DescriptionOOPIF support for 'plugin-types' Content Security Policy.
The CL makes 'plugin-types' Content Security Policy compatible with
OOPIFs by avoiding isLocalFrame check and toLocalFrame cast inside
ContentSecurityPolicy::allowPluginTypeForDocument method. The method
was tweaked to get a ContentSecurityPolicy object for the parent frame
in a way that works both for local and remote frames.
Additionally, it turned out that before this CL, the error message about
the blocked plugin would incorrectly report the declared MIME type of
the plugin if the parent frame is local (i.e. without
--site-per-process), but would report actual, correct MIME type if the
parent frame was remote (i.e. with --site-per-process, after fixing
allowPluginTypeForDocument method). This would result in non-sensical
error messages where the blocked plugin seems to match the list of
allowed MIME types:
Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
(MIME type 'text/plain') because it violates the following Content
Security Policy Directive: 'plugin-types text/plain'.
The expected error message is obviously:
Refused to load 'http://localhost:8000/plugins/resources/mock-plugin.pl'
(MIME type 'application/x-blink-test-plugin') because it violates the
following Content Security Policy Directive: 'plugin-types text/plain'.
This is fixed by tweaking HTMLPlugInElement::allowedToLoadObject to
always pass the value of type attribute declared in the plugin document,
rather than passing the value of the type attribute declared in the
parent document.
BUG=633749
Committed: https://crrev.com/6e2cf9768a02d4ff281dc47d9a1fb07ddb1e27a0
Cr-Commit-Position: refs/heads/master@{#412855}
Patch Set 1 #Patch Set 2 : Rebasing... #Patch Set 3 : Rebasing on top of ToT (i.e. w/o dependency on https://crrev.com/2190183002). #Patch Set 4 : Accounting for lack of https://crrev.com/2190183002 (i.e. no CSP reports from remote frames). #Messages
Total messages: 10 (4 generated)
|