Report the correct document uri in the case of a ContentSecurityPolicyClient

https://bugs.webkit.org/show_bug.cgi?id=222489
<rdar://problem/73774118>

Reviewed by Brent Fulgham.

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html
       http/tests/security/contentSecurityPolicy/report-document-uri-blob.html

Previously we were setting the document URI to be the blocked URI in
the case where we were using a ContentSecurityPolicyClient and didn't
have access to the document URL. This patch passes the document URL
to the network process when loading a resource so we can properly set
the document URI in this case.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::shouldReportProtocolOnly):
(WebCore::ContentSecurityPolicy::deprecatedURLForReporting const):
(WebCore::ContentSecurityPolicy::reportViolation const):
Follow spec guidelines https://www.w3.org/TR/CSP2/#violation-reports
and set the document URI to be the URI's scheme if it is a globally
unique identifier.

In the case where we are using a client and don't have the document
URL, we should at least strip the blocked URL before reporting to align
with the spec.

* page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::setDocumentURL):

Source/WebKit:

Pass the document URL from the Network Process when we schedule a load
in case we need to report a CSP violation in NetworkLoadChecker.

* NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::NetworkLoadChecker):
(WebKit::NetworkLoadChecker::contentSecurityPolicy):
The regular toString() method sets file:// URLs to null. We should use
toRawString() so we can report the scheme if the source origin is a
local file, as per the W3C spec.

* NetworkProcess/NetworkLoadChecker.h:
* NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):
* NetworkProcess/NetworkResourceLoadParameters.h:
* NetworkProcess/NetworkResourceLoader.cpp:
* NetworkProcess/PingLoad.cpp:
(WebKit::PingLoad::PingLoad):
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):

Tools:

Rename OverrideContentSecurityPolicy.mm to ContentSecurityPolicy.mm
so we can use it for more general purpose CSP testing.

Add a test for document-uri reporting for file:, data: and about: protocols.

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKitCocoa/ContentSecurityPolicy.mm: Renamed from Tools/TestWebKitAPI/Tests/WebKitCocoa/OverrideContentSecurityPolicy.mm.
(TEST):
* TestWebKitAPI/Tests/WebKitCocoa/csp-document-uri-report.html: Added.

LayoutTests:

Layout test coverage for redirects using a ContentSecurityPolicyClient
and blob files.

* http/tests/security/contentSecurityPolicy/report-document-uri-blob-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-blob.html: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html: Added.
* platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* platform/win/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* platform/win/TestExpectations:
Blob URLs timeout on win.


Canonical link: https://commits.webkit.org/234793@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@273820 268f45cc-cd09-0410-ab3c-d52691b4dbfc
kcheney1 committed Mar 3, 2021
1 parent 00a7e5e commit ae418d885eccf574b29fa3e94231ff65d4769161
Showing 23 changed files with 305 additions and 16 deletions.
@@ -1,3 +1,23 @@
2021-03-03 Kate Cheney <katherine_cheney@apple.com>

Report the correct document uri in the case of a ContentSecurityPolicyClient
https://bugs.webkit.org/show_bug.cgi?id=222489
<rdar://problem/73774118>

Reviewed by Brent Fulgham.

Layout test coverage for redirects using a ContentSecurityPolicyClient
and blob files.

* http/tests/security/contentSecurityPolicy/report-document-uri-blob-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-blob.html: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html: Added.
* platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* platform/win/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* platform/win/TestExpectations:
Blob URLs timeout on win.

2021-03-03 Chris Gambrell <cgambrell@apple.com>

[LayoutTests] Convert http/tests/misc convert PHP to Python
@@ -0,0 +1,10 @@
CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
CONSOLE MESSAGE: Blocked by Content Security Policy.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl due to access control checks.
PASS XMLHttpRequest.send() did not follow the disallowed redirect.
PASS successfullyParsed is true

TEST COMPLETE
documentURI = http://127.0.0.1:8000/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html


@@ -0,0 +1,43 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php">
<script src="/js-test-resources/js-test-pre.js"></script>
</head>
<body>
<script>
window.jsTestIsAsync = true;
function log(msg) {
document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
}

// Expect the document URI to be the document URL stripped for reporting.
document.addEventListener('securitypolicyviolation', e => {
document.body.innerHTML += `documentURI = <b>${e.documentURI}</b><br/><br/>`;
finishJSTest();
});

var xhr = new XMLHttpRequest;
try {
// Redirect to a different host, because as of CSP2 paths
// are ignored when matching after a redirect.
xhr.open("GET", "resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl", true);
} catch(e) {
testFailed("XMLHttpRequest.open() should not throw an exception.");
}

xhr.onload = function () {
testFailed("XMLHttpRequest.send() should fail to follow the disallowed redirect.");
finishJSTest();
};

xhr.onerror = function () {
testPassed("XMLHttpRequest.send() did not follow the disallowed redirect.");
};

xhr.send();
</script>
</script>
<script src="/js-test-resources/js-test-post.js"></script>
</body>
</html>
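Review bot: there is a stray second `</script>` directly after `xhr.send();`, and the `log()` helper at the top is never called and appends to a `console` element that this file does not create; drop both. Separately, finishJSTest() is called from the securitypolicyviolation handler while the PASS line is emitted from xhr.onerror, so the output order depends on which fires first. Finishing only after both have run would make the expected file deterministic.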
@@ -0,0 +1,4 @@
CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
documentURI = blob


@@ -0,0 +1,23 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-test'">
<script nonce="test">
if (window.testRunner)
testRunner.dumpAsText();

// Include a script not included in the script-src to cause a violation.
// Include another script to report the document URI of this report, expecting
// it to be stripped to only consist of the URL protocol.
var violatingScript = "<script>\n\<" + "/script>"
var reportingScript = "<script nonce=\"test\"> testRunner.waitUntilDone(); document.addEventListener('securitypolicyviolation', e => { document.body.innerHTML += `documentURI = <b>${e.documentURI}</b><br/><br/>`; testRunner.notifyDone(); });<" + "/script>";

let blob = new Blob([violatingScript + reportingScript], {type : "text/html"});
if (window.testRunner)
testRunner.queueLoad(URL.createObjectURL(blob));
</script>
<body>
<p>Initial page</p>
</body>
</head>
</html>
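Review bot: in the blob document the violating script is concatenated ahead of the reporting script (`violatingScript + reportingScript`), so the securitypolicyviolation listener is registered only after the violation has been triggered, and the test depends on the event being dispatched later. Putting reportingScript first removes that dependence. The outer file also closes `</head>` after `</body>`, which leaves the body nested inside the head; close the head before `<body>`.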
@@ -0,0 +1,10 @@
CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
CONSOLE MESSAGE: Blocked by Content Security Policy.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl due to access control checks.
PASS XMLHttpRequest.send() did not follow the disallowed redirect.
PASS successfullyParsed is true

TEST COMPLETE
documentURI = http://127.0.0.1:8000/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html


@@ -2327,6 +2327,7 @@ http/tests/history/back-during-onload-triggered-by-back.html [ Skip ] # Timeout
fast/frames/restoring-page-cache-should-not-run-scripts.html [ Skip ]
http/tests/security/mixedContent/blob-url-in-iframe.html [ Skip ]
http/tests/security/contentSecurityPolicy/navigate-self-to-blob.html [ Skip ]
http/tests/security/contentSecurityPolicy/report-document-uri-blob.html [ Skip ]
fast/frames/restoring-page-cache-should-not-run-scripts-via-style-update.html [ Skip ]

# Clear Key not implemented
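Review bot: the new `report-document-uri-blob.html [ Skip ]` entry carries no reason. The ChangeLog says blob URLs time out on win; put that in a trailing comment on the line, as `# Timeout` is used on the entry shown in the hunk header, so the skip can be revisited later.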
@@ -0,0 +1,10 @@
CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
CONSOLE MESSAGE: Blocked by Content Security Policy.
CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl due to access control checks.
PASS XMLHttpRequest.send() did not follow the disallowed redirect.
PASS successfullyParsed is true

TEST COMPLETE
documentURI = http://127.0.0.1:8000/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html


@@ -1,3 +1,35 @@
2021-03-03 Kate Cheney <katherine_cheney@apple.com>

Report the correct document uri in the case of a ContentSecurityPolicyClient
https://bugs.webkit.org/show_bug.cgi?id=222489
<rdar://problem/73774118>

Reviewed by Brent Fulgham.

Tests: http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html
http/tests/security/contentSecurityPolicy/report-document-uri-blob.html

Previously we were setting the document URI to be the blocked URI in
the case where we were using a ContentSecurityPolicyClient and didn't
have access to the document URL. This patch passes the document URL
to the network process when loading a resource so we can properly set
the document URI in this case.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::shouldReportProtocolOnly):
(WebCore::ContentSecurityPolicy::deprecatedURLForReporting const):
(WebCore::ContentSecurityPolicy::reportViolation const):
Follow spec guidelines https://www.w3.org/TR/CSP2/#violation-reports
and set the document URI to be the URI's scheme if it is a globally
unique identifier.

In the case where we are using a client and don't have the document
URL, we should at least strip the blocked URL before reporting to align
with the spec.

* page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::setDocumentURL):

2021-03-03 Youenn Fablet <youenn@apple.com>

WebKitLegacy needs to keep JSDOMWindow even though it is used while its origin is not set
@@ -651,11 +651,16 @@ bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSec
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI, url);
}

static bool shouldReportProtocolOnly(const URL& url)
{
return !url.isHierarchical() || url.protocolIs("file");
}

String ContentSecurityPolicy::deprecatedURLForReporting(const URL& url) const
{
if (!url.isValid())
return { };
if (!url.isHierarchical() || url.protocolIs("file"))
if (shouldReportProtocolOnly(url))
return url.protocol().toString();
return static_cast<SecurityOriginData>(*m_selfSource).securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
}
@@ -686,7 +691,9 @@ void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirec

// FIXME: Support sending reports from worker.
CSPInfo info;
info.documentURI = blockedURL.string();

info.documentURI = m_documentURL ? m_documentURL.value().strippedForUseAsReferrer() : deprecatedURLForReporting(blockedURL);

if (m_client)
m_client->willSendCSPViolationReport(info);
else {
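Review bot: on the `m_documentURL` branch the URL goes straight to strippedForUseAsReferrer() and is not put through shouldReportProtocolOnly(), which the Document path in the next hunk does apply to document.url(). A file:, blob: or data: document URL supplied for the client case is therefore handled differently from the in-process case. Consider one small helper that takes the document URL and returns either the protocol or the stripped URL, and use it at both sites. The fallback still derives documentURI from blockedURL; a FIXME stating when m_documentURL can be unset would help the next reader.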
@@ -698,7 +705,7 @@ void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirec
if (!frame)
return;

info.documentURI = document.url().strippedForUseAsReferrer();
info.documentURI = shouldReportProtocolOnly(document.url()) ? document.url().protocol().toString() : document.url().strippedForUseAsReferrer();

auto stack = createScriptCallStack(JSExecState::currentState(), 2);
auto* callFrame = stack->firstNonNativeCallFrame();
@@ -175,6 +175,8 @@ class ContentSecurityPolicy {
void setClient(ContentSecurityPolicyClient* client) { m_client = client; }
void updateSourceSelf(const SecurityOrigin&);

void setDocumentURL(URL& documentURL) { m_documentURL = documentURL; }

private:
void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), const WTF::OrdinalNumber& contextColumn = WTF::OrdinalNumber::beforeFirst(), JSC::JSGlobalObject* = nullptr) const;
void applyPolicyToScriptExecutionContext();
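Review bot: setDocumentURL takes `URL&`, a non-const lvalue reference, although it only copies the argument into m_documentURL. That rejects temporaries and const URLs and suggests to callers that the setter may modify their URL. Take `const URL&`, or `URL&&` with WTFMove, instead.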
@@ -216,6 +218,7 @@ class ContentSecurityPolicy {
ScriptExecutionContext* m_scriptExecutionContext { nullptr };
ContentSecurityPolicyClient* m_client { nullptr };
URL m_protectedURL;
Optional<URL> m_documentURL;
std::unique_ptr<ContentSecurityPolicySource> m_selfSource;
String m_selfSourceProtocol;
CSPDirectiveListVector m_policies;
@@ -1,3 +1,32 @@
2021-03-03 Kate Cheney <katherine_cheney@apple.com>

Report the correct document uri in the case of a ContentSecurityPolicyClient
https://bugs.webkit.org/show_bug.cgi?id=222489
<rdar://problem/73774118>

Reviewed by Brent Fulgham.

Pass the document URL from the Network Process when we schedule a load
in case we need to report a CSP violation in NetworkLoadChecker.

* NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::NetworkLoadChecker):
(WebKit::NetworkLoadChecker::contentSecurityPolicy):
The regular toString() method sets file:// URLs to null. We should use
toRawString() so we can report the scheme if the source origin is a
local file, as per the W3C spec.

* NetworkProcess/NetworkLoadChecker.h:
* NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):
* NetworkProcess/NetworkResourceLoadParameters.h:
* NetworkProcess/NetworkResourceLoader.cpp:
* NetworkProcess/PingLoad.cpp:
(WebKit::PingLoad::PingLoad):
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):

2021-03-03 Don Olmstead <don.olmstead@sony.com>

[CMake] JavaScriptCore GLib headers should be copies
@@ -50,13 +50,14 @@ static inline bool isSameOrigin(const URL& url, const SecurityOrigin* origin)
return url.protocolIsData() || url.protocolIsBlob() || !origin || origin->canRequest(url);
}

NetworkLoadChecker::NetworkLoadChecker(NetworkProcess& networkProcess, NetworkResourceLoader* networkResourceLoader, NetworkSchemeRegistry* schemeRegistry, FetchOptions&& options, PAL::SessionID sessionID, WebPageProxyIdentifier webPageProxyID, HTTPHeaderMap&& originalRequestHeaders, URL&& url, RefPtr<SecurityOrigin>&& sourceOrigin, RefPtr<SecurityOrigin>&& topOrigin, PreflightPolicy preflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled, bool shouldCaptureExtraNetworkLoadMetrics, LoadType requestLoadType)
NetworkLoadChecker::NetworkLoadChecker(NetworkProcess& networkProcess, NetworkResourceLoader* networkResourceLoader, NetworkSchemeRegistry* schemeRegistry, FetchOptions&& options, PAL::SessionID sessionID, WebPageProxyIdentifier webPageProxyID, HTTPHeaderMap&& originalRequestHeaders, URL&& url, DocumentURL&& documentURL, RefPtr<SecurityOrigin>&& sourceOrigin, RefPtr<SecurityOrigin>&& topOrigin, PreflightPolicy preflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled, bool shouldCaptureExtraNetworkLoadMetrics, LoadType requestLoadType)
: m_options(WTFMove(options))
, m_sessionID(sessionID)
, m_networkProcess(networkProcess)
, m_webPageProxyID(webPageProxyID)
, m_originalRequestHeaders(WTFMove(originalRequestHeaders))
, m_url(WTFMove(url))
, m_documentURL(WTFMove(documentURL))
, m_origin(WTFMove(sourceOrigin))
, m_topOrigin(WTFMove(topOrigin))
, m_preflightPolicy(preflightPolicy)
@@ -474,8 +475,10 @@ ContentSecurityPolicy* NetworkLoadChecker::contentSecurityPolicy()
{
if (!m_contentSecurityPolicy && m_cspResponseHeaders) {
// FIXME: Pass the URL of the protected resource instead of its origin.
m_contentSecurityPolicy = makeUnique<ContentSecurityPolicy>(URL { URL { }, m_origin->toString() });
m_contentSecurityPolicy = makeUnique<ContentSecurityPolicy>(URL { URL { }, m_origin->toRawString() });
m_contentSecurityPolicy->didReceiveHeaders(*m_cspResponseHeaders, String { m_referrer }, ContentSecurityPolicy::ReportParsingErrors::No);
if (!m_documentURL.isEmpty())
m_contentSecurityPolicy->setDocumentURL(m_documentURL);
}
return m_contentSecurityPolicy.get();
}
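Review bot: the guard `if (!m_documentURL.isEmpty())` lets a non-empty but invalid URL through to setDocumentURL, whereas deprecatedURLForReporting() bails out on `!url.isValid()`. m_documentURL is decoded from IPC parameters, so checking isValid() here keeps the two paths consistent. The switch to toRawString() deserves a one-line comment saying it preserves the file: scheme, since that reasoning currently lives only in the ChangeLog; the FIXME above it still applies.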
@@ -53,12 +53,14 @@ class NetworkProcess;
class NetworkResourceLoader;
class NetworkSchemeRegistry;

using DocumentURL = URL;

class NetworkLoadChecker : public CanMakeWeakPtr<NetworkLoadChecker> {
WTF_MAKE_FAST_ALLOCATED;
public:
enum class LoadType : bool { MainFrame, Other };

NetworkLoadChecker(NetworkProcess&, NetworkResourceLoader*, NetworkSchemeRegistry*, WebCore::FetchOptions&&, PAL::SessionID, WebPageProxyIdentifier, WebCore::HTTPHeaderMap&&, URL&&, RefPtr<WebCore::SecurityOrigin>&&, RefPtr<WebCore::SecurityOrigin>&& topOrigin, WebCore::PreflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled = false, bool shouldCaptureExtraNetworkLoadMetrics = false, LoadType requestLoadType = LoadType::Other);
NetworkLoadChecker(NetworkProcess&, NetworkResourceLoader*, NetworkSchemeRegistry*, WebCore::FetchOptions&&, PAL::SessionID, WebPageProxyIdentifier, WebCore::HTTPHeaderMap&&, URL&&, DocumentURL&&, RefPtr<WebCore::SecurityOrigin>&&, RefPtr<WebCore::SecurityOrigin>&& topOrigin, WebCore::PreflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled = false, bool shouldCaptureExtraNetworkLoadMetrics = false, LoadType requestLoadType = LoadType::Other);
~NetworkLoadChecker();

struct RedirectionTriplet {
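Review bot: `using DocumentURL = URL;` is only an alias, so the constructor's adjacent `URL&&, DocumentURL&&` parameters have the same type and the compiler will not catch a call site that passes them in the wrong order. At minimum name both parameters in this declaration; since the alias adds no checking, plain `URL&& documentURL` would say the same thing with less indirection.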
@@ -135,6 +137,7 @@ class NetworkLoadChecker : public CanMakeWeakPtr<NetworkLoadChecker> {
WebCore::HTTPHeaderMap m_originalRequestHeaders; // Needed for CORS checks.
WebCore::HTTPHeaderMap m_firstRequestHeaders; // Needed for CORS checks.
URL m_url;
DocumentURL m_documentURL;
RefPtr<WebCore::SecurityOrigin> m_origin;
RefPtr<WebCore::SecurityOrigin> m_topOrigin;
Optional<WebCore::ContentSecurityPolicyResponseHeaders> m_cspResponseHeaders;
@@ -110,6 +110,8 @@ void NetworkResourceLoadParameters::encode(IPC::Encoder& encoder) const
encoder << parentFrameID;
encoder << crossOriginAccessControlCheckEnabled;

encoder << documentURL;

#if ENABLE(SERVICE_WORKER)
encoder << serviceWorkersMode;
encoder << serviceWorkerRegistrationIdentifier;
@@ -275,6 +277,12 @@ Optional<NetworkResourceLoadParameters> NetworkResourceLoadParameters::decode(IP
return WTF::nullopt;
result.crossOriginAccessControlCheckEnabled = *crossOriginAccessControlCheckEnabled;

Optional<URL> documentURL;
decoder >> documentURL;
if (!documentURL)
return WTF::nullopt;
result.documentURL = *documentURL;

#if ENABLE(SERVICE_WORKER)
Optional<ServiceWorkersMode> serviceWorkersMode;
decoder >> serviceWorkersMode;
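Review bot: documentURL is decoded and stored as received, with no check beyond decode success. The value is supplied by the sending process and ends up in CSP violation reports, so add a comment on the field stating that it is for reporting only and must not feed any policy or origin decision in the network process. If an empty URL is a legitimate value (NetworkLoadChecker tests isEmpty()), say so here as well.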
@@ -64,7 +64,8 @@ class NetworkResourceLoadParameters : public NetworkLoadParameters {
bool pageHasResourceLoadClient { false };
Optional<WebCore::FrameIdentifier> parentFrameID;
bool crossOriginAccessControlCheckEnabled { true };

URL documentURL;

#if ENABLE(SERVICE_WORKER)
WebCore::ServiceWorkersMode serviceWorkersMode { WebCore::ServiceWorkersMode::None };
Optional<WebCore::ServiceWorkerRegistrationIdentifier> serviceWorkerRegistrationIdentifier;
@@ -118,7 +118,7 @@ NetworkResourceLoader::NetworkResourceLoader(NetworkResourceLoadParameters&& par

if (synchronousReply || parameters.shouldRestrictHTTPResponseAccess || parameters.options.keepAlive) {
NetworkLoadChecker::LoadType requestLoadType = isMainFrameLoad() ? NetworkLoadChecker::LoadType::MainFrame : NetworkLoadChecker::LoadType::Other;
m_networkLoadChecker = makeUnique<NetworkLoadChecker>(connection.networkProcess(), this, &connection.schemeRegistry(), FetchOptions { m_parameters.options }, sessionID(), m_parameters.webPageProxyID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, originalRequest().httpReferrer(), m_parameters.isHTTPSUpgradeEnabled, shouldCaptureExtraNetworkLoadMetrics(), requestLoadType);
m_networkLoadChecker = makeUnique<NetworkLoadChecker>(connection.networkProcess(), this, &connection.schemeRegistry(), FetchOptions { m_parameters.options }, sessionID(), m_parameters.webPageProxyID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, URL { m_parameters.documentURL }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, originalRequest().httpReferrer(), m_parameters.isHTTPSUpgradeEnabled, shouldCaptureExtraNetworkLoadMetrics(), requestLoadType);
if (m_parameters.cspResponseHeaders)
m_networkLoadChecker->setCSPResponseHeaders(ContentSecurityPolicyResponseHeaders { m_parameters.cspResponseHeaders.value() });
#if ENABLE(CONTENT_EXTENSIONS)
