XSDB should also apply to filesystem URIs
Issue description
Currently we have in CrossSiteDocumentResourceHandler::ShouldBlockBasedOnHeaders:
    // Only block documents from HTTP(S) schemes.
    if (!CrossSiteDocumentClassifier::IsBlockableScheme(url))
      return false;
We should change that to something like:
    // Only block documents from HTTP(S) origins.
    if (!CrossSiteDocumentClassifier::IsBlockableScheme(response_origin))
      return false;
This will ensure that XSDB can also protect filesystem URIs.
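
To illustrate the difference between the two checks quoted in the issue description, here is an added, self-contained example (not Chromium code and not written by the issue's author). `UrlScheme`, `OriginScheme`, `PassesCheckByUrl` and `PassesCheckByOrigin` are hypothetical helpers that use plain string parsing in place of GURL and url::Origin, and the sample URLs are constructed.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical stand-ins for GURL / url::Origin (assumption: plain string
// parsing is enough to show the scheme difference; this is not Chromium code).

// Scheme of the URL itself: lowercased text before the first ':'.
std::string UrlScheme(const std::string& url) {
  const std::string::size_type colon = url.find(':');
  if (colon == std::string::npos) return "";
  std::string scheme = url.substr(0, colon);
  for (char& c : scheme)
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return scheme;
}

// Scheme of the origin. Assumption: filesystem: and blob: URLs take their
// origin from the inner URL; an inner "null" (opaque origin) has no scheme.
std::string OriginScheme(const std::string& url) {
  const std::string scheme = UrlScheme(url);
  if (scheme == "filesystem" || scheme == "blob")
    return UrlScheme(url.substr(scheme.size() + 1));
  return scheme;
}

// Stand-in for the HTTP(S)-only test named in the snippets above.
bool IsBlockableScheme(const std::string& scheme) {
  return scheme == "http" || scheme == "https";
}

// The early return keyed on the URL ("Currently") vs. on the response origin.
bool PassesCheckByUrl(const std::string& url) {
  return IsBlockableScheme(UrlScheme(url));
}
bool PassesCheckByOrigin(const std::string& url) {
  return IsBlockableScheme(OriginScheme(url));
}

int main() {
  // Constructed sample URLs.
  const char* samples[] = {"https://a.example/data.json",
                           "filesystem:https://a.example/temporary/data.json",
                           "blob:https://a.example/6f1c-constructed",
                           "blob:null/6f1c-constructed"};
  for (const char* url : samples)
    std::printf("%-50s by-url=%d by-origin=%d\n", url, PassesCheckByUrl(url),
                PassesCheckByOrigin(url));
}
```

For the filesystem: and blob: samples with an HTTPS inner URL, the URL-keyed check returns early while the origin-keyed check lets the response continue to the blocking logic; the blob:null sample is excluded by both.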
Jan 25 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e4b5dc98979065d5cd03a8bdbfa9a509223b7da0

commit e4b5dc98979065d5cd03a8bdbfa9a509223b7da0
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Thu Jan 25 17:54:40 2018

XSDB should also protect filesystem:... and blob:... URIs.

Bug: 804957
Change-Id: I2d2cccf2e77ad44305af1601e52c6ae80e062d7d
Reviewed-on: https://chromium-review.googlesource.com/882450
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531936}

[modify] https://crrev.com/e4b5dc98979065d5cd03a8bdbfa9a509223b7da0/content/browser/loader/cross_site_document_resource_handler.cc
[modify] https://crrev.com/e4b5dc98979065d5cd03a8bdbfa9a509223b7da0/content/browser/loader/cross_site_document_resource_handler_unittest.cc
Jan 25 2018
Comment 1 by lukasza@chromium.org, Jan 23 2018