| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/frame_host/navigation_request.h" | 5 #include "content/browser/frame_host/navigation_request.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/memory/ptr_util.h" | 9 #include "base/memory/ptr_util.h" |
| 10 #include "content/browser/appcache/appcache_navigation_handle.h" | 10 #include "content/browser/appcache/appcache_navigation_handle.h" |
| (...skipping 925 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 936 | 936 |
| 937 // The CSP frame-src directive only applies to subframes. | 937 // The CSP frame-src directive only applies to subframes. |
| 938 if (frame_tree_node()->IsMainFrame()) | 938 if (frame_tree_node()->IsMainFrame()) |
| 939 return CONTENT_SECURITY_POLICY_CHECK_PASSED; | 939 return CONTENT_SECURITY_POLICY_CHECK_PASSED; |
| 940 | 940 |
| 941 FrameTreeNode* parent_ftn = frame_tree_node()->parent(); | 941 FrameTreeNode* parent_ftn = frame_tree_node()->parent(); |
| 942 DCHECK(parent_ftn); | 942 DCHECK(parent_ftn); |
| 943 RenderFrameHostImpl* parent = parent_ftn->current_frame_host(); | 943 RenderFrameHostImpl* parent = parent_ftn->current_frame_host(); |
| 944 DCHECK(parent); | 944 DCHECK(parent); |
| 945 | 945 |
| 946 // CSP checking happens in three phases, per steps 3-5 of |
| 947 // https://fetch.spec.whatwg.org/#main-fetch: |
| 948 // |
| 949 // (1) Check report-only policies and trigger reports for any violations. |
| 950 // (2) Upgrade the request to HTTPS if necessary. |
| 951 // (3) Check enforced policies (triggering reports for any violations of those |
| 952 // policies) and block the request if necessary. |
| 953 // |
| 954 // This sequence of events allows site owners to learn about (via step 1) any |
| 955 // requests that are upgraded in step 2. |
| 956 |
| 957 bool allowed = parent->IsAllowedByCsp( |
| 958 CSPDirective::FrameSrc, common_params_.url, is_redirect, |
| 959 common_params_.source_location.value_or(SourceLocation()), |
| 960 CSPContext::CHECK_REPORT_ONLY_CSP); |
| 961 |
| 962 // Checking report-only CSP should never return false because no requests are |
| 963 // blocked by report-only policies. |
| 964 DCHECK(allowed); |
| 965 |
| 966 // TODO(mkwst,estark): upgrade-insecure-requests does not work when following |
| 967 // redirects. Trying to uprade the new URL on redirect here is fruitless: the |
| 968 // redirect URL cannot be changed at this point. upgrade-insecure-requests |
| 969 // needs to move to the net stack to resolve this. https://crbug.com/615885 |
| 970 if (!is_redirect) { |
| 971 GURL new_url; |
| 972 if (parent->ShouldModifyRequestUrlForCsp( |
| 973 common_params_.url, true /* is subresource */, &new_url)) { |
| 974 common_params_.url = new_url; |
| 975 request_params_.original_url = new_url; |
| 976 } |
| 977 } |
| 978 |
| 946 if (parent->IsAllowedByCsp( | 979 if (parent->IsAllowedByCsp( |
| 947 CSPDirective::FrameSrc, common_params_.url, is_redirect, | 980 CSPDirective::FrameSrc, common_params_.url, is_redirect, |
| 948 common_params_.source_location.value_or(SourceLocation()))) { | 981 common_params_.source_location.value_or(SourceLocation()), |
| 982 CSPContext::CHECK_ENFORCED_CSP)) { |
| 949 return CONTENT_SECURITY_POLICY_CHECK_PASSED; | 983 return CONTENT_SECURITY_POLICY_CHECK_PASSED; |
| 950 } | 984 } |
| 951 | 985 |
| 952 return CONTENT_SECURITY_POLICY_CHECK_FAILED; | 986 return CONTENT_SECURITY_POLICY_CHECK_FAILED; |
| 953 } | 987 } |
| 954 | 988 |
| 955 } // namespace content | 989 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2910573002:
Implement upgrade-insecure-requests in browser for frame requests (Closed)
