// Decides where this worker's Content-Security-Policy comes from.
//
// The policy headers are captured from the script response only when the
// script URL is a "real" origin: not blob:, not file:, and not an origin that
// SecurityOrigin reports as unique (opaque). For anything else
// m_contentSecurityPolicyResponseHeaders is left untouched, so the worker
// keeps whatever policy it otherwise inherits from its creator.
//
// identifier: resource load identifier, forwarded to the inspector.
// response:   the script response whose URL and headers are examined.
void Worker::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
{
    const URL& scriptURL = response.url();

    // Same short-circuit order as before: the SecurityOrigin is only created
    // when the two cheap scheme checks have already passed.
    const bool takesPolicyFromResponse = !scriptURL.protocolIsBlob()
        && !scriptURL.protocolIs("file")
        && !SecurityOrigin::create(scriptURL)->isUnique();

    // An opaque/unique origin is not given its own policy here.
    if (takesPolicyFromResponse)
        m_contentSecurityPolicyResponseHeaders = ContentSecurityPolicyResponseHeaders(response);

    InspectorInstrumentation::didReceiveScriptResponse(scriptExecutionContext(), identifier);
}
// Main-resource response handler. Runs, in this order: appcache bookkeeping,
// construction of the new document's CSP from the response headers, the
// 'frame-ancestors' check, the X-Frame-Options check (only when no enforced
// 'frame-ancestors' directive is present), then MIME/status handling.
// Every frame-blocking path returns before m_response is assigned.
//
// resource: must be m_mainResource (asserted).
// response: the main-resource response; its URL (not the request URL) is
//           used both as 'self' for the policy and for the framing checks.
// handle:   asserted null here.
void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response, std::unique_ptr<WebDataConsumerHandle> handle)
{
    ASSERT_UNUSED(resource, m_mainResource == resource);
    ASSERT_UNUSED(handle, !handle);
    ASSERT(frame());

    m_applicationCacheHost->didReceiveResponseForMainResource(response);
    // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served
    // from the application cache, ensure we don't save the result for future use. All responses loaded
    // from appcache will have a non-zero appCacheID().
    if (response.appCacheID())
        memoryCache()->remove(m_mainResource.get());

    // A fresh policy for the document being loaded: 'self' is pinned to the
    // response URL before the CSP headers are parsed into it.
    m_contentSecurityPolicy = ContentSecurityPolicy::create();
    m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
    m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));

    // 'frame-ancestors' is evaluated first; a violation cancels the load.
    if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
        cancelLoadAfterXFrameOptionsOrCSPDenied(response);
        return;
    }

    // 'frame-ancestors' obviates 'x-frame-options': https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options
    // Consequently X-Frame-Options is consulted only when no enforced
    // frame-ancestors directive was delivered.
    if (!m_contentSecurityPolicy->isFrameAncestorsEnforced()) {
        HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(HTTPNames::X_Frame_Options);
        if (it != response.httpHeaderFields().end()) {
            String content = it->value;
            // NOTE(review): the single header-map value is passed through as-is;
            // handling of multiple/conflicting X-Frame-Options values lives in
            // shouldInterruptLoadForXFrameOptions(), not here.
            if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
                String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
                ConsoleMessage* consoleMessage = ConsoleMessage::createForRequest(SecurityMessageSource, ErrorMessageLevel, message, response.url(), mainResourceIdentifier());
                frame()->document()->addConsoleMessage(consoleMessage);
                cancelLoadAfterXFrameOptionsOrCSPDenied(response);
                return;
            }
        }
    }

    ASSERT(!m_frame->page()->defersLoading());

    // Only a response that passed both framing checks becomes m_response.
    m_response = response;

    // Archive responses must be fully buffered before they are usable.
    if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->getDataBufferingPolicy() != BufferData)
        m_mainResource->setDataBufferingPolicy(BufferData);

    if (!shouldContinueForResponse()) {
        InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response, m_mainResource.get());
        m_fetcher->stopFetching();
        return;
    }

    if (m_response.isHTTP()) {
        int status = m_response.httpStatusCode();
        // Non-2xx main resource in a child frame: the owner element may render
        // its fallback content; the load itself is not cancelled here.
        if ((status < 200 || status >= 300) && m_frame->owner())
            m_frame->owner()->renderFallbackContent();
    }
}
// Installs a Content-Security-Policy for an in-process worker from its script
// response, unless the script URL uses one of the schemes listed below
// (blob:, file:, filesystem:). For those, m_contentSecurityPolicy is left
// exactly as it was, so the worker keeps whatever policy it otherwise
// inherits.
//
// NOTE(review): data: is not in this list; confirm whether a data: worker
// script can reach this path, since the same GUID-style URL rule would
// presumably apply to it.
//
// identifier: resource load identifier, forwarded to the inspector.
// response:   the script response whose URL and headers are examined.
void InProcessWorkerBase::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
{
    const auto& scriptURL = response.url();

