| OLD | NEW |
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 141 static const char imgSrc[] = "img-src"; | 141 static const char imgSrc[] = "img-src"; |
| 142 static const char mediaSrc[] = "media-src"; | 142 static const char mediaSrc[] = "media-src"; |
| 143 static const char objectSrc[] = "object-src"; | 143 static const char objectSrc[] = "object-src"; |
| 144 static const char reportURI[] = "report-uri"; | 144 static const char reportURI[] = "report-uri"; |
| 145 static const char sandbox[] = "sandbox"; | 145 static const char sandbox[] = "sandbox"; |
| 146 static const char scriptSrc[] = "script-src"; | 146 static const char scriptSrc[] = "script-src"; |
| 147 static const char styleSrc[] = "style-src"; | 147 static const char styleSrc[] = "style-src"; |
| 148 | 148 |
| 149 // CSP 1.1 Directives | 149 // CSP 1.1 Directives |
| 150 static const char baseURI[] = "base-uri"; | 150 static const char baseURI[] = "base-uri"; |
| 151 static const char childSrc[] = "child-src"; |
| 151 static const char formAction[] = "form-action"; | 152 static const char formAction[] = "form-action"; |
| 152 static const char frameAncestors[] = "frame-ancestors"; | 153 static const char frameAncestors[] = "frame-ancestors"; |
| 153 static const char pluginTypes[] = "plugin-types"; | 154 static const char pluginTypes[] = "plugin-types"; |
| 154 static const char reflectedXSS[] = "reflected-xss"; | 155 static const char reflectedXSS[] = "reflected-xss"; |
| 155 static const char referrer[] = "referrer"; | 156 static const char referrer[] = "referrer"; |
| 156 | 157 |
| 157 bool isDirectiveName(const String& name) | 158 bool isDirectiveName(const String& name) |
| 158 { | 159 { |
| 159 return (equalIgnoringCase(name, connectSrc) | 160 return (equalIgnoringCase(name, connectSrc) |
| 160 || equalIgnoringCase(name, defaultSrc) | 161 || equalIgnoringCase(name, defaultSrc) |
| 161 || equalIgnoringCase(name, fontSrc) | 162 || equalIgnoringCase(name, fontSrc) |
| 162 || equalIgnoringCase(name, frameSrc) | 163 || equalIgnoringCase(name, frameSrc) |
| 163 || equalIgnoringCase(name, imgSrc) | 164 || equalIgnoringCase(name, imgSrc) |
| 164 || equalIgnoringCase(name, mediaSrc) | 165 || equalIgnoringCase(name, mediaSrc) |
| 165 || equalIgnoringCase(name, objectSrc) | 166 || equalIgnoringCase(name, objectSrc) |
| 166 || equalIgnoringCase(name, reportURI) | 167 || equalIgnoringCase(name, reportURI) |
| 167 || equalIgnoringCase(name, sandbox) | 168 || equalIgnoringCase(name, sandbox) |
| 168 || equalIgnoringCase(name, scriptSrc) | 169 || equalIgnoringCase(name, scriptSrc) |
| 169 || equalIgnoringCase(name, styleSrc) | 170 || equalIgnoringCase(name, styleSrc) |
| 170 || equalIgnoringCase(name, baseURI) | 171 || equalIgnoringCase(name, baseURI) |
| 172 || equalIgnoringCase(name, childSrc) |
| 171 || equalIgnoringCase(name, formAction) | 173 || equalIgnoringCase(name, formAction) |
| 172 || equalIgnoringCase(name, frameAncestors) | 174 || equalIgnoringCase(name, frameAncestors) |
| 173 || equalIgnoringCase(name, pluginTypes) | 175 || equalIgnoringCase(name, pluginTypes) |
| 174 || equalIgnoringCase(name, reflectedXSS) | 176 || equalIgnoringCase(name, reflectedXSS) |
| 175 || equalIgnoringCase(name, referrer) | 177 || equalIgnoringCase(name, referrer) |
| 176 ); | 178 ); |
| 177 } | 179 } |
| 178 | 180 |
| 179 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) | 181 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) |
| 180 { | 182 { |
| (...skipping 708 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 889 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; | 891 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; |
| 890 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; | 892 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; |
| 891 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 893 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 892 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 894 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 893 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; | 895 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; |
