Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(393)

Side by Side Diff: Source/core/frame/ContentSecurityPolicy.cpp

Issue 131103010: CSP 1.1: Introduce the 'child-src' directive. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Tests. Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « Source/core/frame/ContentSecurityPolicy.h ('k') | Source/core/loader/DocumentLoader.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after
141 static const char imgSrc[] = "img-src"; 141 static const char imgSrc[] = "img-src";
142 static const char mediaSrc[] = "media-src"; 142 static const char mediaSrc[] = "media-src";
143 static const char objectSrc[] = "object-src"; 143 static const char objectSrc[] = "object-src";
144 static const char reportURI[] = "report-uri"; 144 static const char reportURI[] = "report-uri";
145 static const char sandbox[] = "sandbox"; 145 static const char sandbox[] = "sandbox";
146 static const char scriptSrc[] = "script-src"; 146 static const char scriptSrc[] = "script-src";
147 static const char styleSrc[] = "style-src"; 147 static const char styleSrc[] = "style-src";
148 148
149 // CSP 1.1 Directives 149 // CSP 1.1 Directives
150 static const char baseURI[] = "base-uri"; 150 static const char baseURI[] = "base-uri";
151 static const char childSrc[] = "child-src";
151 static const char formAction[] = "form-action"; 152 static const char formAction[] = "form-action";
152 static const char frameAncestors[] = "frame-ancestors"; 153 static const char frameAncestors[] = "frame-ancestors";
153 static const char pluginTypes[] = "plugin-types"; 154 static const char pluginTypes[] = "plugin-types";
154 static const char reflectedXSS[] = "reflected-xss"; 155 static const char reflectedXSS[] = "reflected-xss";
155 static const char referrer[] = "referrer"; 156 static const char referrer[] = "referrer";
156 157
157 bool isDirectiveName(const String& name) 158 bool isDirectiveName(const String& name)
158 { 159 {
159 return (equalIgnoringCase(name, connectSrc) 160 return (equalIgnoringCase(name, connectSrc)
160 || equalIgnoringCase(name, defaultSrc) 161 || equalIgnoringCase(name, defaultSrc)
161 || equalIgnoringCase(name, fontSrc) 162 || equalIgnoringCase(name, fontSrc)
162 || equalIgnoringCase(name, frameSrc) 163 || equalIgnoringCase(name, frameSrc)
163 || equalIgnoringCase(name, imgSrc) 164 || equalIgnoringCase(name, imgSrc)
164 || equalIgnoringCase(name, mediaSrc) 165 || equalIgnoringCase(name, mediaSrc)
165 || equalIgnoringCase(name, objectSrc) 166 || equalIgnoringCase(name, objectSrc)
166 || equalIgnoringCase(name, reportURI) 167 || equalIgnoringCase(name, reportURI)
167 || equalIgnoringCase(name, sandbox) 168 || equalIgnoringCase(name, sandbox)
168 || equalIgnoringCase(name, scriptSrc) 169 || equalIgnoringCase(name, scriptSrc)
169 || equalIgnoringCase(name, styleSrc) 170 || equalIgnoringCase(name, styleSrc)
170 || equalIgnoringCase(name, baseURI) 171 || equalIgnoringCase(name, baseURI)
172 || equalIgnoringCase(name, childSrc)
171 || equalIgnoringCase(name, formAction) 173 || equalIgnoringCase(name, formAction)
172 || equalIgnoringCase(name, frameAncestors) 174 || equalIgnoringCase(name, frameAncestors)
173 || equalIgnoringCase(name, pluginTypes) 175 || equalIgnoringCase(name, pluginTypes)
174 || equalIgnoringCase(name, reflectedXSS) 176 || equalIgnoringCase(name, reflectedXSS)
175 || equalIgnoringCase(name, referrer) 177 || equalIgnoringCase(name, referrer)
176 ); 178 );
177 } 179 }
178 180
179 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) 181 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type)
180 { 182 {
(...skipping 708 matching lines...) Expand 10 before | Expand all | Expand 10 after
889 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat us) const; 891 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat us) const;
890 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting Status) const; 892 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting Status) const;
891 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const; 893 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const;
892 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const; 894 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const;
893 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus ) const; 895 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus ) const;
894 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const; 896 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const;
895 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const; 897 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu s) const;
896 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co nst; 898 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co nst;
897 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const ; 899 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const ;
