Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(828)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/frame/ContentSecurityPolicy.cpp

Issue 138033019: CSP 1.1: Apply hashes to style elements. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Created 6 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/frame/ContentSecurityPolicy.h ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/frame/ContentSecurityPolicy.cpp
diff --git a/Source/core/frame/ContentSecurityPolicy.cpp b/Source/core/frame/ContentSecurityPolicy.cpp
index 4c3cbe42472a78353ff0c53ffac601e356ea6179..ec90e2aab0e3606640956ea8dee1ccbaa4dd1915 100644
--- a/Source/core/frame/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/ContentSecurityPolicy.cpp
@@ -883,6 +883,7 @@ public:
bool allowScriptNonce(const String&) const;
bool allowStyleNonce(const String&) const;
bool allowScriptHash(const SourceHashValue&) const;
+ bool allowStyleHash(const SourceHashValue&) const;
void gatherReportURIs(DOMStringList&) const;
const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
@@ -1266,6 +1267,11 @@ bool CSPDirectiveList::allowScriptHash(const SourceHashValue& hashValue) const
return checkHash(operativeDirective(m_scriptSrc.get()), hashValue);
}
+bool CSPDirectiveList::allowStyleHash(const SourceHashValue& hashValue) const
+{
+ return checkHash(operativeDirective(m_styleSrc.get()), hashValue);
+}
+
// policy = directive-list
// directive-list = [ directive *( ";" [ directive ] ) ]
//
@@ -1462,6 +1468,7 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
setCSPDirective<SourceListDirective>(name, value, m_imgSrc);
} else if (equalIgnoringCase(name, styleSrc)) {
setCSPDirective<SourceListDirective>(name, value, m_styleSrc);
+ m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed());
} else if (equalIgnoringCase(name, fontSrc)) {
setCSPDirective<SourceListDirective>(name, value, m_fontSrc);
} else if (equalIgnoringCase(name, mediaSrc)) {
@@ -1491,7 +1498,8 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
ContentSecurityPolicy::ContentSecurityPolicy(ExecutionContextClient* client)
: m_client(client)
, m_overrideInlineStyleAllowed(false)
- , m_sourceHashAlgorithmsUsed(HashAlgorithmsNone)
+ , m_scriptHashAlgorithmsUsed(HashAlgorithmsNone)
+ , m_styleHashAlgorithmsUsed(HashAlgorithmsNone)
{
}
@@ -1703,11 +1711,12 @@ bool ContentSecurityPolicy::allowStyleNonce(const String& nonce) const
return isAllowedByAllWithNonce<&CSPDirectiveList::allowStyleNonce>(m_policies, nonce);
}
+// TODO(jww) We don't currently have a WTF SHA256 implementation. Once we
+// have that, we should implement a proper check for sha256 hash values in
+// both allowScriptHash and allowStyleHash.
bool ContentSecurityPolicy::allowScriptHash(const String& source) const
{
- // TODO(jww) We don't currently have a WTF SHA256 implementation. Once we
- // have that, we should implement a proper check for sha256 hash values here.
- if (HashAlgorithmsSha1 & m_sourceHashAlgorithmsUsed) {
+ if (HashAlgorithmsSha1 & m_scriptHashAlgorithmsUsed) {
Vector<uint8_t, 20> digest;
SHA1 sourceSha1;
sourceSha1.addBytes(UTF8Encoding().normalizeAndEncode(source, WTF::EntitiesForUnencodables));
@@ -1720,9 +1729,29 @@ bool ContentSecurityPolicy::allowScriptHash(const String& source) const
return false;
}
+bool ContentSecurityPolicy::allowStyleHash(const String& source) const
+{
+ if (HashAlgorithmsSha1 & m_styleHashAlgorithmsUsed) {
+ Vector<uint8_t, 20> digest;
+ SHA1 sourceSha1;
+ sourceSha1.addBytes(UTF8Encoding().normalizeAndEncode(source, WTF::EntitiesForUnencodables));
+ sourceSha1.computeHash(digest);
+
+ if (isAllowedByAllWithHash<&CSPDirectiveList::allowStyleHash>(m_policies, SourceHashValue(HashAlgorithmsSha1, Vector<uint8_t>(digest))))
+ return true;
+ }
+
+ return false;
+}
+
void ContentSecurityPolicy::usesScriptHashAlgorithms(uint8_t algorithms)
{
- m_sourceHashAlgorithmsUsed |= algorithms;
+ m_scriptHashAlgorithmsUsed |= algorithms;
+}
+
+void ContentSecurityPolicy::usesStyleHashAlgorithms(uint8_t algorithms)
+{
+ m_styleHashAlgorithmsUsed |= algorithms;
}
bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
« no previous file with comments | « Source/core/frame/ContentSecurityPolicy.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698