OLD | NEW |
---|---|
1 /* | 1 /* |
2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. | 2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. |
3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). | 3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions | 6 * modification, are permitted provided that the following conditions |
7 * are met: | 7 * are met: |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 209 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
220 , m_didSendValidCSPHeader(false) | 220 , m_didSendValidCSPHeader(false) |
221 , m_didSendValidXSSProtectionHeader(false) | 221 , m_didSendValidXSSProtectionHeader(false) |
222 , m_state(Uninitialized) | 222 , m_state(Uninitialized) |
223 , m_scriptTagNestingLevel(0) | 223 , m_scriptTagNestingLevel(0) |
224 , m_encoding(UTF8Encoding()) | 224 , m_encoding(UTF8Encoding()) |
225 { | 225 { |
226 // Although tempting to call init() at this point, the various objects | 226 // Although tempting to call init() at this point, the various objects |
227 // we want to reference might not all have been constructed yet. | 227 // we want to reference might not all have been constructed yet. |
228 } | 228 } |
229 | 229 |
230 void XSSAuditor::initForFragment() | |
231 { | |
232 ASSERT(isMainThread()); | |
233 ASSERT(m_state == Uninitialized); | |
234 m_state = Initialized; | |
235 // When parsing a fragment, we don't enable the XSS auditor because it's | |
236 // too much overhead. | |
237 ASSERT(!m_isEnabled); | |
238 } | |
239 | |
230 void XSSAuditor::init(Document* document, XSSAuditorDelegate* auditorDelegate) | 240 void XSSAuditor::init(Document* document, XSSAuditorDelegate* auditorDelegate) |
231 { | 241 { |
232 const size_t miniumLengthForSuffixTree = 512; // FIXME: Tune this parameter. | 242 const size_t miniumLengthForSuffixTree = 512; // FIXME: Tune this parameter. |
233 const int suffixTreeDepth = 5; | 243 const int suffixTreeDepth = 5; |
234 | 244 |
235 ASSERT(isMainThread()); | 245 ASSERT(isMainThread()); |
236 if (m_state == Initialized) | 246 if (m_state == Initialized) |
237 return; | 247 return; |
238 ASSERT(m_state == Uninitialized); | 248 ASSERT(m_state == Uninitialized); |
239 m_state = Initialized; | 249 m_state = Initialized; |
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
317 | 327 |
318 if (m_decodedURL.isEmpty() && m_decodedHTTPBody.isEmpty()) { | 328 if (m_decodedURL.isEmpty() && m_decodedHTTPBody.isEmpty()) { |
319 m_isEnabled = false; | 329 m_isEnabled = false; |
320 return; | 330 return; |
321 } | 331 } |
322 } | 332 } |
323 | 333 |
324 PassOwnPtr<XSSInfo> XSSAuditor::filterToken(const FilterTokenRequest& request) | 334 PassOwnPtr<XSSInfo> XSSAuditor::filterToken(const FilterTokenRequest& request) |
325 { | 335 { |
326 ASSERT(m_state == Initialized); | 336 ASSERT(m_state == Initialized); |
327 if (!m_isEnabled || m_xssProtection == ContentSecurityPolicy::AllowReflected XSS) | 337 if (!m_isEnabled || m_xssProtection == ContentSecurityPolicy::AllowReflected XSS) |
tonyg
2013/04/22 16:06:01
Would it be cleaner to flip the order of the !m_is
abarth-chromium
2013/04/22 18:14:55
Yeah, that makes a lot of sense.
| |
328 return nullptr; | 338 return nullptr; |
329 | 339 |
330 bool didBlockScript = false; | 340 bool didBlockScript = false; |
331 if (request.token.type() == HTMLToken::StartTag) | 341 if (request.token.type() == HTMLToken::StartTag) |
332 didBlockScript = filterStartToken(request); | 342 didBlockScript = filterStartToken(request); |
333 else if (m_scriptTagNestingLevel) { | 343 else if (m_scriptTagNestingLevel) { |
334 if (request.token.type() == HTMLToken::Character) | 344 if (request.token.type() == HTMLToken::Character) |
335 didBlockScript = filterCharacterToken(request); | 345 didBlockScript = filterCharacterToken(request); |
336 else if (request.token.type() == HTMLToken::EndTag) | 346 else if (request.token.type() == HTMLToken::EndTag) |
337 filterEndToken(request); | 347 filterEndToken(request); |
(...skipping 389 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
727 | 737 |
728 bool XSSAuditor::isSafeToSendToAnotherThread() const | 738 bool XSSAuditor::isSafeToSendToAnotherThread() const |
729 { | 739 { |
730 return m_documentURL.isSafeToSendToAnotherThread() | 740 return m_documentURL.isSafeToSendToAnotherThread() |
731 && m_decodedURL.isSafeToSendToAnotherThread() | 741 && m_decodedURL.isSafeToSendToAnotherThread() |
732 && m_decodedHTTPBody.isSafeToSendToAnotherThread() | 742 && m_decodedHTTPBody.isSafeToSendToAnotherThread() |
733 && m_cachedDecodedSnippet.isSafeToSendToAnotherThread(); | 743 && m_cachedDecodedSnippet.isSafeToSendToAnotherThread(); |
734 } | 744 } |
735 | 745 |
736 } // namespace WebCore | 746 } // namespace WebCore |
OLD | NEW |