RedirectStatus::kNoRedirect);
}
+#if BUILDFLAG(IS_TIZEN)
+bool ContentSecurityPolicy::AllowFrameFromSource(
+ const KURL& url,
+ const KURL& url_before_redirects,
+ RedirectStatus redirect_status,
+ ReportingDisposition reporting_disposition,
+ CheckHeaderType check_header_type) {
+ return AllowFromSource(CSPDirectiveName::FrameSrc, url, url_before_redirects,
+ redirect_status, reporting_disposition,
+ check_header_type);
+}
+#endif
+
bool ContentSecurityPolicy::AllowImageFromSource(
const KURL& url,
const KURL& url_before_redirects,
return mojom::blink::RequestContextType::HYPERLINK;
}
+#if BUILDFLAG(IS_TIZEN)
+static NavigationPolicy MaybeCheckCSP(
+ const ResourceRequest& request,
+ WebNavigationType type,
+ LocalFrame* frame,
+ NavigationPolicy policy,
+ network::mojom::CSPDisposition should_check_main_world_csp,
+ ContentSecurityPolicy::CheckHeaderType check_header_type) {
+ // If we're loading content into |frame| (NavigationPolicyCurrentTab), check
+ // against the parent's Content Security Policy and kill the load if that
+ // check fails, unless we should bypass the main world's CSP.
+ if (policy == kNavigationPolicyCurrentTab &&
+ should_check_main_world_csp == network::mojom::CSPDisposition::CHECK) {
+ LocalFrame* parent_frame = DynamicTo<LocalFrame>(frame->Tree().Parent());
+ if (parent_frame) {
+ ContentSecurityPolicy* parent_policy =
+ parent_frame->DomWindow()->GetContentSecurityPolicy();
+ const absl::optional<ResourceRequest::RedirectInfo>& redirect_info =
+ request.GetRedirectInfo();
+ const KURL& url_before_redirects =
+ redirect_info ? redirect_info->original_url : request.Url();
+ ResourceRequest::RedirectStatus redirect_status =
+ redirect_info ? RedirectStatus::kFollowedRedirect
+ : RedirectStatus::kNoRedirect;
+ if (!parent_policy->AllowFrameFromSource(
+ request.Url(), url_before_redirects, redirect_status,
+ ReportingDisposition::kReport, check_header_type)) {
+ // Fire a load event, as timing attacks would otherwise reveal that the
+ // frame was blocked. This way, it looks like every other cross-origin
+ // page load.
+ frame->GetDocument()->EnforceSandboxFlags(
+ network::mojom::blink::WebSandboxFlags::kOrigin);
+ frame->Owner()->DispatchLoad();
+ return kNavigationPolicyIgnore;
+ }
+ }
+ }
+
+ return policy;
+}
+#endif
+
static network::mojom::RequestDestination
DetermineRequestDestinationFromNavigationType(
const WebNavigationType navigation_type) {
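Review bot: MaybeCheckCSP fails open when the parent frame is not a LocalFrame: `DynamicTo<LocalFrame>(frame->Tree().Parent())` returns null for a remote parent, the `if (parent_frame)` branch is skipped, and the function returns `policy` without any frame-src check. Whether this build ever has out-of-process parents is not visible here, but the skip should at least be stated where it happens, e.g. `// Remote parent: its CSP is not reachable from this renderer, so frame-src must be enforced browser-side for this case.` above `if (parent_frame)`. Inside the branch, `parent_frame->DomWindow()` and `frame->Owner()` are dereferenced without a null check, so a parent or owner that is mid-detach would presumably crash rather than block; a guard such as `if (!parent_frame->DomWindow()) return kNavigationPolicyIgnore;` would keep the failure closed. The `type` parameter is never read in the body and could be dropped.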
}
return;
}
+#if BUILDFLAG(IS_TIZEN)
+ else {
+ using CSPDisposition = network::mojom::CSPDisposition;
+ CSPDisposition should_check_main_world_csp =
+ ContentSecurityPolicy::ShouldBypassMainWorldDeprecated(
+ request.JavascriptWorld().get())
+ ? CSPDisposition::DO_NOT_CHECK
+ : CSPDisposition::CHECK;
+
+ if (MaybeCheckCSP(request.GetResourceRequest(), navigation_type, frame_,
+ request.GetNavigationPolicy(),
+ should_check_main_world_csp,
+ ContentSecurityPolicy::CheckHeaderType::kCheckEnforce) ==
+ kNavigationPolicyIgnore)
+ return;
+ }
+#endif
if (auto* navigation_api = NavigationApi::navigation(*frame_->DomWindow())) {
if (request.GetNavigationPolicy() == kNavigationPolicyCurrentTab &&