    // De Morgan of the original "not blob and not file and not filesystem".
    const bool usesLocalScheme = scriptURL.protocolIs("blob")
        || scriptURL.protocolIs("file")
        || scriptURL.protocolIs("filesystem");

    if (!usesLocalScheme) {
        // 'self' is pinned to the script URL before the headers are parsed.
        m_contentSecurityPolicy = ContentSecurityPolicy::create();
        m_contentSecurityPolicy->setOverrideURLForSelf(scriptURL);
        m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
    }

    InspectorInstrumentation::didReceiveScriptResponse(executionContext(), identifier);
}
// Creates the Document for an HTML Import and starts streaming the response
// body into it. The imported document gets its own CSP from the response
// headers of the import itself. Always returns StateLoading.
//
// NOTE(review): no origin/redirect access check is performed here before the
// response is handed to a new Document -- confirm the caller has already
// done it.
//
// response: the import's response; supplies the document URL, the CSP
//           headers, the MIME type and the text encoding.
HTMLImportLoader::State HTMLImportLoader::startWritingAndParsing(const ResourceResponse& response)
{
    const DocumentInit init = DocumentInit(response.url(), 0, m_import->master()->contextDocument(), m_import)
        .withRegistrationContext(m_import->master()->registrationContext());

    m_importedDocument = HTMLDocument::create(init);

    // Policy for the imported document comes from *its* headers, not the master's.
    const ContentSecurityPolicyResponseHeaders cspHeaders(response);
    m_importedDocument->initContentSecurityPolicy(cspHeaders);

    m_writer = DocumentWriter::create(m_importedDocument.get(), response.mimeType(), response.textEncodingName());
    return StateLoading;
}
// Builds the worker's Content-Security-Policy from the script response.
//
// Per http://www.w3.org/TR/CSP2/#processing-model-workers a worker whose URL
// is not a GUID takes its CSP straight from the response headers. Otherwise
// the worker inherits its creator's policy: that inheritance is implemented
// in WorkerMessagingProxy, and it is keyed on m_contentSecurityPolicy staying
// nullptr, which is why this function returns early without touching it.
// The scheme list used to approximate "is a GUID" is blob:, file: and
// filesystem:.
//
// NOTE(review): data: is not in that list; confirm whether a data: worker
// script can reach this path, since the same rule would presumably apply.
//
// response: the script response whose URL and headers are examined.
void WorkerScriptLoader::processContentSecurityPolicy(const ResourceResponse& response)
{
    const auto& scriptURL = response.url();

    const bool isGuidLikeURL = scriptURL.protocolIs("blob")
        || scriptURL.protocolIs("file")
        || scriptURL.protocolIs("filesystem");
    if (isGuidLikeURL)
        return; // leave m_contentSecurityPolicy alone so the parent policy is inherited

    // 'self' is pinned to the script URL before the headers are parsed.
    m_contentSecurityPolicy = ContentSecurityPolicy::create();
    m_contentSecurityPolicy->setOverrideURLForSelf(scriptURL);
    m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));
}
// Creates the Document for an HTML Import and starts streaming the response
// body into it, but only after the parent's fetcher confirms it may access
// the resource. Returns StateError when that check fails, StateLoading
// otherwise.
//
// response: the import's response; supplies the document URL, the CSP
//           headers, the MIME type and the text encoding.
HTMLImportLoader::State HTMLImportLoader::startWritingAndParsing(const ResourceResponse& response)
{
    // Current canAccess() implementation isn't sufficient for catching cross-domain redirects: http://crbug.com/256976
    // The check is still applied; treat it as necessary but not sufficient.
    const bool parentMayAccess = m_parent->document()->fetcher()->canAccess(m_resource.get());
    if (!parentMayAccess)
        return StateError;

    const DocumentInit init = DocumentInit(response.url(), 0, root()->document()->contextDocument(), this)
        .withRegistrationContext(root()->document()->registrationContext());

    m_importedDocument = HTMLDocument::create(init);

