1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/browser/frame_host/navigation_request.h" | 5 #include "content/browser/frame_host/navigation_request.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/memory/ptr_util.h" | 9 #include "base/memory/ptr_util.h" |
10 #include "content/browser/appcache/appcache_navigation_handle.h" | 10 #include "content/browser/appcache/appcache_navigation_handle.h" |
938 return CONTENT_SECURITY_POLICY_CHECK_PASSED; | 938 return CONTENT_SECURITY_POLICY_CHECK_PASSED; |
939 | 939 |
940 FrameTreeNode* parent_ftn = frame_tree_node()->parent(); | 940 FrameTreeNode* parent_ftn = frame_tree_node()->parent(); |
941 DCHECK(parent_ftn); | 941 DCHECK(parent_ftn); |
942 RenderFrameHostImpl* parent = parent_ftn->current_frame_host(); | 942 RenderFrameHostImpl* parent = parent_ftn->current_frame_host(); |
943 DCHECK(parent); | 943 DCHECK(parent); |
944 | 944 |
945 SourceLocation source_location; | 945 SourceLocation source_location; |
946 if (common_params_.source_location) | 946 if (common_params_.source_location) |
947 source_location = common_params_.source_location.value(); | 947 source_location = common_params_.source_location.value(); |
| 948 |
| 949 // CSP checking happens in three phases, per steps 3-5 of |
| 950 // https://fetch.spec.whatwg.org/#main-fetch: |
| 951 // |
| 952 // (1) Check report-only policies and trigger reports for any violations. |
| 953 // (2) Upgrade the request to HTTPS if necessary. |
| 954 // (3) Check enforced policies (triggering reports for any violations of those |
| 955 // policies) and block the request if necessary. |
| 956 // |
| 957 // This sequence of events allows site owners to learn about (via step 1) any |
| 958 // requests that are upgraded in step 2. |
| 959 |
| 960 bool allowed = parent->IsAllowedByCsp( |
| 961 CSPDirective::FrameSrc, common_params_.url, is_redirect, source_location, |
| 962 CSPContext::CHECK_REPORT_ONLY_CSP); |
| 963 // Checking report-only CSP should never return false because no requests are |
| 964 // blocked by report-only policies. |
| 965 DCHECK(allowed); |
| 966 |
| 967 // TODO(mkwst,estark): upgrade-insecure-requests does not work when following |
| 968 // redirects. Trying to uprade the new URL on redirect here is fruitless: the |
| 969 // redirect URL cannot be changed at this point. upgrade-insecure-requests |
| 970 // needs to move to the net stack to resolve this. https://crbug.com/615885 |
| 971 if (!is_redirect) { |
| 972 GURL new_url; |
| 973 if (parent->ShouldModifyRequestUrlForCsp( |
| 974 common_params_.url, true /* is subresource */, &new_url)) { |
| 975 common_params_.url = new_url; |
| 976 } |
| 977 } |
| 978 |
948 if (parent->IsAllowedByCsp(CSPDirective::FrameSrc, common_params_.url, | 979 if (parent->IsAllowedByCsp(CSPDirective::FrameSrc, common_params_.url, |
949 is_redirect, source_location)) { | 980 is_redirect, source_location, |
| 981 CSPContext::CHECK_ENFORCED_CSP)) { |
950 return CONTENT_SECURITY_POLICY_CHECK_PASSED; | 982 return CONTENT_SECURITY_POLICY_CHECK_PASSED; |
951 } | 983 } |
952 | 984 |
953 return CONTENT_SECURITY_POLICY_CHECK_FAILED; | 985 return CONTENT_SECURITY_POLICY_CHECK_FAILED; |
954 } | 986 } |
955 | 987 |
956 } // namespace content | 988 } // namespace content |
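Review bot: The `true /* is subresource */` argument handed to `ShouldModifyRequestUrlForCsp` at NEW lines 973-974 passes a frame navigation in as a subresource, which reads like a mistake to anyone who has not internalised the spec; I would add above the call `// upgrade-insecure-requests treats navigations of nested frames like subresources, so the parent's policy may rewrite this URL to https.` (hedged: that is my reading of the fetch/CSP steps the comment at 949-958 cites — confirm against the callee). Because the upgrade is skipped whenever `is_redirect` is true (971), a frame redirected to an http: URL under a parent whose enforced frame-src only permits https: will be blocked by the check at 979-981 rather than upgraded, unlike the initial request; the TODO at 967-970 would be more useful if it stated that consequence (and "uprade" there is a typo). The report-only pass at 960-965 deliberately sees the pre-upgrade URL while the enforced pass sees the rewritten `common_params_.url`, so any report consumer may receive two different URLs for one navigation — worth a sentence in the block comment. The enclosing function begins before this hunk (in the skipped region).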