Index: Source/web/WebEmbeddedWorkerImpl.cpp |
diff --git a/Source/web/WebEmbeddedWorkerImpl.cpp b/Source/web/WebEmbeddedWorkerImpl.cpp |
index 24a2327033df1285e3e2da989832efe0c811ef32..1d2ea672898545bd17d15fad5c7eb84099403c53 100644 |
--- a/Source/web/WebEmbeddedWorkerImpl.cpp |
+++ b/Source/web/WebEmbeddedWorkerImpl.cpp |
@@ -33,6 +33,7 @@ |
#include "core/dom/CrossThreadTask.h" |
#include "core/dom/Document.h" |
+#include "core/frame/csp/ContentSecurityPolicy.h" |
#include "core/inspector/InspectorInstrumentation.h" |
#include "core/inspector/WorkerDebuggerAgent.h" |
#include "core/inspector/WorkerInspectorController.h" |
@@ -49,6 +50,7 @@ |
#include "platform/SharedBuffer.h" |
#include "platform/heap/Handle.h" |
#include "platform/network/ContentSecurityPolicyParsers.h" |
+#include "platform/network/ContentSecurityPolicyResponseHeaders.h" |
#include "public/platform/Platform.h" |
#include "public/platform/WebURLRequest.h" |
#include "public/web/WebDevToolsAgent.h" |
@@ -88,6 +90,13 @@ public: |
*loadingContext, scriptURL, DenyCrossOriginRequests, this); |
} |
+ void didReceiveResponse(unsigned long identifier, const ResourceResponse& response) override |
+ { |
+ m_contentSecurityPolicy = ContentSecurityPolicy::create(); |
+ m_contentSecurityPolicy->setOverrideURLForSelf(response.url()); |
+ m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response)); |
+ } |
+ |
virtual void notifyFinished() override |
{ |
m_callback(); |
@@ -101,6 +110,7 @@ public: |
bool failed() const { return m_scriptLoader->failed(); } |
const KURL& url() const { return m_scriptLoader->responseURL(); } |
String script() const { return m_scriptLoader->script(); } |
+ PassRefPtr<ContentSecurityPolicy> releaseContentSecurityPolicy() { return m_contentSecurityPolicy.release(); } |
private: |
Loader() : m_scriptLoader(WorkerScriptLoader::create()) |
@@ -108,6 +118,7 @@ private: |
} |
RefPtr<WorkerScriptLoader> m_scriptLoader; |
+ RefPtr<ContentSecurityPolicy> m_contentSecurityPolicy; |
Closure m_callback; |
}; |
@@ -407,6 +418,9 @@ void WebEmbeddedWorkerImpl::startWorkerThread() |
providePermissionClientToWorker(workerClients.get(), m_permissionClient.release()); |
provideServiceWorkerGlobalScopeClientToWorker(workerClients.get(), ServiceWorkerGlobalScopeClientImpl::create(*m_workerContextClient)); |
+ // We need to set the CSP to both the shadow page's document and the ServiceWorkerGlobalScope. |
+ document->initContentSecurityPolicy(m_mainScriptLoader->releaseContentSecurityPolicy()); |
+ |
KURL scriptURL = m_mainScriptLoader->url(); |
OwnPtrWillBeRawPtr<WorkerThreadStartupData> startupData = |
WorkerThreadStartupData::create( |
@@ -414,9 +428,8 @@ void WebEmbeddedWorkerImpl::startWorkerThread() |
m_workerStartData.userAgent, |
m_mainScriptLoader->script(), |
startMode, |
- // FIXME: fill appropriate CSP info and policy type. |
- String(), |
- ContentSecurityPolicyHeaderTypeEnforce, |
+ document->contentSecurityPolicy()->deprecatedHeader(), |
Mike West
2014/11/12 12:28:36
I don't think this is correct; it differs from the
horo
2014/11/13 01:09:02
This document is not the document who created (reg
Mike West
2014/11/19 10:31:49
Hrm. Ok, then I misunderstood the implementation h
horo
2014/11/19 12:35:41
Yes.
We create the dummy document which lives in t
|
+ document->contentSecurityPolicy()->deprecatedHeaderType(), |
starterOrigin, |
workerClients.release()); |