OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPSourceList.h" | 6 #include "core/frame/csp/CSPSourceList.h" |
7 | 7 |
8 #include "core/frame/csp/CSPSource.h" | 8 #include "core/frame/csp/CSPSource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "platform/ParsingUtilities.h" | 10 #include "platform/ParsingUtilities.h" |
(...skipping 27 matching lines...) Expand all Loading... |
38 , m_allowSelf(false) | 38 , m_allowSelf(false) |
39 , m_allowStar(false) | 39 , m_allowStar(false) |
40 , m_allowInline(false) | 40 , m_allowInline(false) |
41 , m_allowEval(false) | 41 , m_allowEval(false) |
42 , m_hashAlgorithmsUsed(0) | 42 , m_hashAlgorithmsUsed(0) |
43 { | 43 { |
44 } | 44 } |
45 | 45 |
46 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const | 46 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const |
47 { | 47 { |
48 if (m_allowStar) | 48 // The CSP spec specifically states that data:, blob:, and filesystem URLs |
| 49 // should not be captured by a '*" source |
| 50 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the |
| 51 // case of a full wildcard, data:, blob:, and filesystem: URLs are |
| 52 // explicitly checked for in the source list before allowing them through. |
| 53 if (m_allowStar) { |
| 54 if (url.protocolIs("blob") || url.protocolIs("data") || url.protocolIs("
filesystem")) |
| 55 return hasSourceMatchInList(url, redirectStatus); |
49 return true; | 56 return true; |
| 57 } |
50 | 58 |
51 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; | 59 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; |
52 | 60 |
53 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) | 61 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) |
54 return true; | 62 return true; |
55 | 63 |
56 for (size_t i = 0; i < m_list.size(); ++i) { | 64 return hasSourceMatchInList(effectiveURL, redirectStatus); |
57 if (m_list[i].matches(effectiveURL, redirectStatus)) | |
58 return true; | |
59 } | |
60 | |
61 return false; | |
62 } | 65 } |
63 | 66 |
64 bool CSPSourceList::allowInline() const | 67 bool CSPSourceList::allowInline() const |
65 { | 68 { |
66 return m_allowInline; | 69 return m_allowInline; |
67 } | 70 } |
68 | 71 |
69 bool CSPSourceList::allowEval() const | 72 bool CSPSourceList::allowEval() const |
70 { | 73 { |
71 return m_allowEval; | 74 return m_allowEval; |
(...skipping 411 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
483 { | 486 { |
484 m_nonces.add(nonce); | 487 m_nonces.add(nonce); |
485 } | 488 } |
486 | 489 |
487 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) | 490 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) |
488 { | 491 { |
489 m_hashes.add(CSPHashValue(algorithm, hash)); | 492 m_hashes.add(CSPHashValue(algorithm, hash)); |
490 m_hashAlgorithmsUsed |= algorithm; | 493 m_hashAlgorithmsUsed |= algorithm; |
491 } | 494 } |
492 | 495 |
| 496 bool CSPSourceList::hasSourceMatchInList(const KURL& url, ContentSecurityPolicy:
:RedirectStatus redirectStatus) const |
| 497 { |
| 498 for (size_t i = 0; i < m_list.size(); ++i) { |
| 499 if (m_list[i].matches(url, redirectStatus)) |
| 500 return true; |
| 501 } |
| 502 |
| 503 return false; |
| 504 } |
493 | 505 |
494 } // namespace blink | 506 } // namespace blink |
OLD | NEW |