    // Policy for the imported document comes from *its* headers, not the root's.
    const ContentSecurityPolicyResponseHeaders cspHeaders(response);
    m_importedDocument->initContentSecurityPolicy(cspHeaders);

    m_writer = DocumentWriter::create(m_importedDocument.get(), response.mimeType(), response.textEncodingName());
    return StateLoading;
}
// Main-resource response handler (older variant). Runs, in this order:
// appcache bookkeeping, the X-Frame-Options check, construction of the new
// document's CSP from the response headers, the 'frame-ancestors' check,
// then MIME/status handling. Note that in this version X-Frame-Options is
// evaluated unconditionally and before CSP, so an enforced 'frame-ancestors'
// does not take precedence over it. Every frame-blocking path returns before
// m_response is assigned.
//
// resource: must be m_mainResource (asserted).
// response: the main-resource response; its URL (not the request URL) is
//           used both as 'self' for the policy and for the framing checks.
// handle:   asserted null here.
void DocumentLoader::responseReceived(Resource* resource, const ResourceResponse& response, PassOwnPtr<WebDataConsumerHandle> handle)
{
    ASSERT_UNUSED(resource, m_mainResource == resource);
    ASSERT_UNUSED(handle, !handle);
    // Keep |this| alive across the calls below, several of which can cancel
    // the load and drop the loader.
    RefPtr<DocumentLoader> protect(this);

    m_applicationCacheHost->didReceiveResponseForMainResource(response);
    // The memory cache doesn't understand the application cache or its caching rules. So if a main resource is served
    // from the application cache, ensure we don't save the result for future use. All responses loaded
    // from appcache will have a non-zero appCacheID().
    if (response.appCacheID())
        memoryCache()->remove(m_mainResource.get());

    DEFINE_STATIC_LOCAL(AtomicString, xFrameOptionHeader, ("x-frame-options", AtomicString::ConstructFromLiteral));
    HTTPHeaderMap::const_iterator it = response.httpHeaderFields().find(xFrameOptionHeader);
    if (it != response.httpHeaderFields().end()) {
        String content = it->value;
        // NOTE(review): the single header-map value is passed through as-is;
        // handling of multiple/conflicting X-Frame-Options values lives in
        // shouldInterruptLoadForXFrameOptions(), not here.
        if (frameLoader()->shouldInterruptLoadForXFrameOptions(content, response.url(), mainResourceIdentifier())) {
            String message = "Refused to display '" + response.url().elidedString() + "' in a frame because it set 'X-Frame-Options' to '" + content + "'.";
            RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message);
            consoleMessage->setRequestIdentifier(mainResourceIdentifier());
            frame()->document()->addConsoleMessage(consoleMessage.release());
            cancelLoadAfterXFrameOptionsOrCSPDenied(response);
            return;
        }
    }

    // A fresh policy for the document being loaded: 'self' is pinned to the
    // response URL before the CSP headers are parsed into it.
    m_contentSecurityPolicy = ContentSecurityPolicy::create();
    m_contentSecurityPolicy->setOverrideURLForSelf(response.url());
    m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response));

    // 'frame-ancestors' violation cancels the load, same path as X-Frame-Options.
    if (!m_contentSecurityPolicy->allowAncestors(m_frame, response.url())) {
        cancelLoadAfterXFrameOptionsOrCSPDenied(response);
        return;
    }

    ASSERT(!mainResourceLoader() || !mainResourceLoader()->defersLoading());

    // Only a response that passed both framing checks becomes m_response.
    m_response = response;

    // Archive responses must be fully buffered before they are usable.
    if (isArchiveMIMEType(m_response.mimeType()) && m_mainResource->dataBufferingPolicy() != BufferData)
        m_mainResource->setDataBufferingPolicy(BufferData);

    if (!shouldContinueForResponse()) {
        InspectorInstrumentation::continueWithPolicyIgnore(m_frame, this, m_mainResource->identifier(), m_response);
        // Cancellation is keyed on the request URL, not the response URL.
        cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
        return;
    }

    if (m_response.isHTTP()) {
        int status = m_response.httpStatusCode();
        // FIXME: Fallback content only works if the parent is in the same process.
        if ((status < 200 || status >= 300) && m_frame->owner()) {
            if (!m_frame->deprecatedLocalOwner()) {
                // Owner is not local; presumably a no-op in release builds, so a
                // remote owner simply gets no fallback handling here.
                ASSERT_NOT_REACHED();
            } else if (m_frame->deprecatedLocalOwner()->isObjectElement()) {
                m_frame->deprecatedLocalOwner()->renderFallbackContent();
                // object elements are no longer rendered after we fallback, so don't
                // keep trying to process data from their load
                cancelMainResourceLoad(ResourceError::cancelledError(m_request.url()));
            }
        }
    }
}