1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/dom/SecurityContext.h" | 8 #include "core/dom/SecurityContext.h" |
9 #include "core/dom/SpaceSplitString.h" | 9 #include "core/dom/SpaceSplitString.h" |
10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
124 return !directive || directive->allowNonce(nonce); | 124 return !directive || directive->allowNonce(nonce); |
125 } | 125 } |
126 | 126 |
127 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const CSPHashVa
lue& hashValue) const | 127 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const CSPHashVa
lue& hashValue) const |
128 { | 128 { |
129 return !directive || directive->allowHash(hashValue); | 129 return !directive || directive->allowHash(hashValue); |
130 } | 130 } |
131 | 131 |
132 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 132 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
133 { | 133 { |
| 134 if (!m_policy->experimentalFeaturesEnabled()) |
| 135 return false; |
134 return !directive || directive->allowDynamic(); | 136 return !directive || directive->allowDynamic(); |
135 } | 137 } |
136 | 138 |
137 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const | 139 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const |
138 { | 140 { |
139 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 141 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
140 // without a `src` can be blocked/allowed, as they can still load plugins | 142 // without a `src` can be blocked/allowed, as they can still load plugins |
141 // even though they don't actually have a URL. | 143 // even though they don't actually have a URL. |
142 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 144 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
143 } | 145 } |
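Review bot: The new feature-flag gate on lines 134-135 leaves the null-directive case at line 136 returning true, so `checkDynamic(nullptr)` reads as "allowed" like the other check* helpers, but a caller that negates the result (as `checkSourceAndReportViolation` now does) gets the opposite meaning and must guard null itself. That asymmetry is worth stating at the call site's contract: `// A null directive imposes no restriction, so this returns true (when the feature is enabled); callers that negate the result must null-check |directive| themselves.`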
230 if (!m_reportOnly) { | 232 if (!m_reportOnly) { |
231 if (isScript) | 233 if (isScript) |
232 m_policy->reportBlockedScriptExecutionToInspector(directive->text())
; | 234 m_policy->reportBlockedScriptExecutionToInspector(directive->text())
; |
233 return false; | 235 return false; |
234 } | 236 } |
235 return true; | 237 return true; |
236 } | 238 } |
237 | 239 |
238 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
ive, const KURL& url, const String& effectiveDirective, ContentSecurityPolicy::R
edirectStatus redirectStatus) const | 240 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
ive, const KURL& url, const String& effectiveDirective, ContentSecurityPolicy::R
edirectStatus redirectStatus) const |
239 { | 241 { |
240 if (checkSource(directive, url, redirectStatus)) | 242 if (!directive) |
| 243 return true; |
| 244 |
| 245 // We ignore URL-based whitelists if we're allowing dynamic script injection
. |
| 246 if (checkSource(directive, url, redirectStatus) && !checkDynamic(directive)) |
241 return true; | 247 return true; |
242 | 248 |
243 String prefix; | 249 String prefix; |
244 if (ContentSecurityPolicy::BaseURI == effectiveDirective) | 250 if (ContentSecurityPolicy::BaseURI == effectiveDirective) |
245 prefix = "Refused to set the document's base URI to '"; | 251 prefix = "Refused to set the document's base URI to '"; |
246 else if (ContentSecurityPolicy::ChildSrc == effectiveDirective) | 252 else if (ContentSecurityPolicy::ChildSrc == effectiveDirective) |
247 prefix = "Refused to create a child context containing '"; | 253 prefix = "Refused to create a child context containing '"; |
248 else if (ContentSecurityPolicy::ConnectSrc == effectiveDirective) | 254 else if (ContentSecurityPolicy::ConnectSrc == effectiveDirective) |
249 prefix = "Refused to connect to '"; | 255 prefix = "Refused to connect to '"; |
250 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 256 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
251 prefix = "Refused to load the font '"; | 257 prefix = "Refused to load the font '"; |
252 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 258 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
253 prefix = "Refused to send form data to '"; | 259 prefix = "Refused to send form data to '"; |
254 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 260 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
255 prefix = "Refused to frame '"; | 261 prefix = "Refused to frame '"; |
256 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 262 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
257 prefix = "Refused to load the image '"; | 263 prefix = "Refused to load the image '"; |
258 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 264 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
259 prefix = "Refused to load media from '"; | 265 prefix = "Refused to load media from '"; |
260 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) | 266 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) |
261 prefix = "Refused to load manifest from '"; | 267 prefix = "Refused to load manifest from '"; |
262 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 268 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
263 prefix = "Refused to load plugin data from '"; | 269 prefix = "Refused to load plugin data from '"; |
264 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 270 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
265 prefix = "Refused to load the script '"; | 271 prefix = "Refused to load the script '"; |
266 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 272 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
267 prefix = "Refused to load the stylesheet '"; | 273 prefix = "Refused to load the stylesheet '"; |
268 | 274 |
269 String suffix = String(); | 275 String suffix = String(); |
| 276 if (checkDynamic(directive)) |
| 277 suffix = " 'unsafe-dynamic' is present, so host-based whitelisting is di
sabled."; |
270 if (directive == m_defaultSrc) | 278 if (directive == m_defaultSrc) |
271 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 279 suffix = suffix + " Note that '" + effectiveDirective + "' was not expli
citly set, so 'default-src' is used as a fallback."; |
272 | 280 |
273 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); | 281 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); |
274 return denyIfEnforcingPolicy(); | 282 return denyIfEnforcingPolicy(); |
275 } | 283 } |
276 | 284 |
277 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, LocalFrame* frame, const KURL& url) const | 285 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, LocalFrame* frame, const KURL& url) const |
278 { | 286 { |
279 if (checkAncestors(directive, frame)) | 287 if (checkAncestors(directive, frame)) |
280 return true; | 288 return true; |
281 | 289 |
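Review bot: The gate on line 246 applies to every effectiveDirective that reaches this function (images, styles, fonts, connections, etc.), while the comment on line 245 describes the intent as dynamic script injection; if 'unsafe-dynamic' appears in default-src, the fallback path on lines 278-279 would report host-whitelisted non-script loads as violations with the "host-based whitelisting is disabled" suffix. If the intended scope is script-only, the condition should also require the directive to be the script one, e.g. `const bool ignoreHostWhitelist = checkDynamic(directive) && effectiveDirective == ContentSecurityPolicy::ScriptSrc;` and then `if (checkSource(directive, url, redirectStatus) && !ignoreHostWhitelist)`; if the wider scope is intended, the comment on line 245 should say so explicitly. Either way, `checkDynamic(directive)` is evaluated twice (lines 246 and 276); computing it once into a local keeps the gate and the message consistent. The null guard on lines 242-243 is load-bearing, because `checkDynamic(nullptr)` returns true and the combined condition would otherwise fall through to `directive->text()`; a one-line comment there would keep a later cleanup from removing it as redundant with `checkSource`.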
813 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | 821 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
814 } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase(
name, ContentSecurityPolicy::Suborigin)) { | 822 } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase(
name, ContentSecurityPolicy::Suborigin)) { |
815 applySuboriginPolicy(name, value); | 823 applySuboriginPolicy(name, value); |
816 } else { | 824 } else { |
817 m_policy->reportUnsupportedDirective(name); | 825 m_policy->reportUnsupportedDirective(name); |
818 } | 826 } |
819 } | 827 } |
820 | 828 |
821 | 829 |
822 } // namespace blink | 830 } // namespace blink |