diff options
Diffstat (limited to 'chromium/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc')
-rw-r--r-- | chromium/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc b/chromium/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc index e20d974e509..2521361469e 100644 --- a/chromium/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc +++ b/chromium/third_party/blink/renderer/core/frame/csp/execution_context_csp_delegate.cc @@ -14,11 +14,11 @@ #include "third_party/blink/renderer/core/frame/local_frame_client.h" #include "third_party/blink/renderer/core/frame/report.h" #include "third_party/blink/renderer/core/frame/reporting_context.h" -#include "third_party/blink/renderer/core/frame/use_counter.h" #include "third_party/blink/renderer/core/loader/document_loader.h" #include "third_party/blink/renderer/core/loader/ping_loader.h" #include "third_party/blink/renderer/core/probe/core_probes.h" #include "third_party/blink/renderer/core/workers/worker_global_scope.h" +#include "third_party/blink/renderer/platform/instrumentation/use_counter.h" #include "third_party/blink/renderer/platform/network/encoded_form_data.h" #include "third_party/blink/renderer/platform/runtime_enabled_features.h" #include "third_party/blink/renderer/platform/weborigin/security_origin.h" @@ -43,7 +43,25 @@ const KURL& ExecutionContextCSPDelegate::Url() const { } void ExecutionContextCSPDelegate::SetSandboxFlags(SandboxFlags mask) { - GetSecurityContext().EnforceSandboxFlags(mask); + // Ideally sandbox flags are determined at construction time since + // sandbox flags influence the security origin and that influences + // the Agent that is assigned for the ExecutionContext. Changing + // an ExecutionContext's agent in the middle of an object lifecycle + // is not permitted. + + // Since Workers and Worklets don't share agents (each one is unique) + // we allow them to apply new sandbox flags on top of the current ones. + WorkerOrWorkletGlobalScope* worklet_or_worker = + DynamicTo<WorkerOrWorkletGlobalScope>(execution_context_.Get()); + if (worklet_or_worker) { + worklet_or_worker->ApplySandboxFlags(mask); + } + // Just check that all the sandbox flags that are set by CSP have + // already been set on the security context. Meta tags can't set them + // and we should have already constructed the document with the correct + // sandbox flags from CSP already. + WebSandboxFlags flags = GetSecurityContext().GetSandboxFlags(); + CHECK_EQ(flags | mask, flags); } void ExecutionContextCSPDelegate::SetAddressSpace(mojom::IPAddressSpace space) { |