| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPSourceList.h" | 5 #include "core/frame/csp/CSPSourceList.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
| 8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 9 #include "platform/ParsingUtilities.h" | 9 #include "platform/ParsingUtilities.h" |
| 10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
| (...skipping 20 matching lines...) Expand all Loading... |
| 31 return true; | 31 return true; |
| 32 } | 32 } |
| 33 | 33 |
| 34 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) | 34 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) |
| 35 : m_policy(policy) | 35 : m_policy(policy) |
| 36 , m_directiveName(directiveName) | 36 , m_directiveName(directiveName) |
| 37 , m_allowSelf(false) | 37 , m_allowSelf(false) |
| 38 , m_allowStar(false) | 38 , m_allowStar(false) |
| 39 , m_allowInline(false) | 39 , m_allowInline(false) |
| 40 , m_allowEval(false) | 40 , m_allowEval(false) |
| 41 , m_allowDynamic(false) |
| 41 , m_hashAlgorithmsUsed(0) | 42 , m_hashAlgorithmsUsed(0) |
| 42 { | 43 { |
| 43 } | 44 } |
| 44 | 45 |
| 45 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const | 46 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const |
| 46 { | 47 { |
| 47 // The CSP spec specifically states that data:, blob:, and filesystem URLs | 48 // The CSP spec specifically states that data:, blob:, and filesystem URLs |
| 48 // should not be captured by a '*" source | 49 // should not be captured by a '*" source |
| 49 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the | 50 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the |
| 50 // case of a full wildcard, data:, blob:, and filesystem: URLs are | 51 // case of a full wildcard, data:, blob:, and filesystem: URLs are |
| (...skipping 15 matching lines...) Expand all Loading... |
| 66 bool CSPSourceList::allowInline() const | 67 bool CSPSourceList::allowInline() const |
| 67 { | 68 { |
| 68 return m_allowInline; | 69 return m_allowInline; |
| 69 } | 70 } |
| 70 | 71 |
| 71 bool CSPSourceList::allowEval() const | 72 bool CSPSourceList::allowEval() const |
| 72 { | 73 { |
| 73 return m_allowEval; | 74 return m_allowEval; |
| 74 } | 75 } |
| 75 | 76 |
| 77 bool CSPSourceList::allowDynamic() const |
| 78 { |
| 79 return m_allowDynamic; |
| 80 } |
| 81 |
| 76 bool CSPSourceList::allowNonce(const String& nonce) const | 82 bool CSPSourceList::allowNonce(const String& nonce) const |
| 77 { | 83 { |
| 78 return !nonce.isNull() && m_nonces.contains(nonce); | 84 return !nonce.isNull() && m_nonces.contains(nonce); |
| 79 } | 85 } |
| 80 | 86 |
| 81 bool CSPSourceList::allowHash(const CSPHashValue& hashValue) const | 87 bool CSPSourceList::allowHash(const CSPHashValue& hashValue) const |
| 82 { | 88 { |
| 83 return m_hashes.contains(hashValue); | 89 return m_hashes.contains(hashValue); |
| 84 } | 90 } |
| 85 | 91 |
| (...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 157 if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) { | 163 if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) { |
| 158 addSourceUnsafeInline(); | 164 addSourceUnsafeInline(); |
| 159 return true; | 165 return true; |
| 160 } | 166 } |
| 161 | 167 |
| 162 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { | 168 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { |
| 163 addSourceUnsafeEval(); | 169 addSourceUnsafeEval(); |
| 164 return true; | 170 return true; |
| 165 } | 171 } |
| 166 | 172 |
| 173 if (equalIgnoringCase("'unsafe-dynamic'", begin, end - begin)) { |
| 174 addSourceUnsafeDynamic(); |
| 175 return true; |
| 176 } |
| 177 |
| 167 String nonce; | 178 String nonce; |
| 168 if (!parseNonce(begin, end, nonce)) | 179 if (!parseNonce(begin, end, nonce)) |
| 169 return false; | 180 return false; |
| 170 | 181 |
| 171 if (!nonce.isNull()) { | 182 if (!nonce.isNull()) { |
| 172 addSourceNonce(nonce); | 183 addSourceNonce(nonce); |
| 173 return true; | 184 return true; |
| 174 } | 185 } |
| 175 | 186 |
| 176 DigestValue hash; | 187 DigestValue hash; |
| (...skipping 297 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 474 void CSPSourceList::addSourceUnsafeInline() | 485 void CSPSourceList::addSourceUnsafeInline() |
| 475 { | 486 { |
| 476 m_allowInline = true; | 487 m_allowInline = true; |
| 477 } | 488 } |
| 478 | 489 |
| 479 void CSPSourceList::addSourceUnsafeEval() | 490 void CSPSourceList::addSourceUnsafeEval() |
| 480 { | 491 { |
| 481 m_allowEval = true; | 492 m_allowEval = true; |
| 482 } | 493 } |
| 483 | 494 |
| 495 void CSPSourceList::addSourceUnsafeDynamic() |
| 496 { |
| 497 m_allowDynamic = true; |
| 498 } |
| 499 |
| 484 void CSPSourceList::addSourceNonce(const String& nonce) | 500 void CSPSourceList::addSourceNonce(const String& nonce) |
| 485 { | 501 { |
| 486 m_nonces.add(nonce); | 502 m_nonces.add(nonce); |
| 487 } | 503 } |
| 488 | 504 |
| 489 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) | 505 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) |
| 490 { | 506 { |
| 491 m_hashes.add(CSPHashValue(algorithm, hash)); | 507 m_hashes.add(CSPHashValue(algorithm, hash)); |
| 492 m_hashAlgorithmsUsed |= algorithm; | 508 m_hashAlgorithmsUsed |= algorithm; |
| 493 } | 509 } |
| 494 | 510 |
| 495 bool CSPSourceList::hasSourceMatchInList(const KURL& url, ContentSecurityPolicy:
:RedirectStatus redirectStatus) const | 511 bool CSPSourceList::hasSourceMatchInList(const KURL& url, ContentSecurityPolicy:
:RedirectStatus redirectStatus) const |
| 496 { | 512 { |
| 497 for (size_t i = 0; i < m_list.size(); ++i) { | 513 for (size_t i = 0; i < m_list.size(); ++i) { |
| 498 if (m_list[i].matches(url, redirectStatus)) | 514 if (m_list[i].matches(url, redirectStatus)) |
| 499 return true; | 515 return true; |
| 500 } | 516 } |
| 501 | 517 |
| 502 return false; | 518 return false; |
| 503 } | 519 } |
| 504 | 520 |
| 505 } // namespace blink | 521 } // namespace blink |
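Review bot: `'unsafe-dynamic'` is only recorded as a flag in this file (new lines 173–176, 495–498 and the `allowDynamic()` getter), while `matches()`, `allowInline()` and `hasSourceMatchInList()` are shown as unchanged context and still consult the host/scheme source list and `m_allowInline` with no reference to `m_allowDynamic`; the keyword's defining effect is that, when a nonce or hash is present, host-source, scheme-source, `'self'` and `'unsafe-inline'` entries are supposed to be disregarded. If that override is applied by the consumer of this list (for example where the directive list decides whether a script may run), a comment on `addSourceUnsafeDynamic()` naming that location would stop the next reader from assuming the source list enforces it on its own, e.g. `// Only records the keyword; the consumer is expected to ignore host/scheme sources and 'unsafe-inline' when a nonce or hash is also present.`. If no caller applies it yet, the keyword parses successfully but has no effect on enforcement, which is the case worth confirming before landing. The parse function containing the new keyword check begins and ends outside the visible hunk, so I cannot tell whether the keyword is rejected for directives where it is not meaningful.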