898 bool allowAncestors(Frame*, ContentSecurityPolicy::ReportingStatus) const; 900 bool allowAncestors(Frame*, ContentSecurityPolicy::ReportingStatus) const;
901 bool allowChildContextFromSource(const KURL&, ContentSecurityPolicy::Reporti ngStatus) const;
899 bool allowScriptNonce(const String&) const; 902 bool allowScriptNonce(const String&) const;
900 bool allowStyleNonce(const String&) const; 903 bool allowStyleNonce(const String&) const;
901 bool allowScriptHash(const SourceHashValue&) const; 904 bool allowScriptHash(const SourceHashValue&) const;
902 bool allowStyleHash(const SourceHashValue&) const; 905 bool allowStyleHash(const SourceHashValue&) const;
903 906
904 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM essage; } 907 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM essage; }
905 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected XSSDisposition; } 908 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected XSSDisposition; }
906 ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; } 909 ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; }
907 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } 910 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; }
908 bool isReportOnly() const { return m_reportOnly; } 911 bool isReportOnly() const { return m_reportOnly; }
909 const Vector<KURL>& reportURIs() const { return m_reportURIs; } 912 const Vector<KURL>& reportURIs() const { return m_reportURIs; }
910 913
911 private: 914 private:
912 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType, ContentSecurityPolicy::HeaderSource); 915 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType, ContentSecurityPolicy::HeaderSource);
913 916
914 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri ng& value); 917 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri ng& value);
915 void parseReportURI(const String& name, const String& value); 918 void parseReportURI(const String& name, const String& value);
916 void parsePluginTypes(const String& name, const String& value); 919 void parsePluginTypes(const String& name, const String& value);
917 void parseReflectedXSS(const String& name, const String& value); 920 void parseReflectedXSS(const String& name, const String& value);
918 void parseReferrer(const String& name, const String& value); 921 void parseReferrer(const String& name, const String& value);
919 void addDirective(const String& name, const String& value); 922 void addDirective(const String& name, const String& value);
920 void applySandboxPolicy(const String& name, const String& sandboxPolicy); 923 void applySandboxPolicy(const String& name, const String& sandboxPolicy);
921 924
922 template <class CSPDirectiveType> 925 template <class CSPDirectiveType>
923 void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDire ctiveType>&); 926 void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDire ctiveType>&);
924 927
925 SourceListDirective* operativeDirective(SourceListDirective*) const; 928 SourceListDirective* operativeDirective(SourceListDirective*) const;
929 SourceListDirective* operativeDirective(SourceListDirective*, SourceListDire ctive* override) const;
926 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL) const; 930 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL) const;
927 void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; 931 void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
928 void reportViolationWithState(const String& directiveText, const String& eff ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta te*) const; 932 void reportViolationWithState(const String& directiveText, const String& eff ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta te*) const;
929 933
930 bool checkEval(SourceListDirective*) const; 934 bool checkEval(SourceListDirective*) const;
931 bool checkInline(SourceListDirective*) const; 935 bool checkInline(SourceListDirective*) const;
932 bool checkNonce(SourceListDirective*, const String&) const; 936 bool checkNonce(SourceListDirective*, const String&) const;
933 bool checkHash(SourceListDirective*, const SourceHashValue&) const; 937 bool checkHash(SourceListDirective*, const SourceHashValue&) const;
934 bool checkSource(SourceListDirective*, const KURL&) const; 938 bool checkSource(SourceListDirective*, const KURL&) const;
935 bool checkMediaType(MediaListDirective*, const String& type, const String& t ypeAttribute) const; 939 bool checkMediaType(MediaListDirective*, const String& type, const String& t ypeAttribute) const;
(...skipping 18 matching lines...) Expand all
954 958
955 bool m_reportOnly; 959 bool m_reportOnly;
956 bool m_haveSandboxPolicy; 960 bool m_haveSandboxPolicy;
957 ReflectedXSSDisposition m_reflectedXSSDisposition; 961 ReflectedXSSDisposition m_reflectedXSSDisposition;
958 962
959 bool m_didSetReferrerPolicy; 963 bool m_didSetReferrerPolicy;
