Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(139)

Side by Side Diff: chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate.cc

Issue 10959032: Protect the entire webstore origin, not just the webstore path, with XFO. Follow-up to crrev.com/1… (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate. h" 5 #include "chrome/browser/renderer_host/chrome_resource_dispatcher_host_delegate. h"
6 6
7 #include <string> 7 #include <string>
8 8
9 #include "base/base64.h" 9 #include "base/base64.h"
10 #include "base/logging.h" 10 #include "base/logging.h"
(...skipping 339 matching lines...) Expand 10 before | Expand all | Expand 10 after
350 #if defined(ENABLE_ONE_CLICK_SIGNIN) 350 #if defined(ENABLE_ONE_CLICK_SIGNIN)
351 // See if the response contains the Google-Accounts-SignIn header. If so, 351 // See if the response contains the Google-Accounts-SignIn header. If so,
352 // then the user has just finished signing in, and the server is allowing the 352 // then the user has just finished signing in, and the server is allowing the
353 // browser to suggest connecting the user's profile to the account. 353 // browser to suggest connecting the user's profile to the account.
354 OneClickSigninHelper::ShowInfoBarIfPossible(request, info->GetChildID(), 354 OneClickSigninHelper::ShowInfoBarIfPossible(request, info->GetChildID(),
355 info->GetRouteID()); 355 info->GetRouteID());
356 #endif 356 #endif
357 357
358 // Build in additional protection for the chrome web store origin. 358 // Build in additional protection for the chrome web store origin.
359 GURL webstore_url(extension_urls::GetWebstoreLaunchURL()); 359 GURL webstore_url(extension_urls::GetWebstoreLaunchURL());
360 if (request->url().DomainIs(webstore_url.host().c_str()) && 360 if (request->url().DomainIs(webstore_url.host().c_str())) {
361 StartsWithASCII(request->url().path(), webstore_url.path(), false)) {
362 net::HttpResponseHeaders* response_headers = request->response_headers(); 361 net::HttpResponseHeaders* response_headers = request->response_headers();
363 if (!response_headers->HasHeaderValue("x-frame-options", "deny") && 362 if (!response_headers->HasHeaderValue("x-frame-options", "deny") &&
364 !response_headers->HasHeaderValue("x-frame-options", "sameorigin")) { 363 !response_headers->HasHeaderValue("x-frame-options", "sameorigin")) {
365 response_headers->RemoveHeader("x-frame-options"); 364 response_headers->RemoveHeader("x-frame-options");
366 response_headers->AddHeader("x-frame-options: sameorigin"); 365 response_headers->AddHeader("x-frame-options: sameorigin");
367 } 366 }
368 } 367 }
369 368
370 ProfileIOData* io_data = ProfileIOData::FromResourceContext(resource_context); 369 ProfileIOData* io_data = ProfileIOData::FromResourceContext(resource_context);
371 if (io_data->resource_prefetch_predictor_observer()) 370 if (io_data->resource_prefetch_predictor_observer())
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after
458 if (base::Base64Encode(serialized, &hashed)) { 457 if (base::Base64Encode(serialized, &hashed)) {
459 // If successful, swap the header value with the new one. 458 // If successful, swap the header value with the new one.
460 // Note that the list of IDs and the header could be temporarily out of sync 459 // Note that the list of IDs and the header could be temporarily out of sync
461 // if IDs are added as the header is recreated. The receiving servers are OK 460 // if IDs are added as the header is recreated. The receiving servers are OK
462 // with such descrepancies. 461 // with such descrepancies.
463 variation_ids_header_ = hashed; 462 variation_ids_header_ = hashed;
464 } else { 463 } else {
465 DVLOG(1) << "Failed to base64 encode Variation IDs value: " << serialized; 464 DVLOG(1) << "Failed to base64 encode Variation IDs value: " << serialized;
466 } 465 }
467 } 466 }
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698