Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(445)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp

Issue 1454003003: [CSP] Don't check the path component of the URL when the response was fetched via ServiceWorker. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameFetchContext.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
diff --git a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
index 6084b70661771dde3525ba9743f6887eeadef140..a0ff535cf679f6ecfea89180aeca40785adc666b 100644
--- a/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
+++ b/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
@@ -343,7 +343,11 @@ void FrameFetchContext::printAccessDeniedMessage(const KURL& url) const
bool FrameFetchContext::canRequest(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
{
- ResourceRequestBlockedReason reason = canRequestInternal(type, resourceRequest, url, options, forPreload, originRestriction);
+ // As of CSP2, for requests that are the results of redirects, the match
+ // algorithm should ignore the path component of the URL.
+ ContentSecurityPolicy::RedirectStatus redirectStatus = resourceRequest.followedRedirect() ? ContentSecurityPolicy::DidRedirect : ContentSecurityPolicy::DidNotRedirect;
Mike West 2015/11/19 09:46:25 Is `followedRedirect` true for any response that's
horo 2015/11/20 02:17:07 Yes. If the SW returns a redirect response (ex:"Re
+
+ ResourceRequestBlockedReason reason = canRequestInternal(type, resourceRequest, url, options, forPreload, originRestriction, redirectStatus);
if (reason != ResourceRequestBlockedReasonNone) {
if (!forPreload)
InspectorInstrumentation::didBlockRequest(frame(), resourceRequest, ensureLoaderForNotifications(), options.initiatorInfo, reason);
@@ -352,7 +356,17 @@ bool FrameFetchContext::canRequest(Resource::Type type, const ResourceRequest& r
return true;
}
-ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction) const
+bool FrameFetchContext::allowResponse(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options) const
+{
+ ResourceRequestBlockedReason reason = canRequestInternal(type, resourceRequest, url, options, false, FetchRequest::UseDefaultOriginRestrictionForType, ContentSecurityPolicy::DidRedirect);
+ if (reason != ResourceRequestBlockedReasonNone) {
+ InspectorInstrumentation::didBlockRequest(frame(), resourceRequest, ensureLoaderForNotifications(), options.initiatorInfo, reason);
+ return false;
+ }
+ return true;
+}
+
+ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Type type, const ResourceRequest& resourceRequest, const KURL& url, const ResourceLoaderOptions& options, bool forPreload, FetchRequest::OriginRestriction originRestriction, ContentSecurityPolicy::RedirectStatus redirectStatus) const
{
InstrumentingAgents* agents = InspectorInstrumentation::instrumentingAgentsFor(frame());
if (agents && agents->inspectorResourceAgent()) {
@@ -411,10 +425,6 @@ ResourceRequestBlockedReason FrameFetchContext::canRequestInternal(Resource::Typ
ContentSecurityPolicy::ReportingStatus cspReporting = forPreload ?
ContentSecurityPolicy::SuppressReport : ContentSecurityPolicy::SendReport;
- // As of CSP2, for requests that are the results of redirects, the match
- // algorithm should ignore the path component of the URL.
- ContentSecurityPolicy::RedirectStatus redirectStatus = resourceRequest.followedRedirect() ? ContentSecurityPolicy::DidRedirect : ContentSecurityPolicy::DidNotRedirect;
-
// m_document can be null, but not in any of the cases where csp is actually used below.
// ImageResourceTest.MultipartImage crashes w/o the m_document null check.
// I believe it's the Resource::Raw case.
« no previous file with comments | « third_party/WebKit/Source/core/loader/FrameFetchContext.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698