author | robertshield@chromium.org <robertshield@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-20 00:23:02 +0000 |
---|---|---|
committer | robertshield@chromium.org <robertshield@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-20 00:23:02 +0000 |
commit | 89f149288692a81558b15f711a468a79f458f4f8 (patch) | |
tree | dcf1291093cb01347ae9c82181ddec485ee39bdc /chrome_frame | |
parent | 6722b85eed0cefc2104d0bd9b411ccca6d72cbea (diff) | |
Make X-Frame-Options detection in Chrome Frame non-case-sensitive, as it should be.
BUG=42019
TEST=X-FRAME-OPTIONS et al start to work.
Review URL: http://codereview.chromium.org/1539045
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44988 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame')
-rw-r--r-- | chrome_frame/html_utils.cc | 2 | ||||
-rw-r--r-- | chrome_frame/test/html_util_unittests.cc | 7 |
2 files changed, 8 insertions, 1 deletions
diff --git a/chrome_frame/html_utils.cc b/chrome_frame/html_utils.cc
index dcc1f53..9395afa 100644
--- a/chrome_frame/html_utils.cc
+++ b/chrome_frame/html_utils.cc
@@ -360,7 +360,7 @@ bool HasFrameBustingHeader(const std::string& http_headers) {
 net::HttpUtil::HeadersIterator it(
 http_headers.begin(), http_headers.end(), "\r\n");
 while (it.GetNext()) {
- if (it.name() == kXFrameOptionsHeader) {
+ if (lstrcmpiA(it.name().c_str(), kXFrameOptionsHeader) == 0) {
 std::string allow_all(kXFrameOptionsValueAllowAll);
 if (it.values_end() - it.values_begin() != allow_all.length() ||
 !std::equal(it.values_begin(), it.values_end(),
diff --git a/chrome_frame/test/html_util_unittests.cc b/chrome_frame/test/html_util_unittests.cc
index 7248b80..1188482 100644
--- a/chrome_frame/test/html_util_unittests.cc
+++ b/chrome_frame/test/html_util_unittests.cc
@@ -316,6 +316,7 @@ TEST(HttpUtils, HasFrameBustingHeader) {
 // Simple negative cases.
 EXPECT_FALSE(http_utils::HasFrameBustingHeader(""));
 EXPECT_FALSE(http_utils::HasFrameBustingHeader("Content-Type: text/plain"));
+ EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Optionss: ALLOWALL"));
 // Explicit negative cases, test that we ignore case.
 EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Options: ALLOWALL"));
 EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Options: allowall"));
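Review bot: `lstrcmpiA` on the changed line in `HasFrameBustingHeader` is a locale-sensitive comparison, while HTTP header names are plain ASCII tokens, so the match that decides whether a framing restriction is honoured should not depend on the machine's locale. It also compares through `c_str()`, so the comparison stops at the first NUL, where the old `==` compared the whole name. An ASCII-only, length-aware comparison would be safer, for example `if (LowerCaseEqualsASCII(it.name(), "x-frame-options")) {` if the base string utilities are usable here (the lower-case literal is my spelling of the constant, whose definition is outside the hunk). A missed match fails open: the header is ignored and the page can still be framed. The function body continues outside the hunk.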
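Review bot: The added near-miss case `"X-Frame-Optionss: ALLOWALL"` cannot fail, because the assertions just below it expect `X-Frame-Options: ALLOWALL` itself to return false, so the result is the same whether or not the misspelt name matches. A denying value would pin the name check: `EXPECT_FALSE(http_utils::HasFrameBustingHeader("X-Frame-Optionss: deny"));`. A shorter near miss such as `"X-Frame-Option: deny"` would cover the other direction. The TEST body starts and ends outside the hunk.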
@@ -342,6 +343,12 @@ TEST(HttpUtils, HasFrameBustingHeader) { EXPECT_TRUE(http_utils::HasFrameBustingHeader( "X-Frame-Options: SAMEorigin")); + // Verify that we pick up case changes in the header name too: + EXPECT_TRUE(http_utils::HasFrameBustingHeader("X-FRAME-OPTIONS: deny")); + EXPECT_TRUE(http_utils::HasFrameBustingHeader("x-frame-options: deny")); + EXPECT_TRUE(http_utils::HasFrameBustingHeader("X-frame-optionS: deny")); + EXPECT_TRUE(http_utils::HasFrameBustingHeader("X-Frame-optionS: deny")); + // Allowall entries do not override the denying entries, are // order-independent, and the deny entries can interleave with // other headers. |