2682a4a179b5fb1d3b604241653b08b1fb4b35e6 - chromium/blink

commit	2682a4a179b5fb1d3b604241653b08b1fb4b35e6	[log] [tgz]
author	horo@chromium.org <horo@chromium.org>	Wed Nov 19 23:15:21 2014
committer	horo@chromium.org <horo@chromium.org>	Wed Nov 19 23:15:21 2014
tree	1ef68c29270ccb8c6bc4d5bd3ef7c363c46ed73f
parent	dbaa37479d16df658e5905ef76419e8ccaa7d413 [diff]

[ServiceWorker] CSP support for ServiceWorker environment.

According to the CSP spec, we have to check the Content-Security-Policy HTTP response header of the ServiceWorker script.
https://w3c.github.io/webappsec/specs/content-security-policy/#processing-model-workers

For example:
When "Content-Security-Policy: script-src 'self'" is set, "importScripts('https://othersite/'); must fail.
When "Content-Security-Policy: connect-src 'self'" is set, "fetch('https://othersite/data'); must fail.

The changes in WebEmbeddedWorkerImpl.cpp introduce CSP check for ServiceWorker environment.
The changes in FetchManager.cpp introduce CSP check for fech API.

We need to set the CSP not only to the ServiceWorkerGlobalScope but also to the shadow page's document.
The CSP in the shadow page's document will be used while handling the redirect responses in DocumentThreadableLoader::isAllowedByContentSecurityPolicy()

BUG=432069

Review URL: https://codereview.chromium.org/714833002

git-svn-id: svn://svn.chromium.org/blink/trunk@185630 bbb929c8-8fbe-4397-9dbb-9b2b20218538

4 files changed

tree: 1ef68c29270ccb8c6bc4d5bd3ef7c363c46ed73f