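--- a/core/frame/csp/CSPDirectiveList.cpp
+++ b/core/frame/csp/CSPDirectiveList.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
 #include "core/frame/LocalFrame.h"
@@ -46,20 +46,21 @@
     , m_headerType(type)
     , m_headerSource(source)
     , m_reportOnly(false)
     , m_hasSandboxPolicy(false)
     , m_hasSuboriginPolicy(false)
     , m_reflectedXSSDisposition(ReflectedXSSUnset)
     , m_didSetReferrerPolicy(false)
     , m_referrerPolicy(ReferrerPolicyDefault)
     , m_strictMixedContentCheckingEnforced(false)
     , m_upgradeInsecureRequests(false)
+    , m_treatAsPublicAddress(false)
 {
     m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport;
 }
 
 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
 {
     OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type, source));
     directives->parse(begin, end);
 
     if (!directives->checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
@@ -582,20 +583,36 @@
         return;
     }
     m_hasSandboxPolicy = true;
     String invalidTokens;
     SpaceSplitString policyTokens(AtomicString(sandboxPolicy), SpaceSplitString::ShouldNotFoldCase);
     m_policy->enforceSandboxFlags(parseSandboxPolicy(policyTokens, invalidTokens));
     if (!invalidTokens.isNull())
         m_policy->reportInvalidSandboxFlags(invalidTokens);
 }
 
+void CSPDirectiveList::treatAsPublicAddress(const String& name, const String& value)
+{
+    if (m_reportOnly) {
+        m_policy->reportInvalidInReportOnly(name);
+        return;
+    }
+    if (m_treatAsPublicAddress) {
+        m_policy->reportDuplicateDirective(name);
+        return;
+    }
+    m_treatAsPublicAddress = true;
+    m_policy->treatAsPublicAddress();
+    if (!value.isEmpty())
+        m_policy->reportValueForEmptyDirective(name, value);
+}
+
 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, const String& value)
 {
     if (m_reportOnly) {
         m_policy->reportInvalidInReportOnly(name);
         return;
     }
     if (m_strictMixedContentCheckingEnforced) {
         m_policy->reportDuplicateDirective(name);
         return;
     }
@@ -814,17 +831,19 @@
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) {
         parseReferrer(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::UpgradeInsecureRequests)) {
         enableInsecureRequestsUpgrade(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedContent)) {
         enforceStrictMixedContentChecking(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
     } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase(name, ContentSecurityPolicy::Suborigin)) {
         applySuboriginPolicy(name, value);
+    } else if (equalIgnoringCase(name, ContentSecurityPolicy::TreatAsPublicAddress)) {
+        treatAsPublicAddress(name, value);
     } else {
         m_policy->reportUnsupportedDirective(name);
     }
 }
 
 
 } // namespace blink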
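Review bot: The `ContentSecurityPolicy::TreatAsPublicAddress` branch at new line 841 is not gated behind a RuntimeEnabledFeatures check, unlike the Suborigin branch directly above it, so the directive takes effect for every page the moment this lands rather than behind an experimental flag; if a staged rollout is intended, gate it the same way, and if it is deliberately always-on, a one-line comment saying so would save the next reader the question. The new handler at new lines 593–607 also carries no comment; I would put `// Valueless, enforce-only directive: rejected in report-only policies, reported as a duplicate on repeat; any supplied value is reported but otherwise ignored.` above its definition. The handler's shape mirrors enforceStrictMixedContentChecking, whose body continues past the hunk, so I have not verified that the trailing value check there matches.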