| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPSourceList.h" | 5 #include "core/frame/csp/CSPSourceList.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
| 8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 9 #include "platform/ParsingUtilities.h" | 9 #include "platform/ParsingUtilities.h" |
| 10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
| (...skipping 21 matching lines...) Expand all Loading... |
| 32 } | 32 } |
| 33 | 33 |
| 34 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) | 34 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) |
| 35 : m_policy(policy) | 35 : m_policy(policy) |
| 36 , m_directiveName(directiveName) | 36 , m_directiveName(directiveName) |
| 37 , m_allowSelf(false) | 37 , m_allowSelf(false) |
| 38 , m_allowStar(false) | 38 , m_allowStar(false) |
| 39 , m_allowInline(false) | 39 , m_allowInline(false) |
| 40 , m_allowEval(false) | 40 , m_allowEval(false) |
| 41 , m_allowDynamic(false) | 41 , m_allowDynamic(false) |
| 42 , m_allowHashedAttributes(false) |
| 42 , m_hashAlgorithmsUsed(0) | 43 , m_hashAlgorithmsUsed(0) |
| 43 { | 44 { |
| 44 } | 45 } |
| 45 | 46 |
| 46 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const | 47 bool CSPSourceList::matches(const KURL& url, ContentSecurityPolicy::RedirectStat
us redirectStatus) const |
| 47 { | 48 { |
| 48 // The CSP spec specifically states that data:, blob:, and filesystem URLs | 49 // The CSP spec specifically states that data:, blob:, and filesystem URLs |
| 49 // should not be captured by a '*" source | 50 // should not be captured by a '*" source |
| 50 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the | 51 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the |
| 51 // case of a full wildcard, data:, blob:, and filesystem: URLs are | 52 // case of a full wildcard, data:, blob:, and filesystem: URLs are |
| (...skipping 30 matching lines...) Expand all Loading... |
| 82 bool CSPSourceList::allowNonce(const String& nonce) const | 83 bool CSPSourceList::allowNonce(const String& nonce) const |
| 83 { | 84 { |
| 84 return !nonce.isNull() && m_nonces.contains(nonce); | 85 return !nonce.isNull() && m_nonces.contains(nonce); |
| 85 } | 86 } |
| 86 | 87 |
| 87 bool CSPSourceList::allowHash(const CSPHashValue& hashValue) const | 88 bool CSPSourceList::allowHash(const CSPHashValue& hashValue) const |
| 88 { | 89 { |
| 89 return m_hashes.contains(hashValue); | 90 return m_hashes.contains(hashValue); |
| 90 } | 91 } |
| 91 | 92 |
| 93 bool CSPSourceList::allowHashedAttributes() const |
| 94 { |
| 95 return m_allowHashedAttributes; |
| 96 } |
| 97 |
| 92 uint8_t CSPSourceList::hashAlgorithmsUsed() const | 98 uint8_t CSPSourceList::hashAlgorithmsUsed() const |
| 93 { | 99 { |
| 94 return m_hashAlgorithmsUsed; | 100 return m_hashAlgorithmsUsed; |
| 95 } | 101 } |
| 96 | 102 |
| 97 bool CSPSourceList::isHashOrNoncePresent() const | 103 bool CSPSourceList::isHashOrNoncePresent() const |
| 98 { | 104 { |
| 99 return !m_nonces.isEmpty() || m_hashAlgorithmsUsed != ContentSecurityPolicyH
ashAlgorithmNone; | 105 return !m_nonces.isEmpty() || m_hashAlgorithmsUsed != ContentSecurityPolicyH
ashAlgorithmNone; |
| 100 } | 106 } |
| 101 | 107 |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 168 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { | 174 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { |
| 169 addSourceUnsafeEval(); | 175 addSourceUnsafeEval(); |
| 170 return true; | 176 return true; |
| 171 } | 177 } |
| 172 | 178 |
| 173 if (equalIgnoringCase("'unsafe-dynamic'", begin, end - begin)) { | 179 if (equalIgnoringCase("'unsafe-dynamic'", begin, end - begin)) { |
| 174 addSourceUnsafeDynamic(); | 180 addSourceUnsafeDynamic(); |
| 175 return true; | 181 return true; |
| 176 } | 182 } |
| 177 | 183 |
| 184 if (equalIgnoringCase("'unsafe-hashed-attributes'", begin, end - begin)) { |
| 185 addSourceUnsafeHashedAttributes(); |
| 186 return true; |
| 187 } |
| 188 |
| 178 String nonce; | 189 String nonce; |
| 179 if (!parseNonce(begin, end, nonce)) | 190 if (!parseNonce(begin, end, nonce)) |
| 180 return false; | 191 return false; |
| 181 | 192 |
| 182 if (!nonce.isNull()) { | 193 if (!nonce.isNull()) { |
| 183 addSourceNonce(nonce); | 194 addSourceNonce(nonce); |
| 184 return true; | 195 return true; |
| 185 } | 196 } |
| 186 | 197 |
| 187 DigestValue hash; | 198 DigestValue hash; |
| (...skipping 302 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 490 void CSPSourceList::addSourceUnsafeEval() | 501 void CSPSourceList::addSourceUnsafeEval() |
| 491 { | 502 { |
| 492 m_allowEval = true; | 503 m_allowEval = true; |
| 493 } | 504 } |
| 494 | 505 |
| 495 void CSPSourceList::addSourceUnsafeDynamic() | 506 void CSPSourceList::addSourceUnsafeDynamic() |
| 496 { | 507 { |
| 497 m_allowDynamic = true; | 508 m_allowDynamic = true; |
| 498 } | 509 } |
| 499 | 510 |
| 511 void CSPSourceList::addSourceUnsafeHashedAttributes() |
| 512 { |
| 513 m_allowHashedAttributes = true; |
| 514 } |
| 515 |
| 500 void CSPSourceList::addSourceNonce(const String& nonce) | 516 void CSPSourceList::addSourceNonce(const String& nonce) |
| 501 { | 517 { |
| 502 m_nonces.add(nonce); | 518 m_nonces.add(nonce); |
| 503 } | 519 } |
| 504 | 520 |
| 505 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) | 521 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algo
rithm, const DigestValue& hash) |
| 506 { | 522 { |
| 507 m_hashes.add(CSPHashValue(algorithm, hash)); | 523 m_hashes.add(CSPHashValue(algorithm, hash)); |
| 508 m_hashAlgorithmsUsed |= algorithm; | 524 m_hashAlgorithmsUsed |= algorithm; |
| 509 } | 525 } |
| 510 | 526 |
| 511 bool CSPSourceList::hasSourceMatchInList(const KURL& url, ContentSecurityPolicy:
:RedirectStatus redirectStatus) const | 527 bool CSPSourceList::hasSourceMatchInList(const KURL& url, ContentSecurityPolicy:
:RedirectStatus redirectStatus) const |
| 512 { | 528 { |
| 513 for (size_t i = 0; i < m_list.size(); ++i) { | 529 for (size_t i = 0; i < m_list.size(); ++i) { |
| 514 if (m_list[i]->matches(url, redirectStatus)) | 530 if (m_list[i]->matches(url, redirectStatus)) |
| 515 return true; | 531 return true; |
| 516 } | 532 } |
| 517 | 533 |
| 518 return false; | 534 return false; |
| 519 } | 535 } |
| 520 | 536 |
| 521 DEFINE_TRACE(CSPSourceList) | 537 DEFINE_TRACE(CSPSourceList) |
| 522 { | 538 { |
| 523 visitor->trace(m_policy); | 539 visitor->trace(m_policy); |
| 524 visitor->trace(m_list); | 540 visitor->trace(m_list); |
| 525 } | 541 } |
| 526 | 542 |
| 527 } // namespace blink | 543 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1923273002:
CSP: Allow hashed inline event handlers only with 'unsafe-hashed-attributes' (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master