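--- a/core/frame/csp/CSPDirectiveList.cpp
+++ b/core/frame/csp/CSPDirectiveList.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
 #include "core/frame/LocalFrame.h"
@@ -123,20 +123,25 @@
 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
 {
 return !directive || directive->allowNonce(nonce);
 }
 
 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const CSPHashValue& hashValue) const
 {
 return !directive || directive->allowHash(hashValue);
 }
 
+bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) const
+{
+return !directive || directive->allowHashedAttributes();
+}
+
 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const
 {
 return !directive || directive->allowDynamic();
 }
 
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url, ContentSecurityPolicy::RedirectStatus redirectStatus) const
 {
 // If |url| is empty, fall back to the policy URL to ensure that <object>'s
 // without a `src` can be blocked/allowed, as they can still load plugins
 // even though they don't actually have a URL.
@@ -416,27 +421,35 @@
 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const
 {
 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
 }
 
 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const
 {
 return checkNonce(operativeDirective(m_styleSrc.get()), nonce);
 }
 
-bool CSPDirectiveList::allowScriptHash(const CSPHashValue& hashValue) const
+bool CSPDirectiveList::allowScriptHash(const CSPHashValue& hashValue, ContentSecurityPolicy::InlineType type) const
 {
+if (type == ContentSecurityPolicy::InlineType::Attribute) {
+if (!m_policy->experimentalFeaturesEnabled())
+return false;
+if (!checkHashedAttributes(operativeDirective(m_scriptSrc.get())))
+return false;
+}
 return checkHash(operativeDirective(m_scriptSrc.get()), hashValue);
 }
 
-bool CSPDirectiveList::allowStyleHash(const CSPHashValue& hashValue) const
+bool CSPDirectiveList::allowStyleHash(const CSPHashValue& hashValue, ContentSecurityPolicy::InlineType type) const
 {
+if (type != ContentSecurityPolicy::InlineType::Block)
+return false;
 return checkHash(operativeDirective(m_styleSrc.get()), hashValue);
 }
 
 bool CSPDirectiveList::allowDynamic() const
 {
 return checkDynamic(operativeDirective(m_scriptSrc.get()));
 }
 
 const String& CSPDirectiveList::pluginTypesText() const
 {
@@ -827,10 +840,10 @@
 visitor->trace(m_imgSrc);
 visitor->trace(m_mediaSrc);
 visitor->trace(m_manifestSrc);
 visitor->trace(m_objectSrc);
 visitor->trace(m_scriptSrc);
 visitor->trace(m_styleSrc);
 }
 
 
 } // namespace blink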
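Review bot: The new attribute branch of allowScriptHash (new lines 433-438) resolves `operativeDirective(m_scriptSrc.get())` once for checkHashedAttributes and again for checkHash; hoist it into a local, `SourceListDirective* directive = operativeDirective(m_scriptSrc.get());`, and pass `directive` to both calls so the two checks cannot be evaluated against different directives if operativeDirective's fallback logic ever changes. Gating the attribute path on `experimentalFeaturesEnabled()` fails closed when the flag is off, which is the right default, but the new checkHashedAttributes helper (new lines 133-136) follows the other check* helpers in returning true for a null directive, so a policy with no script-src directive allows hashed attributes whenever the flag is on; a comment such as `// A missing script-src means no restriction, matching checkNonce/checkHash.` above the helper would make that deliberate rather than accidental. allowStyleHash rejects every type other than Block, while allowScriptHash only special-cases Attribute and lets any other value fall through to checkHash; if InlineType holds only Block and Attribute these agree, but a comment on allowScriptHash stating that assumption, or an explicit `switch` on `type`, would keep the two from silently diverging if a third value is added.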