| 894 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 896 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 895 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 897 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 896 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; | 898 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; |
| 897 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; | 899 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; |
| 898 bool allowAncestors(Frame*, ContentSecurityPolicy::ReportingStatus) const; | 900 bool allowAncestors(Frame*, ContentSecurityPolicy::ReportingStatus) const; |
| 901 bool allowChildContextFromSource(const KURL&, ContentSecurityPolicy::Reporti
ngStatus) const; |
| 899 bool allowScriptNonce(const String&) const; | 902 bool allowScriptNonce(const String&) const; |
| 900 bool allowStyleNonce(const String&) const; | 903 bool allowStyleNonce(const String&) const; |
| 901 bool allowScriptHash(const SourceHashValue&) const; | 904 bool allowScriptHash(const SourceHashValue&) const; |
| 902 bool allowStyleHash(const SourceHashValue&) const; | 905 bool allowStyleHash(const SourceHashValue&) const; |
| 903 | 906 |
| 904 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } | 907 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } |
| 905 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } | 908 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } |
| 906 ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; } | 909 ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; } |
| 907 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } | 910 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } |
| 908 bool isReportOnly() const { return m_reportOnly; } | 911 bool isReportOnly() const { return m_reportOnly; } |
| 909 const Vector<KURL>& reportURIs() const { return m_reportURIs; } | 912 const Vector<KURL>& reportURIs() const { return m_reportURIs; } |
| 910 | 913 |
| 911 private: | 914 private: |
| 912 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType,
ContentSecurityPolicy::HeaderSource); | 915 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType,
ContentSecurityPolicy::HeaderSource); |
| 913 | 916 |
| 914 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri
ng& value); | 917 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri
ng& value); |
| 915 void parseReportURI(const String& name, const String& value); | 918 void parseReportURI(const String& name, const String& value); |
| 916 void parsePluginTypes(const String& name, const String& value); | 919 void parsePluginTypes(const String& name, const String& value); |
| 917 void parseReflectedXSS(const String& name, const String& value); | 920 void parseReflectedXSS(const String& name, const String& value); |
| 918 void parseReferrer(const String& name, const String& value); | 921 void parseReferrer(const String& name, const String& value); |
| 919 void addDirective(const String& name, const String& value); | 922 void addDirective(const String& name, const String& value); |
| 920 void applySandboxPolicy(const String& name, const String& sandboxPolicy); | 923 void applySandboxPolicy(const String& name, const String& sandboxPolicy); |
| 921 | 924 |
| 922 template <class CSPDirectiveType> | 925 template <class CSPDirectiveType> |
| 923 void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDire
ctiveType>&); | 926 void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDire
ctiveType>&); |
| 924 | 927 |
| 925 SourceListDirective* operativeDirective(SourceListDirective*) const; | 928 SourceListDirective* operativeDirective(SourceListDirective*) const; |
| 929 SourceListDirective* operativeDirective(SourceListDirective*, SourceListDire
ctive* override) const; |
| 926 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL) const; | 930 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL) const; |
| 927 void reportViolationWithLocation(const String& directiveText, const String&
effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const
String& contextURL, const WTF::OrdinalNumber& contextLine) const; | 931 void reportViolationWithLocation(const String& directiveText, const String&
effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const
String& contextURL, const WTF::OrdinalNumber& contextLine) const; |
| 928 void reportViolationWithState(const String& directiveText, const String& eff
ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta
te*) const; | 932 void reportViolationWithState(const String& directiveText, const String& eff
ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta
te*) const; |
| 929 | 933 |
| 930 bool checkEval(SourceListDirective*) const; | 934 bool checkEval(SourceListDirective*) const; |
| 931 bool checkInline(SourceListDirective*) const; | 935 bool checkInline(SourceListDirective*) const; |
| 932 bool checkNonce(SourceListDirective*, const String&) const; | 936 bool checkNonce(SourceListDirective*, const String&) const; |
| 933 bool checkHash(SourceListDirective*, const SourceHashValue&) const; | 937 bool checkHash(SourceListDirective*, const SourceHashValue&) const; |
| 934 bool checkSource(SourceListDirective*, const KURL&) const; | 938 bool checkSource(SourceListDirective*, const KURL&) const; |
| 935 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; | 939 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; |
| (...skipping 18 matching lines...) Expand all Loading... |
| 954 | 958 |
| 955 bool m_reportOnly; | 959 bool m_reportOnly; |
| 956 bool m_haveSandboxPolicy; | 960 bool m_haveSandboxPolicy; |
| 957 ReflectedXSSDisposition m_reflectedXSSDisposition; | 961 ReflectedXSSDisposition m_reflectedXSSDisposition; |
| 958 | 962 |
| 959 bool m_didSetReferrerPolicy; | 963 bool m_didSetReferrerPolicy; |
| 960 ReferrerPolicy m_referrerPolicy; | 964 ReferrerPolicy m_referrerPolicy; |
| 961 | 965 |
| 962 OwnPtr<MediaListDirective> m_pluginTypes; | 966 OwnPtr<MediaListDirective> m_pluginTypes; |
| 963 OwnPtr<SourceListDirective> m_baseURI; | 967 OwnPtr<SourceListDirective> m_baseURI; |
| 968 OwnPtr<SourceListDirective> m_childSrc; |
| 964 OwnPtr<SourceListDirective> m_connectSrc; | 969 OwnPtr<SourceListDirective> m_connectSrc; |
| 965 OwnPtr<SourceListDirective> m_defaultSrc; | 970 OwnPtr<SourceListDirective> m_defaultSrc; |
| 966 OwnPtr<SourceListDirective> m_fontSrc; | 971 OwnPtr<SourceListDirective> m_fontSrc; |
| 967 OwnPtr<SourceListDirective> m_formAction; | 972 OwnPtr<SourceListDirective> m_formAction; |
| 968 OwnPtr<SourceListDirective> m_frameAncestors; | 973 OwnPtr<SourceListDirective> m_frameAncestors; |
| 969 OwnPtr<SourceListDirective> m_frameSrc; | 974 OwnPtr<SourceListDirective> m_frameSrc; |
| 970 OwnPtr<SourceListDirective> m_imgSrc; | 975 OwnPtr<SourceListDirective> m_imgSrc; |
| 971 OwnPtr<SourceListDirective> m_mediaSrc; | 976 OwnPtr<SourceListDirective> m_mediaSrc; |
| 972 OwnPtr<SourceListDirective> m_objectSrc; | 977 OwnPtr<SourceListDirective> m_objectSrc; |
| 973 OwnPtr<SourceListDirective> m_scriptSrc; | 978 OwnPtr<SourceListDirective> m_scriptSrc; |
| (...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1072 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type) | 1077 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type) |
| 1073 return false; | 1078 return false; |
| 1074 return directive->allows(type); | 1079 return directive->allows(type); |
| 1075 } | 1080 } |
| 1076 | 1081 |
| 1077 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
irective) const | 1082 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
irective) const |
| 1078 { | 1083 { |
| 1079 return directive ? directive : m_defaultSrc.get(); | 1084 return directive ? directive : m_defaultSrc.get(); |
| 1080 } | 1085 } |
| 1081 | 1086 |
| 1087 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
irective, SourceListDirective* override) const |
| 1088 { |
| 1089 return directive ? directive : override; |
| 1090 } |
| 1091 |
| 1082 bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directiv
e, const String& consoleMessage, ScriptState* state) const | 1092 bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directiv
e, const String& consoleMessage, ScriptState* state) const |
| 1083 { | 1093 { |
| 1084 if (checkEval(directive)) | 1094 if (checkEval(directive)) |
