зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1600174: Only enfore CSP frame-ancestors check if the load comes from an actual http channel in content. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D55279 --HG-- extra : moz-landing-system : lando
Родитель
ff99325d0b
Коммит
005ea8ccc8
|
@ -3004,7 +3004,13 @@ nsresult Document::StartDocumentLoad(const char* aCommand, nsIChannel* aChannel,
|
|||
// if this is not a load of such type, there is nothing to do here.
|
||||
if (contentType == nsIContentPolicy::TYPE_SUBDOCUMENT ||
|
||||
contentType == nsIContentPolicy::TYPE_OBJECT) {
|
||||
if (mCSP) {
|
||||
// we only enforce frame-ancestors if the load is an actual http
|
||||
// channel, otherwise we block dynamic iframes since about:blank
|
||||
// inherits the CSP.
|
||||
nsCOMPtr<nsIHttpChannel> httpChannel;
|
||||
nsContentSecurityUtils::GetHttpChannelFromPotentialMultiPart(
|
||||
aChannel, getter_AddRefs(httpChannel));
|
||||
if (httpChannel && mCSP) {
|
||||
bool safeAncestry = false;
|
||||
// PermitsAncestry sends violation reports when necessary
|
||||
rv = mCSP->PermitsAncestry(loadInfo, &safeAncestry);
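Review bot: The new `if (httpChannel && mCSP)` guard makes frame-ancestors enforcement fail open: whenever `GetHttpChannelFromPotentialMultiPart` leaves `httpChannel` null, `PermitsAncestry` is skipped without any trace, and the call's result is discarded. If the helper returns an `nsresult` (its signature is not visible in this hunk), consider capturing it and handling a failure separately from "not an HTTP load", so an error while unwrapping a multipart channel cannot silently disable the check. The comment would also be easier to audit if it stated why skipping is safe, for example `// frame-ancestors is only delivered via HTTP response headers, so a non-HTTP load can only carry an inherited policy`, assuming that is the intended reasoning. The body of `StartDocumentLoad` begins and ends outside this hunk, so the handling of `rv` and `safeAncestry` after `PermitsAncestry` could not be checked here.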
|
||||
|
|