| OLD | NEW |
| (Empty) |
| 1 /* | |
| 2 * Copyright (C) 2012 Google, Inc. All rights reserved. | |
| 3 * | |
| 4 * Redistribution and use in source and binary forms, with or without | |
| 5 * modification, are permitted provided that the following conditions | |
| 6 * are met: | |
| 7 * 1. Redistributions of source code must retain the above copyright | |
| 8 * notice, this list of conditions and the following disclaimer. | |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | |
| 10 * notice, this list of conditions and the following disclaimer in the | |
| 11 * documentation and/or other materials provided with the distribution. | |
| 12 * | |
| 13 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY | |
| 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
| 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR | |
| 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | |
| 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | |
| 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | |
| 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY | |
| 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
| 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
| 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
| 24 */ | |
| 25 | |
| 26 #include "config.h" | |
| 27 #include "core/frame/DOMSecurityPolicy.h" | |
| 28 | |
| 29 #include "core/dom/DOMStringList.h" | |
| 30 #include "core/dom/ExecutionContext.h" | |
| 31 #include "core/frame/ContentSecurityPolicy.h" | |
| 32 #include "wtf/text/TextPosition.h" | |
| 33 | |
| 34 namespace WebCore { | |
| 35 | |
| 36 namespace { | |
| 37 | |
| 38 bool isPolicyActiveInContext(ExecutionContext* context) | |
| 39 { | |
| 40 // If the ExecutionContext has been destroyed, there's no active policy. | |
| 41 if (!context) | |
| 42 return false; | |
| 43 | |
| 44 return context->contentSecurityPolicy()->isActive(); | |
| 45 } | |
| 46 | |
| 47 template<bool (ContentSecurityPolicy::*allowWithType)(const String&, const Strin
g&, const KURL&, ContentSecurityPolicy::ReportingStatus) const> | |
| 48 bool isAllowedWithType(ExecutionContext* context, const String& type) | |
| 49 { | |
| 50 if (!isPolicyActiveInContext(context)) | |
| 51 return true; | |
| 52 | |
| 53 return (context->contentSecurityPolicy()->*allowWithType)(type, type, KURL()
, ContentSecurityPolicy::SuppressReport); | |
| 54 } | |
| 55 | |
| 56 template<bool (ContentSecurityPolicy::*allowWithURL)(const KURL&, ContentSecurit
yPolicy::ReportingStatus) const> | |
| 57 bool isAllowedWithURL(ExecutionContext* context, const String& url) | |
| 58 { | |
| 59 if (!isPolicyActiveInContext(context)) | |
| 60 return true; | |
| 61 | |
| 62 KURL parsedURL = context->completeURL(url); | |
| 63 if (!parsedURL.isValid()) | |
| 64 return false; // FIXME: Figure out how to throw a JavaScript error. | |
| 65 | |
| 66 return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentS
ecurityPolicy::SuppressReport); | |
| 67 } | |
| 68 | |
| 69 template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WT
F::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> | |
| 70 bool isAllowed(ExecutionContext* context) | |
| 71 { | |
| 72 if (!isPolicyActiveInContext(context)) | |
| 73 return true; | |
| 74 | |
| 75 return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::
OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); | |
| 76 } | |
| 77 | |
| 78 } // namespace | |
| 79 | |
| 80 DOMSecurityPolicy::DOMSecurityPolicy(ExecutionContext* context) | |
| 81 : ContextLifecycleObserver(context) | |
| 82 { | |
| 83 ScriptWrappable::init(this); | |
| 84 } | |
| 85 | |
| 86 DOMSecurityPolicy::~DOMSecurityPolicy() | |
| 87 { | |
| 88 } | |
| 89 | |
| 90 bool DOMSecurityPolicy::isActive() const | |
| 91 { | |
| 92 return isPolicyActiveInContext(executionContext()); | |
| 93 } | |
| 94 | |
| 95 PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const | |
| 96 { | |
| 97 RefPtr<DOMStringList> result = DOMStringList::create(); | |
| 98 | |
| 99 if (isActive()) | |
| 100 executionContext()->contentSecurityPolicy()->gatherReportURIs(*result.ge
t()); | |
| 101 | |
| 102 return result.release(); | |
| 103 } | |
| 104 | |
| 105 bool DOMSecurityPolicy::allowsInlineScript() const | |
| 106 { | |
| 107 return isAllowed<&ContentSecurityPolicy::allowInlineScript>(executionContext
()); | |
| 108 } | |
| 109 | |
| 110 bool DOMSecurityPolicy::allowsInlineStyle() const | |
| 111 { | |
| 112 return isAllowed<&ContentSecurityPolicy::allowInlineStyle>(executionContext(
)); | |
| 113 } | |
| 114 | |
| 115 bool DOMSecurityPolicy::allowsEval() const | |
| 116 { | |
| 117 if (!isActive()) | |
| 118 return true; | |
| 119 | |
| 120 return executionContext()->contentSecurityPolicy()->allowEval(0, ContentSecu
rityPolicy::SuppressReport); | |
| 121 } | |
| 122 | |
| 123 | |
| 124 bool DOMSecurityPolicy::allowsConnectionTo(const String& url) const | |
| 125 { | |
| 126 return isAllowedWithURL<&ContentSecurityPolicy::allowConnectToSource>(execut
ionContext(), url); | |
| 127 } | |
| 128 | |
| 129 bool DOMSecurityPolicy::allowsFontFrom(const String& url) const | |
| 130 { | |
| 131 return isAllowedWithURL<&ContentSecurityPolicy::allowFontFromSource>(executi
onContext(), url); | |
| 132 } | |
| 133 | |
| 134 bool DOMSecurityPolicy::allowsFormAction(const String& url) const | |
| 135 { | |
| 136 return isAllowedWithURL<&ContentSecurityPolicy::allowFormAction>(executionCo
ntext(), url); | |
| 137 } | |
| 138 | |
| 139 bool DOMSecurityPolicy::allowsFrameFrom(const String& url) const | |
| 140 { | |
| 141 return isAllowedWithURL<&ContentSecurityPolicy::allowChildFrameFromSource>(e
xecutionContext(), url); | |
| 142 } | |
| 143 | |
| 144 bool DOMSecurityPolicy::allowsImageFrom(const String& url) const | |
| 145 { | |
| 146 return isAllowedWithURL<&ContentSecurityPolicy::allowImageFromSource>(execut
ionContext(), url); | |
| 147 } | |
| 148 | |
| 149 bool DOMSecurityPolicy::allowsMediaFrom(const String& url) const | |
| 150 { | |
| 151 return isAllowedWithURL<&ContentSecurityPolicy::allowMediaFromSource>(execut
ionContext(), url); | |
| 152 } | |
| 153 | |
| 154 bool DOMSecurityPolicy::allowsObjectFrom(const String& url) const | |
| 155 { | |
| 156 return isAllowedWithURL<&ContentSecurityPolicy::allowObjectFromSource>(execu
tionContext(), url); | |
| 157 } | |
| 158 | |
| 159 bool DOMSecurityPolicy::allowsPluginType(const String& type) const | |
| 160 { | |
| 161 return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(executionC
ontext(), type); | |
| 162 } | |
| 163 | |
| 164 bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const | |
| 165 { | |
| 166 return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(execu
tionContext(), url); | |
| 167 } | |
| 168 | |
| 169 bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const | |
| 170 { | |
| 171 return isAllowedWithURL<&ContentSecurityPolicy::allowStyleFromSource>(execut
ionContext(), url); | |
| 172 } | |
| 173 | |
| 174 } // namespace WebCore | |