author | Devlin Cronin <rdevlin.cronin@chromium.org> | 2015-09-11 12:09:54 -0700 |
---|---|---|
committer | Devlin Cronin <rdevlin.cronin@chromium.org> | 2015-09-11 19:10:49 +0000 |
commit | e22bd11c3a288bd7b6abb34798caca1fe0f583ed (patch) | |
tree | 63c87c002447673f06c2aa161b0ac1f3a6106e5d | |
parent | 0fc8d1d04be6a826e1222ccd4bbff86bfecd1d86 (diff) | |

Allow 'chrome-extension:' URLs to bypass content settings (1/2)

We changed the behavior of 'Document::firstPartyForCookies' to return an
empty URL in the case where any URL in the ancestor chain doesn't match
the current document's URL. Previously, we'd simply return the top-level
document's URL.

This means that the content-settings bypass check in
'ContentSettingsObserver::IsWhitelistedForContentSettings' sees an empty
URL as opposed to a 'chrome-extension://' URL for cases in which an
extension loads a resource, so content settings are applied as per usual.
This breaks things fairly badly for folks who have turned on third-party
cookie blocking.

In these patches, we introduce a new scheme registry for those schemes
which ought to override Blink's concept of "first-party" when they're
loaded into the top-level browsing context.

Patch 1 (Blink): https://codereview.chromium.org/1305253012
Patch 2 (Chromium): [This patch]

BUG=527963
TBR=jochen@chromium.org

Review URL: https://codereview.chromium.org/1332563006

Cr-Commit-Position: refs/heads/master@{#348194}

(cherry picked from commit cfed7a300606c5eedb858433b37db5ffadf3b2cc)

Cherry-Pick note: Moved the call of this method from Dispatcher::WebKitInitialized()
to ChromeContentRendererClient::RenderThreadStarted(), which is
where all the similar methods were for this point in history.

Review URL: https://codereview.chromium.org/1339763002 .

Cr-Commit-Position: refs/branch-heads/2454@{#463}
Cr-Branched-From: 12bfc3360892ec53cd00fc239a47e5298beb063b-refs/heads/master@{#338390}

-rw-r--r-- | chrome/renderer/chrome_content_renderer_client.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/chrome/renderer/chrome_content_renderer_client.cc b/chrome/renderer/chrome_content_renderer_client.cc index cc4ba2b..bb76fcf 100644 --- a/chrome/renderer/chrome_content_renderer_client.cc +++ b/chrome/renderer/chrome_content_renderer_client.cc @@ -497,6 +497,13 @@ void ChromeContentRendererClient::RenderThreadStarted() { WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy( extension_resource_scheme); + // Extension resources, when loaded as the top-level document, should bypass + // Blink's strict first-party origin checks. + WebSecurityPolicy::registerURLSchemeAsFirstPartyWhenTopLevel( + extension_scheme); + WebSecurityPolicy::registerURLSchemeAsFirstPartyWhenTopLevel( + extension_resource_scheme); + #if defined(ENABLE_PRINT_PREVIEW) pdf_print_client_.reset(new ChromePDFPrintClient()); pdf::PepperPDFHost::SetPrintClient(pdf_print_client_.get()); |
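
Review bot: No test accompanies the two new registerURLSchemeAsFirstPartyWhenTopLevel calls in RenderThreadStarted(); the change is 7 insertions in one file, and the commit message describes a regression that broke extensions for users with third-party cookie blocking turned on. Suggest a regression test that loads a resource from a top-level extension page with third-party cookie blocking enabled, so that a later change to Document::firstPartyForCookies or to this registration is caught. The added comment could also say why the exemption exists, for example by naming ContentSettingsObserver::IsWhitelistedForContentSettings and BUG=527963, since "bypass Blink's strict first-party origin checks" on its own does not tell a reader which check depends on it. It would also help to note in the comment that the exemption is limited to the top-level document case, so it is not later widened to these schemes when they are loaded in a nested frame without a fresh security review.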