| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/dom/SecurityContext.h" | 8 #include "core/dom/SecurityContext.h" |
| 9 #include "core/dom/SpaceSplitString.h" | 9 #include "core/dom/SpaceSplitString.h" |
| 10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
| 124 return !directive || directive->allowNonce(nonce); | 124 return !directive || directive->allowNonce(nonce); |
| 125 } | 125 } |
| 126 | 126 |
| 127 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const CSPHashVa
lue& hashValue) const | 127 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const CSPHashVa
lue& hashValue) const |
| 128 { | 128 { |
| 129 return !directive || directive->allowHash(hashValue); | 129 return !directive || directive->allowHash(hashValue); |
| 130 } | 130 } |
| 131 | 131 |
| 132 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 132 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
| 133 { | 133 { |
| 134 if (!m_policy->experimentalFeaturesEnabled()) |
| 135 return false; |
| 134 return !directive || directive->allowDynamic(); | 136 return !directive || directive->allowDynamic(); |
| 135 } | 137 } |
| 136 | 138 |
| 137 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const | 139 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const |
| 138 { | 140 { |
| 139 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 141 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
| 140 // without a `src` can be blocked/allowed, as they can still load plugins | 142 // without a `src` can be blocked/allowed, as they can still load plugins |
| 141 // even though they don't actually have a URL. | 143 // even though they don't actually have a URL. |
| 142 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 144 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
| 143 } | 145 } |
| 230 if (!m_reportOnly) { | 232 if (!m_reportOnly) { |
| 231 if (isScript) | 233 if (isScript) |
| 232 m_policy->reportBlockedScriptExecutionToInspector(directive->text())
; | 234 m_policy->reportBlockedScriptExecutionToInspector(directive->text())
; |
| 233 return false; | 235 return false; |
| 234 } | 236 } |
| 235 return true; | 237 return true; |
| 236 } | 238 } |
| 237 | 239 |
| 238 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
ive, const KURL& url, const String& effectiveDirective, ContentSecurityPolicy::R
edirectStatus redirectStatus) const | 240 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
ive, const KURL& url, const String& effectiveDirective, ContentSecurityPolicy::R
edirectStatus redirectStatus) const |
| 239 { | 241 { |
| 240 if (checkSource(directive, url, redirectStatus)) | 242 if (!directive) |
| 243 return true; |
| 244 |
| 245 // We ignore URL-based whitelists if we're allowing dynamic script injection
. |
| 246 if (checkSource(directive, url, redirectStatus) && !checkDynamic(directive)) |
| 241 return true; | 247 return true; |
| 242 | 248 |
| 243 String prefix; | 249 String prefix; |
| 244 if (ContentSecurityPolicy::BaseURI == effectiveDirective) | 250 if (ContentSecurityPolicy::BaseURI == effectiveDirective) |
| 245 prefix = "Refused to set the document's base URI to '"; | 251 prefix = "Refused to set the document's base URI to '"; |
| 246 else if (ContentSecurityPolicy::ChildSrc == effectiveDirective) | 252 else if (ContentSecurityPolicy::ChildSrc == effectiveDirective) |
| 247 prefix = "Refused to create a child context containing '"; | 253 prefix = "Refused to create a child context containing '"; |
| 248 else if (ContentSecurityPolicy::ConnectSrc == effectiveDirective) | 254 else if (ContentSecurityPolicy::ConnectSrc == effectiveDirective) |
| 249 prefix = "Refused to connect to '"; | 255 prefix = "Refused to connect to '"; |
| 250 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 256 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
| 251 prefix = "Refused to load the font '"; | 257 prefix = "Refused to load the font '"; |
| 252 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 258 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
| 253 prefix = "Refused to send form data to '"; | 259 prefix = "Refused to send form data to '"; |
| 254 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 260 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
| 255 prefix = "Refused to frame '"; | 261 prefix = "Refused to frame '"; |
| 256 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 262 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
| 257 prefix = "Refused to load the image '"; | 263 prefix = "Refused to load the image '"; |
| 258 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 264 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
| 259 prefix = "Refused to load media from '"; | 265 prefix = "Refused to load media from '"; |
| 260 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) | 266 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) |
| 261 prefix = "Refused to load manifest from '"; | 267 prefix = "Refused to load manifest from '"; |
| 262 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 268 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
| 263 prefix = "Refused to load plugin data from '"; | 269 prefix = "Refused to load plugin data from '"; |
| 264 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 270 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
| 265 prefix = "Refused to load the script '"; | 271 prefix = "Refused to load the script '"; |
| 266 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 272 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
| 267 prefix = "Refused to load the stylesheet '"; | 273 prefix = "Refused to load the stylesheet '"; |
| 268 | 274 |
| 269 String suffix = String(); | 275 String suffix = String(); |
| 276 if (checkDynamic(directive)) |
| 277 suffix = " 'unsafe-dynamic' is present, so host-based whitelisting is di
sabled."; |
| 270 if (directive == m_defaultSrc) | 278 if (directive == m_defaultSrc) |
| 271 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 279 suffix = suffix + " Note that '" + effectiveDirective + "' was not expli
citly set, so 'default-src' is used as a fallback."; |
| 272 | 280 |
| 273 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); | 281 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); |
| 274 return denyIfEnforcingPolicy(); | 282 return denyIfEnforcingPolicy(); |
| 275 } | 283 } |
| 276 | 284 |
| 277 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, LocalFrame* frame, const KURL& url) const | 285 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, LocalFrame* frame, const KURL& url) const |
| 278 { | 286 { |
| 279 if (checkAncestors(directive, frame)) | 287 if (checkAncestors(directive, frame)) |
| 280 return true; | 288 return true; |
| 281 | 289 |
| 813 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | 821 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
| 814 } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase(
name, ContentSecurityPolicy::Suborigin)) { | 822 } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase(
name, ContentSecurityPolicy::Suborigin)) { |
| 815 applySuboriginPolicy(name, value); | 823 applySuboriginPolicy(name, value); |
| 816 } else { | 824 } else { |
| 817 m_policy->reportUnsupportedDirective(name); | 825 m_policy->reportUnsupportedDirective(name); |
| 818 } | 826 } |
| 819 } | 827 } |
| 820 | 828 |
| 821 | 829 |
| 822 } // namespace blink | 830 } // namespace blink |
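Review bot: `checkDynamic(directive)` is evaluated twice on the violation path of `checkSourceAndReportViolation` (new lines 246 and 276) — once to decide whether the URL whitelist is honoured and again to pick the message suffix — so the allow/report decision and the reported reason are computed separately and a reader has to re-derive that they agree. Bind it once after the null guard, `const bool dynamicAllowed = checkDynamic(directive);`, then `if (checkSource(directive, url, redirectStatus) && !dynamicAllowed) return true;` and `if (dynamicAllowed) suffix = " 'unsafe-dynamic' is present, so host-based whitelisting is disabled.";`. The comment `// We ignore URL-based whitelists if we're allowing dynamic script injection.` talks about scripts, yet this function is reached for every directive named in the prefix chain (img-src, style-src, connect-src, …); whether the parser refuses 'unsafe-dynamic' in a non-script source list is not visible in this diff, so either say so in the comment or guard the check with `effectiveDirective == ContentSecurityPolicy::ScriptSrc`, otherwise a stray keyword would silently drop host whitelisting for unrelated resource types. The same double evaluation does not apply to `checkDynamic` itself, whose new `experimentalFeaturesEnabled()` gate is fine as written.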