
Side by Side Diff: Source/core/loader/FrameLoader.cpp

Issue 563473002: CSP: Move parsing a document's CSP to DocumentLoader::responseReceived. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Rebase. Created 6 years, 3 months ago
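--- a/Source/core/loader/FrameLoader.cpp
+++ b/Source/core/loader/FrameLoader.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed.
 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)
 * Copyright (C) 2008 Alp Toker <alp@atoker.com>
 * Copyright (C) Research In Motion Limited 2009. All rights reserved.
 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
 * Copyright (C) 2011 Google Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -77,20 +77,19 @@
 #include "core/page/EventHandler.h"
 #include "core/page/FrameTree.h"
 #include "core/page/Page.h"
 #include "core/frame/Settings.h"
 #include "core/page/WindowFeatures.h"
 #include "core/page/scrolling/ScrollingCoordinator.h"
 #include "core/xml/parser/XMLDocumentParser.h"
 #include "platform/Logging.h"
 #include "platform/UserGestureIndicator.h"
 #include "platform/geometry/FloatRect.h"
-#include "platform/network/ContentSecurityPolicyResponseHeaders.h"
 #include "platform/network/HTTPParsers.h"
 #include "platform/network/ResourceRequest.h"
 #include "platform/scroll/ScrollAnimator.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "platform/weborigin/SecurityPolicy.h"
 #include "public/platform/WebURLRequest.h"
 #include "wtf/TemporaryChange.h"
 #include "wtf/text/CString.h"
 #include "wtf/text/WTFString.h"
 
@@ -347,56 +346,31 @@
 if (!m_stateMachine.committedMultipleRealLoads() && m_loadType == FrameLoadT ypeStandard)
 m_stateMachine.advanceTo(FrameLoaderStateMachine::CommittedMultipleRealL oads);
 
 client()->dispatchDidCommitLoad(m_frame, m_currentItem.get(), historyCommitT ype);
 
 InspectorInstrumentation::didCommitLoad(m_frame, m_documentLoader.get());
 m_frame->page()->didCommitLoad(m_frame);
 dispatchDidClearDocumentOfWindowObject();
 }
 
-static void didFailContentSecurityPolicyCheck(FrameLoader* loader)
-{
-// load event and stopAllLoaders can detach the LocalFrame, so protect it.
-RefPtr<LocalFrame> frame(loader->frame());
-
-// Move the page to a unique origin, and cancel the load.
-frame->document()->enforceSandboxFlags(SandboxOrigin);
-loader->stopAllLoaders();
-
-// Fire a load event, as timing attacks would otherwise reveal that the
-// frame was blocked. This way, it looks like every other cross-origin
-// page.
-if (FrameOwner* frameOwner = frame->owner())
-frameOwner->dispatchLoad();
-}
-
 void FrameLoader::didBeginDocument(bool dispatch)
 {
 m_frame->document()->setReadyState(Document::Loading);
 
 if (m_provisionalItem && m_loadType == FrameLoadTypeBackForward)
 m_frame->domWindow()->statePopped(m_provisionalItem->stateObject());
 
 if (dispatch)
 dispatchDidClearDocumentOfWindowObject();
 
-// FIXME: Move this to DocumentLoader::responseReceived, next to the X-Frame -Options checks.
-RefPtr<ContentSecurityPolicy> csp = ContentSecurityPolicy::create();
-if (m_documentLoader)
-csp->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(m_documentLo ader->response()));
-m_frame->document()->initContentSecurityPolicy(csp);
-
-if (!m_frame->document()->contentSecurityPolicy()->allowAncestors(m_frame)) {
-didFailContentSecurityPolicyCheck(this);
-return;
-}
+m_frame->document()->initContentSecurityPolicy(m_documentLoader ? m_document Loader->releaseContentSecurityPolicy() : ContentSecurityPolicy::create());
 
 Settings* settings = m_frame->document()->settings();
 if (settings) {
 m_frame->document()->fetcher()->setImagesEnabled(settings->imagesEnabled ());
 m_frame->document()->fetcher()->setAutoLoadImages(settings->loadsImagesA utomatically());
 }
 
 if (m_documentLoader) {
 const AtomicString& dnsPrefetchControl = m_documentLoader->response().ht tpHeaderField("X-DNS-Prefetch-Control");
 if (!dnsPrefetchControl.isEmpty())
@@ -1491,10 +1465,10 @@
 // FIXME: We need a way to propagate sandbox flags to out-of-process frames.
 Frame* parentFrame = m_frame->tree().parent();
 if (parentFrame && parentFrame->isLocalFrame())
 flags |= toLocalFrame(parentFrame)->document()->sandboxFlags();
 if (FrameOwner* frameOwner = m_frame->owner())
 flags |= frameOwner->sandboxFlags();
 return flags;
 }
 
 } // namespace blink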
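Review bot: On new line 366 of didBeginDocument the document's policy now comes from `m_documentLoader->releaseContentSecurityPolicy()`, and a release-style accessor normally hands its object over only once, whereas the removed code re-parsed the response headers on every call. If didBeginDocument can run more than once for the same DocumentLoader, a later call would presumably receive a null or empty policy and the document would start without its header-delivered CSP, which fails open; the accessor is not visible in this file, so this needs confirming. I would state the single-use contract at the call site, e.g. `// The loader's CSP was parsed in DocumentLoader::responseReceived and is handed over exactly once; a repeat call must not leave the document without a policy.`, or assert that the released policy is non-null before passing it on. The removed `didFailContentSecurityPolicyCheck` also moved the frame to a unique origin and fired a load event so that a blocked frame cannot be told apart by timing, and the relocated ancestor check should be confirmed to keep both. didBeginDocument's body continues past the end of this hunk.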