
Unified Diff: Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 658073002: CSP: Fix protocolless 'frame-ancestor' source expressions. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 6 years, 2 months ago
Index: Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/Source/core/frame/csp/ContentSecurityPolicy.cpp b/Source/core/frame/csp/ContentSecurityPolicy.cpp
index a80f8ad21d7e8edfa3e22cae750b74f792e26854..275d4b577799dd03db25b631b4afd53ac45c7060 100644
--- a/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -155,7 +155,8 @@ void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext()
{
ASSERT(m_executionContext);
// Ensure that 'self' processes correctly.
- m_selfSource = adoptPtr(new CSPSource(this, securityOrigin()->protocol(), securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
+ m_selfProtocol = securityOrigin()->protocol();
+ m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
// If we're in a Document, set the referrer policy and sandbox flags, then dump all the
// parsing error messages, then poke at histograms.
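Review bot: The `m_selfProtocol` / `m_selfSource` pair is now assigned in two separate places, here and in setOverrideURLForSelf (second hunk). The two members have to stay in step for 'self' source matching and protocolMatchesSelf to agree on the same origin. A single private helper that takes the origin and sets both members would prevent a later edit from updating only one of them. The existing comment in the second hunk should also cover the new member, e.g. `// This CSPSource and m_selfProtocol will be overwritten when we bind this object to an execution context.` The body of applyPolicySideEffectsToExecutionContext continues past the end of this hunk.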
@@ -266,7 +267,8 @@ void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url)
// an execution context (for 'frame-ancestor' resolution, for example). This CSPSource will
// be overwritten when we bind this object to an execution context.
RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
- m_selfSource = adoptPtr(new CSPSource(this, origin->protocol(), origin->host(), origin->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
+ m_selfProtocol = origin->protocol();
+ m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, origin->host(), origin->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
}
const String& ContentSecurityPolicy::deprecatedHeader() const
@@ -852,10 +854,9 @@ bool ContentSecurityPolicy::urlMatchesSelf(const KURL& url) const
bool ContentSecurityPolicy::protocolMatchesSelf(const KURL& url) const
{
- String protectedResourceScheme(securityOrigin()->protocol());
- if (equalIgnoringCase("http", protectedResourceScheme))
+ if (equalIgnoringCase("http", m_selfProtocol))
return url.protocolIsInHTTPFamily();
- return equalIgnoringCase(url.protocol(), protectedResourceScheme);
+ return equalIgnoringCase(url.protocol(), m_selfProtocol);
}
bool ContentSecurityPolicy::shouldBypassMainWorld(ExecutionContext* context)
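Review bot: protocolMatchesSelf now relies on `m_selfProtocol` having been set by applyPolicySideEffectsToExecutionContext or setOverrideURLForSelf, whereas the removed lines read `securityOrigin()->protocol()` at call time. If any caller can reach this check before either setter has run, the comparison is made against a default-constructed String. The result then depends on how equalIgnoringCase treats a null string, which is not visible in this diff. Because this decides whether a protocol-less source expression matches, the precondition should be stated above the function, e.g. `// m_selfProtocol is set on binding to an execution context or via setOverrideURLForSelf().` A test covering the not-yet-bound case would pin the behaviour down.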