1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CONTENT_COMMON_FRAME_REPLICATION_STATE_H_
#define CONTENT_COMMON_FRAME_REPLICATION_STATE_H_
#include <string>
#include <vector>
#include "content/common/content_export.h"
#include "services/network/public/mojom/content_security_policy.mojom.h"
#include "services/network/public/mojom/web_sandbox_flags.mojom.h"
#include "third_party/blink/public/common/feature_policy/feature_policy.h"
#include "third_party/blink/public/common/frame/frame_policy.h"
#include "third_party/blink/public/mojom/ad_tagging/ad_frame.mojom.h"
#include "third_party/blink/public/mojom/frame/frame_owner_element_type.mojom.h"
#include "third_party/blink/public/mojom/frame/tree_scope_type.mojom.h"
#include "third_party/blink/public/mojom/security_context/insecure_request_policy.mojom.h"
#include "url/origin.h"
namespace content {
// This structure holds information that needs to be replicated between a
// RenderFrame and any of its associated RenderFrameProxies.
struct CONTENT_EXPORT FrameReplicationState {
FrameReplicationState();
FrameReplicationState(
blink::mojom::TreeScopeType scope,
const std::string& name,
const std::string& unique_name,
blink::mojom::InsecureRequestPolicy insecure_request_policy,
const std::vector<uint32_t>& insecure_navigations_set,
bool has_potentially_trustworthy_unique_origin,
bool has_active_user_gesture,
bool has_received_user_gesture_before_nav,
blink::mojom::FrameOwnerElementType owner_type);
~FrameReplicationState();
FrameReplicationState(const FrameReplicationState& other);
FrameReplicationState& operator=(const FrameReplicationState& other);
// Current origin of the frame. This field is updated whenever a frame
// navigation commits.
//
// TODO(alexmos): For now, |origin| updates are immediately sent to all frame
// proxies when in --site-per-process mode. This isn't ideal, since Blink
// typically needs a proxy's origin only when performing security checks on
// the ancestors of a local frame. So, as a future improvement, we could
// delay sending origin updates to proxies until they have a local descendant
// (if ever). This would reduce leaking a user's browsing history into a
// compromized renderer.
url::Origin origin;
// The assigned name of the frame (see WebFrame::assignedName()).
//
// |name| is set when a new child frame is created using the value of the
// <iframe> element's "name" attribute (see
// RenderFrameHostImpl::OnCreateChildFrame), and it is updated dynamically
// whenever a frame sets its window.name.
//
// |name| updates are immediately sent to all frame proxies (when in
// --site-per-process mode), so that other frames can look up or navigate a
// frame using its updated name (e.g., using window.open(url, frame_name)).
std::string name;
// Unique name of the frame (see WebFrame::uniqueName()).
//
// |unique_name| is used in heuristics that try to identify the same frame
// across different, unrelated navigations (i.e. to refer to the frame
// when going back/forward in session history OR when refering to the frame
// in web tests results).
//
// |unique_name| needs to be replicated to ensure that unique name for a given
// frame is the same across all renderers - without replication a renderer
// might arrive at a different value when recalculating the unique name from
// scratch.
std::string unique_name;
// Parsed feature policy header. May be empty if no header was sent with the
// document.
blink::ParsedFeaturePolicy feature_policy_header;
// Contains the currently active sandbox flags for this frame, including flags
// inherited from parent frames, the currently active flags from the <iframe>
// element hosting this frame, as well as any flags set from a
// Content-Security-Policy HTTP header.
network::mojom::WebSandboxFlags active_sandbox_flags =
network::mojom::WebSandboxFlags::kNone;
// Iframe sandbox flags and container policy currently in effect for the
// frame. Container policy may be empty if this is the top-level frame.
// |sandbox_flags| are initialized for new child frames using the value of the
// <iframe> element's "sandbox" attribute, combined with any sandbox flags in
// effect for the parent frame. This does *not* include any flags set by a
// Content-Security-Policy header delivered with the framed document.
//
// When a parent frame updates an <iframe>'s sandbox attribute via
// JavaScript, |sandbox_flags| are updated only after the child frame commits
// a navigation that makes the updated flags take effect. This is also the
// point at which updates are sent to proxies (see
// CommitPendingFramePolicy()). The proxies need updated flags so that they
// can be inherited properly if a proxy ever becomes a parent of a local
// frame.
blink::FramePolicy frame_policy;
// The state of feature policies in the opener browsing context. This field is
// only relevant for a root FrameTreeNode.
blink::FeaturePolicy::FeatureState opener_feature_state;
// Accumulated CSP headers - gathered from http headers, <meta> elements,
// parent frames (in case of about:blank frames).
std::vector<network::mojom::ContentSecurityPolicyHeader>
accumulated_csp_headers;
// Whether the frame is in a document tree or a shadow tree, per the Shadow
// DOM spec: https://w3c.github.io/webcomponents/spec/shadow/
// Note: This should really be const, as it can never change once a frame is
// created. However, making it const makes it a pain to embed into IPC message
// params: having a const member implicitly deletes the copy assignment
// operator.
blink::mojom::TreeScopeType scope = blink::mojom::TreeScopeType::kDocument;
// The insecure request policy that a frame's current document is enforcing.
// Updates are immediately sent to all frame proxies when frames live in
// different processes.
blink::mojom::InsecureRequestPolicy insecure_request_policy =
blink::mojom::InsecureRequestPolicy::kLeaveInsecureRequestsAlone;
// The upgrade insecure navigations set that a frame's current document is
// enforcing. Updates are immediately sent to all frame proxies when frames
// live in different processes. Elements in the set are hashes of hosts to be
// upgraded.
std::vector<uint32_t> insecure_navigations_set;
// True if a frame's origin is unique and should be considered potentially
// trustworthy.
bool has_potentially_trustworthy_unique_origin = false;
// Whether the frame has an active transient user gesture.
bool has_active_user_gesture = false;
// Whether the frame has received a user gesture in a previous navigation so
// long as a the frame has staying on the same eTLD+1.
bool has_received_user_gesture_before_nav = false;
// The type of the (local) frame owner for this frame in the parent process.
// Note: This should really be const, as it can never change once a frame is
// created. However, making it const makes it a pain to embed into IPC message
// params: having a const member implicitly deletes the copy assignment
// operator.
blink::mojom::FrameOwnerElementType frame_owner_element_type =
blink::mojom::FrameOwnerElementType::kNone;
// Whether this frame is an ad frame. Once a frame becomes an ad, it stays as
// an ad throughout its lifetime, even if it later navigates to a non-ad
// document.
blink::mojom::AdFrameType ad_frame_type = blink::mojom::AdFrameType::kNonAd;
// IMPORTANT NOTE: When adding a new member to this struct, don't forget to
// also add a corresponding entry to the struct traits in frame_messages.h!
};
} // namespace content
#endif // CONTENT_COMMON_FRAME_REPLICATION_STATE_H_
|
