diff options
Diffstat (limited to 'chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc')
-rw-r--r-- | chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc b/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc index 54878e001e2..092915a99d8 100644 --- a/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc +++ b/chromium/third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.cc @@ -4,6 +4,7 @@ #include "third_party/blink/renderer/core/loader/modulescript/worker_module_script_fetcher.h" +#include "third_party/blink/renderer/core/inspector/console_message.h" #include "third_party/blink/renderer/core/workers/worker_global_scope.h" #include "third_party/blink/renderer/platform/loader/fetch/resource_fetcher.h" #include "third_party/blink/renderer/platform/network/http_names.h" @@ -61,6 +62,19 @@ void WorkerModuleScriptFetcher::NotifyFinished(Resource* resource) { // and run them after module loading. This may require the spec change. // (https://crbug.com/845285) + // Ensure redirects don't affect SecurityOrigin. + const KURL request_url = resource->Url(); + const KURL response_url = resource->GetResponse().Url(); + if (request_url != response_url && + !global_scope_->GetSecurityOrigin()->IsSameSchemeHostPort( + SecurityOrigin::Create(response_url).get())) { + error_messages.push_back(ConsoleMessage::Create( + kSecurityMessageSource, kErrorMessageLevel, + "Refused to cross-origin redirects of the top-level worker script.")); + client_->NotifyFetchFinished(base::nullopt, error_messages); + return; + } + // Step 13.3. "Set worker global scope's url to response's url." [spec text] // Step 13.4. "Set worker global scope's HTTPS state to response's HTTPS // state." [spec text] @@ -85,8 +99,7 @@ void WorkerModuleScriptFetcher::NotifyFinished(Resource* resource) { ModuleScriptCreationParams params( script_resource->GetResponse().Url(), script_resource->SourceText(), script_resource->GetResourceRequest().GetFetchCredentialsMode(), - script_resource->CalculateAccessControlStatus( - global_scope_->EnsureFetcher()->Context().GetSecurityOrigin())); + script_resource->CalculateAccessControlStatus()); // Step 13.7. "Asynchronously complete the perform the fetch steps with // response." [spec text] |