Chromium Code Reviews Chromium Code Reviews
Issue 10829465:
Apply frame-src content-security-policy to WebUI pages. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ui/webui/chrome_url_data_manager_backend.h" | 5 #include "chrome/browser/ui/webui/chrome_url_data_manager_backend.h" |
| 6 | 6 |
| 7 #include <set> | 7 #include <set> |
| 8 | 8 |
| 9 #include "base/basictypes.h" | 9 #include "base/basictypes.h" |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 81 insert(chrome::kChromeUISystemInfoHost); | 81 insert(chrome::kChromeUISystemInfoHost); |
| 82 #endif | 82 #endif |
| 83 #if defined(OS_CHROMEOS) || defined(USE_AURA) | 83 #if defined(OS_CHROMEOS) || defined(USE_AURA) |
| 84 insert(chrome::kChromeUICollectedCookiesHost); | 84 insert(chrome::kChromeUICollectedCookiesHost); |
| 85 insert(chrome::kChromeUIHttpAuthHost); | 85 insert(chrome::kChromeUIHttpAuthHost); |
| 86 insert(chrome::kChromeUITabModalConfirmDialogHost); | 86 insert(chrome::kChromeUITabModalConfirmDialogHost); |
| 87 #endif | 87 #endif |
| 88 } | 88 } |
| 89 }; | 89 }; |
| 90 | 90 |
| 91 // It is OK to add URLs to this set which slightly reduces the CSP for them. | 91 // It is OK to add URLs to these maps and slightly reduce the CSP protection |
| 92 class ChromeURLContentSecurityPolicyObjectTagSet | 92 // applied to the WebUI page. |
|
Evan Stade
2012/08/21 20:56:26
documentation for what this is a map from and to
| |
| 93 : public std::set<std::string> { | 93 class ChromeURLObjectSrcExceptionMap |
| 94 : public std::map<std::string, std::string> { | |
| 94 public: | 95 public: |
| 95 ChromeURLContentSecurityPolicyObjectTagSet() : std::set<std::string>() { | 96 ChromeURLObjectSrcExceptionMap() : std::map<std::string, std::string>() { |
| 96 insert(chrome::kChromeUIPrintHost); | 97 insert(std::pair<std::string, std::string>( |
| 98 chrome::kChromeUIPrintHost, "object-src 'self';")); | |
| 99 } | |
| 100 }; | |
| 101 | |
| 102 class ChromeURLFrameSrcExceptionMap | |
| 103 : public std::map<std::string, std::string> { | |
| 104 public: | |
| 105 ChromeURLFrameSrcExceptionMap() : std::map<std::string, std::string>() { | |
| 106 insert(std::pair<std::string, std::string>( | |
| 107 chrome::kChromeUIUberHost, "frame-src chrome:;")); | |
| 108 insert(std::pair<std::string, std::string>( | |
| 109 chrome::kChromeUIUberFrameHost, "frame-src chrome:;")); | |
| 97 } | 110 } |
| 98 }; | 111 }; |
| 99 | 112 |
| 100 base::LazyInstance<ChromeURLContentSecurityPolicyExceptionSet> | 113 base::LazyInstance<ChromeURLContentSecurityPolicyExceptionSet> |
| 101 g_chrome_url_content_security_policy_exception_set = | 114 g_chrome_url_content_security_policy_exception_set = |
| 102 LAZY_INSTANCE_INITIALIZER; | 115 LAZY_INSTANCE_INITIALIZER; |
| 103 | 116 |
| 104 base::LazyInstance<ChromeURLContentSecurityPolicyObjectTagSet> | 117 base::LazyInstance<ChromeURLObjectSrcExceptionMap> |
| 105 g_chrome_url_content_security_policy_object_tag_set = | 118 g_chrome_url_object_src_exception_map = LAZY_INSTANCE_INITIALIZER; |
| 106 LAZY_INSTANCE_INITIALIZER; | 119 |
| 120 base::LazyInstance<ChromeURLFrameSrcExceptionMap> | |
| 121 g_chrome_url_frame_src_exception_map = LAZY_INSTANCE_INITIALIZER; | |
| 107 | 122 |
| 108 // Determine the least-privileged content security policy header, if any, | 123 // Determine the least-privileged content security policy header, if any, |
