations #
Total comments: 6
Patch Set 12 : update original_url, add test for it #Patch Set 13 : rebase #Depends on Patchset: Messages
Total messages: 68 (54 generated)
|