| 1085 return true; | 1095 return true; |
| 1086 | 1096 |
| 1087 String suffix = String(); | 1097 String suffix = String(); |
| 1088 if (directive == m_defaultSrc) | 1098 if (directive == m_defaultSrc) |
| 1089 suffix = " Note that 'script-src' was not explicitly set, so 'default-sr
c' is used as a fallback."; | 1099 suffix = " Note that 'script-src' was not explicitly set, so 'default-sr
c' is used as a fallback."; |
| 1090 | 1100 |
| 1091 reportViolationWithState(directive->text(), scriptSrc, consoleMessage + "\""
+ directive->text() + "\"." + suffix + "\n", KURL(), state); | 1101 reportViolationWithState(directive->text(), scriptSrc, consoleMessage + "\""
+ directive->text() + "\"." + suffix + "\n", KURL(), state); |
| (...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1135 } | 1145 } |
| 1136 | 1146 |
| 1137 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
ive, const KURL& url, const String& effectiveDirective) const | 1147 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
ive, const KURL& url, const String& effectiveDirective) const |
| 1138 { | 1148 { |
| 1139 if (checkSource(directive, url)) | 1149 if (checkSource(directive, url)) |
| 1140 return true; | 1150 return true; |
| 1141 | 1151 |
| 1142 String prefix; | 1152 String prefix; |
| 1143 if (baseURI == effectiveDirective) | 1153 if (baseURI == effectiveDirective) |
| 1144 prefix = "Refused to set the document's base URI to '"; | 1154 prefix = "Refused to set the document's base URI to '"; |
| 1155 else if (childSrc == effectiveDirective) |
| 1156 prefix = "Refused to create a child context containing '"; |
| 1145 else if (connectSrc == effectiveDirective) | 1157 else if (connectSrc == effectiveDirective) |
| 1146 prefix = "Refused to connect to '"; | 1158 prefix = "Refused to connect to '"; |
| 1147 else if (fontSrc == effectiveDirective) | 1159 else if (fontSrc == effectiveDirective) |
| 1148 prefix = "Refused to load the font '"; | 1160 prefix = "Refused to load the font '"; |
| 1149 else if (formAction == effectiveDirective) | 1161 else if (formAction == effectiveDirective) |
| 1150 prefix = "Refused to send form data to '"; | 1162 prefix = "Refused to send form data to '"; |
| 1151 else if (frameSrc == effectiveDirective) | 1163 else if (frameSrc == effectiveDirective) |
| 1152 prefix = "Refused to frame '"; | 1164 prefix = "Refused to frame '"; |
| 1153 else if (imgSrc == effectiveDirective) | 1165 else if (imgSrc == effectiveDirective) |
| 1154 prefix = "Refused to load the image '"; | 1166 prefix = "Refused to load the image '"; |
| (...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1240 return true; | 1252 return true; |
| 1241 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1253 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1242 checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url
, objectSrc) : | 1254 checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url
, objectSrc) : |
| 1243 checkSource(operativeDirective(m_objectSrc.get()), url); | 1255 checkSource(operativeDirective(m_objectSrc.get()), url); |
| 1244 } | 1256 } |
| 1245 | 1257 |
| 1246 bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurit
yPolicy::ReportingStatus reportingStatus) const | 1258 bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurit
yPolicy::ReportingStatus reportingStatus) const |
| 1247 { | 1259 { |
| 1248 if (url.isBlankURL()) | 1260 if (url.isBlankURL()) |
| 1249 return true; | 1261 return true; |
| 1262 |
| 1263 // 'frame-src' is the only directive which overrides something other than th
e default sources. |
| 1264 // It overrides 'child-src', which overrides the default sources. So, we do
this nested set |
| 1265 // of calls to 'operativeDirective()' to grab 'frame-src' if it exists, 'chi
ld-src' if it |
| 1266 // doesn't, and 'defaut-src' if neither are available. |
| 1267 // |
| 1268 // All of this only applies, of course, if we're in CSP 1.1. In CSP 1.0, 'fr
ame-src' |
| 1269 // overrides 'default-src' directly. |
| 1270 SourceListDirective* whichDirective = m_policy->experimentalFeaturesEnabled(
) ? |
| 1271 operativeDirective(m_frameSrc.get(), operativeDirective(m_childSrc.get()
