Side by Side Diff: Source/core/frame/ContentSecurityPolicy.h

Issue 143113003: CSP 1.1: Ignore report-only inside <meta>. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Nit. Created 6 years, 11 months ago
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
62 } 62 }
63 ~ContentSecurityPolicy(); 63 ~ContentSecurityPolicy();
64 64
65 void copyStateFrom(const ContentSecurityPolicy*); 65 void copyStateFrom(const ContentSecurityPolicy*);
66 66
67 enum HeaderType { 67 enum HeaderType {
68 Report, 68 Report,
69 Enforce, 69 Enforce,
70 }; 70 };
71 71
72 enum HeaderSource {
73 HeaderSourceHTTP,
74 HeaderSourceMeta
75 };
76
72 enum ReportingStatus { 77 enum ReportingStatus {
73 SendReport, 78 SendReport,
74 SuppressReport 79 SuppressReport
75 }; 80 };
76 81
77 enum HashAlgorithms { 82 enum HashAlgorithms {
78 HashAlgorithmsNone = 0, 83 HashAlgorithmsNone = 0,
79 HashAlgorithmsSha1 = 1 << 1, 84 HashAlgorithmsSha1 = 1 << 1,
80 HashAlgorithmsSha256 = 1 << 2 85 HashAlgorithmsSha256 = 1 << 2
81 }; 86 };
82 87
83 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); 88 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
84 void didReceiveHeader(const String&, HeaderType); 89 void didReceiveHeader(const String&, HeaderType, HeaderSource);
85 90
86 // These functions are wrong because they assume that there is only one head er. 91 // These functions are wrong because they assume that there is only one head er.
87 // FIXME: Replace them with functions that return vectors. 92 // FIXME: Replace them with functions that return vectors.
88 const String& deprecatedHeader() const; 93 const String& deprecatedHeader() const;
89 HeaderType deprecatedHeaderType() const; 94 HeaderType deprecatedHeaderType() const;
90 95
91 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; 96 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
92 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu mber& contextLine, ReportingStatus = SendReport) const; 97 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu mber& contextLine, ReportingStatus = SendReport) const;
93 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, ReportingStatus = SendReport) const; 98 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, ReportingStatus = SendReport) const;
94 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, ReportingStatus = SendReport) const; 99 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, ReportingStatus = SendReport) const;
129 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const; 134 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
130 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char) const; 135 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char) const;
131 void reportInvalidPluginTypes(const String&) const; 136 void reportInvalidPluginTypes(const String&) const;
132 void reportInvalidSandboxFlags(const String&) const; 137 void reportInvalidSandboxFlags(const String&) const;
133 void reportInvalidSourceExpression(const String& directiveName, const String & source) const; 138 void reportInvalidSourceExpression(const String& directiveName, const String & source) const;
134 void reportInvalidReflectedXSS(const String&) const; 139 void reportInvalidReflectedXSS(const String&) const;
135 void reportMissingReportURI(const String&) const; 140 void reportMissingReportURI(const String&) const;
136 void reportUnsupportedDirective(const String&) const; 141 void reportUnsupportedDirective(const String&) const;
137 void reportInvalidInReportOnly(const String&) const; 142 void reportInvalidInReportOnly(const String&) const;
138 void reportInvalidReferrer(const String&) const; 143 void reportInvalidReferrer(const String&) const;
144 void reportReportOnlyInMeta(const String&) const;
139 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL> & reportURIs, const String& header); 145 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL> & reportURIs, const String& header);
140 146
141 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst; 147 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst;
142 148
143 const KURL url() const; 149 const KURL url() const;
144 KURL completeURL(const String&) const; 150 KURL completeURL(const String&) const;
145 SecurityOrigin* securityOrigin() const; 151 SecurityOrigin* securityOrigin() const;
146 void enforceSandboxFlags(SandboxFlags) const; 152 void enforceSandboxFlags(SandboxFlags) const;
147 String evalDisabledErrorMessage() const; 153 String evalDisabledErrorMessage() const;
148 154
149 bool experimentalFeaturesEnabled() const; 155 bool experimentalFeaturesEnabled() const;
150 156
151 static bool shouldBypassMainWorld(ExecutionContext*); 157 static bool shouldBypassMainWorld(ExecutionContext*);
152 158
153 ExecutionContextClient* client() { return m_client; } 159 ExecutionContextClient* client() { return m_client; }
154 160
155 private: 161 private:
156 explicit ContentSecurityPolicy(ExecutionContextClient*); 162 explicit ContentSecurityPolicy(ExecutionContextClient*);
157 163
158 void logToConsole(const String& message) const; 164 void logToConsole(const String& message) const;
159 void addPolicyFromHeaderValue(const String&, HeaderType); 165 void addPolicyFromHeaderValue(const String&, HeaderType, HeaderSource);
160 166
161 bool shouldSendViolationReport(const String&) const; 167 bool shouldSendViolationReport(const String&) const;
162 void didSendViolationReport(const String&); 168 void didSendViolationReport(const String&);
163 169
164 ExecutionContextClient* m_client; 170 ExecutionContextClient* m_client;
165 bool m_overrideInlineStyleAllowed; 171 bool m_overrideInlineStyleAllowed;
166 CSPDirectiveListVector m_policies; 172 CSPDirectiveListVector m_policies;
167 173
168 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; 174 HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
169 175
170 // We put the hash functions used on the policy object so that we only need 176 // We put the hash functions used on the policy object so that we only need
171 // to calculate a hash once and then distribute it to all of the directives 177 // to calculate a hash once and then distribute it to all of the directives
172 // for validation. 178 // for validation.
173 uint8_t m_scriptHashAlgorithmsUsed; 179 uint8_t m_scriptHashAlgorithmsUsed;
174 uint8_t m_styleHashAlgorithmsUsed; 180 uint8_t m_styleHashAlgorithmsUsed;
175 }; 181 };
176 182
177 } 183 }
178 184
179 #endif 185 #endif
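Review bot: The new `HeaderSource` enum (new lines 72-75) and the extra parameter it adds to `didReceiveHeader` and `addPolicyFromHeaderValue` carry no comment saying what the distinction is for, so nothing in this header tells a future caller that a `<meta http-equiv>` policy must be tagged `HeaderSourceMeta`; if one passes `HeaderSourceHTTP` instead, the report-only-in-meta rejection that this change introduces (presumably in ContentSecurityPolicy.cpp, which is not in this file) would be bypassed for that call site. I would document the enum: `// Delivery channel of a policy string. CSP 1.1 ignores report-only policies delivered via <meta> (see reportReportOnlyInMeta); callers handling http-equiv policies must pass HeaderSourceMeta so that check applies.` `didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&)` keeps its old signature, so a one-line comment that it is the HTTP-response path and implies `HeaderSourceHTTP` would help, if that is what the .cpp does. Minor style point: `HeaderSource` omits the trailing comma that `HeaderType` uses after its last enumerator.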