OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/strings/string_split.h" | 9 #include "base/strings/string_split.h" |
10 #include "base/strings/string_tokenizer.h" | 10 #include "base/strings/string_tokenizer.h" |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
50 const char* directive_name; | 50 const char* directive_name; |
51 bool seen_in_policy; | 51 bool seen_in_policy; |
52 }; | 52 }; |
53 | 53 |
54 // Returns whether |url| starts with |scheme_and_separator| and does not have a | 54 // Returns whether |url| starts with |scheme_and_separator| and does not have a |
55 // too permissive wildcard host name. If |should_check_rcd| is true, then the | 55 // too permissive wildcard host name. If |should_check_rcd| is true, then the |
56 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". | 56 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". |
57 bool isNonWildcardTLD(const std::string& url, | 57 bool isNonWildcardTLD(const std::string& url, |
58 const std::string& scheme_and_separator, | 58 const std::string& scheme_and_separator, |
59 bool should_check_rcd) { | 59 bool should_check_rcd) { |
60 if (!StartsWithASCII(url, scheme_and_separator, true)) | 60 if (!base::StartsWithASCII(url, scheme_and_separator, true)) |
61 return false; | 61 return false; |
62 | 62 |
63 size_t start_of_host = scheme_and_separator.length(); | 63 size_t start_of_host = scheme_and_separator.length(); |
64 | 64 |
65 size_t end_of_host = url.find("/", start_of_host); | 65 size_t end_of_host = url.find("/", start_of_host); |
66 if (end_of_host == std::string::npos) | 66 if (end_of_host == std::string::npos) |
67 end_of_host = url.size(); | 67 end_of_host = url.size(); |
68 | 68 |
69 // Note: It is sufficient to only compare the first character against '*' | 69 // Note: It is sufficient to only compare the first character against '*' |
70 // because the CSP only allows wildcards at the start of a directive, see | 70 // because the CSP only allows wildcards at the start of a directive, see |
(...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
126 std::string source = tokenizer->token(); | 126 std::string source = tokenizer->token(); |
127 base::StringToLowerASCII(&source); | 127 base::StringToLowerASCII(&source); |
128 bool is_secure_csp_token = false; | 128 bool is_secure_csp_token = false; |
129 | 129 |
130 // We might need to relax this whitelist over time. | 130 // We might need to relax this whitelist over time. |
131 if (source == "'self'" || source == "'none'" || | 131 if (source == "'self'" || source == "'none'" || |
132 source == "http://127.0.0.1" || | 132 source == "http://127.0.0.1" || |
133 base::LowerCaseEqualsASCII(source, "blob:") || | 133 base::LowerCaseEqualsASCII(source, "blob:") || |
134 base::LowerCaseEqualsASCII(source, "filesystem:") || | 134 base::LowerCaseEqualsASCII(source, "filesystem:") || |
135 base::LowerCaseEqualsASCII(source, "http://localhost") || | 135 base::LowerCaseEqualsASCII(source, "http://localhost") || |
136 StartsWithASCII(source, "http://127.0.0.1:", true) || | 136 base::StartsWithASCII(source, "http://127.0.0.1:", true) || |
137 StartsWithASCII(source, "http://localhost:", true) || | 137 base::StartsWithASCII(source, "http://localhost:", true) || |
138 isNonWildcardTLD(source, "https://", true) || | 138 isNonWildcardTLD(source, "https://", true) || |
139 isNonWildcardTLD(source, "chrome://", false) || | 139 isNonWildcardTLD(source, "chrome://", false) || |
140 isNonWildcardTLD(source, std::string(extensions::kExtensionScheme) + | 140 isNonWildcardTLD(source, std::string(extensions::kExtensionScheme) + |
141 url::kStandardSchemeSeparator, | 141 url::kStandardSchemeSeparator, |
142 false) || | 142 false) || |
143 StartsWithASCII(source, "chrome-extension-resource:", true)) { | 143 base::StartsWithASCII(source, "chrome-extension-resource:", true)) { |
144 is_secure_csp_token = true; | 144 is_secure_csp_token = true; |
145 } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) && | 145 } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) && |
146 source == "'unsafe-eval'") { | 146 source == "'unsafe-eval'") { |
147 is_secure_csp_token = true; | 147 is_secure_csp_token = true; |
148 } | 148 } |
149 | 149 |
150 if (is_secure_csp_token) { | 150 if (is_secure_csp_token) { |
151 sane_csp_parts->push_back(source); | 151 sane_csp_parts->push_back(source); |
152 } else if (warnings) { | 152 } else if (warnings) { |
153 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | 153 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( |
(...skipping 183 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
337 } | 337 } |
338 } | 338 } |
339 } | 339 } |
340 | 340 |
341 return seen_sandbox; | 341 return seen_sandbox; |
342 } | 342 } |
343 | 343 |
344 } // namespace csp_validator | 344 } // namespace csp_validator |
345 | 345 |
346 } // namespace extensions | 346 } // namespace extensions |
OLD | NEW |