Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(15)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/csp/ContentSecurityPolicy.h

Issue 1109633002: Basic experimental suborigin CSP directive and SecurityOrigin mods (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase on ToT Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.cpp ('k') | Source/core/frame/csp/ContentSecurityPolicy.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after
94 // https://w3c.github.io/manifest/#content-security-policy 94 // https://w3c.github.io/manifest/#content-security-policy
95 static const char ManifestSrc[]; 95 static const char ManifestSrc[];
96 96
97 // Mixed Content Directive 97 // Mixed Content Directive
98 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode 98 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
99 static const char BlockAllMixedContent[]; 99 static const char BlockAllMixedContent[];
100 100
101 // https://w3c.github.io/webappsec/specs/upgrade/ 101 // https://w3c.github.io/webappsec/specs/upgrade/
102 static const char UpgradeInsecureRequests[]; 102 static const char UpgradeInsecureRequests[];
103 103
104 // Suborigin Directive
105 // https://metromoxie.github.io/webappsec/specs/suborigins/index.html
106 static const char Suborigin[];
107
104 enum ReportingStatus { 108 enum ReportingStatus {
105 SendReport, 109 SendReport,
106 SuppressReport 110 SuppressReport
107 }; 111 };
108 112
109 // When a resource is loaded after a redirect, source paths are 113 // When a resource is loaded after a redirect, source paths are
110 // ignored in the matching algorithm. 114 // ignored in the matching algorithm.
111 enum RedirectStatus { 115 enum RedirectStatus {
112 DidRedirect, 116 DidRedirect,
113 DidNotRedirect 117 DidNotRedirect
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after
197 // If a frame is passed in, the message will be logged to its active documen t's console. 201 // If a frame is passed in, the message will be logged to its active documen t's console.
198 // Otherwise, the message will be logged to this object's |m_executionContex t|. 202 // Otherwise, the message will be logged to this object's |m_executionContex t|.
199 void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = null ptr); 203 void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = null ptr);
200 204
201 void reportDirectiveAsSourceExpression(const String& directiveName, const St ring& sourceExpression); 205 void reportDirectiveAsSourceExpression(const String& directiveName, const St ring& sourceExpression);
202 void reportDuplicateDirective(const String&); 206 void reportDuplicateDirective(const String&);
203 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value); 207 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value);
204 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char); 208 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char);
205 void reportInvalidPluginTypes(const String&); 209 void reportInvalidPluginTypes(const String&);
206 void reportInvalidSandboxFlags(const String&); 210 void reportInvalidSandboxFlags(const String&);
211 void reportInvalidSuboriginFlags(const String&);
207 void reportInvalidSourceExpression(const String& directiveName, const String & source); 212 void reportInvalidSourceExpression(const String& directiveName, const String & source);
208 void reportInvalidReflectedXSS(const String&); 213 void reportInvalidReflectedXSS(const String&);
209 void reportMissingReportURI(const String&); 214 void reportMissingReportURI(const String&);
210 void reportUnsupportedDirective(const String&); 215 void reportUnsupportedDirective(const String&);
211 void reportInvalidInReportOnly(const String&); 216 void reportInvalidInReportOnly(const String&);
212 void reportInvalidReferrer(const String&); 217 void reportInvalidReferrer(const String&);
213 void reportReportOnlyInMeta(const String&); 218 void reportReportOnlyInMeta(const String&);
214 void reportMetaOutsideHead(const String&); 219 void reportMetaOutsideHead(const String&);
220 void reportSuboriginInMeta(const String&);
215 void reportValueForEmptyDirective(const String& directiveName, const String& value); 221 void reportValueForEmptyDirective(const String& directiveName, const String& value);
216 222
217 // If a frame is passed in, the report will be sent using it as a context. I f no frame is 223 // If a frame is passed in, the report will be sent using it as a context. I f no frame is
218 // passed in, the report will be sent via this object's |m_executionContext| (or dropped 224 // passed in, the report will be sent via this object's |m_executionContext| (or dropped
219 // on the floor if no such context is available). 225 // on the floor if no such context is available).
220 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin g>& reportEndpoints, const String& header, LocalFrame* = nullptr); 226 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin g>& reportEndpoints, const String& header, LocalFrame* = nullptr);
221 227
222 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst; 228 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst;
223 229
224 const KURL url() const; 230 const KURL url() const;
225 void enforceSandboxFlags(SandboxFlags); 231 void enforceSandboxFlags(SandboxFlags);
232 void enforceSuborigin(const String&);
226 void enforceStrictMixedContentChecking(); 233 void enforceStrictMixedContentChecking();
227 String evalDisabledErrorMessage() const; 234 String evalDisabledErrorMessage() const;
228 235
229 void setInsecureRequestsPolicy(SecurityContext::InsecureRequestsPolicy); 236 void setInsecureRequestsPolicy(SecurityContext::InsecureRequestsPolicy);
230 SecurityContext::InsecureRequestsPolicy insecureRequestsPolicy() const { ret urn m_insecureRequestsPolicy; }; 237 SecurityContext::InsecureRequestsPolicy insecureRequestsPolicy() const { ret urn m_insecureRequestsPolicy; };
231 238
232 bool urlMatchesSelf(const KURL&) const; 239 bool urlMatchesSelf(const KURL&) const;
233 bool protocolMatchesSelf(const KURL&) const; 240 bool protocolMatchesSelf(const KURL&) const;
234 241
235 bool experimentalFeaturesEnabled() const; 242 bool experimentalFeaturesEnabled() const;
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after
272 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; 279 HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
273 280
274 // We put the hash functions used on the policy object so that we only need 281 // We put the hash functions used on the policy object so that we only need
275 // to calculate a hash once and then distribute it to all of the directives 282 // to calculate a hash once and then distribute it to all of the directives
276 // for validation. 283 // for validation.
277 uint8_t m_scriptHashAlgorithmsUsed; 284 uint8_t m_scriptHashAlgorithmsUsed;
278 uint8_t m_styleHashAlgorithmsUsed; 285 uint8_t m_styleHashAlgorithmsUsed;
279 286
280 // State flags used to configure the environment after parsing a policy. 287 // State flags used to configure the environment after parsing a policy.
281 SandboxFlags m_sandboxMask; 288 SandboxFlags m_sandboxMask;
289 String m_suboriginName;
282 bool m_enforceStrictMixedContentChecking; 290 bool m_enforceStrictMixedContentChecking;
283 ReferrerPolicy m_referrerPolicy; 291 ReferrerPolicy m_referrerPolicy;
284 String m_disableEvalErrorMessage; 292 String m_disableEvalErrorMessage;
285 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy; 293 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy;
286 294
287 OwnPtr<CSPSource> m_selfSource; 295 OwnPtr<CSPSource> m_selfSource;
288 String m_selfProtocol; 296 String m_selfProtocol;
289 }; 297 };
290 298
291 } 299 }
292 300
293 #endif 301 #endif
OLDNEW
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.cpp ('k') | Source/core/frame/csp/ContentSecurityPolicy.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698