Google Git
Sign in
chromium / chromium / src / dc28bfbdd63cea0d685f0c10dd50190a40430a79^! / . / extensions / renderer / script_injection.cc
commitdc28bfbdd63cea0d685f0c10dd50190a40430a79[log] [tgz]
authorKaran Bhatia <[email protected]>Tue Jan 15 05:36:11 2019
committerCommit Bot <[email protected]>Tue Jan 15 05:36:11 2019
tree4574f2d0073dc544a6718d533ddb0b9771ffc016
parent77a6053ca20bf72c2f72efd8a323a23cce6b8a8f [diff] [blame]
Blink: Plumb correct security origin for isolated world CSPs.

This CL introduces WebIsolatedWorldInfo and changes the blink public API to set
up an isolated world. The correct security origin is now plumbed for an isolated
world CSP. Also, clients can now use an empty string as the CSP for an isolated
world (Earlier this cleared the isolated world's CSP).

BUG=896041

Change-Id: I623c5fbbe678540c6474bb6db54fc287653f3689
Reviewed-on: https://chromium-review.googlesource.com/c/1395190
Commit-Queue: Karan Bhatia <[email protected]>
Reviewed-by: Kentaro Hara <[email protected]>
Reviewed-by: Rachel Blum <[email protected]>
Reviewed-by: Dominic Mazzoni <[email protected]>
Reviewed-by: Devlin <[email protected]>
Cr-Commit-Position: refs/heads/master@{#622746}
diff --git a/extensions/renderer/script_injection.cc b/extensions/renderer/script_injection.cc
index 5bf8446..fc3199e 100644
--- a/extensions/renderer/script_injection.cc
+++ b/extensions/renderer/script_injection.cc

@@ -24,6 +24,7 @@
 #include "extensions/renderer/extensions_renderer_client.h"
 #include "extensions/renderer/script_injection_callback.h"
 #include "extensions/renderer/scripts_run_info.h"
+#include "third_party/blink/public/platform/web_isolated_world_info.h"
 #include "third_party/blink/public/platform/web_security_origin.h"
 #include "third_party/blink/public/platform/web_string.h"
 #include "third_party/blink/public/web/web_document.h"
@@ -69,13 +70,16 @@
   // We need to set the isolated world origin and CSP even if it's not a new
   // world since these are stored per frame, and we might not have used this
   // isolated world in this frame before.
-  frame->SetIsolatedWorldSecurityOrigin(
-      id, blink::WebSecurityOrigin::Create(injection_host->url()));
-  frame->SetIsolatedWorldContentSecurityPolicy(
-      id,
-      blink::WebString::FromUTF8(injection_host->GetContentSecurityPolicy()));
-  frame->SetIsolatedWorldHumanReadableName(
-      id, blink::WebString::FromUTF8(injection_host->name()));
+  blink::WebIsolatedWorldInfo info;
+  info.security_origin =
+      blink::WebSecurityOrigin::Create(injection_host->url());
+  info.human_readable_name = blink::WebString::FromUTF8(injection_host->name());
+
+  const std::string* csp = injection_host->GetContentSecurityPolicy();
+  if (csp)
+    info.content_security_policy = blink::WebString::FromUTF8(*csp);
+
+  frame->SetIsolatedWorldInfo(id, info);
 
   return id;
 }