Chromium Code Reviews

Unified Diff: third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp

Issue 1454003003: [CSP] Don't check the path component of the URL when the response was fetched via ServiceWorker. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 1 month ago
Index: third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
diff --git a/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp b/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
index dc7a14c9c6ce335816033e7266ef2157ce702a24..3cb3ae7f16662b9b2387444f2ec2f269c3b6c302 100644
--- a/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
+++ b/third_party/WebKit/Source/core/fetch/ResourceFetcher.cpp
@@ -932,11 +932,11 @@ void ResourceFetcher::willSendRequest(unsigned long identifier, ResourceRequest&
void ResourceFetcher::didReceiveResponse(const Resource* resource, const ResourceResponse& response)
{
// If the response is fetched via ServiceWorker, the original URL of the response could be different from the URL of the request.
- // We check the URL not to load the resources which are forbidden by the page CSP. This behavior is not specified in the CSP specification yet.
- // FIXME(mkwst): Fix this behavior when the CSP docs are updated.
+ // We check the URL not to load the resources which are forbidden by the page CSP.
+ // https://w3c.github.io/webappsec-csp/#should-block-response
if (response.wasFetchedViaServiceWorker()) {
const KURL& originalURL = response.originalURLViaServiceWorker();
- if (!originalURL.isEmpty() && !context().canRequest(resource->type(), resource->resourceRequest(), originalURL, resource->options(), false, FetchRequest::UseDefaultOriginRestrictionForType)) {
+ if (!originalURL.isEmpty() && !context().allowResponse(resource->type(), resource->resourceRequest(), originalURL, resource->options())) {
resource->loader()->cancel();
bool isInternalRequest = resource->options().initiatorInfo.name == FetchInitiatorTypeNames::internal;
context().dispatchDidFail(resource->identifier(), ResourceError(errorDomainBlinkInternal, 0, originalURL.string(), "Unsafe attempt to load URL " + originalURL.elidedString() + " fetched by a ServiceWorker."), isInternalRequest);
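
Review bot: In the `response.wasFetchedViaServiceWorker()` branch, replacing `canRequest(..., false, FetchRequest::UseDefaultOriginRestrictionForType)` with `allowResponse(...)` drops the origin-restriction argument, while the updated comment still only says the URL is checked against the page CSP. Please confirm that `allowResponse` is meant to skip any non-CSP checks that `canRequest` applied to `originalURL`. The comment should also state which checks still run on the response URL, and that the path component is not matched, as the issue title says. The spec link alone does not tell a reader of this function what is enforced. The error string "Unsafe attempt to load URL ... fetched by a ServiceWorker." could also mention that the load was blocked by CSP, so that a failure here can be told apart from other blocked loads.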
