Disallow CSP source * matching of data:, blob:, and filesystem: URLs

third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "core/frame/csp/CSPSourceList.h"
 
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/ParsingUtilities.h"
@@ skipping 27 matching lines @@
     , m_allowSelf(false)
     , m_allowStar(false)
     , m_allowInline(false)
     , m_allowEval(false)
     , m_hashAlgorithmsUsed(0)
 {
 }
 
 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStatus redirectStatus) const
 {
-    if (m_allowStar)
+

[Mike West, 2015/09/25 13:53:41]

Nit: Drop the newline.

[jww, 2015/09/25 15:32:15]

Done.

+    // The CSP spec specifically states that data:, blob:, and filesystem URLs
+    // should not be captured by a '*" source:
+    // http://www.w3.org/TR/CSP2/#source-list-guid-matching, so there is an
+    // explicit check for those protocols here.
+    if (m_allowStar && !url.protocolIs("blob") && !url.protocolIs("data") && !url.protocolIs("filesystem"))
         return true;
 
     KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
 
     if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL))
         return true;
 
     for (size_t i = 0; i < m_list.size(); ++i) {
         if (m_list[i].matches(effectiveURL, redirectStatus))
             return true;
@@ skipping 426 matching lines @@
 }
 
 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algorithm, const DigestValue& hash)
 {
     m_hashes.add(CSPHashValue(algorithm, hash));
     m_hashAlgorithmsUsed |= algorithm;
 }
 
 
 } // namespace blink