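--- a/core/frame/csp/CSPDirectiveList.cpp
+++ b/core/frame/csp/CSPDirectiveList.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
 #include "core/frame/LocalFrame.h"
@@ -123,20 +123,25 @@
 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
 {
 return !directive || directive->allowNonce(nonce);
 }
 
 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const CSPHashValue& hashValue) const
 {
 return !directive || directive->allowHash(hashValue);
 }
 
+bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) const
+{
+return !directive || directive->allowHashedAttributes();
+}
+
 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const
 {
 return !directive || directive->allowDynamic();
 }
 
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url, ContentSecurityPolicy::RedirectStatus redirectStatus) const
 {
 // If |url| is empty, fall back to the policy URL to ensure that <object>'s
 // without a `src` can be blocked/allowed, as they can still load plugins
 // even though they don't actually have a URL.
@@ -416,27 +421,35 @@
 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const
 {
 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
 }
 
 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const
 {
 return checkNonce(operativeDirective(m_styleSrc.get()), nonce);
 }
 
-bool CSPDirectiveList::allowScriptHash(const CSPHashValue& hashValue) const
+bool CSPDirectiveList::allowScriptHash(const CSPHashValue& hashValue, ContentSecurityPolicy::InlineType type) const
 {
+if (type == ContentSecurityPolicy::InlineType::Attribute) {
+if (!m_policy->experimentalFeaturesEnabled())
+return false;
+if (!checkHashedAttributes(operativeDirective(m_scriptSrc.get())))
+return false;
+}
 return checkHash(operativeDirective(m_scriptSrc.get()), hashValue);
 }
 
-bool CSPDirectiveList::allowStyleHash(const CSPHashValue& hashValue) const
+bool CSPDirectiveList::allowStyleHash(const CSPHashValue& hashValue, ContentSecurityPolicy::InlineType type) const
 {
+if (type != ContentSecurityPolicy::InlineType::Block)
+return false;
 return checkHash(operativeDirective(m_styleSrc.get()), hashValue);
 }
 
 bool CSPDirectiveList::allowDynamic() const
 {
 return checkDynamic(operativeDirective(m_scriptSrc.get()));
 }
 
 const String& CSPDirectiveList::pluginTypesText() const
 {
@@ -827,10 +840,10 @@
 visitor->trace(m_imgSrc);
 visitor->trace(m_mediaSrc);
 visitor->trace(m_manifestSrc);
 visitor->trace(m_objectSrc);
 visitor->trace(m_scriptSrc);
 visitor->trace(m_styleSrc);
 }
 
 
 } // namespace blink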
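Review bot: allowScriptHash (new lines 433–438) only gates the `Attribute` case and lets any other InlineType value fall straight through to checkHash, whereas allowStyleHash (new lines 444–445) rejects everything that is not `Block`; if InlineType has, or later gains, a value other than these two, scripts would be the fail-open side. Mirroring the style path keeps the script check fail-closed: after the `Attribute` block add `else if (type != ContentSecurityPolicy::InlineType::Block) return false;`. The two-step gate also deserves a comment at line 433, since the order (feature flag first, then the directive's opt-in) is the whole point: `// Hashes match inline event-handler attributes only when the experimental flag is on AND the operative script directive opts in via checkHashedAttributes(); otherwise attribute hashes are rejected before checkHash runs.` Minor style: `operativeDirective(m_scriptSrc.get())` is evaluated twice in allowScriptHash (436 and 439) and could be hoisted into a local. checkHashedAttributes (133–136) follows its sibling helpers in treating a null directive as permitted, which is consistent with checkNonce/checkHash/checkDynamic above it.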