Merge pull request #2375 from deepak1556/web_frame_api_patch

webFrame: api to make scheme bypass CSP

atom/renderer/api/atom_api_web_frame.cc

@@ -4,12 +4,6 @@
 
 #include "atom/renderer/api/atom_api_web_frame.h"
 
-// This defines are required by SchemeRegistry.h.
-#define ALWAYS_INLINE inline
-#define OS(WTF_FEATURE) (defined WTF_OS_##WTF_FEATURE  && WTF_OS_##WTF_FEATURE)  // NOLINT
-#define USE(WTF_FEATURE) (defined WTF_USE_##WTF_FEATURE  && WTF_USE_##WTF_FEATURE)  // NOLINT
-#define ENABLE(WTF_FEATURE) (defined ENABLE_##WTF_FEATURE  && ENABLE_##WTF_FEATURE)  // NOLINT
-
 #include "atom/common/native_mate_converters/gfx_converter.h"
 #include "atom/common/native_mate_converters/string16_converter.h"
 #include "atom/renderer/api/atom_api_spell_check_client.h"
@@ -19,29 +13,11 @@
 #include "native_mate/object_template_builder.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
 #include "third_party/WebKit/public/web/WebLocalFrame.h"
+#include "third_party/WebKit/public/web/WebSecurityPolicy.h"
 #include "third_party/WebKit/public/web/WebView.h"
-#include "third_party/WebKit/Source/platform/weborigin/SchemeRegistry.h"
 
 #include "atom/common/node_includes.h"
 
-namespace mate {
-
-template<>
-struct Converter<WTF::String> {
-  static bool FromV8(v8::Isolate* isolate,
-                     v8::Local<v8::Value> val,
-                     WTF::String* out) {
-    if (!val->IsString())
-      return false;
-
-    v8::String::Value s(val);
-    *out = WTF::String(reinterpret_cast<const base::char16*>(*s), s.length());
-    return true;
-  }
-};
-
-}  // namespace mate
-
 namespace atom {
 
 namespace api {
@@ -106,6 +82,18 @@ void WebFrame::SetSpellCheckProvider(mate::Arguments* args,
   web_frame_->view()->setSpellCheckClient(spell_check_client_.get());
 }
 
+void WebFrame::RegisterURLSchemeAsSecure(const std::string& scheme) {
+  // Register scheme to secure list (https, wss, data).
+  blink::WebSecurityPolicy::registerURLSchemeAsSecure(
+      blink::WebString::fromUTF8(scheme));
+}
+
+void WebFrame::RegisterURLSchemeAsBypassingCsp(const std::string& scheme) {
+  // Register scheme to bypass pages's Content Security Policy.
+  blink::WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy(
+      blink::WebString::fromUTF8(scheme));
+}
+
 mate::ObjectTemplateBuilder WebFrame::GetObjectTemplateBuilder(
     v8::Isolate* isolate) {
   return mate::ObjectTemplateBuilder(isolate)
@@ -121,7 +109,9 @@ mate::ObjectTemplateBuilder WebFrame::GetObjectTemplateBuilder(
       .SetMethod("attachGuest", &WebFrame::AttachGuest)
       .SetMethod("setSpellCheckProvider", &WebFrame::SetSpellCheckProvider)
       .SetMethod("registerUrlSchemeAsSecure",
-                 &blink::SchemeRegistry::registerURLSchemeAsSecure);
+                 &WebFrame::RegisterURLSchemeAsSecure)
+      .SetMethod("registerUrlSchemeAsBypassingCsp",
+                 &WebFrame::RegisterURLSchemeAsBypassingCsp);
 }
 
 // static

atom/renderer/api/atom_api_web_frame.h

@@ -54,6 +54,9 @@ class WebFrame : public mate::Wrappable {
                              bool auto_spell_correct_turned_on,
                              v8::Local<v8::Object> provider);
 
+  void RegisterURLSchemeAsSecure(const std::string& scheme);
+  void RegisterURLSchemeAsBypassingCsp(const std::string& scheme);
+
   // mate::Wrappable:
   virtual mate::ObjectTemplateBuilder GetObjectTemplateBuilder(
       v8::Isolate* isolate);

docs/api/web-frame.md

@@ -57,10 +57,17 @@ require('web-frame').setSpellCheckProvider("en-US", true, {
 
 * `scheme` String
 
-Sets the `scheme` as secure scheme.
+Registers the `scheme` as secure scheme.
 
 Secure schemes do not trigger mixed content warnings. For example, `https` and
 `data` are secure schemes because they cannot be corrupted by active network
 attackers.
 
+## webFrame.registerUrlSchemeAsBypassingCsp(scheme)
+
+* `scheme` String
+
+Resources will be loaded from this `scheme` regardless of
+page's Content Security Policy.
+
 [spellchecker]: https://github.com/atom/node-spellchecker