| 109 // that is compatible with a given WebUI URL, and append it to the existing | 124 // that is compatible with a given WebUI URL, and append it to the existing |
| 110 // response headers. | 125 // response headers. |
| 111 void AddContentSecurityPolicyHeader( | 126 void AddContentSecurityPolicyHeader( |
| 112 const GURL& url, net::HttpResponseHeaders* headers) { | 127 const GURL& url, net::HttpResponseHeaders* headers) { |
| 113 ChromeURLContentSecurityPolicyExceptionSet* exceptions = | 128 ChromeURLContentSecurityPolicyExceptionSet* exceptions = |
| 114 g_chrome_url_content_security_policy_exception_set.Pointer(); | 129 g_chrome_url_content_security_policy_exception_set.Pointer(); |
| 115 | 130 |
| 116 if (exceptions->find(url.host()) == exceptions->end()) { | 131 if (exceptions->find(url.host()) == exceptions->end()) { |
| 117 std::string base = kChromeURLContentSecurityPolicyHeaderBase; | 132 std::string base = kChromeURLContentSecurityPolicyHeaderBase; |
| 118 ChromeURLContentSecurityPolicyObjectTagSet* object_tag_set = | |
| 119 g_chrome_url_content_security_policy_object_tag_set.Pointer(); | |
| 120 | 133 |
| 121 base.append(object_tag_set->find(url.host()) == object_tag_set->end() ? | 134 ChromeURLObjectSrcExceptionMap* object_map = |
| 122 "object-src 'none';" : | 135 g_chrome_url_object_src_exception_map.Pointer(); |
| 123 "object-src 'self';"); | 136 ChromeURLObjectSrcExceptionMap::iterator object_iter = |
| 137 object_map->find(url.host()); | |
| 138 base.append(object_iter == object_map->end() ? | |
| 139 "object-src 'none';" : object_iter->second); | |
| 140 | |
| 141 ChromeURLFrameSrcExceptionMap* frame_map = | |
| 142 g_chrome_url_frame_src_exception_map.Pointer(); | |
| 143 ChromeURLFrameSrcExceptionMap::iterator frame_iter = | |
| 144 frame_map->find(url.host()); | |
| 145 base.append(frame_iter == frame_map->end() ? | |
| 146 "frame-src 'none';" : frame_iter->second); | |
| 124 | 147 |
| 125 headers->AddHeader(base); | 148 headers->AddHeader(base); |
| 126 } | 149 } |
| 127 } | 150 } |
| 128 | 151 |
| 129 // Parse a URL into the components used to resolve its request. |source_name| | 152 // Parse a URL into the components used to resolve its request. |source_name| |
| 130 // is the hostname and |path| is the remaining portion of the URL. | 153 // is the hostname and |path| is the remaining portion of the URL. |
| 131 void URLToRequest(const GURL& url, std::string* source_name, | 154 void URLToRequest(const GURL& url, std::string* source_name, |
| 132 std::string* path) { | 155 std::string* path) { |
| 133 DCHECK(url.SchemeIs(chrome::kChromeDevToolsScheme) || | 156 DCHECK(url.SchemeIs(chrome::kChromeDevToolsScheme) || |
| (...skipping 464 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 598 | 621 |
| 599 return new URLRequestChromeJob(request, backend_); | 622 return new URLRequestChromeJob(request, backend_); |
| 600 } | 623 } |
| 601 | 624 |
| 602 } // namespace | 625 } // namespace |
| 603 | 626 |
| 604 net::URLRequestJobFactory::ProtocolHandler* | 627 net::URLRequestJobFactory::ProtocolHandler* |
| 605 CreateDevToolsProtocolHandler(ChromeURLDataManagerBackend* backend) { | 628 CreateDevToolsProtocolHandler(ChromeURLDataManagerBackend* backend) { |
| 606 return new DevToolsJobFactory(backend); | 629 return new DevToolsJobFactory(backend); |
| 607 } | 630 } |
| OLD | NEW |
