[webkit-reviews] review granted: [Bug 185410] Check X-Frame-Options and CSP frame-ancestors in network process : [Attachment 339795] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon May 7 21:24:20 PDT 2018
Ryosuke Niwa <rniwa at webkit.org> has granted Daniel Bates <dbates at webkit.org>'s
request for review:
Bug 185410: Check X-Frame-Options and CSP frame-ancestors in network process
https://bugs.webkit.org/show_bug.cgi?id=185410
Attachment 339795: Patch
https://bugs.webkit.org/attachment.cgi?id=339795&action=review
--- Comment #3 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 339795
--> https://bugs.webkit.org/attachment.cgi?id=339795
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=339795&action=review
> Source/WebCore/loader/DocumentLoader.cpp:770
> + if
(!m_frame->settings().networkProcessCSPFrameAncestorsCheckingEnabled() ||
!RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess()) {
I think we should add a new method to PlatformStrategies instead of using
settings to behave differently in WK1 and WK2.
> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:486
> + if (ancestorOrigins.size() == 1)
> + return true; // The top-most frame is always allowed.
Instead of adding a comment like this, why don't we use a local boolean
variable with a descriptive name?
e.g.
bool isNavigatingTopLevelFrame = ancestorOrigins.size() == 1;
if (isNavigatingTopLevelFrame)
return true;
> Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:93
> + URL origin { URL { }, (*it)->toString() };
Why are we converting SecurityOrigin > String > URL?
What's the practical implication of this conversion?
I think we should either add a comment here or add a member function with a
descriptive name to SecurityOrigin
referencing
https://w3c.github.io/webappsec-csp/#frame-ancestors-navigation-response
> Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:407
> + XFrameOptionsDisposition disposition =
parseXFrameOptionsHeader(xFrameOptions);
Seems like we don't need this local variable. It's only used in switch.
More information about the webkit-reviews
mailing list