OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPSourceList.h" | 6 #include "core/frame/csp/CSPSourceList.h" |
7 | 7 |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/ParsingUtilities.h" | 10 #include "platform/ParsingUtilities.h" |
(...skipping 27 matching lines...) Expand all Loading... | |
38 , m_allowSelf(false) | 38 , m_allowSelf(false) |
39 , m_allowStar(false) | 39 , m_allowStar(false) |
40 , m_allowInline(false) | 40 , m_allowInline(false) |
41 , m_allowEval(false) | 41 , m_allowEval(false) |
42 , m_hashAlgorithmsUsed(0) | 42 , m_hashAlgorithmsUsed(0) |
43 { | 43 { |
44 } | 44 } |
45 | 45 |
46 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat us redirectStatus) const | 46 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat us redirectStatus) const |
47 { | 47 { |
48 if (m_allowStar) | 48 |
Mike West
2015/09/25 13:53:41
Nit: Drop the newline.
jww
2015/09/25 15:32:15
Done.
| |
49 // The CSP spec specifically states that data:, blob:, and filesystem URLs | |
50 // should not be captured by a '*" source: | |
51 // http://www.w3.org/TR/CSP2/#source-list-guid-matching, so there is an | |
52 // explicit check for those protocols here. | |
53 if (m_allowStar && !url.protocolIs("blob") && !url.protocolIs("data") && !ur l.protocolIs("filesystem")) | |
49 return true; | 54 return true; |
50 | 55 |
51 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; | 56 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; |
52 | 57 |
53 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) | 58 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) |
54 return true; | 59 return true; |
55 | 60 |
56 for (size_t i = 0; i < m_list.size(); ++i) { | 61 for (size_t i = 0; i < m_list.size(); ++i) { |
57 if (m_list[i].matches(effectiveURL, redirectStatus)) | 62 if (m_list[i].matches(effectiveURL, redirectStatus)) |
58 return true; | 63 return true; |
(...skipping 426 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
485 } | 490 } |
486 | 491 |
487 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo rithm, const DigestValue& hash) | 492 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo rithm, const DigestValue& hash) |
488 { | 493 { |
489 m_hashes.add(CSPHashValue(algorithm, hash)); | 494 m_hashes.add(CSPHashValue(algorithm, hash)); |
490 m_hashAlgorithmsUsed |= algorithm; | 495 m_hashAlgorithmsUsed |= algorithm; |
491 } | 496 } |
492 | 497 |
493 | 498 |
494 } // namespace blink | 499 } // namespace blink |
OLD | NEW |