1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
122 // This covers the possible values of a violation's 'resource', as defined i
n | 122 // This covers the possible values of a violation's 'resource', as defined i
n |
123 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we | 123 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we |
124 // generate a report, we're guaranteed that the value isn't 'null', so we do
n't | 124 // generate a report, we're guaranteed that the value isn't 'null', so we do
n't |
125 // need that state in this enum. | 125 // need that state in this enum. |
126 enum ViolationType { | 126 enum ViolationType { |
127 InlineViolation, | 127 InlineViolation, |
128 EvalViolation, | 128 EvalViolation, |
129 URLViolation | 129 URLViolation |
130 }; | 130 }; |
131 | 131 |
| 132 enum class InlineType { |
| 133 Block, |
| 134 Attribute |
| 135 }; |
| 136 |
132 static ContentSecurityPolicy* create() | 137 static ContentSecurityPolicy* create() |
133 { | 138 { |
134 return new ContentSecurityPolicy(); | 139 return new ContentSecurityPolicy(); |
135 } | 140 } |
136 ~ContentSecurityPolicy(); | 141 ~ContentSecurityPolicy(); |
137 DECLARE_TRACE(); | 142 DECLARE_TRACE(); |
138 | 143 |
139 void bindToExecutionContext(ExecutionContext*); | 144 void bindToExecutionContext(ExecutionContext*); |
140 void copyStateFrom(const ContentSecurityPolicy*); | 145 void copyStateFrom(const ContentSecurityPolicy*); |
141 void copyPluginTypesFrom(const ContentSecurityPolicy*); | 146 void copyPluginTypesFrom(const ContentSecurityPolicy*); |
142 | 147 |
143 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); | 148 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); |
144 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten
tSecurityPolicyHeaderSource); | 149 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten
tSecurityPolicyHeaderSource); |
145 | 150 |
146 PassOwnPtr<Vector<CSPHeaderAndType>> headers() const; | 151 PassOwnPtr<Vector<CSPHeaderAndType>> headers() const; |
147 | 152 |
148 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; | 153 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; |
149 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ReportingStatus = SendReport) const; | 154 bool allowInlineEventHandler(const String& source, const String& contextURL,
const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; |
150 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, const String& scriptContent, ReportingStatus = SendReport) const; | 155 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, const String& scriptContent, ReportingStatus = SendReport) const; |
151 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, const String& styleContent, ReportingStatus = SendReport) const; | 156 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, const String& styleContent, ReportingStatus = SendReport) const; |
152 // When the reporting status is |SendReport|, the |ExceptionStatus| | 157 // When the reporting status is |SendReport|, the |ExceptionStatus| |
153 // should indicate whether the caller will throw a JavaScript | 158 // should indicate whether the caller will throw a JavaScript |
154 // exception in the event of a violation. When the caller will throw | 159 // exception in the event of a violation. When the caller will throw |
155 // an exception, ContentSecurityPolicy does not log a violation | 160 // an exception, ContentSecurityPolicy does not log a violation |
156 // message to the console because it would be redundant. | 161 // message to the console because it would be redundant. |
157 bool allowEval(ScriptState* = nullptr, ReportingStatus = SendReport, Excepti
onStatus = WillNotThrowException) const; | 162 bool allowEval(ScriptState* = nullptr, ReportingStatus = SendReport, Excepti
onStatus = WillNotThrowException) const; |
158 bool allowDynamic() const; | 163 bool allowDynamic() const; |
159 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ReportingStatus = SendReport) const; | 164 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ReportingStatus = SendReport) const; |
186 bool isFrameAncestorsEnforced() const; | 191 bool isFrameAncestorsEnforced() const; |
187 | 192 |
188 // The nonce and hash allow functions are guaranteed to not have any side | 193 // The nonce and hash allow functions are guaranteed to not have any side |
189 // effects, including reporting. | 194 // effects, including reporting. |
190 // Nonce/Hash functions check all policies relating to use of a script/style | 195 // Nonce/Hash functions check all policies relating to use of a script/style |
191 // with the given nonce/hash and return true all CSP policies allow it. | 196 // with the given nonce/hash and return true all CSP policies allow it. |
192 // If these return true, callers can then process the content or | 197 // If these return true, callers can then process the content or |
193 // issue a load and be safe disabling any further CSP checks. | 198 // issue a load and be safe disabling any further CSP checks. |
194 bool allowScriptWithNonce(const String& nonce) const; | 199 bool allowScriptWithNonce(const String& nonce) const; |
195 bool allowStyleWithNonce(const String& nonce) const; | 200 bool allowStyleWithNonce(const String& nonce) const; |
196 bool allowScriptWithHash(const String& source) const; | 201 bool allowScriptWithHash(const String& source, InlineType) const; |
197 bool allowStyleWithHash(const String& source) const; | 202 bool allowStyleWithHash(const String& source, InlineType) const; |
198 | 203 |
199 bool allowRequest(WebURLRequest::RequestContext, const KURL&, RedirectStatus
= DidNotRedirect, ReportingStatus = SendReport) const; | 204 bool allowRequest(WebURLRequest::RequestContext, const KURL&, RedirectStatus
= DidNotRedirect, ReportingStatus = SendReport) const; |
200 | 205 |
201 void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); | 206 void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); |
202 void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); | 207 void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); |
203 | 208 |
204 ReflectedXSSDisposition getReflectedXSSDisposition() const; | 209 ReflectedXSSDisposition getReflectedXSSDisposition() const; |
205 | 210 |
206 bool didSetReferrerPolicy() const; | 211 bool didSetReferrerPolicy() const; |
207 | 212 |
296 String m_disableEvalErrorMessage; | 301 String m_disableEvalErrorMessage; |
297 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy; | 302 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy; |
298 | 303 |
299 Member<CSPSource> m_selfSource; | 304 Member<CSPSource> m_selfSource; |
300 String m_selfProtocol; | 305 String m_selfProtocol; |
301 }; | 306 }; |
302 | 307 |
303 } // namespace blink | 308 } // namespace blink |
304 | 309 |
305 #endif | 310 #endif |
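Review bot: The new `InlineType` enum (new lines 132-135) and the `InlineType` parameter added to `allowScriptWithHash` and `allowStyleWithHash` (new lines 201-202) carry no comment, and the parameter is unnamed, so a reader of this header cannot tell what `Block` versus `Attribute` changes about hash matching; the nearby comment block (new lines 193-198) still describes these functions as taking only a source string. Suggest a comment above the enum along the lines of `// Kind of inline content being checked against a hash: code in an element's body (Block) or in an attribute value (Attribute); presumably the inline event handlers whose 'source' now reaches allowInlineEventHandler -- confirm against the .cpp.` and naming the parameter, e.g. `bool allowScriptWithHash(const String& source, InlineType) const;` -> `bool allowScriptWithHash(const String& source, InlineType type) const;`. As a point of style, the new type is an `enum class` while the adjacent `ViolationType` (new line 126) stays a plain enum; this is fine for a header, but worth a note so later additions follow the scoped form. The file header for this section is not visible in this view, so the surrounding class declaration is only partly shown.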