OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
6 | 6 |
7 #include <vector> | 7 #include <vector> |
8 | 8 |
9 #include "base/strings/string_split.h" | 9 #include "base/strings/string_split.h" |
10 #include "base/strings/string_tokenizer.h" | 10 #include "base/strings/string_tokenizer.h" |
(...skipping 274 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
285 AllowedToHaveInsecureObjectSrc(options, directives); | 285 AllowedToHaveInsecureObjectSrc(options, directives); |
286 | 286 |
287 std::vector<std::string> sane_csp_parts; | 287 std::vector<std::string> sane_csp_parts; |
288 std::vector<InstallWarning> default_src_csp_warnings; | 288 std::vector<InstallWarning> default_src_csp_warnings; |
289 for (size_t i = 0; i < directives.size(); ++i) { | 289 for (size_t i = 0; i < directives.size(); ++i) { |
290 std::string& input = directives[i]; | 290 std::string& input = directives[i]; |
291 base::StringTokenizer tokenizer(input, " \t\r\n"); | 291 base::StringTokenizer tokenizer(input, " \t\r\n"); |
292 if (!tokenizer.GetNext()) | 292 if (!tokenizer.GetNext()) |
293 continue; | 293 continue; |
294 | 294 |
295 std::string directive_name = tokenizer.token(); | 295 std::string directive_name = base::ToLowerASCII(tokenizer.token_piece()); |
296 base::StringToLowerASCII(&directive_name); | |
297 | |
298 if (UpdateStatus(directive_name, &tokenizer, &default_src_status, options, | 296 if (UpdateStatus(directive_name, &tokenizer, &default_src_status, options, |
299 &sane_csp_parts, &default_src_csp_warnings)) | 297 &sane_csp_parts, &default_src_csp_warnings)) |
300 continue; | 298 continue; |
301 if (UpdateStatus(directive_name, &tokenizer, &script_src_status, options, | 299 if (UpdateStatus(directive_name, &tokenizer, &script_src_status, options, |
302 &sane_csp_parts, warnings)) | 300 &sane_csp_parts, warnings)) |
303 continue; | 301 continue; |
304 if (!allow_insecure_object_src && | 302 if (!allow_insecure_object_src && |
305 UpdateStatus(directive_name, &tokenizer, &object_src_status, options, | 303 UpdateStatus(directive_name, &tokenizer, &object_src_status, options, |
306 &sane_csp_parts, warnings)) | 304 &sane_csp_parts, warnings)) |
307 continue; | 305 continue; |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
341 bool ContentSecurityPolicyIsSandboxed( | 339 bool ContentSecurityPolicyIsSandboxed( |
342 const std::string& policy, Manifest::Type type) { | 340 const std::string& policy, Manifest::Type type) { |
343 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. | 341 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. |
344 bool seen_sandbox = false; | 342 bool seen_sandbox = false; |
345 for (const std::string& input : base::SplitString( | 343 for (const std::string& input : base::SplitString( |
346 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { | 344 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { |
347 base::StringTokenizer tokenizer(input, " \t\r\n"); | 345 base::StringTokenizer tokenizer(input, " \t\r\n"); |
348 if (!tokenizer.GetNext()) | 346 if (!tokenizer.GetNext()) |
349 continue; | 347 continue; |
350 | 348 |
351 std::string directive_name = tokenizer.token(); | 349 std::string directive_name = base::ToLowerASCII(tokenizer.token_piece()); |
352 base::StringToLowerASCII(&directive_name); | |
353 | |
354 if (directive_name != kSandboxDirectiveName) | 350 if (directive_name != kSandboxDirectiveName) |
355 continue; | 351 continue; |
356 | 352 |
357 seen_sandbox = true; | 353 seen_sandbox = true; |
358 | 354 |
359 while (tokenizer.GetNext()) { | 355 while (tokenizer.GetNext()) { |
360 std::string token = tokenizer.token(); | 356 std::string token = base::ToLowerASCII(tokenizer.token_piece()); |
361 base::StringToLowerASCII(&token); | |
362 | 357 |
363 // The same origin token negates the sandboxing. | 358 // The same origin token negates the sandboxing. |
364 if (token == kAllowSameOriginToken) | 359 if (token == kAllowSameOriginToken) |
365 return false; | 360 return false; |
366 | 361 |
367 // Platform apps don't allow navigation. | 362 // Platform apps don't allow navigation. |
368 if (type == Manifest::TYPE_PLATFORM_APP) { | 363 if (type == Manifest::TYPE_PLATFORM_APP) { |
369 if (token == kAllowTopNavigation) | 364 if (token == kAllowTopNavigation) |
370 return false; | 365 return false; |
371 } | 366 } |
372 } | 367 } |
373 } | 368 } |
374 | 369 |
375 return seen_sandbox; | 370 return seen_sandbox; |
376 } | 371 } |
377 | 372 |
378 } // namespace csp_validator | 373 } // namespace csp_validator |
379 | 374 |
380 } // namespace extensions | 375 } // namespace extensions |
OLD | NEW |