Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(344)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/csp/ContentSecurityPolicy.h

Issue 1109633002: Basic experimental suborigin CSP directive and SecurityOrigin mods (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« Source/core/dom/ExecutionContext.cpp ('K') | « Source/core/frame/csp/CSPDirectiveList.cpp ('k') | Source/core/frame/csp/ContentSecurityPolicy.cpp » ('j') | Source/platform/weborigin/SecurityOrigin.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after
92 // https://w3c.github.io/manifest/#content-security-policy 92 // https://w3c.github.io/manifest/#content-security-policy
93 static const char ManifestSrc[]; 93 static const char ManifestSrc[];
94 94
95 // Mixed Content Directive 95 // Mixed Content Directive
96 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode 96 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
97 static const char BlockAllMixedContent[]; 97 static const char BlockAllMixedContent[];
98 98
99 // https://w3c.github.io/webappsec/specs/upgrade/ 99 // https://w3c.github.io/webappsec/specs/upgrade/
100 static const char UpgradeInsecureRequests[]; 100 static const char UpgradeInsecureRequests[];
101 101
102 // Suborigin Directive
103 // https://metromoxie.github.io/webappsec/specs/suborigins/index.html
104 static const char Suborigin[];
105
102 enum ReportingStatus { 106 enum ReportingStatus {
103 SendReport, 107 SendReport,
104 SuppressReport 108 SuppressReport
105 }; 109 };
106 110
107 // When a resource is loaded after a redirect, source paths are 111 // When a resource is loaded after a redirect, source paths are
108 // ignored in the matching algorithm. 112 // ignored in the matching algorithm.
109 enum RedirectStatus { 113 enum RedirectStatus {
110 DidRedirect, 114 DidRedirect,
111 DidNotRedirect 115 DidNotRedirect
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after
198 // If a frame is passed in, the message will be logged to its active documen t's console. 202 // If a frame is passed in, the message will be logged to its active documen t's console.
199 // Otherwise, the message will be logged to this object's |m_executionContex t|. 203 // Otherwise, the message will be logged to this object's |m_executionContex t|.
200 void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = null ptr); 204 void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = null ptr);
201 205
202 void reportDirectiveAsSourceExpression(const String& directiveName, const St ring& sourceExpression); 206 void reportDirectiveAsSourceExpression(const String& directiveName, const St ring& sourceExpression);
203 void reportDuplicateDirective(const String&); 207 void reportDuplicateDirective(const String&);
204 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value); 208 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value);
205 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char); 209 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char);
206 void reportInvalidPluginTypes(const String&); 210 void reportInvalidPluginTypes(const String&);
207 void reportInvalidSandboxFlags(const String&); 211 void reportInvalidSandboxFlags(const String&);
212 void reportInvalidSuboriginFlags(const String&);
208 void reportInvalidSourceExpression(const String& directiveName, const String & source); 213 void reportInvalidSourceExpression(const String& directiveName, const String & source);
209 void reportInvalidReflectedXSS(const String&); 214 void reportInvalidReflectedXSS(const String&);
210 void reportMissingReportURI(const String&); 215 void reportMissingReportURI(const String&);
211 void reportUnsupportedDirective(const String&); 216 void reportUnsupportedDirective(const String&);
212 void reportInvalidInReportOnly(const String&); 217 void reportInvalidInReportOnly(const String&);
213 void reportInvalidReferrer(const String&); 218 void reportInvalidReferrer(const String&);
214 void reportReportOnlyInMeta(const String&); 219 void reportReportOnlyInMeta(const String&);
215 void reportMetaOutsideHead(const String&); 220 void reportMetaOutsideHead(const String&);
221 void reportSuboriginInMeta(const String&);
216 void reportValueForEmptyDirective(const String& directiveName, const String& value); 222 void reportValueForEmptyDirective(const String& directiveName, const String& value);
217 223
218 // If a frame is passed in, the report will be sent using it as a context. I f no frame is 224 // If a frame is passed in, the report will be sent using it as a context. I f no frame is
219 // passed in, the report will be sent via this object's |m_executionContext| (or dropped 225 // passed in, the report will be sent via this object's |m_executionContext| (or dropped
220 // on the floor if no such context is available). 226 // on the floor if no such context is available).
221 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin g>& reportEndpoints, const String& header, LocalFrame* = nullptr); 227 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin g>& reportEndpoints, const String& header, LocalFrame* = nullptr);
222 228
223 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst; 229 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst;
224 230
225 const KURL url() const; 231 const KURL url() const;
226 void enforceSandboxFlags(SandboxFlags); 232 void enforceSandboxFlags(SandboxFlags);
233 void enforceSuborigin(const String&);
227 void enforceStrictMixedContentChecking(); 234 void enforceStrictMixedContentChecking();
228 String evalDisabledErrorMessage() const; 235 String evalDisabledErrorMessage() const;
229 236
230 void setInsecureRequestsPolicy(SecurityContext::InsecureRequestsPolicy); 237 void setInsecureRequestsPolicy(SecurityContext::InsecureRequestsPolicy);
231 SecurityContext::InsecureRequestsPolicy insecureRequestsPolicy() const { ret urn m_insecureRequestsPolicy; }; 238 SecurityContext::InsecureRequestsPolicy insecureRequestsPolicy() const { ret urn m_insecureRequestsPolicy; };
232 239
233 bool urlMatchesSelf(const KURL&) const; 240 bool urlMatchesSelf(const KURL&) const;
234 bool protocolMatchesSelf(const KURL&) const; 241 bool protocolMatchesSelf(const KURL&) const;
235 242
236 bool experimentalFeaturesEnabled() const; 243 bool experimentalFeaturesEnabled() const;
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
273 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; 280 HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
274 281
275 // We put the hash functions used on the policy object so that we only need 282 // We put the hash functions used on the policy object so that we only need
276 // to calculate a hash once and then distribute it to all of the directives 283 // to calculate a hash once and then distribute it to all of the directives
277 // for validation. 284 // for validation.
278 uint8_t m_scriptHashAlgorithmsUsed; 285 uint8_t m_scriptHashAlgorithmsUsed;
279 uint8_t m_styleHashAlgorithmsUsed; 286 uint8_t m_styleHashAlgorithmsUsed;
280 287
281 // State flags used to configure the environment after parsing a policy. 288 // State flags used to configure the environment after parsing a policy.
282 SandboxFlags m_sandboxMask; 289 SandboxFlags m_sandboxMask;
290 String m_suboriginName;
283 bool m_enforceStrictMixedContentChecking; 291 bool m_enforceStrictMixedContentChecking;
284 ReferrerPolicy m_referrerPolicy; 292 ReferrerPolicy m_referrerPolicy;
285 String m_disableEvalErrorMessage; 293 String m_disableEvalErrorMessage;
286 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy; 294 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy;
287 295
288 OwnPtr<CSPSource> m_selfSource; 296 OwnPtr<CSPSource> m_selfSource;
289 String m_selfProtocol; 297 String m_selfProtocol;
290 }; 298 };
291 299
292 } 300 }
293 301
294 #endif 302 #endif
OLDNEW
« Source/core/dom/ExecutionContext.cpp ('K') | « Source/core/frame/csp/CSPDirectiveList.cpp ('k') | Source/core/frame/csp/ContentSecurityPolicy.cpp » ('j') | Source/platform/weborigin/SecurityOrigin.cpp » ('J')

Powered by Google App Engine
This is Rietveld 408576698