authorrobertshield@chromium.org <robertshield@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-20 01:22:07 +0000
committerrobertshield@chromium.org <robertshield@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-20 01:22:07 +0000
commitc829e5ca7781bf6b8c8cf17b602f4ae10743b470 (patch)
tree0a6b7a24feab57f9b58f61de0d4c118737f5724e
parent5b740aaa49e92e8d432da48f157e73345c1639e9 (diff)
Merge 44988 - Make XFrameOptions detection in Chrome Frame noncasesensitive, as it should be.
BUG=42019 TEST=XFRAMEOPTIONS et al start to work. Review URL: http://codereview.chromium.org/1539045 TBR=robertshield@chromium.org Review URL: http://codereview.chromium.org/1604046 git-svn-id: svn://svn.chromium.org/chrome/branches/375/src@44998 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome_frame/html_utils.cc2
-rw-r--r--chrome_frame/test/html_util_unittests.cc7
2 files changed, 8 insertions, 1 deletions
diff --git a/chrome_frame/html_utils.cc b/chrome_frame/html_utils.cc
index dcc1f53..9395afa 100644
--- a/chrome_frame/html_utils.cc
+++ b/chrome_frame/html_utils.cc
@@ -360,7 +360,7 @@ bool HasFrameBustingHeader(const std::string& http_headers) {
net::HttpUtil::HeadersIterator it(
http_headers.begin(), http_headers.end(), "\r\n");
while (it.GetNext()) {
- if (it.name() == kXFrameOptionsHeader) {
+ if (lstrcmpiA(it.name().c_str(), kXFrameOptionsHeader) == 0) {
std::string allow_all(kXFrameOptionsValueAllowAll);
if (it.values_end() - it.values_begin() != allow_all.length() ||
!std::equal(it.values_begin(), it.values_end(),
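Review bot: `lstrcmpiA` in the new header-name check compares according to the user's Windows locale rather than plain ASCII rules, so whether a response's `X-Frame-Options` name is recognised can depend on machine settings. HTTP field names are ASCII, and a missed match fails open: the function would presumably report no frame-busting header and the page would be treated as frameable, which is the clickjacking case the header exists to prevent. A locale-independent ASCII comparison is safer, for example `if (LowerCaseEqualsASCII(it.name(), "x-frame-options")) {` from base/string_util.h. That helper needs a lower-case literal, and the value of `kXFrameOptionsHeader` is not visible here. The body of `HasFrameBustingHeader` starts before and continues past this hunk.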
diff --git a/chrome_frame/test/html_util_unittests.cc b/chrome_frame/test/html_util_unittests.cc
index 7248b80..1188482 100644
--- a/chrome_frame/test/html_util_unittests.cc
+++ b/chrome_frame/test/html_util_unittests.cc
@@ -316,6 +316,7 @@ TEST(HttpUtils, HasFrameBustingHeader) {
// Simple negative cases.
EXPECT_FALSE(http_utils::HasFrameBustingHeader(""));
EXPECT_FALSE(http_utils::HasFrameBustingHeader("Content-Type: text/plain"));
+ EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Optionss: ALLOWALL"));
// Explicit negative cases, test that we ignore case.
EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Options: ALLOWALL"));
EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Options: allowall"));
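Review bot: The added negative case for `X-Frame-Optionss: ALLOWALL` cannot fail for the reason it is meant to cover, because the correctly spelled `X-Frame-Options: ALLOWALL` two lines below is also expected to return false. A matcher that wrongly accepted the misspelled name (a prefix match, say) would still pass this test. Pairing the misspelled name with a denying value makes the name the only thing under test: `EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Optionss: deny"));`. The test body starts before and continues past this hunk.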
@@ -342,6 +343,12 @@ TEST(HttpUtils, HasFrameBustingHeader) {
EXPECT_TRUE(http_utils::HasFrameBustingHeader(
"X-Frame-Options: SAMEorigin"));
+ // Verify that we pick up case changes in the header name too:
+ EXPECT_TRUE(http_utils::HasFrameBustingHeader("X-FRAME-OPTIONS: deny"));
+ EXPECT_TRUE(http_utils::HasFrameBustingHeader("x-frame-options: deny"));
+ EXPECT_TRUE(http_utils::HasFrameBustingHeader("X-frame-optionS: deny"));
+ EXPECT_TRUE(http_utils::HasFrameBustingHeader("X-Frame-optionS: deny"));
+
// Allowall entries do not override the denying entries, are
// order-independent, and the deny entries can interleave with
// other headers.