Side by Side Diff: content/browser/frame_host/navigation_request.cc

Issue 2910573002: Implement upgrade-insecure-requests in browser for frame requests (Closed)
Patch Set: fix BuildPolicy argument Created 3 years, 7 months ago
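--- a/content/browser/frame_host/navigation_request.cc
+++ b/content/browser/frame_host/navigation_request.cc
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_request.h"
 
 #include <utility>
 
 #include "base/memory/ptr_util.h"
 #include "content/browser/appcache/appcache_navigation_handle.h"
@@ -938,19 +938,51 @@
 return CONTENT_SECURITY_POLICY_CHECK_PASSED;
 
 FrameTreeNode* parent_ftn = frame_tree_node()->parent();
 DCHECK(parent_ftn);
 RenderFrameHostImpl* parent = parent_ftn->current_frame_host();
 DCHECK(parent);
 
 SourceLocation source_location;
 if (common_params_.source_location)
 source_location = common_params_.source_location.value();
+
+// CSP checking happens in three phases, per steps 3-5 of
+// https://fetch.spec.whatwg.org/#main-fetch:
+//
+// (1) Check report-only policies and trigger reports for any violations.
+// (2) Upgrade the request to HTTPS if necessary.
+// (3) Check enforced policies (triggering reports for any violations of those
+// policies) and block the request if necessary.
+//
+// This sequence of events allows site owners to learn about (via step 1) any
+// requests that are upgraded in step 2.
+
+bool allowed = parent->IsAllowedByCsp(
+CSPDirective::FrameSrc, common_params_.url, is_redirect, source_location,
+CSPContext::CHECK_REPORT_ONLY_CSP);
+// Checking report-only CSP should never return false because no requests are
+// blocked by report-only policies.
+DCHECK(allowed);
+
+// TODO(mkwst,estark): upgrade-insecure-requests does not work when following
+// redirects. Trying to uprade the new URL on redirect here is fruitless: the
+// redirect URL cannot be changed at this point. upgrade-insecure-requests
+// needs to move to the net stack to resolve this. https://crbug.com/615885
+if (!is_redirect) {
+GURL new_url;
+if (parent->ShouldModifyRequestUrlForCsp(
+common_params_.url, true /* is subresource */, &new_url)) {
+common_params_.url = new_url;
+}
+}
+
 if (parent->IsAllowedByCsp(CSPDirective::FrameSrc, common_params_.url,
-is_redirect, source_location)) {
+is_redirect, source_location,
+CSPContext::CHECK_ENFORCED_CSP)) {
 return CONTENT_SECURITY_POLICY_CHECK_PASSED;
 }
 
 return CONTENT_SECURITY_POLICY_CHECK_FAILED;
 }
 
 } // namespace content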
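Review bot: The report-only IsAllowedByCsp call is stored in `allowed` and only DCHECKed, which is correct because the call has a side effect (it dispatches violation reports), but nothing in the hunk says so, and a later cleanup could fold the call into the DCHECK and silently lose those reports in builds where the DCHECK expression is not evaluated. Suggest a comment directly above `bool allowed = parent->IsAllowedByCsp(`: `// Called outside the DCHECK on purpose: the report-only check sends violation reports and must run in every build configuration.` The `true /* is subresource */` argument to ShouldModifyRequestUrlForCsp is passed for a frame navigation, so a one-line comment on why a nested-frame navigation is treated as a subresource for upgrade purposes (presumably following the upgrade-insecure-requests spec) would save the next reader a lookup. The TODO also misspells "upgrade" as `uprade`. The enclosing function begins outside the hunk.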