1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
877 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 877 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
878 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; | 878 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; |
879 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 879 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
880 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 880 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
881 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; | 881 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; |
882 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; | 882 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; |
883 bool allowScriptNonce(const String&) const; | 883 bool allowScriptNonce(const String&) const; |
884 bool allowStyleNonce(const String&) const; | 884 bool allowStyleNonce(const String&) const; |
885 bool allowScriptHash(const SourceHashValue&) const; | 885 bool allowScriptHash(const SourceHashValue&) const; |
886 | 886 |
887 void gatherReportURIs(DOMStringList&) const; | |
888 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } | 887 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } |
889 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } | 888 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } |
890 bool isReportOnly() const { return m_reportOnly; } | 889 bool isReportOnly() const { return m_reportOnly; } |
891 const Vector<KURL>& reportURIs() const { return m_reportURIs; } | 890 const Vector<KURL>& reportURIs() const { return m_reportURIs; } |
892 | 891 |
893 private: | 892 private: |
894 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType); | 893 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType); |
895 | 894 |
896 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri
ng& value); | 895 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri
ng& value); |
897 void parseReportURI(const String& name, const String& value); | 896 void parseReportURI(const String& name, const String& value); |
1224 checkSource(operativeDirective(m_mediaSrc.get()), url); | 1223 checkSource(operativeDirective(m_mediaSrc.get()), url); |
1225 } | 1224 } |
1226 | 1225 |
1227 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 1226 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
1228 { | 1227 { |
1229 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1228 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1230 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, connectSrc) : | 1229 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, connectSrc) : |
1231 checkSource(operativeDirective(m_connectSrc.get()), url); | 1230 checkSource(operativeDirective(m_connectSrc.get()), url); |
1232 } | 1231 } |
1233 | 1232 |
1234 void CSPDirectiveList::gatherReportURIs(DOMStringList& list) const | |
1235 { | |
1236 for (size_t i = 0; i < m_reportURIs.size(); ++i) | |
1237 list.append(m_reportURIs[i].string()); | |
1238 } | |
1239 | |
1240 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const | 1233 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const |
1241 { | 1234 { |
1242 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1235 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1243 checkSourceAndReportViolation(m_formAction.get(), url, formAction) : | 1236 checkSourceAndReportViolation(m_formAction.get(), url, formAction) : |
1244 checkSource(m_formAction.get(), url); | 1237 checkSource(m_formAction.get(), url); |
1245 } | 1238 } |
1246 | 1239 |
1247 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const | 1240 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const |
1248 { | 1241 { |
1249 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1242 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1778 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const | 1771 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const |
1779 { | 1772 { |
1780 ReflectedXSSDisposition disposition = ReflectedXSSUnset; | 1773 ReflectedXSSDisposition disposition = ReflectedXSSUnset; |
1781 for (size_t i = 0; i < m_policies.size(); ++i) { | 1774 for (size_t i = 0; i < m_policies.size(); ++i) { |
1782 if (m_policies[i]->reflectedXSSDisposition() > disposition) | 1775 if (m_policies[i]->reflectedXSSDisposition() > disposition) |
1783 disposition = std::max(disposition, m_policies[i]->reflectedXSSDispo
sition()); | 1776 disposition = std::max(disposition, m_policies[i]->reflectedXSSDispo
sition()); |
1784 } | 1777 } |
1785 return disposition; | 1778 return disposition; |
1786 } | 1779 } |
1787 | 1780 |
1788 void ContentSecurityPolicy::gatherReportURIs(DOMStringList& list) const | |
1789 { | |
1790 for (size_t i = 0; i < m_policies.size(); ++i) | |
1791 m_policies[i]->gatherReportURIs(list); | |
1792 } | |
1793 | |
1794 SecurityOrigin* ContentSecurityPolicy::securityOrigin() const | 1781 SecurityOrigin* ContentSecurityPolicy::securityOrigin() const |
1795 { | 1782 { |
1796 return m_client->securityContext().securityOrigin(); | 1783 return m_client->securityContext().securityOrigin(); |
1797 } | 1784 } |
1798 | 1785 |
1799 const KURL ContentSecurityPolicy::url() const | 1786 const KURL ContentSecurityPolicy::url() const |
1800 { | 1787 { |
1801 return m_client->contextURL(); | 1788 return m_client->contextURL(); |
1802 } | 1789 } |
1803 | 1790 |
2023 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 2010 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
2024 return !m_violationReportsSent.contains(report.impl()->hash()); | 2011 return !m_violationReportsSent.contains(report.impl()->hash()); |
2025 } | 2012 } |
2026 | 2013 |
2027 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 2014 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
2028 { | 2015 { |
2029 m_violationReportsSent.add(report.impl()->hash()); | 2016 m_violationReportsSent.add(report.impl()->hash()); |
2030 } | 2017 } |
2031 | 2018 |
2032 } // namespace WebCore | 2019 } // namespace WebCore |