OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPSourceList.h" | 5 #include "core/frame/csp/CSPSourceList.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/ParsingUtilities.h" | 9 #include "platform/ParsingUtilities.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
(...skipping 20 matching lines...)
31 return true; | 31 return true; |
32 } | 32 } |
33 | 33 |
34 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) | 34 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) |
35 : m_policy(policy) | 35 : m_policy(policy) |
36 , m_directiveName(directiveName) | 36 , m_directiveName(directiveName) |
37 , m_allowSelf(false) | 37 , m_allowSelf(false) |
38 , m_allowStar(false) | 38 , m_allowStar(false) |
39 , m_allowInline(false) | 39 , m_allowInline(false) |
40 , m_allowEval(false) | 40 , m_allowEval(false) |
| 41 , m_allowDynamic(false) |
41 , m_hashAlgorithmsUsed(0) | 42 , m_hashAlgorithmsUsed(0) |
42 { | 43 { |
43 } | 44 } |
44 | 45 |
45 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const | 46 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const |
46 { | 47 { |
47 // The CSP spec specifically states that data:, blob:, and filesystem URLs | 48 // The CSP spec specifically states that data:, blob:, and filesystem URLs |
48 // should not be captured by a '*" source | 49 // should not be captured by a '*" source |
49 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the | 50 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the |
50 // case of a full wildcard, data:, blob:, and filesystem: URLs are | 51 // case of a full wildcard, data:, blob:, and filesystem: URLs are |
(...skipping 15 matching lines...)
66 bool CSPSourceList::allowInline() const | 67 bool CSPSourceList::allowInline() const |
67 { | 68 { |
68 return m_allowInline; | 69 return m_allowInline; |
69 } | 70 } |
70 | 71 |
71 bool CSPSourceList::allowEval() const | 72 bool CSPSourceList::allowEval() const |
72 { | 73 { |
73 return m_allowEval; | 74 return m_allowEval; |
74 } | 75 } |
75 | 76 |
| 77 bool CSPSourceList::allowDynamic() const |
| 78 { |
| 79 return m_allowDynamic; |
| 80 } |
| 81 |
76 bool CSPSourceList::allowNonce(const String& nonce) const | 82 bool CSPSourceList::allowNonce(const String& nonce) const |
77 { | 83 { |
78 return !nonce.isNull() && m_nonces.contains(nonce); | 84 return !nonce.isNull() && m_nonces.contains(nonce); |
79 } | 85 } |
80 | 86 |
81 bool CSPSourceList::allowHash(const CSPHashValue& hashValue) const | 87 bool CSPSourceList::allowHash(const CSPHashValue& hashValue) const |
82 { | 88 { |
83 return m_hashes.contains(hashValue); | 89 return m_hashes.contains(hashValue); |
84 } | 90 } |
85 | 91 |
(...skipping 71 matching lines...)
157 if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) { | 163 if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) { |
158 addSourceUnsafeInline(); | 164 addSourceUnsafeInline(); |
159 return true; | 165 return true; |
160 } | 166 } |
161 | 167 |
162 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { | 168 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { |
163 addSourceUnsafeEval(); | 169 addSourceUnsafeEval(); |
164 return true; | 170 return true; |
165 } | 171 } |
166 | 172 |
| 173 if (equalIgnoringCase("'unsafe-dynamic'", begin, end - begin)) { |
| 174 addSourceUnsafeDynamic(); |
| 175 return true; |
| 176 } |
| 177 |
167 String nonce; | 178 String nonce; |
168 if (!parseNonce(begin, end, nonce)) | 179 if (!parseNonce(begin, end, nonce)) |
169 return false; | 180 return false; |
170 | 181 |
171 if (!nonce.isNull()) { | 182 if (!nonce.isNull()) { |
172 addSourceNonce(nonce); | 183 addSourceNonce(nonce); |
173 return true; | 184 return true; |
174 } | 185 } |
175 | 186 |
176 DigestValue hash; | 187 DigestValue hash; |
(...skipping 297 matching lines...)
474 void CSPSourceList::addSourceUnsafeInline() | 485 void CSPSourceList::addSourceUnsafeInline() |
475 { | 486 { |
476 m_allowInline = true; | 487 m_allowInline = true; |
477 } | 488 } |
478 | 489 |
479 void CSPSourceList::addSourceUnsafeEval() | 490 void CSPSourceList::addSourceUnsafeEval() |
480 { | 491 { |
481 m_allowEval = true; | 492 m_allowEval = true; |
482 } | 493 } |
483 | 494 |
| 495 void CSPSourceList::addSourceUnsafeDynamic() |
| 496 { |
| 497 m_allowDynamic = true; |
| 498 } |
| 499 |
484 void CSPSourceList::addSourceNonce(const String& nonce) | 500 void CSPSourceList::addSourceNonce(const String& nonce) |
485 { | 501 { |
486 m_nonces.add(nonce); | 502 m_nonces.add(nonce); |
487 } | 503 } |
488 | 504 |
489 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) | 505 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) |
490 { | 506 { |
491 m_hashes.add(CSPHashValue(algorithm, hash)); | 507 m_hashes.add(CSPHashValue(algorithm, hash)); |
492 m_hashAlgorithmsUsed |= algorithm; | 508 m_hashAlgorithmsUsed |= algorithm; |
493 } | 509 } |
494 | 510 |
495 bool CSPSourceList::hasSourceMatchInList(const KURL& url, ContentSecurityPolicy:
:RedirectStatus redirectStatus) const | 511 bool CSPSourceList::hasSourceMatchInList(const KURL& url, ContentSecurityPolicy:
:RedirectStatus redirectStatus) const |
496 { | 512 { |
497 for (size_t i = 0; i < m_list.size(); ++i) { | 513 for (size_t i = 0; i < m_list.size(); ++i) { |
498 if (m_list[i].matches(url, redirectStatus)) | 514 if (m_list[i].matches(url, redirectStatus)) |
499 return true; | 515 return true; |
500 } | 516 } |
501 | 517 |
502 return false; | 518 return false; |
503 } | 519 } |
504 | 520 |
505 } // namespace blink | 521 } // namespace blink |
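Review bot: `m_allowDynamic` is set by the new `'unsafe-dynamic'` branch in the source parser, but nothing visible in this file makes the list stricter once it is set: `matches()` and `allowInline()` have no changed lines, and the elided part of `matches()` is marked as identical on both sides. The keyword is meant to make script checks disregard host and scheme sources, `'self'` and `'unsafe-inline'`, so if those checks keep succeeding, a policy such as `script-src 'nonce-…' 'unsafe-dynamic' https:` is enforced more loosely than its author intended. That enforcement may live in the caller, which this page does not show; if so, a comment on `allowDynamic()` such as `// Callers must ignore matches() and allowInline() for script loads when this is true.` would record the contract. If it is meant to live here, `return m_allowInline && !m_allowDynamic;` in `allowInline()` and an early `if (m_allowDynamic) return false;` in `matches()` would be the shape, applied only where the list belongs to a script directive. The new branch is taken for every directive's source list regardless of `m_directiveName`, so it is worth confirming that only script checks consult the flag.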
OLD | NEW |