960 ReferrerPolicy m_referrerPolicy; 964 ReferrerPolicy m_referrerPolicy;
961 965
962 OwnPtr<MediaListDirective> m_pluginTypes; 966 OwnPtr<MediaListDirective> m_pluginTypes;
963 OwnPtr<SourceListDirective> m_baseURI; 967 OwnPtr<SourceListDirective> m_baseURI;
968 OwnPtr<SourceListDirective> m_childSrc;
964 OwnPtr<SourceListDirective> m_connectSrc; 969 OwnPtr<SourceListDirective> m_connectSrc;
965 OwnPtr<SourceListDirective> m_defaultSrc; 970 OwnPtr<SourceListDirective> m_defaultSrc;
966 OwnPtr<SourceListDirective> m_fontSrc; 971 OwnPtr<SourceListDirective> m_fontSrc;
967 OwnPtr<SourceListDirective> m_formAction; 972 OwnPtr<SourceListDirective> m_formAction;
968 OwnPtr<SourceListDirective> m_frameAncestors; 973 OwnPtr<SourceListDirective> m_frameAncestors;
969 OwnPtr<SourceListDirective> m_frameSrc; 974 OwnPtr<SourceListDirective> m_frameSrc;
970 OwnPtr<SourceListDirective> m_imgSrc; 975 OwnPtr<SourceListDirective> m_imgSrc;
971 OwnPtr<SourceListDirective> m_mediaSrc; 976 OwnPtr<SourceListDirective> m_mediaSrc;
972 OwnPtr<SourceListDirective> m_objectSrc; 977 OwnPtr<SourceListDirective> m_objectSrc;
973 OwnPtr<SourceListDirective> m_scriptSrc; 978 OwnPtr<SourceListDirective> m_scriptSrc;
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after
1072 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type) 1077 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type)
1073 return false; 1078 return false;
1074 return directive->allows(type); 1079 return directive->allows(type);
1075 } 1080 }
1076 1081
1077 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d irective) const 1082 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d irective) const
1078 { 1083 {
1079 return directive ? directive : m_defaultSrc.get(); 1084 return directive ? directive : m_defaultSrc.get();
1080 } 1085 }
1081 1086
1087 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d irective, SourceListDirective* override) const
1088 {
1089 return directive ? directive : override;
1090 }
1091
1082 bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directiv e, const String& consoleMessage, ScriptState* state) const 1092 bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directiv e, const String& consoleMessage, ScriptState* state) const
1083 { 1093 {
1084 if (checkEval(directive)) 1094 if (checkEval(directive))
1085 return true; 1095 return true;
1086 1096
1087 String suffix = String(); 1097 String suffix = String();
1088 if (directive == m_defaultSrc) 1098 if (directive == m_defaultSrc)
1089 suffix = " Note that 'script-src' was not explicitly set, so 'default-sr c' is used as a fallback."; 1099 suffix = " Note that 'script-src' was not explicitly set, so 'default-sr c' is used as a fallback.";
1090 1100
1091 reportViolationWithState(directive->text(), scriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), state); 1101 reportViolationWithState(directive->text(), scriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), state);
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
1135 } 1145 }
1136 1146
1137 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct ive, const KURL& url, const String& effectiveDirective) const 1147 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct ive, const KURL& url, const String& effectiveDirective) const
1138 { 1148 {
1139 if (checkSource(directive, url)) 1149 if (checkSource(directive, url))
1140 return true; 1150 return true;
1141 1151
1142 String prefix; 1152 String prefix;
1143 if (baseURI == effectiveDirective) 1153 if (baseURI == effectiveDirective)
1144 prefix = "Refused to set the document's base URI to '"; 1154 prefix = "Refused to set the document's base URI to '";
1155 else if (childSrc == effectiveDirective)
1156 prefix = "Refused to create a child context containing '";
1145 else if (connectSrc == effectiveDirective) 1157 else if (connectSrc == effectiveDirective)
1146 prefix = "Refused to connect to '"; 1158 prefix = "Refused to connect to '";
1147 else if (fontSrc == effectiveDirective) 1159 else if (fontSrc == effectiveDirective)
1148 prefix = "Refused to load the font '"; 1160 prefix = "Refused to load the font '";
1149 else if (formAction == effectiveDirective) 1161 else if (formAction == effectiveDirective)
1150 prefix = "Refused to send form data to '"; 1162 prefix = "Refused to send form data to '";
1151 else if (frameSrc == effectiveDirective) 1163 else if (frameSrc == effectiveDirective)
1152 prefix = "Refused to frame '"; 1164 prefix = "Refused to frame '";
1153 else if (imgSrc == effectiveDirective) 1165 else if (imgSrc == effectiveDirective)
1154 prefix = "Refused to load the image '"; 1166 prefix = "Refused to load the image '";
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after
1240 return true; 1252 return true;
1241 return reportingStatus == ContentSecurityPolicy::SendReport ? 1253 return reportingStatus == ContentSecurityPolicy::SendReport ?
