
Side by Side Diff: Source/core/loader/FrameLoader.cpp

Issue 20822002: 'X-Frame-Options: SAMEORIGIN' should check all ancestor frames. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: tests. Created 7 years, 5 months ago
1 /* 1 /*
2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed. 2 * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserv ed.
3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies) 3 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) 4 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)
5 * Copyright (C) 2008 Alp Toker <alp@atoker.com> 5 * Copyright (C) 2008 Alp Toker <alp@atoker.com>
6 * Copyright (C) Research In Motion Limited 2009. All rights reserved. 6 * Copyright (C) Research In Motion Limited 2009. All rights reserved.
7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com> 7 * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
8 * Copyright (C) 2011 Google Inc. All rights reserved. 8 * Copyright (C) 2011 Google Inc. All rights reserved.
9 * 9 *
10 * Redistribution and use in source and binary forms, with or without 10 * Redistribution and use in source and binary forms, with or without
(...skipping 2036 matching lines...) Expand 10 before | Expand all | Expand 10 after
2047 2047
2048 switch (disposition) { 2048 switch (disposition) {
2049 case XFrameOptionsSameOrigin: { 2049 case XFrameOptionsSameOrigin: {
2050 UseCounter::count(m_frame->document(), UseCounter::XFrameOptionsSameOrig in); 2050 UseCounter::count(m_frame->document(), UseCounter::XFrameOptionsSameOrig in);
2051 RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url); 2051 RefPtr<SecurityOrigin> origin = SecurityOrigin::create(url);
2052 if (!origin->isSameSchemeHostPort(topFrame->document()->securityOrigin() )) 2052 if (!origin->isSameSchemeHostPort(topFrame->document()->securityOrigin() ))
2053 return true; 2053 return true;
2054 for (Frame* frame = m_frame->tree()->parent(); frame; frame = frame->tre e()->parent()) { 2054 for (Frame* frame = m_frame->tree()->parent(); frame; frame = frame->tre e()->parent()) {
2055 if (!origin->isSameSchemeHostPort(frame->document()->securityOrigin( ))) { 2055 if (!origin->isSameSchemeHostPort(frame->document()->securityOrigin( ))) {
2056 UseCounter::count(m_frame->document(), UseCounter::XFrameOptions SameOriginWithBadAncestorChain); 2056 UseCounter::count(m_frame->document(), UseCounter::XFrameOptions SameOriginWithBadAncestorChain);
2057 break; 2057 return true;
2058 } 2058 }
2059 } 2059 }
2060 return false; 2060 return false;
2061 } 2061 }
2062 case XFrameOptionsDeny: 2062 case XFrameOptionsDeny:
2063 return true; 2063 return true;
2064 case XFrameOptionsAllowAll: 2064 case XFrameOptionsAllowAll:
2065 return false; 2065 return false;
2066 case XFrameOptionsConflict: 2066 case XFrameOptionsConflict:
2067 m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLeve l, "Multiple 'X-Frame-Options' headers with conflicting values ('" + content + " ') encountered when loading '" + url.elidedString() + "'. Falling back to 'DENY' .", requestIdentifier); 2067 m_frame->document()->addConsoleMessage(JSMessageSource, ErrorMessageLeve l, "Multiple 'X-Frame-Options' headers with conflicting values ('" + content + " ') encountered when loading '" + url.elidedString() + "'. Falling back to 'DENY' .", requestIdentifier);
(...skipping 192 matching lines...) Expand 10 before | Expand all | Expand 10 after
2260 InspectorInstrumentation::didCommitLoad(m_frame, m_documentLoader.get()); 2260 InspectorInstrumentation::didCommitLoad(m_frame, m_documentLoader.get());
2261 2261
2262 m_frame->page()->didCommitLoad(m_frame); 2262 m_frame->page()->didCommitLoad(m_frame);
2263 2263
2264 if (m_frame->page()->mainFrame() == m_frame) 2264 if (m_frame->page()->mainFrame() == m_frame)
2265 m_frame->page()->useCounter()->didCommitLoad(); 2265 m_frame->page()->useCounter()->didCommitLoad();
2266 2266
2267 } 2267 }
2268 2268
2269 } // namespace WebCore 2269 } // namespace WebCore
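Review bot: The top-frame comparison at 2052 now overlaps with the ancestor walk at 2054–2058 — if topFrame is the root of m_frame's tree (it is defined above the hunk, so I cannot confirm that here), the loop would reach it last and return true for the same mismatch — and the only visible difference between the two paths is which UseCounter fires, with nothing in the code saying that split is intentional. A comment above line 2052 would keep a later cleanup from folding the two checks together: `// Check the top frame first so that XFrameOptionsSameOriginWithBadAncestorChain counts only mismatches in intermediate ancestors, not in the top-level document.` It would also help to state the contract of the SAMEORIGIN case now that the loop denies rather than just counts, e.g. `// SAMEORIGIN: deny if any frame between this one and the top is cross-origin to the response URL.` The enclosing function begins above the hunk, and the second hunk (2260–2269) is unchanged context in a different function.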