)) : |
| 1272 operativeDirective(m_frameSrc.get()); |
| 1273 |
| 1250 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1274 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1251 checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url,
frameSrc) : | 1275 checkSourceAndReportViolation(whichDirective, url, frameSrc) : |
| 1252 checkSource(operativeDirective(m_frameSrc.get()), url); | 1276 checkSource(whichDirective, url); |
| 1253 } | 1277 } |
| 1254 | 1278 |
| 1255 bool CSPDirectiveList::allowImageFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 1279 bool CSPDirectiveList::allowImageFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
| 1256 { | 1280 { |
| 1257 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1281 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1258 checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, i
mgSrc) : | 1282 checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, i
mgSrc) : |
| 1259 checkSource(operativeDirective(m_imgSrc.get()), url); | 1283 checkSource(operativeDirective(m_imgSrc.get()), url); |
| 1260 } | 1284 } |
| 1261 | 1285 |
| 1262 bool CSPDirectiveList::allowStyleFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 1286 bool CSPDirectiveList::allowStyleFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1301 checkSource(m_baseURI.get(), url); | 1325 checkSource(m_baseURI.get(), url); |
| 1302 } | 1326 } |
| 1303 | 1327 |
| 1304 bool CSPDirectiveList::allowAncestors(Frame* frame, ContentSecurityPolicy::Repor
tingStatus reportingStatus) const | 1328 bool CSPDirectiveList::allowAncestors(Frame* frame, ContentSecurityPolicy::Repor
tingStatus reportingStatus) const |
| 1305 { | 1329 { |
| 1306 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1330 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1307 checkAncestorsAndReportViolation(m_frameAncestors.get(), frame) : | 1331 checkAncestorsAndReportViolation(m_frameAncestors.get(), frame) : |
| 1308 checkAncestors(m_frameAncestors.get(), frame); | 1332 checkAncestors(m_frameAncestors.get(), frame); |
| 1309 } | 1333 } |
| 1310 | 1334 |
| 1335 bool CSPDirectiveList::allowChildContextFromSource(const KURL& url, ContentSecur
ityPolicy::ReportingStatus reportingStatus) const |
| 1336 { |
| 1337 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1338 checkSourceAndReportViolation(operativeDirective(m_childSrc.get()), url,
childSrc) : |
| 1339 checkSource(operativeDirective(m_childSrc.get()), url); |
| 1340 } |
| 1341 |
| 1311 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const | 1342 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const |
| 1312 { | 1343 { |
| 1313 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); | 1344 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); |
| 1314 } | 1345 } |
| 1315 | 1346 |
| 1316 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const | 1347 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const |
| 1317 { | 1348 { |
| 1318 return checkNonce(operativeDirective(m_styleSrc.get()), nonce); | 1349 return checkNonce(operativeDirective(m_styleSrc.get()), nonce); |
| 1319 } | 1350 } |
| 1320 | 1351 |
| (...skipping 267 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1588 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); | 1619 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); |
| 1589 } else if (equalIgnoringCase(name, connectSrc)) { | 1620 } else if (equalIgnoringCase(name, connectSrc)) { |
| 1590 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 1621 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
| 1591 } else if (equalIgnoringCase(name, sandbox)) { | 1622 } else if (equalIgnoringCase(name, sandbox)) { |
| 1592 applySandboxPolicy(name, value); | 1623 applySandboxPolicy(name, value); |
| 1593 } else if (equalIgnoringCase(name, reportURI)) { | 1624 } else if (equalIgnoringCase(name, reportURI)) { |
| 1594 parseReportURI(name, value); | 1625 parseReportURI(name, value); |
| 1595 } else if (m_policy->experimentalFeaturesEnabled()) { | 1626 } else if (m_policy->experimentalFeaturesEnabled()) { |
| 1596 if (equalIgnoringCase(name, baseURI)) | 1627 if (equalIgnoringCase(name, baseURI)) |