1242 checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url , objectSrc) : 1254 checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url , objectSrc) :
1243 checkSource(operativeDirective(m_objectSrc.get()), url); 1255 checkSource(operativeDirective(m_objectSrc.get()), url);
1244 } 1256 }
1245 1257
1246 bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurit yPolicy::ReportingStatus reportingStatus) const 1258 bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurit yPolicy::ReportingStatus reportingStatus) const
1247 { 1259 {
1248 if (url.isBlankURL()) 1260 if (url.isBlankURL())
1249 return true; 1261 return true;
1262
1263 // 'frame-src' is the only directive which overrides something other than th e default sources.
1264 // It overrides 'child-src', which overrides the default sources. So, we do this nested set
1265 // of calls to 'operativeDirective()' to grab 'frame-src' if it exists, 'chi ld-src' if it
1266 // doesn't, and 'defaut-src' if neither are available.
1267 //
1268 // All of this only applies, of course, if we're in CSP 1.1. In CSP 1.0, 'fr ame-src'
1269 // overrides 'default-src' directly.
1270 SourceListDirective* whichDirective = m_policy->experimentalFeaturesEnabled( ) ?
1271 operativeDirective(m_frameSrc.get(), operativeDirective(m_childSrc.get() )) :
1272 operativeDirective(m_frameSrc.get());
1273
1250 return reportingStatus == ContentSecurityPolicy::SendReport ? 1274 return reportingStatus == ContentSecurityPolicy::SendReport ?
1251 checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, frameSrc) : 1275 checkSourceAndReportViolation(whichDirective, url, frameSrc) :
1252 checkSource(operativeDirective(m_frameSrc.get()), url); 1276 checkSource(whichDirective, url);
1253 } 1277 }
1254 1278
1255 bool CSPDirectiveList::allowImageFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const 1279 bool CSPDirectiveList::allowImageFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const
1256 { 1280 {
1257 return reportingStatus == ContentSecurityPolicy::SendReport ? 1281 return reportingStatus == ContentSecurityPolicy::SendReport ?
1258 checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, i mgSrc) : 1282 checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, i mgSrc) :
1259 checkSource(operativeDirective(m_imgSrc.get()), url); 1283 checkSource(operativeDirective(m_imgSrc.get()), url);
1260 } 1284 }
1261 1285
1262 bool CSPDirectiveList::allowStyleFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const 1286 bool CSPDirectiveList::allowStyleFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
1301 checkSource(m_baseURI.get(), url); 1325 checkSource(m_baseURI.get(), url);
1302 } 1326 }
1303 1327
1304 bool CSPDirectiveList::allowAncestors(Frame* frame, ContentSecurityPolicy::Repor tingStatus reportingStatus) const 1328 bool CSPDirectiveList::allowAncestors(Frame* frame, ContentSecurityPolicy::Repor tingStatus reportingStatus) const
1305 { 1329 {
1306 return reportingStatus == ContentSecurityPolicy::SendReport ? 1330 return reportingStatus == ContentSecurityPolicy::SendReport ?
1307 checkAncestorsAndReportViolation(m_frameAncestors.get(), frame) : 1331 checkAncestorsAndReportViolation(m_frameAncestors.get(), frame) :
1308 checkAncestors(m_frameAncestors.get(), frame); 1332 checkAncestors(m_frameAncestors.get(), frame);
1309 } 1333 }
1310 1334
1335 bool CSPDirectiveList::allowChildContextFromSource(const KURL& url, ContentSecur ityPolicy::ReportingStatus reportingStatus) const
1336 {
1337 return reportingStatus == ContentSecurityPolicy::SendReport ?
