Source/core/dom/Document.cpp - Issue 559503002: CSP: Move policy parsing out of Document.

Unified Diff: Source/core/dom/Document.cpp

Issue 559503002: CSP: Move policy parsing out of Document. (Closed) Base URL: svn://svn.chromium.org/blink/trunk

Patch Set: Reworking. Created 6 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: Source/core/dom/Document.cpp

diff --git a/Source/core/dom/Document.cpp b/Source/core/dom/Document.cpp

index 43e0fbb257c9b8957918ee8083fdb126fa1d6114..4062d41226534d89e4486773cebf5ec5018738e0 100644

--- a/Source/core/dom/Document.cpp

+++ b/Source/core/dom/Document.cpp

@@ -4769,13 +4769,6 @@ void Document::initSecurityContext()

initSecurityContext(DocumentInit(m_url, m_frame, contextDocument(), m_importsController));

}

-static PassRefPtr<ContentSecurityPolicy> contentSecurityPolicyFor(Document* document)

- if (document->importsController())

- return document->importsController()->master()->contentSecurityPolicy();

- return ContentSecurityPolicy::create(document);

void Document::initSecurityContext(const DocumentInit& initializer)

{

if (haveInitializedSecurityOrigin()) {

@@ -4788,7 +4781,7 @@ void Document::initSecurityContext(const DocumentInit& initializer)

// This can occur via document.implementation.createDocument().

m_cookieURL = KURL(ParsedURLString, emptyString());

setSecurityOrigin(SecurityOrigin::createUnique());

- setContentSecurityPolicy(ContentSecurityPolicy::create(this));

+ initContentSecurityPolicy();

return;

}

@@ -4797,7 +4790,16 @@ void Document::initSecurityContext(const DocumentInit& initializer)

m_cookieURL = m_url;

enforceSandboxFlags(initializer.sandboxFlags());

setSecurityOrigin(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url));

- setContentSecurityPolicy(contentSecurityPolicyFor(this));

+ if (importsController()) {

+ // If this document is an HTML import, grab a reference to it's master document's Content

+ // Security Policy. We don't call 'initContentSecurityPolicy' in this case, as we can't

+ // rebind the master document's policy object: its ExecutionContext needs to remain tied

+ // to the master document.

+ setContentSecurityPolicy(importsController()->master()->contentSecurityPolicy());

+ } else {

+ initContentSecurityPolicy();

+ }

if (Settings* settings = initializer.settings()) {

if (!settings->webSecurityEnabled()) {

@@ -4849,11 +4851,14 @@ void Document::initSecurityContext(const DocumentInit& initializer)

setSecurityOrigin(initializer.owner()->securityOrigin());

}

-void Document::initContentSecurityPolicy(const ContentSecurityPolicyResponseHeaders& headers)

+void Document::initContentSecurityPolicy(PassRefPtr<ContentSecurityPolicy> csp)

{

+ setContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::create());

if (m_frame && m_frame->tree().parent() && m_frame->tree().parent()->isLocalFrame() && (shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument()))

contentSecurityPolicy()->copyStateFrom(toLocalFrame(m_frame->tree().parent())->document()->contentSecurityPolicy());

- contentSecurityPolicy()->didReceiveHeaders(headers);

+ if (transformSourceDocument())

+ contentSecurityPolicy()->copyStateFrom(transformSourceDocument()->contentSecurityPolicy());

+ contentSecurityPolicy()->bindToExecutionContext(this);

}

bool Document::allowInlineEventHandlers(Node* node, EventListener* listener, const String& contextURL, const WTF::OrdinalNumber& contextLine)

« no previous file with comments | « Source/core/dom/Document.h ('k') | Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | no next file with comments »