| 1597 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 1628 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
| 1629 else if (equalIgnoringCase(name, childSrc)) |
| 1630 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
| 1598 else if (equalIgnoringCase(name, formAction)) | 1631 else if (equalIgnoringCase(name, formAction)) |
| 1599 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 1632 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
| 1600 else if (equalIgnoringCase(name, frameAncestors)) | 1633 else if (equalIgnoringCase(name, frameAncestors)) |
| 1601 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); | 1634 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); |
| 1602 else if (equalIgnoringCase(name, pluginTypes)) | 1635 else if (equalIgnoringCase(name, pluginTypes)) |
| 1603 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 1636 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
| 1604 else if (equalIgnoringCase(name, reflectedXSS)) | 1637 else if (equalIgnoringCase(name, reflectedXSS)) |
| 1605 parseReflectedXSS(name, value); | 1638 parseReflectedXSS(name, value); |
| 1606 else if (equalIgnoringCase(name, referrer)) | 1639 else if (equalIgnoringCase(name, referrer)) |
| 1607 parseReferrer(name, value); | 1640 parseReferrer(name, value); |
| (...skipping 330 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1938 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy:
:ReportingStatus reportingStatus) const | 1971 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy:
:ReportingStatus reportingStatus) const |
| 1939 { | 1972 { |
| 1940 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur
l, reportingStatus); | 1973 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur
l, reportingStatus); |
| 1941 } | 1974 } |
| 1942 | 1975 |
| 1943 bool ContentSecurityPolicy::allowAncestors(Frame* frame, ContentSecurityPolicy::
ReportingStatus reportingStatus) const | 1976 bool ContentSecurityPolicy::allowAncestors(Frame* frame, ContentSecurityPolicy::
ReportingStatus reportingStatus) const |
| 1944 { | 1977 { |
| 1945 return isAllowedByAllWithFrame<&CSPDirectiveList::allowAncestors>(m_policies
, frame, reportingStatus); | 1978 return isAllowedByAllWithFrame<&CSPDirectiveList::allowAncestors>(m_policies
, frame, reportingStatus); |
| 1946 } | 1979 } |
| 1947 | 1980 |
| 1981 bool ContentSecurityPolicy::allowChildContextFromSource(const KURL& url, Content
SecurityPolicy::ReportingStatus reportingStatus) const |
| 1982 { |
| 1983 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource>
(m_policies, url, reportingStatus); |
| 1984 } |
| 1985 |
| 1948 bool ContentSecurityPolicy::isActive() const | 1986 bool ContentSecurityPolicy::isActive() const |
| 1949 { | 1987 { |
| 1950 return !m_policies.isEmpty(); | 1988 return !m_policies.isEmpty(); |
| 1951 } | 1989 } |
| 1952 | 1990 |
| 1953 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const | 1991 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const |
| 1954 { | 1992 { |
| 1955 ReflectedXSSDisposition disposition = ReflectedXSSUnset; | 1993 ReflectedXSSDisposition disposition = ReflectedXSSUnset; |
| 1956 for (size_t i = 0; i < m_policies.size(); ++i) { | 1994 for (size_t i = 0; i < m_policies.size(); ++i) { |
| 1957 if (m_policies[i]->reflectedXSSDisposition() > disposition) | 1995 if (m_policies[i]->reflectedXSSDisposition() > disposition) |
| (...skipping 273 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2231 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 2269 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
| 2232 return !m_violationReportsSent.contains(report.impl()->hash()); | 2270 return !m_violationReportsSent.contains(report.impl()->hash()); |
| 2233 } | 2271 } |
| 2234 | 2272 |
| 2235 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 2273 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
| 2236 { | 2274 { |
| 2237 m_violationReportsSent.add(report.impl()->hash()); | 2275 m_violationReportsSent.add(report.impl()->hash()); |
| 2238 } | 2276 } |
| 2239 | 2277 |
| 2240 } // namespace WebCore | 2278 } // namespace WebCore |
| OLD | NEW |