From 2ce57c782597859abf4ae85dfe0164610df49e7a Mon Sep 17 00:00:00 2001 From: "joi@chromium.org" Date: Tue, 17 Nov 2009 18:15:40 +0000 Subject: Don't treat CF in privileged mode as an iframe for framebusting headers. BUG=none TEST=none Review URL: http://codereview.chromium.org/402013 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32183 0039d316-1c4b-4281-b951-d872f2087c98 --- chrome_frame/chrome_frame_activex_base.h | 5 ++++- chrome_frame/chrome_frame_npapi.cc | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/chrome_frame/chrome_frame_activex_base.h b/chrome_frame/chrome_frame_activex_base.h index 4a4fe95..202f4d6 100644 --- a/chrome_frame/chrome_frame_activex_base.h +++ b/chrome_frame/chrome_frame_activex_base.h @@ -305,8 +305,11 @@ END_MSG_MAP() // of this template should implement this method based on how // it "feels" from a security perspective. If it's hosted in another // scriptable document, return true, else false. + // + // The base implementation returns true unless we are in privileged + // mode, in which case we always trust our container so we return false. bool is_frame_busting_enabled() const { - return true; + return !is_privileged_; } // Needed to support PostTask. diff --git a/chrome_frame/chrome_frame_npapi.cc b/chrome_frame/chrome_frame_npapi.cc index 620db8d..509f083 100644 --- a/chrome_frame/chrome_frame_npapi.cc +++ b/chrome_frame/chrome_frame_npapi.cc @@ -669,7 +669,7 @@ void ChromeFrameNPAPI::OnRequestStart(int tab_handle, int request_id, if (new_request->Initialize(automation_client_.get(), tab_handle, request_id, request.url, request.method, request.referrer, request.extra_request_headers, - request.upload_data.get(), true)) { + request.upload_data.get(), !is_privileged_)) { if (new_request->Start()) { // Keep additional reference on request for NPSTREAM // This will be released in NPP_UrlNotify -- cgit v1.1