| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/strings/string_split.h" | 9 #include "base/strings/string_split.h" |
| 10 #include "base/strings/string_tokenizer.h" | 10 #include "base/strings/string_tokenizer.h" |
| (...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 50 const char* directive_name; | 50 const char* directive_name; |
| 51 bool seen_in_policy; | 51 bool seen_in_policy; |
| 52 }; | 52 }; |
| 53 | 53 |
| 54 // Returns whether |url| starts with |scheme_and_separator| and does not have a | 54 // Returns whether |url| starts with |scheme_and_separator| and does not have a |
| 55 // too permissive wildcard host name. If |should_check_rcd| is true, then the | 55 // too permissive wildcard host name. If |should_check_rcd| is true, then the |
| 56 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". | 56 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". |
| 57 bool isNonWildcardTLD(const std::string& url, | 57 bool isNonWildcardTLD(const std::string& url, |
| 58 const std::string& scheme_and_separator, | 58 const std::string& scheme_and_separator, |
| 59 bool should_check_rcd) { | 59 bool should_check_rcd) { |
| 60 if (!base::StartsWithASCII(url, scheme_and_separator, true)) | 60 if (!base::StartsWith(url, scheme_and_separator, |
| 61 base::CompareCase::SENSITIVE)) |
| 61 return false; | 62 return false; |
| 62 | 63 |
| 63 size_t start_of_host = scheme_and_separator.length(); | 64 size_t start_of_host = scheme_and_separator.length(); |
| 64 | 65 |
| 65 size_t end_of_host = url.find("/", start_of_host); | 66 size_t end_of_host = url.find("/", start_of_host); |
| 66 if (end_of_host == std::string::npos) | 67 if (end_of_host == std::string::npos) |
| 67 end_of_host = url.size(); | 68 end_of_host = url.size(); |
| 68 | 69 |
| 69 // Note: It is sufficient to only compare the first character against '*' | 70 // Note: It is sufficient to only compare the first character against '*' |
| 70 // because the CSP only allows wildcards at the start of a directive, see | 71 // because the CSP only allows wildcards at the start of a directive, see |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 126 std::string source = tokenizer->token(); | 127 std::string source = tokenizer->token(); |
| 127 base::StringToLowerASCII(&source); | 128 base::StringToLowerASCII(&source); |
| 128 bool is_secure_csp_token = false; | 129 bool is_secure_csp_token = false; |
| 129 | 130 |
| 130 // We might need to relax this whitelist over time. | 131 // We might need to relax this whitelist over time. |
| 131 if (source == "'self'" || source == "'none'" || | 132 if (source == "'self'" || source == "'none'" || |
| 132 source == "http://127.0.0.1" || | 133 source == "http://127.0.0.1" || |
| 133 base::LowerCaseEqualsASCII(source, "blob:") || | 134 base::LowerCaseEqualsASCII(source, "blob:") || |
| 134 base::LowerCaseEqualsASCII(source, "filesystem:") || | 135 base::LowerCaseEqualsASCII(source, "filesystem:") || |
| 135 base::LowerCaseEqualsASCII(source, "http://localhost") || | 136 base::LowerCaseEqualsASCII(source, "http://localhost") || |
| 136 base::StartsWithASCII(source, "http://127.0.0.1:", true) || | 137 base::StartsWith(source, "http://127.0.0.1:", |
| 137 base::StartsWithASCII(source, "http://localhost:", true) || | 138 base::CompareCase::SENSITIVE) || |
| 139 base::StartsWith(source, "http://localhost:", |
| 140 base::CompareCase::SENSITIVE) || |
| 138 isNonWildcardTLD(source, "https://", true) || | 141 isNonWildcardTLD(source, "https://", true) || |
| 139 isNonWildcardTLD(source, "chrome://", false) || | 142 isNonWildcardTLD(source, "chrome://", false) || |
| 140 isNonWildcardTLD(source, std::string(extensions::kExtensionScheme) + | 143 isNonWildcardTLD(source, std::string(extensions::kExtensionScheme) + |
| 141 url::kStandardSchemeSeparator, | 144 url::kStandardSchemeSeparator, |
| 142 false) || | 145 false) || |
| 143 base::StartsWithASCII(source, "chrome-extension-resource:", true)) { | 146 base::StartsWith(source, "chrome-extension-resource:", |
| 147 base::CompareCase::SENSITIVE)) { |
| 144 is_secure_csp_token = true; | 148 is_secure_csp_token = true; |
| 145 } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) && | 149 } else if ((options & OPTIONS_ALLOW_UNSAFE_EVAL) && |
| 146 source == "'unsafe-eval'") { | 150 source == "'unsafe-eval'") { |
| 147 is_secure_csp_token = true; | 151 is_secure_csp_token = true; |
| 148 } | 152 } |
| 149 | 153 |
| 150 if (is_secure_csp_token) { | 154 if (is_secure_csp_token) { |
| 151 sane_csp_parts->push_back(source); | 155 sane_csp_parts->push_back(source); |
| 152 } else if (warnings) { | 156 } else if (warnings) { |
| 153 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | 157 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( |
| (...skipping 183 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 337 } | 341 } |
| 338 } | 342 } |
| 339 } | 343 } |
| 340 | 344 |
| 341 return seen_sandbox; | 345 return seen_sandbox; |
| 342 } | 346 } |
| 343 | 347 |
| 344 } // namespace csp_validator | 348 } // namespace csp_validator |
| 345 | 349 |
| 346 } // namespace extensions | 350 } // namespace extensions |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1242023005:
Remove legacy StartsWithASCII function. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master