third_party/WebKit/Source/core/loader/FrameLoader.cpp - Issue 2910573002: Implement upgrade-insecure-requests in browser for frame requests

Side by Side Diff: third_party/WebKit/Source/core/loader/FrameLoader.cpp

Issue 2910573002: Implement upgrade-insecure-requests in browser for frame requests (Closed)

Patch Set: fix BuildPolicy argument Created 3 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 /*	1 /*

2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights	2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights

3 * reserved.	3 * reserved.

4 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)	4 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)

5 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.	5 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.

6 * (http://www.torchmobile.com/)	6 * (http://www.torchmobile.com/)

7 * Copyright (C) 2008 Alp Toker <alp@atoker.com>	7 * Copyright (C) 2008 Alp Toker <alp@atoker.com>

8 * Copyright (C) Research In Motion Limited 2009. All rights reserved.	8 * Copyright (C) Research In Motion Limited 2009. All rights reserved.

9 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>	9 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>

10 * Copyright (C) 2011 Google Inc. All rights reserved.	10 * Copyright (C) 2011 Google Inc. All rights reserved.

(...skipping 47 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
58 #include "core/frame/csp/ContentSecurityPolicy.h"	58 #include "core/frame/csp/ContentSecurityPolicy.h"

59 #include "core/html/HTMLFormElement.h"	59 #include "core/html/HTMLFormElement.h"

60 #include "core/html/HTMLFrameOwnerElement.h"	60 #include "core/html/HTMLFrameOwnerElement.h"

61 #include "core/input/EventHandler.h"	61 #include "core/input/EventHandler.h"

62 #include "core/inspector/ConsoleMessage.h"	62 #include "core/inspector/ConsoleMessage.h"

63 #include "core/loader/DocumentLoadTiming.h"	63 #include "core/loader/DocumentLoadTiming.h"

64 #include "core/loader/DocumentLoader.h"	64 #include "core/loader/DocumentLoader.h"

65 #include "core/loader/FormSubmission.h"	65 #include "core/loader/FormSubmission.h"

66 #include "core/loader/FrameLoadRequest.h"	66 #include "core/loader/FrameLoadRequest.h"

67 #include "core/loader/LinkLoader.h"	67 #include "core/loader/LinkLoader.h"

68 #include "core/loader/MixedContentChecker.h"

69 #include "core/loader/NavigationScheduler.h"	68 #include "core/loader/NavigationScheduler.h"

70 #include "core/loader/NetworkHintsInterface.h"	69 #include "core/loader/NetworkHintsInterface.h"

71 #include "core/loader/ProgressTracker.h"	70 #include "core/loader/ProgressTracker.h"

72 #include "core/loader/appcache/ApplicationCacheHost.h"	71 #include "core/loader/appcache/ApplicationCacheHost.h"

73 #include "core/page/ChromeClient.h"	72 #include "core/page/ChromeClient.h"

74 #include "core/page/CreateWindow.h"	73 #include "core/page/CreateWindow.h"

75 #include "core/page/FrameTree.h"	74 #include "core/page/FrameTree.h"

76 #include "core/page/Page.h"	75 #include "core/page/Page.h"

77 #include "core/page/WindowFeatures.h"	76 #include "core/page/WindowFeatures.h"

78 #include "core/page/scrolling/ScrollingCoordinator.h"	77 #include "core/page/scrolling/ScrollingCoordinator.h"

(...skipping 1271 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1350 Document::kNoDismissal) {	1349 Document::kNoDismissal) {

1351 return kNavigationPolicyIgnore;	1350 return kNavigationPolicyIgnore;

1352 }	1351 }

1353	1352

1354 // Record the latest requiredCSP value that will be used when sending this	1353 // Record the latest requiredCSP value that will be used when sending this

1355 // request.	1354 // request.

1356 ResourceRequest& resource_request = frame_load_request.GetResourceRequest();	1355 ResourceRequest& resource_request = frame_load_request.GetResourceRequest();

1357 RecordLatestRequiredCSP();	1356 RecordLatestRequiredCSP();

1358 // Before modifying the request, check report-only CSP headers to give the	1357 // Before modifying the request, check report-only CSP headers to give the

1359 // site owner a chance to learn about requests that need to be modified.	1358 // site owner a chance to learn about requests that need to be modified.

