
Unified Diff: Source/core/fetch/ResourceFetcher.cpp

Issue 353873003: Clean up usage of CSP functions (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fix to apply Created 6 years, 6 months ago
Index: Source/core/fetch/ResourceFetcher.cpp
diff --git a/Source/core/fetch/ResourceFetcher.cpp b/Source/core/fetch/ResourceFetcher.cpp
index e35154b07170a220f0cf1967559637ab33651e19..fbf3ebea262ee26e21c864fa3a8aac5a5c467e10 100644
--- a/Source/core/fetch/ResourceFetcher.cpp
+++ b/Source/core/fetch/ResourceFetcher.cpp
@@ -497,9 +497,6 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
return 0;
}
- // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->script().shouldBypassMainWorldContentSecurityPolicy()) || (options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy);
-
// Some types of resources can be loaded only from the same origin. Other
// types of resources, like Images, Scripts, and CSS, can be loaded from
// any URL.
@@ -532,19 +529,30 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
break;
}
+ // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
+ bool shouldBypassMainWorldCSP = (frame() && frame()->script().shouldBypassMainWorldCSP()) || (options.contentSecurityPolicyOption == DoNotCheckContentSecurityPolicy);
+
// Don't send CSP messages for preloads, we might never actually display those items.
ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ?
ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
+ // m_document can be null, but not in any of the cases where csp is actually used below.
+ // ImageResourceTest.MultipartImage crashes w/o the m_document null check.
+ // I believe it's the Resource::Raw case.
+ const ContentSecurityPolicy* csp = m_document ? m_document->contentSecurityPolicy() : nullptr;
+
+ // FIXME: This would be cleaner if moved this switch into an allowFromSource()
+ // helper on this object which took a Resource::Type, then this block would
+ // collapse to about 10 lines for handling Raw and Script special cases.
switch (type) {
case Resource::XSLStyleSheet:
ASSERT(RuntimeEnabledFeatures::xsltEnabled());
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, cspReporting))
+ if (!shouldBypassMainWorldCSP && !csp->allowScriptFromSource(url, cspReporting))
return false;
break;
case Resource::Script:
case Resource::ImportResource:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowScriptFromSource(url, cspReporting))
+ if (!shouldBypassMainWorldCSP && !csp->allowScriptFromSource(url, cspReporting))
return false;
if (frame()) {
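Review bot: The new `csp` pointer may be null when `m_document` is null, yet every CSP-governed case in this switch calls through it whenever `shouldBypassMainWorldCSP` is false, so only the assumption in the added comment ("I believe it's the Resource::Raw case") stands between a document-less fetcher and a null dereference. Because this is the gate that enforces Content Security Policy on subresource loads, it should fail closed instead: `if (!shouldBypassMainWorldCSP && (!csp || !csp->allowScriptFromSource(url, cspReporting))) return false;`, and likewise for the style, image, font and media checks in the later hunks. If the invariant really is guaranteed, replace the speculative comment with a firm statement of which resource types can reach here without a document and add `ASSERT(csp);` in the cases that use it. canRequest() begins and ends outside this hunk, so which callers can arrive with a null `m_document` is not visible here.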
@@ -556,16 +564,16 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
}
break;
case Resource::CSSStyleSheet:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowStyleFromSource(url, cspReporting))
+ if (!shouldBypassMainWorldCSP && !csp->allowStyleFromSource(url, cspReporting))
return false;
break;
case Resource::SVGDocument:
case Resource::Image:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowImageFromSource(url, cspReporting))
+ if (!shouldBypassMainWorldCSP && !csp->allowImageFromSource(url, cspReporting))
return false;
break;
case Resource::Font: {
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowFontFromSource(url, cspReporting))
+ if (!shouldBypassMainWorldCSP && !csp->allowFontFromSource(url, cspReporting))
return false;
break;
}
@@ -576,7 +584,7 @@ bool ResourceFetcher::canRequest(Resource::Type type, const KURL& url, const Res
break;
case Resource::Media:
case Resource::TextTrack:
- if (!shouldBypassMainWorldContentSecurityPolicy && !m_document->contentSecurityPolicy()->allowMediaFromSource(url, cspReporting))
+ if (!shouldBypassMainWorldCSP && !csp->allowMediaFromSource(url, cspReporting))
return false;
if (frame()) {