OLD | NEW |
| (Empty) |
1 /* | |
2 * Copyright (C) 2012 Google, Inc. All rights reserved. | |
3 * | |
4 * Redistribution and use in source and binary forms, with or without | |
5 * modification, are permitted provided that the following conditions | |
6 * are met: | |
7 * 1. Redistributions of source code must retain the above copyright | |
8 * notice, this list of conditions and the following disclaimer. | |
9 * 2. Redistributions in binary form must reproduce the above copyright | |
10 * notice, this list of conditions and the following disclaimer in the | |
11 * documentation and/or other materials provided with the distribution. | |
12 * | |
13 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY | |
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR | |
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, | |
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, | |
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR | |
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY | |
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
24 */ | |
25 | |
26 #include "config.h" | |
27 #include "core/frame/DOMSecurityPolicy.h" | |
28 | |
29 #include "core/dom/DOMStringList.h" | |
30 #include "core/dom/ExecutionContext.h" | |
31 #include "core/frame/ContentSecurityPolicy.h" | |
32 #include "wtf/text/TextPosition.h" | |
33 | |
34 namespace WebCore { | |
35 | |
36 namespace { | |
37 | |
38 bool isPolicyActiveInContext(ExecutionContext* context) | |
39 { | |
40 // If the ExecutionContext has been destroyed, there's no active policy. | |
41 if (!context) | |
42 return false; | |
43 | |
44 return context->contentSecurityPolicy()->isActive(); | |
45 } | |
46 | |
47 template<bool (ContentSecurityPolicy::*allowWithType)(const String&, const Strin
g&, const KURL&, ContentSecurityPolicy::ReportingStatus) const> | |
48 bool isAllowedWithType(ExecutionContext* context, const String& type) | |
49 { | |
50 if (!isPolicyActiveInContext(context)) | |
51 return true; | |
52 | |
53 return (context->contentSecurityPolicy()->*allowWithType)(type, type, KURL()
, ContentSecurityPolicy::SuppressReport); | |
54 } | |
55 | |
56 template<bool (ContentSecurityPolicy::*allowWithURL)(const KURL&, ContentSecurit
yPolicy::ReportingStatus) const> | |
57 bool isAllowedWithURL(ExecutionContext* context, const String& url) | |
58 { | |
59 if (!isPolicyActiveInContext(context)) | |
60 return true; | |
61 | |
62 KURL parsedURL = context->completeURL(url); | |
63 if (!parsedURL.isValid()) | |
64 return false; // FIXME: Figure out how to throw a JavaScript error. | |
65 | |
66 return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentS
ecurityPolicy::SuppressReport); | |
67 } | |
68 | |
69 template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WT
F::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> | |
70 bool isAllowed(ExecutionContext* context) | |
71 { | |
72 if (!isPolicyActiveInContext(context)) | |
73 return true; | |
74 | |
75 return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::
OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); | |
76 } | |
77 | |
78 } // namespace | |
79 | |
80 DOMSecurityPolicy::DOMSecurityPolicy(ExecutionContext* context) | |
81 : ContextLifecycleObserver(context) | |
82 { | |
83 ScriptWrappable::init(this); | |
84 } | |
85 | |
86 DOMSecurityPolicy::~DOMSecurityPolicy() | |
87 { | |
88 } | |
89 | |
90 bool DOMSecurityPolicy::isActive() const | |
91 { | |
92 return isPolicyActiveInContext(executionContext()); | |
93 } | |
94 | |
95 PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const | |
96 { | |
97 RefPtr<DOMStringList> result = DOMStringList::create(); | |
98 | |
99 if (isActive()) | |
100 executionContext()->contentSecurityPolicy()->gatherReportURIs(*result.ge
t()); | |
101 | |
102 return result.release(); | |
103 } | |
104 | |
105 bool DOMSecurityPolicy::allowsInlineScript() const | |
106 { | |
107 return isAllowed<&ContentSecurityPolicy::allowInlineScript>(executionContext
()); | |
108 } | |
109 | |
110 bool DOMSecurityPolicy::allowsInlineStyle() const | |
111 { | |
112 return isAllowed<&ContentSecurityPolicy::allowInlineStyle>(executionContext(
)); | |
113 } | |
114 | |
115 bool DOMSecurityPolicy::allowsEval() const | |
116 { | |
117 if (!isActive()) | |
118 return true; | |
119 | |
120 return executionContext()->contentSecurityPolicy()->allowEval(0, ContentSecu
rityPolicy::SuppressReport); | |
121 } | |
122 | |
123 | |
124 bool DOMSecurityPolicy::allowsConnectionTo(const String& url) const | |
125 { | |
126 return isAllowedWithURL<&ContentSecurityPolicy::allowConnectToSource>(execut
ionContext(), url); | |
127 } | |
128 | |
129 bool DOMSecurityPolicy::allowsFontFrom(const String& url) const | |
130 { | |
131 return isAllowedWithURL<&ContentSecurityPolicy::allowFontFromSource>(executi
onContext(), url); | |
132 } | |
133 | |
134 bool DOMSecurityPolicy::allowsFormAction(const String& url) const | |
135 { | |
136 return isAllowedWithURL<&ContentSecurityPolicy::allowFormAction>(executionCo
ntext(), url); | |
137 } | |
138 | |
139 bool DOMSecurityPolicy::allowsFrameFrom(const String& url) const | |
140 { | |
141 return isAllowedWithURL<&ContentSecurityPolicy::allowChildFrameFromSource>(e
xecutionContext(), url); | |
142 } | |
143 | |
144 bool DOMSecurityPolicy::allowsImageFrom(const String& url) const | |
145 { | |
146 return isAllowedWithURL<&ContentSecurityPolicy::allowImageFromSource>(execut
ionContext(), url); | |
147 } | |
148 | |
149 bool DOMSecurityPolicy::allowsMediaFrom(const String& url) const | |
150 { | |
151 return isAllowedWithURL<&ContentSecurityPolicy::allowMediaFromSource>(execut
ionContext(), url); | |
152 } | |
153 | |
154 bool DOMSecurityPolicy::allowsObjectFrom(const String& url) const | |
155 { | |
156 return isAllowedWithURL<&ContentSecurityPolicy::allowObjectFromSource>(execu
tionContext(), url); | |
157 } | |
158 | |
159 bool DOMSecurityPolicy::allowsPluginType(const String& type) const | |
160 { | |
161 return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(executionC
ontext(), type); | |
162 } | |
163 | |
164 bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const | |
165 { | |
166 return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(execu
tionContext(), url); | |
167 } | |
168 | |
169 bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const | |
170 { | |
171 return isAllowedWithURL<&ContentSecurityPolicy::allowStyleFromSource>(execut
ionContext(), url); | |
172 } | |
173 | |
174 } // namespace WebCore | |