author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-29 11:09:26 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-29 13:27:03 +0000 |
commit | 66a21db86455dc416b39e46e7c8f14015802e521 (patch) | |
tree | 87fa21a3f12b7378480d3d8bfea888ff1d60b169 | |
parent | ce4d3b4e0a6050a81fec26b85abb8f6b86198fb2 (diff) | |
download | qtwebengine-chromium-66a21db86455dc416b39e46e7c8f14015802e521.tar.gz |
[Backport] Fixed bug where PlzNavigate CSP in an iframe did not get the inherited CSP
When inheriting the CSP from a parent document to a local-scheme CSP,
it does not always get propagated to the PlzNavigate CSP. This means
that PlzNavigate CSP checks (like `frame-src`) would be run against
a blank policy instead of the proper inherited policy.
Bug: 778658
Reviewed-on: https://chromium-review.googlesource.com/765969
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518245}
(CVE-2018-6040)
Change-Id: Iaa11f67f950fc58c213a5f2c09ffeae41d5f8dac
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/core/dom/Document.cpp | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/chromium/third_party/WebKit/Source/core/dom/Document.cpp b/chromium/third_party/WebKit/Source/core/dom/Document.cpp index a39067db8c5..871d1b10fc5 100644 --- a/chromium/third_party/WebKit/Source/core/dom/Document.cpp +++ b/chromium/third_party/WebKit/Source/core/dom/Document.cpp @@ -5908,6 +5908,8 @@ void Document::InitContentSecurityPolicy( const ContentSecurityPolicy* policy_to_inherit) { SetContentSecurityPolicy(csp ? csp : ContentSecurityPolicy::Create()); + GetContentSecurityPolicy()->BindToExecutionContext(this); + // We inherit the parent/opener's CSP for documents with "local" schemes: // 'about', 'blob', 'data', and 'filesystem'. We also inherit CSP for // documents with empty/invalid URLs because we treat those URLs as @@ -5937,8 +5939,6 @@ void Document::InitContentSecurityPolicy( // regardless of URL. if (policy_to_inherit && IsPluginDocument()) GetContentSecurityPolicy()->CopyPluginTypesFrom(policy_to_inherit); - - GetContentSecurityPolicy()->BindToExecutionContext(this); } bool Document::IsSecureTransitionTo(const KURL& url) const { |
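Review bot: In the first hunk (@@ -5908), the added `GetContentSecurityPolicy()->BindToExecutionContext(this);` directly after `SetContentSecurityPolicy(...)` has no comment explaining why it must run before the "We inherit the parent/opener's CSP" block that follows. The whole fix is an ordering change, so a one-line comment at the new call site stating that the policy has to be bound before the inheritance logic runs would keep a later cleanup from moving the call back to the end of `Document::InitContentSecurityPolicy`.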
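Review bot: The second hunk (@@ -5937) removes the trailing `BindToExecutionContext(this)` after the `IsPluginDocument()` branch, yet the patch touches only Document.cpp (1 file changed, 2 insertions, 2 deletions) and carries no test for the new ordering. A regression test that places a local-scheme iframe under a parent with a `frame-src` policy and checks that the inherited policy is enforced would pin the behaviour the commit message describes. It is also worth confirming that `CopyPluginTypesFrom(policy_to_inherit)`, which now runs on an already-bound policy, still takes effect when called after binding.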