| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2012 Google, Inc. All rights reserved. | 2 * Copyright (C) 2012 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 52 matching lines...) | |
| 63 if (!isPolicyActiveInContext(context)) | 63 if (!isPolicyActiveInContext(context)) |
| 64 return true; | 64 return true; |
| 65 | 65 |
| 66 KURL parsedURL = context->completeURL(url); | 66 KURL parsedURL = context->completeURL(url); |
| 67 if (!parsedURL.isValid()) | 67 if (!parsedURL.isValid()) |
| 68 return false; // FIXME: Figure out how to throw a JavaScript error. | 68 return false; // FIXME: Figure out how to throw a JavaScript error. |
| 69 | 69 |
| 70 return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentS ecurityPolicy::SuppressReport); | 70 return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, ContentS ecurityPolicy::SuppressReport); |
| 71 } | 71 } |
| 72 | 72 |
| 73 template<bool (ContentSecurityPolicy::*allowWithURLAndNonce)(const KURL&, const String&, ContentSecurityPolicy::ReportingStatus) const> | |
| 74 bool isAllowedWithURLAndNonce(ScriptExecutionContext* context, const String& url , const String& nonce) | |
| 75 { | |
| 76 if (!isPolicyActiveInContext(context)) | |
| 77 return true; | |
| 78 | |
| 79 KURL parsedURL = context->completeURL(url); | |
| 80 if (!parsedURL.isValid()) | |
| 81 return false; // FIXME: Figure out how to throw a JavaScript error. | |
| 82 | |
| 83 return (context->contentSecurityPolicy()->*allowWithURLAndNonce)(parsedURL, nonce, ContentSecurityPolicy::SuppressReport); | |
| 84 } | |
| 85 | |
| 86 template<bool (ContentSecurityPolicy::*allowWithNonce)(const String&, const Stri ng&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> | |
| 87 bool isAllowedWithNonce(ScriptExecutionContext* context, const String& nonce) | |
| 88 { | |
| 89 if (!isPolicyActiveInContext(context)) | |
| 90 return true; | |
| 91 | |
| 92 return (context->contentSecurityPolicy()->*allowWithNonce)(nonce, String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); | |
| 93 } | |
| 94 | |
| 73 template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WT F::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> | 95 template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WT F::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const> |
| 74 bool isAllowed(ScriptExecutionContext* context) | 96 bool isAllowed(ScriptExecutionContext* context) |
| 75 { | 97 { |
| 76 if (!isPolicyActiveInContext(context)) | 98 if (!isPolicyActiveInContext(context)) |
| 77 return true; | 99 return true; |
| 78 | 100 |
| 79 return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF:: OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); | 101 return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF:: OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport); |
| 80 } | 102 } |
| 81 | |
|
abarth-chromium
2013/05/14 05:58:16
You should leave this blank line.
jww
2013/05/14 20:49:30
Done.
| |
| 82 } // namespace | 103 } // namespace |
| 83 | 104 |
| 84 DOMSecurityPolicy::DOMSecurityPolicy(ScriptExecutionContext* context) | 105 DOMSecurityPolicy::DOMSecurityPolicy(ScriptExecutionContext* context) |
| 85 : ContextDestructionObserver(context) | 106 : ContextDestructionObserver(context) |
| 86 { | 107 { |
| 87 } | 108 } |
| 88 | 109 |
| 89 DOMSecurityPolicy::~DOMSecurityPolicy() | 110 DOMSecurityPolicy::~DOMSecurityPolicy() |
| 90 { | 111 { |
| 91 } | 112 } |
| 92 | 113 |
| 93 bool DOMSecurityPolicy::isActive() const | 114 bool DOMSecurityPolicy::isActive() const |
| 94 { | 115 { |
| 95 return isPolicyActiveInContext(scriptExecutionContext()); | 116 return isPolicyActiveInContext(scriptExecutionContext()); |
| 96 } | 117 } |
| 97 | 118 |
| 98 PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const | 119 PassRefPtr<DOMStringList> DOMSecurityPolicy::reportURIs() const |
| 99 { | 120 { |
| 100 RefPtr<DOMStringList> result = DOMStringList::create(); | 121 RefPtr<DOMStringList> result = DOMStringList::create(); |
| 101 | 122 |
| 102 if (isActive()) | 123 if (isActive()) |
| 103 scriptExecutionContext()->contentSecurityPolicy()->gatherReportURIs(*res ult.get()); | 124 scriptExecutionContext()->contentSecurityPolicy()->gatherReportURIs(*res ult.get()); |
| 104 | 125 |
| 105 return result.release(); | 126 return result.release(); |
| 106 } | 127 } |
| 107 | 128 |
| 108 bool DOMSecurityPolicy::allowsInlineScript() const | 129 bool DOMSecurityPolicy::allowsInlineScript() const |
| 109 { | 130 { |
| 110 return isAllowed<&ContentSecurityPolicy::allowInlineScript>(scriptExecutionC ontext()); | 131 return isAllowedWithNonce<&ContentSecurityPolicy::allowInlineScript>(scriptE xecutionContext(), String()); |
| 111 } | 132 } |
| 112 | 133 |
| 113 bool DOMSecurityPolicy::allowsInlineStyle() const | 134 bool DOMSecurityPolicy::allowsInlineStyle() const |
| 114 { | 135 { |
| 115 return isAllowed<&ContentSecurityPolicy::allowInlineStyle>(scriptExecutionCo ntext()); | 136 return isAllowed<&ContentSecurityPolicy::allowInlineStyle>(scriptExecutionCo ntext()); |
| 116 } | 137 } |
| 117 | 138 |
| 118 bool DOMSecurityPolicy::allowsEval() const | 139 bool DOMSecurityPolicy::allowsEval() const |
| 119 { | 140 { |
| 120 if (!isActive()) | 141 if (!isActive()) |
| (...skipping 38 matching lines...) | |
| 159 return isAllowedWithURL<&ContentSecurityPolicy::allowObjectFromSource>(scrip tExecutionContext(), url); | 180 return isAllowedWithURL<&ContentSecurityPolicy::allowObjectFromSource>(scrip tExecutionContext(), url); |
| 160 } | 181 } |
| 161 | 182 |
| 162 bool DOMSecurityPolicy::allowsPluginType(const String& type) const | 183 bool DOMSecurityPolicy::allowsPluginType(const String& type) const |
| 163 { | 184 { |
| 164 return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(scriptExec utionContext(), type); | 185 return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(scriptExec utionContext(), type); |
| 165 } | 186 } |
| 166 | 187 |
| 167 bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const | 188 bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const |
| 168 { | 189 { |
| 169 return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(scrip tExecutionContext(), url); | 190 return isAllowedWithURLAndNonce<&ContentSecurityPolicy::allowScriptFromSourc e>(scriptExecutionContext(), url, String()); |
| 170 } | 191 } |
| 171 | 192 |
| 172 bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const | 193 bool DOMSecurityPolicy::allowsStyleFrom(const String& url) const |
| 173 { | 194 { |
| 174 return isAllowedWithURL<&ContentSecurityPolicy::allowStyleFromSource>(script ExecutionContext(), url); | 195 return isAllowedWithURL<&ContentSecurityPolicy::allowStyleFromSource>(script ExecutionContext(), url); |
| 175 } | 196 } |
| 176 | 197 |
| 177 } // namespace WebCore | 198 } // namespace WebCore |
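Review bot: In `allowsInlineScript()` and `allowsScriptFrom()` (new lines 131 and 190) the nonce-aware checks are always called with a null `String()` nonce, and nothing in the code says this is deliberate. As written, the DOM API appears to answer only "would a script that carries no nonce be allowed", so under a policy that admits scripts solely by nonce both methods would presumably report false. That relies on `ContentSecurityPolicy` treating a null nonce as never matching, which is not visible on this page and is worth confirming. I would add a comment at both call sites, e.g. `// Null nonce: ask whether a script with no nonce attribute would be allowed.` Separately, in `isAllowedWithNonce` (new lines 86-93) the nonce and the context URL are adjacent `const String&` arguments, so a swapped order would compile silently; a short comment naming each positional argument in the call on new line 92 would help.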