1360 //

1361 // TODO(estark): this doesn't work with --enable-browser-side-navigation,

1362 // wherein 'frame-src' is checked in the browser process. Figure out what to

1363 // do; maybe with browser-side navigation the upgrade should be happening in

1364 // the browser process too. See also https://crbug.com/692595

1365 Settings* settings = frame_->GetSettings();	1359 Settings* settings = frame_->GetSettings();

1366 MaybeCheckCSP(	1360 MaybeCheckCSP(

1367 resource_request, navigation_type, frame_, navigation_policy,	1361 resource_request, navigation_type, frame_, navigation_policy,

1368 frame_load_request.ShouldCheckMainWorldContentSecurityPolicy() ==	1362 frame_load_request.ShouldCheckMainWorldContentSecurityPolicy() ==

1369 kCheckContentSecurityPolicy,	1363 kCheckContentSecurityPolicy,

1370 settings && settings->GetBrowserSideNavigationEnabled(),	1364 settings && settings->GetBrowserSideNavigationEnabled(),

1371 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly);	1365 ContentSecurityPolicy::CheckHeaderType::kCheckReportOnly);

1372 ModifyRequestForCSP(resource_request, nullptr);	1366 ModifyRequestForCSP(resource_request, nullptr);

1373	1367

1374 return ShouldContinueForNavigationPolicy(	1368 return ShouldContinueForNavigationPolicy(

(...skipping 218 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1593 // Early return if the request has already been upgraded.	1587 // Early return if the request has already been upgraded.

1594 if (!resource_request.HttpHeaderField(HTTPNames::Upgrade_Insecure_Requests)	1588 if (!resource_request.HttpHeaderField(HTTPNames::Upgrade_Insecure_Requests)

1595 .IsNull()) {	1589 .IsNull()) {

1596 return;	1590 return;

1597 }	1591 }

1598	1592

1599 resource_request.SetHTTPHeaderField(HTTPNames::Upgrade_Insecure_Requests,	1593 resource_request.SetHTTPHeaderField(HTTPNames::Upgrade_Insecure_Requests,

1600 "1");	1594 "1");

1601 }	1595 }

1602	1596

	1597 // PlzNavigate: Upgrading subframe requests is handled by the browser process.

	1598 Settings* settings = frame_->GetSettings();

	1599 if (resource_request.GetFrameType() == WebURLRequest::kFrameTypeNested &&

	1600 settings && settings->GetBrowserSideNavigationEnabled()) {
	Mike West 2017/05/30 07:36:30 Tiny nit: You could skip checking `settings` here Tiny nit: You could skip checking `settings` here if you wrapped the assignment in an if. Like `if (Settings* settings = frame_->GetSettings())` estark 2017/06/01 04:18:30 I'll skip this one if you don't mind -- my weaklin Show quoted text On 2017/05/30 07:36:30, Mike West wrote: > Tiny nit: You could skip checking `settings` here if you wrapped the assignment > in an if. Like `if (Settings* settings = frame_->GetSettings())` I'll skip this one if you don't mind -- my weakling brain finds such things hard to read. Happy to do it if you feel strongly though :)
	1601 return;

	1602 }

1603 UpgradeInsecureRequest(resource_request, document);	1603 UpgradeInsecureRequest(resource_request, document);

1604 }	1604 }

1605	1605

1606 void FrameLoader::UpgradeInsecureRequest(ResourceRequest& resource_request,	1606 void FrameLoader::UpgradeInsecureRequest(ResourceRequest& resource_request,

1607 Document* document) const {	1607 Document* document) const {

1608 KURL url = resource_request.Url();	1608 KURL url = resource_request.Url();

1609	1609

1610 // If we don't yet have an \|m_document\| (because we're loading an iframe, for	1610 // If we don't yet have an \|m_document\| (because we're loading an iframe, for

1611 // instance), check the FrameLoader's policy.	1611 // instance), check the FrameLoader's policy.

1612 WebInsecureRequestPolicy relevant_policy =	1612 WebInsecureRequestPolicy relevant_policy =

(...skipping 75 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1688 // TODO(japhet): This is needed because the browser process DCHECKs if the	1688 // TODO(japhet): This is needed because the browser process DCHECKs if the

1689 // first entry we commit in a new frame has replacement set. It's unclear	1689 // first entry we commit in a new frame has replacement set. It's unclear

1690 // whether the DCHECK is right, investigate removing this special case.	1690 // whether the DCHECK is right, investigate removing this special case.

1691 bool replace_current_item = load_type == kFrameLoadTypeReplaceCurrentItem &&	1691 bool replace_current_item = load_type == kFrameLoadTypeReplaceCurrentItem &&

1692 (!Opener() \|\| !request.Url().IsEmpty());	1692 (!Opener() \|\| !request.Url().IsEmpty());

1693 loader->SetReplacesCurrentHistoryItem(replace_current_item);	1693 loader->SetReplacesCurrentHistoryItem(replace_current_item);

1694 return loader;	1694 return loader;

1695 }	1695 }

1696	1696

1697 } // namespace blink	1697 } // namespace blink

OLD	NEW

« third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp ('K') | « third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp ('k') | no next file » | no next file with comments »