
Side by Side Diff: Source/core/frame/ContentSecurityPolicy.cpp

Issue 150893004: CSP: 'self' should be handled correctly in sandboxes. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase Created 6 years, 10 months ago
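--- a/Source/core/frame/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/ContentSecurityPolicy.cpp
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2011 Google, Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
@@ -234,21 +234,21 @@
 return false;
 if (isSchemeOnly())
 return true;
 return hostMatches(url) && portMatches(url) && pathMatches(url);
 }
 
 private:
 bool schemeMatches(const KURL& url) const
 {
 if (m_scheme.isEmpty()) {
-String protectedResourceScheme(m_policy->securityOrigin()->protocol( ));
+String protectedResourceScheme(m_policy->url().protocol());
 if (equalIgnoringCase("http", protectedResourceScheme))
 return url.protocolIs("http") || url.protocolIs("https");
 return equalIgnoringCase(url.protocol(), protectedResourceScheme);
 }
 return equalIgnoringCase(url.protocol(), m_scheme);
 }
 
 bool hostMatches(const KURL& url) const
 {
 const String& host = url.host();
@@ -708,21 +708,30 @@
 if (position != end)
 return false;
 
 bool ok;
 port = charactersToIntStrict(begin, end - begin, &ok);
 return ok;
 }
 
 void CSPSourceList::addSourceSelf()
 {
-m_list.append(CSPSource(m_policy, m_policy->securityOrigin()->protocol(), m_ policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), String(), false, false));
+if (Document* document = m_policy->document()) {
+// srcdoc documents should use their parent document's URL as 'self', so walk the chain.
+Frame* frame = document->frame();
+while (frame->document()->isSrcdocDocument() && frame->tree().parent())
+frame = frame->tree().parent();
+document = frame->document();
+m_list.append(CSPSource(m_policy, document->url().protocol(), document-> url().host(), document->url().port(), String(), false, false));
+} else {
+m_list.append(CSPSource(m_policy, m_policy->url().protocol(), m_policy-> url().host(), m_policy->url().port(), String(), false, false));
+}
 }
 
 void CSPSourceList::addSourceStar()
 {
 m_allowStar = true;
 }
 
 void CSPSourceList::addSourceUnsafeInline()
 {
 m_allowInline = true;
@@ -2306,10 +2315,10 @@
 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
 return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
 m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace WebCore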
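Review bot: In the new `addSourceSelf()`, the result of `document->frame()` is dereferenced in the `while` condition without a null check, so a policy attached to a document that has no frame would crash before 'self' is computed. Guarding the walk, e.g. `while (frame && frame->document()->isSrcdocDocument() && frame->tree().parent())` followed by `if (frame) document = frame->document();`, keeps the fallback to the document's own URL. Separately, `schemeMatches()` now reads `m_policy->url().protocol()` and does not walk the srcdoc chain; if `m_policy->url()` returns the document's own URL (its definition is outside the lines shown), scheme-less sources in a srcdoc frame would be compared against a different scheme than the one `'self'` resolves to, which deserves a comment or a shared helper. `schemeMatches()` belongs to a class whose start is outside the visible lines.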