
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Issue 1747263002: CORS-RFC1918: Introduce 'treat-as-public-address' CSP directive (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@iprange
Patch Set: feedback/rebase Created 4 years, 9 months ago
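--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
 #include "core/frame/LocalFrame.h"
@@ -46,20 +46,21 @@
     , m_headerType(type)
     , m_headerSource(source)
     , m_reportOnly(false)
     , m_hasSandboxPolicy(false)
     , m_hasSuboriginPolicy(false)
     , m_reflectedXSSDisposition(ReflectedXSSUnset)
     , m_didSetReferrerPolicy(false)
     , m_referrerPolicy(ReferrerPolicyDefault)
     , m_strictMixedContentCheckingEnforced(false)
     , m_upgradeInsecureRequests(false)
+    , m_treatAsPublicAddress(false)
 {
     m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport;
 }
 
 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
 {
     OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type, source));
     directives->parse(begin, end);
 
     if (!directives->checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
@@ -582,20 +583,36 @@
         return;
     }
     m_hasSandboxPolicy = true;
     String invalidTokens;
     SpaceSplitString policyTokens(AtomicString(sandboxPolicy), SpaceSplitString::ShouldNotFoldCase);
     m_policy->enforceSandboxFlags(parseSandboxPolicy(policyTokens, invalidTokens));
     if (!invalidTokens.isNull())
         m_policy->reportInvalidSandboxFlags(invalidTokens);
 }
 
+void CSPDirectiveList::treatAsPublicAddress(const String& name, const String& value)
+{
+    if (m_reportOnly) {
+        m_policy->reportInvalidInReportOnly(name);
+        return;
+    }
+    if (m_treatAsPublicAddress) {
+        m_policy->reportDuplicateDirective(name);
+        return;
+    }
+    m_treatAsPublicAddress = true;
+    m_policy->treatAsPublicAddress();
+    if (!value.isEmpty())
+        m_policy->reportValueForEmptyDirective(name, value);
+}
+
 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, const String& value)
 {
     if (m_reportOnly) {
         m_policy->reportInvalidInReportOnly(name);
         return;
     }
     if (m_strictMixedContentCheckingEnforced) {
         m_policy->reportDuplicateDirective(name);
         return;
     }
@@ -814,17 +831,19 @@
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) {
         parseReferrer(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::UpgradeInsecureRequests)) {
         enableInsecureRequestsUpgrade(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedContent)) {
         enforceStrictMixedContentChecking(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
     } else if (RuntimeEnabledFeatures::suboriginsEnabled() && equalIgnoringCase(name, ContentSecurityPolicy::Suborigin)) {
         applySuboriginPolicy(name, value);
+    } else if (equalIgnoringCase(name, ContentSecurityPolicy::TreatAsPublicAddress)) {
+        treatAsPublicAddress(name, value);
     } else {
         m_policy->reportUnsupportedDirective(name);
     }
 }
 
 
 } // namespace blink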
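Review bot: The new dispatch branch at new line 841 makes `treat-as-public-address` reachable from every page unconditionally, whereas the neighbouring Suborigin branch is gated on `RuntimeEnabledFeatures::suboriginsEnabled()`; if CORS-RFC1918 is still experimental at this point, the branch should carry the matching runtime-enabled check, `RuntimeEnabledFeatures::<feature-flag>Enabled() && equalIgnoringCase(name, ContentSecurityPolicy::TreatAsPublicAddress)`, so the directive is not observable (and not relied on by sites) before it ships. The new `treatAsPublicAddress` handler at new lines 593-607 is also undocumented: its statement order means the policy is applied even when a value is supplied and the stray value is only reported, which is worth stating with a comment above line 605 such as `// Value-less directive: apply it, then warn about (and ignore) any value present.` Rejecting the directive in report-only mode mirrors `enforceStrictMixedContentChecking` directly below, which is consistent, but the header that declares `m_treatAsPublicAddress` is outside this view, so whether the new flag is documented there cannot be confirmed.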