1338 checkSourceAndReportViolation(operativeDirective(m_childSrc.get()), url, childSrc) :
1339 checkSource(operativeDirective(m_childSrc.get()), url);
1340 }
1341
1311 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const 1342 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const
1312 { 1343 {
1313 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); 1344 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
1314 } 1345 }
1315 1346
1316 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const 1347 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const
1317 { 1348 {
1318 return checkNonce(operativeDirective(m_styleSrc.get()), nonce); 1349 return checkNonce(operativeDirective(m_styleSrc.get()), nonce);
1319 } 1350 }
1320 1351
(...skipping 267 matching lines...) Expand 10 before | Expand all | Expand 10 after
1588 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); 1619 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc);
1589 } else if (equalIgnoringCase(name, connectSrc)) { 1620 } else if (equalIgnoringCase(name, connectSrc)) {
1590 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); 1621 setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
1591 } else if (equalIgnoringCase(name, sandbox)) { 1622 } else if (equalIgnoringCase(name, sandbox)) {
1592 applySandboxPolicy(name, value); 1623 applySandboxPolicy(name, value);
1593 } else if (equalIgnoringCase(name, reportURI)) { 1624 } else if (equalIgnoringCase(name, reportURI)) {
1594 parseReportURI(name, value); 1625 parseReportURI(name, value);
1595 } else if (m_policy->experimentalFeaturesEnabled()) { 1626 } else if (m_policy->experimentalFeaturesEnabled()) {
1596 if (equalIgnoringCase(name, baseURI)) 1627 if (equalIgnoringCase(name, baseURI))
1597 setCSPDirective<SourceListDirective>(name, value, m_baseURI); 1628 setCSPDirective<SourceListDirective>(name, value, m_baseURI);
1629 else if (equalIgnoringCase(name, childSrc))
1630 setCSPDirective<SourceListDirective>(name, value, m_childSrc);
1598 else if (equalIgnoringCase(name, formAction)) 1631 else if (equalIgnoringCase(name, formAction))
1599 setCSPDirective<SourceListDirective>(name, value, m_formAction); 1632 setCSPDirective<SourceListDirective>(name, value, m_formAction);
1600 else if (equalIgnoringCase(name, frameAncestors)) 1633 else if (equalIgnoringCase(name, frameAncestors))
1601 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); 1634 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors);
1602 else if (equalIgnoringCase(name, pluginTypes)) 1635 else if (equalIgnoringCase(name, pluginTypes))
1603 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); 1636 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
1604 else if (equalIgnoringCase(name, reflectedXSS)) 1637 else if (equalIgnoringCase(name, reflectedXSS))
1605 parseReflectedXSS(name, value); 1638 parseReflectedXSS(name, value);
1606 else if (equalIgnoringCase(name, referrer)) 1639 else if (equalIgnoringCase(name, referrer))
1607 parseReferrer(name, value); 1640 parseReferrer(name, value);
(...skipping 330 matching lines...) Expand 10 before | Expand all | Expand 10 after
1938 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy: :ReportingStatus reportingStatus) const 1971 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy: :ReportingStatus reportingStatus) const
1939 { 1972 {
1940 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur l, reportingStatus); 1973 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur l, reportingStatus);
1941 } 1974 }
1942 1975
1943 bool ContentSecurityPolicy::allowAncestors(Frame* frame, ContentSecurityPolicy:: ReportingStatus reportingStatus) const 1976 bool ContentSecurityPolicy::allowAncestors(Frame* frame, ContentSecurityPolicy:: ReportingStatus reportingStatus) const
1944 { 1977 {
1945 return isAllowedByAllWithFrame<&CSPDirectiveList::allowAncestors>(m_policies , frame, reportingStatus); 1978 return isAllowedByAllWithFrame<&CSPDirectiveList::allowAncestors>(m_policies , frame, reportingStatus);
1946 } 1979 }
1947 1980
1981 bool ContentSecurityPolicy::allowChildContextFromSource(const KURL& url, Content SecurityPolicy::ReportingStatus reportingStatus) const
1982 {
1983 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource> (m_policies, url, reportingStatus);
1984 }
1985
1948 bool ContentSecurityPolicy::isActive() const 1986 bool ContentSecurityPolicy::isActive() const
1949 { 1987 {
1950 return !m_policies.isEmpty(); 1988 return !m_policies.isEmpty();
1951 } 1989 }
1952 1990
1953 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const 1991 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const
1954 { 1992 {
1955 ReflectedXSSDisposition disposition = ReflectedXSSUnset; 1993 ReflectedXSSDisposition disposition = ReflectedXSSUnset;
1956 for (size_t i = 0; i < m_policies.size(); ++i) { 1994 for (size_t i = 0; i < m_policies.size(); ++i) {
1957 if (m_policies[i]->reflectedXSSDisposition() > disposition) 1995 if (m_policies[i]->reflectedXSSDisposition() > disposition)
(...skipping 273 matching lines...) Expand 10 before | Expand all | Expand 10 after
2231 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report. 2269 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
2232 return !m_violationReportsSent.contains(report.impl()->hash()); 2270 return !m_violationReportsSent.contains(report.impl()->hash());
2233 } 2271 }
2234 2272
2235 void ContentSecurityPolicy::didSendViolationReport(const String& report) 2273 void ContentSecurityPolicy::didSendViolationReport(const String& report)
2236 { 2274 {
2237 m_violationReportsSent.add(report.impl()->hash()); 2275 m_violationReportsSent.add(report.impl()->hash());
2238 } 2276 }
2239 2277
2240 } // namespace WebCore 2278 } // namespace WebCore
OLDNEW
« no previous file with comments | « Source/core/frame/ContentSecurityPolicy.h ('k') | Source/core/loader/DocumentLoader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698