// Checks |url| against the operative 'object-src' directive of this policy
// (operativeDirective() falls back to 'default-src' when 'object-src' is
// absent). about: URLs are exempt and always allowed. When |reportingStatus|
// is SendReport a violation is reported as well as computed; otherwise the
// match is only computed.
bool CSPDirectiveList::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
    // about: URLs never go through source-list matching.
    if (url.protocolIsAbout())
        return true;

    SourceListDirective* directive = operativeDirective(m_objectSrc.get());
    if (reportingStatus == ContentSecurityPolicy::SendReport)
        return checkSourceAndReportViolation(directive, url, ContentSecurityPolicy::ObjectSrc);
    return checkSource(directive, url);
}
// Returns true when a document loaded from |url| should take its security
// origin from the document that created it instead of deriving one from |url|.
static bool shouldInheritSecurityOriginFromOwner(const KURL& url)
{
    // https://html.spec.whatwg.org/multipage/browsers.html#origin
    //
    // If a Document is the initial "about:blank" document The origin and
    // effective script origin of the Document are those it was assigned when its
    // browsing context was created.
    //
    // Note: We generalize this to all "blank" URLs and invalid URLs because we
    // treat all of these URLs as about:blank.
    if (url.isEmpty())
        return true;
    return url.protocolIsAbout();
}
// static PresentationRequest* PresentationRequest::create(ExecutionContext* executionContext, const String& url, ExceptionState& exceptionState) { KURL parsedUrl = KURL(executionContext->url(), url); if (!parsedUrl.isValid() || parsedUrl.protocolIsAbout()) { exceptionState.throwTypeError("'" + url + "' can't be resolved to a valid URL."); return nullptr; } PresentationRequest* request = new PresentationRequest(executionContext, parsedUrl); request->suspendIfNeeded(); return request; }
// Checks whether a child frame may be loaded from |url| under this policy.
// about: URLs are exempt and always allowed. |redirectStatus| is passed on to
// the source-list check; when |reportingStatus| is SendReport a violation is
// reported as well as computed.
bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
    if (url.protocolIsAbout())
        return true;

    // 'frame-src' is the only directive which overrides something other than
    // the default sources. It overrides 'child-src', which in turn overrides
    // the default sources. The nested operativeDirective() calls therefore
    // pick 'frame-src' if present, else 'child-src', else 'default-src'.
    SourceListDirective* childSrcOrDefault = operativeDirective(m_childSrc.get());
    SourceListDirective* directive = operativeDirective(m_frameSrc.get(), childSrcOrDefault);

    if (reportingStatus != ContentSecurityPolicy::SendReport)
        return checkSource(directive, url, redirectStatus);
    return checkSourceAndReportViolation(directive, url, ContentSecurityPolicy::FrameSrc, redirectStatus);
}
// Returns whether this frame may load |url|. about: URLs are exempt. Otherwise
// |url| is compared, ignoring the fragment, with the document URL of every
// local frame from this one up to the root of the frame tree: one match is
// tolerated, a second match refuses the load so that self-embedding cannot
// nest without bound.
bool LocalFrame::isURLAllowed(const KURL& url) const
{
    // Exempt about: URLs from self-reference check.
    if (url.protocolIsAbout())
        return true;

    int selfReferences = 0;
    for (const Frame* ancestor = this; ancestor; ancestor = ancestor->tree().parent()) {
        // Remote frames carry no local document to compare against.
        if (!ancestor->isLocalFrame())
            continue;
        const KURL& ancestorUrl = toLocalFrame(ancestor)->document()->url();
        if (!equalIgnoringFragmentIdentifier(ancestorUrl, url))
            continue;
        // We allow one level of self-reference because some sites depend on
        // that, but we don't allow more than one.
        if (++selfReferences > 1)
            return false;
    }
    return true;
}
// Implements WindowClient.navigate(): resolves |url| against the worker's
// location and asks the embedder to navigate this client there. The returned
// promise is rejected with a TypeError when the resolved URL is invalid or
// uses the about: scheme, and when the worker's security origin is not allowed
// to display it (canDisplay) — a worker cannot send a client to a URL its own
// origin could not display. Otherwise the outcome is delivered to the promise
// through NavigateClientCallback.
ScriptPromise ServiceWorkerWindowClient::navigate(ScriptState* scriptState, const String& url)
{
    ScriptPromiseResolver* resolver = ScriptPromiseResolver::create(scriptState);
    ScriptPromise promise = resolver->promise();
    ExecutionContext* context = scriptState->getExecutionContext();

    // Rejects the promise with a TypeError carrying |message|.
    auto rejectWithTypeError = [&](const String& message) {
        resolver->reject(V8ThrowException::createTypeError(scriptState->isolate(), message));
    };

    KURL parsedUrl(toWorkerGlobalScope(context)->location()->url(), url);
    if (!parsedUrl.isValid() || parsedUrl.protocolIsAbout()) {
        rejectWithTypeError("'" + url + "' is not a valid URL.");
        return promise;
    }

    // The worker's origin must itself be permitted to display the target.
    if (!context->getSecurityOrigin()->canDisplay(parsedUrl)) {
        rejectWithTypeError("'" + parsedUrl.elidedString() + "' cannot navigate.");
        return promise;
    }

    ServiceWorkerGlobalScopeClient::from(context)->navigate(uuid(), parsedUrl, new NavigateClientCallback(resolver));
    return promise;
}