OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 284 matching lines...) | |
295 | 295 |
296 void parse(const UChar* begin, const UChar* end); | 296 void parse(const UChar* begin, const UChar* end); |
297 | 297 |
298 bool matches(const KURL&); | 298 bool matches(const KURL&); |
299 bool allowInline() const { return m_allowInline; } | 299 bool allowInline() const { return m_allowInline; } |
300 bool allowEval() const { return m_allowEval; } | 300 bool allowEval() const { return m_allowEval; } |
301 bool allowNonce(const String& nonce) const { return !nonce.isNull() && m_non ces.contains(nonce); } | 301 bool allowNonce(const String& nonce) const { return !nonce.isNull() && m_non ces.contains(nonce); } |
302 bool allowHash(const SourceHashValue& hashValue) const { return m_hashes.con tains(hashValue); } | 302 bool allowHash(const SourceHashValue& hashValue) const { return m_hashes.con tains(hashValue); } |
303 uint8_t hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; } | 303 uint8_t hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; } |
304 | 304 |
305 bool isHashOrNoncePresent() const { return !m_nonces.isEmpty() || m_hashAlgo rithmsUsed != ContentSecurityPolicy::HashAlgorithmsNone; } | |
306 | |
305 private: | 307 private: |
306 bool parseSource(const UChar* begin, const UChar* end, String& scheme, Strin g& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard); | 308 bool parseSource(const UChar* begin, const UChar* end, String& scheme, Strin g& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard); |
307 bool parseScheme(const UChar* begin, const UChar* end, String& scheme); | 309 bool parseScheme(const UChar* begin, const UChar* end, String& scheme); |
308 bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hos tHasWildcard); | 310 bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hos tHasWildcard); |
309 bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHa sWildcard); | 311 bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHa sWildcard); |
310 bool parsePath(const UChar* begin, const UChar* end, String& path); | 312 bool parsePath(const UChar* begin, const UChar* end, String& path); |
311 bool parseNonce(const UChar* begin, const UChar* end, String& nonce); | 313 bool parseNonce(const UChar* begin, const UChar* end, String& nonce); |
312 bool parseHash(const UChar* begin, const UChar* end, Vector<uint8_t>& hash, ContentSecurityPolicy::HashAlgorithms&); | 314 bool parseHash(const UChar* begin, const UChar* end, Vector<uint8_t>& hash, ContentSecurityPolicy::HashAlgorithms&); |
313 | 315 |
314 void addSourceSelf(); | 316 void addSourceSelf(); |
(...skipping 524 matching lines...) | |
839 | 841 |
840 bool allows(const KURL& url) | 842 bool allows(const KURL& url) |
841 { | 843 { |
842 return m_sourceList.matches(url.isEmpty() ? policy()->url() : url); | 844 return m_sourceList.matches(url.isEmpty() ? policy()->url() : url); |
843 } | 845 } |
844 | 846 |
845 bool allowInline() const { return m_sourceList.allowInline(); } | 847 bool allowInline() const { return m_sourceList.allowInline(); } |
846 bool allowEval() const { return m_sourceList.allowEval(); } | 848 bool allowEval() const { return m_sourceList.allowEval(); } |
847 bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce( nonce.stripWhiteSpace()); } | 849 bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce( nonce.stripWhiteSpace()); } |
848 bool allowHash(const SourceHashValue& hashValue) const { return m_sourceList .allowHash(hashValue); } | 850 bool allowHash(const SourceHashValue& hashValue) const { return m_sourceList .allowHash(hashValue); } |
851 bool isHashOrNoncePresent() const { return m_sourceList.isHashOrNoncePresent (); } | |
849 | 852 |
850 uint8_t hashAlgorithmsUsed() const { return m_sourceList.hashAlgorithmsUsed( ); } | 853 uint8_t hashAlgorithmsUsed() const { return m_sourceList.hashAlgorithmsUsed( ); } |
851 | 854 |
852 private: | 855 private: |
853 CSPSourceList m_sourceList; | 856 CSPSourceList m_sourceList; |
854 }; | 857 }; |
855 | 858 |
856 class CSPDirectiveList { | 859 class CSPDirectiveList { |
857 WTF_MAKE_FAST_ALLOCATED; | 860 WTF_MAKE_FAST_ALLOCATED; |
858 public: | 861 public: |
(...skipping 139 matching lines...) | |
998 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportURIs, m_header); | 1001 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportURIs, m_header); |
999 } | 1002 } |
1000 | 1003 |
1001 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const | 1004 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const |
1002 { | 1005 { |
1003 return !directive || directive->allowEval(); | 1006 return !directive || directive->allowEval(); |
1004 } | 1007 } |
1005 | 1008 |
1006 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const | 1009 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const |
1007 { | 1010 { |
1008 return !directive || directive->allowInline(); | 1011 return !directive || (directive->allowInline() && !directive->isHashOrNonceP resent()); |
jochen (gone - plz use gerrit)
2014/01/20 09:17:37
just a general note. checkInline() is a poor name.
| |
1009 } | 1012 } |
1010 | 1013 |
1011 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const | 1014 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const |
1012 { | 1015 { |
1013 return !directive || directive->allowNonce(nonce); | 1016 return !directive || directive->allowNonce(nonce); |
1014 } | 1017 } |
1015 | 1018 |
1016 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const SourceHas hValue& hashValue) const | 1019 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const SourceHas hValue& hashValue) const |
1017 { | 1020 { |
1018 return !directive || directive->allowHash(hashValue); | 1021 return !directive || directive->allowHash(hashValue); |
(...skipping 47 matching lines...) | |
1066 reportViolation(directive->text(), pluginTypes, message + "\n", KURL()); | 1069 reportViolation(directive->text(), pluginTypes, message + "\n", KURL()); |
1067 return denyIfEnforcingPolicy(); | 1070 return denyIfEnforcingPolicy(); |
1068 } | 1071 } |
1069 | 1072 |
1070 bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* direct ive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalN umber& contextLine, bool isScript) const | 1073 bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* direct ive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalN umber& contextLine, bool isScript) const |
1071 { | 1074 { |
1072 if (checkInline(directive)) | 1075 if (checkInline(directive)) |
1073 return true; | 1076 return true; |
1074 | 1077 |
1075 String suffix = String(); | 1078 String suffix = String(); |
1076 if (directive == m_defaultSrc) | 1079 if (directive->allowInline() && directive->isHashOrNoncePresent()) { |
1080 // If inline is allowed, but a hash or nonce is present, we ignore 'unsa fe-inline'. Throw a reasonable error. | |
1081 suffix = " Note that 'unsafe-inline' is ignored if either a hash or nonc e value is present in the source list."; | |
1082 } else if (directive == m_defaultSrc) { | |
1077 suffix = " Note that '" + String(isScript ? "script" : "style") + "-src' was not explicitly set, so 'default-src' is used as a fallback."; | 1083 suffix = " Note that '" + String(isScript ? "script" : "style") + "-src' was not explicitly set, so 'default-src' is used as a fallback."; |
1084 } | |
1078 | 1085 |
1079 reportViolationWithLocation(directive->text(), isScript ? scriptSrc : styleS rc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), c ontextURL, contextLine); | 1086 reportViolationWithLocation(directive->text(), isScript ? scriptSrc : styleS rc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), c ontextURL, contextLine); |
1080 | 1087 |
1081 if (!m_reportOnly) { | 1088 if (!m_reportOnly) { |
1082 if (isScript) | 1089 if (isScript) |
1083 m_policy->reportBlockedScriptExecutionToInspector(directive->text()) ; | 1090 m_policy->reportBlockedScriptExecutionToInspector(directive->text()) ; |
1084 return false; | 1091 return false; |
1085 } | 1092 } |
1086 return true; | 1093 return true; |
1087 } | 1094 } |
(...skipping 931 matching lines...) | |
2019 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report. | 2026 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report. |
2020 return !m_violationReportsSent.contains(report.impl()->hash()); | 2027 return !m_violationReportsSent.contains(report.impl()->hash()); |
2021 } | 2028 } |
2022 | 2029 |
2023 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 2030 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
2024 { | 2031 { |
2025 m_violationReportsSent.add(report.impl()->hash()); | 2032 m_violationReportsSent.add(report.impl()->hash()); |
2026 } | 2033 } |
2027 | 2034 |
2028 } // namespace WebCore | 2035 } // namespace WebCore |
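Review bot: In checkInlineAndReportViolation (new lines 1079-1084) the `else if` makes the two suffixes mutually exclusive, so when the fallback `default-src` itself carries 'unsafe-inline' together with a nonce or hash, the console message says 'unsafe-inline' was ignored but no longer says that default-src was applied because script-src/style-src was not set. A policy author needs both facts to debug that case; consider making the second test a plain `if (directive == m_defaultSrc)` and appending with `suffix = suffix + " Note that '" + String(isScript ? "script" : "style") + "-src' was not explicitly set, ..."`. The enforcement rule itself sits uncommented in checkInline (new line 1011) while its explanation lives only in the reporting path; a line such as `// 'unsafe-inline' is ignored when the source list contains a nonce or hash.` above that return would keep the check and the message from drifting apart. Whether a nonce or hash source that is rejected during parsing still makes isHashOrNoncePresent() true depends on CSPSourceList::parse(), which is outside the lines shown, so that behaviour is worth confirming with a test.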