
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h

Issue 1923273002: CSP: Allow hashed inline event handlers only with 'unsafe-hashed-attributes' (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 7 months ago
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
122 // This covers the possible values of a violation's 'resource', as defined i n 122 // This covers the possible values of a violation's 'resource', as defined i n
123 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we 123 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we
124 // generate a report, we're guaranteed that the value isn't 'null', so we do n't 124 // generate a report, we're guaranteed that the value isn't 'null', so we do n't
125 // need that state in this enum. 125 // need that state in this enum.
126 enum ViolationType { 126 enum ViolationType {
127 InlineViolation, 127 InlineViolation,
128 EvalViolation, 128 EvalViolation,
129 URLViolation 129 URLViolation
130 }; 130 };
131 131
132 enum class InlineType {
133 Block,
134 Attribute
135 };
136
132 static ContentSecurityPolicy* create() 137 static ContentSecurityPolicy* create()
133 { 138 {
134 return new ContentSecurityPolicy(); 139 return new ContentSecurityPolicy();
135 } 140 }
136 ~ContentSecurityPolicy(); 141 ~ContentSecurityPolicy();
137 DECLARE_TRACE(); 142 DECLARE_TRACE();
138 143
139 void bindToExecutionContext(ExecutionContext*); 144 void bindToExecutionContext(ExecutionContext*);
140 void copyStateFrom(const ContentSecurityPolicy*); 145 void copyStateFrom(const ContentSecurityPolicy*);
141 void copyPluginTypesFrom(const ContentSecurityPolicy*); 146 void copyPluginTypesFrom(const ContentSecurityPolicy*);
142 147
143 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); 148 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
144 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten tSecurityPolicyHeaderSource); 149 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten tSecurityPolicyHeaderSource);
145 150
146 PassOwnPtr<Vector<CSPHeaderAndType>> headers() const; 151 PassOwnPtr<Vector<CSPHeaderAndType>> headers() const;
147 152
148 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; 153 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
149 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu mber& contextLine, ReportingStatus = SendReport) const; 154 bool allowInlineEventHandler(const String& source, const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
150 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, const String& scriptContent, ReportingStatus = SendReport) const; 155 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, const String& scriptContent, ReportingStatus = SendReport) const;
151 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, const String& styleContent, ReportingStatus = SendReport) const; 156 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, const String& styleContent, ReportingStatus = SendReport) const;
152 // When the reporting status is |SendReport|, the |ExceptionStatus| 157 // When the reporting status is |SendReport|, the |ExceptionStatus|
153 // should indicate whether the caller will throw a JavaScript 158 // should indicate whether the caller will throw a JavaScript
154 // exception in the event of a violation. When the caller will throw 159 // exception in the event of a violation. When the caller will throw
155 // an exception, ContentSecurityPolicy does not log a violation 160 // an exception, ContentSecurityPolicy does not log a violation
156 // message to the console because it would be redundant. 161 // message to the console because it would be redundant.
157 bool allowEval(ScriptState* = nullptr, ReportingStatus = SendReport, Excepti onStatus = WillNotThrowException) const; 162 bool allowEval(ScriptState* = nullptr, ReportingStatus = SendReport, Excepti onStatus = WillNotThrowException) const;
158 bool allowDynamic() const; 163 bool allowDynamic() const;
159 bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const; 164 bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const;
186 bool isFrameAncestorsEnforced() const; 191 bool isFrameAncestorsEnforced() const;
187 192
188 // The nonce and hash allow functions are guaranteed to not have any side 193 // The nonce and hash allow functions are guaranteed to not have any side
189 // effects, including reporting. 194 // effects, including reporting.
190 // Nonce/Hash functions check all policies relating to use of a script/style 195 // Nonce/Hash functions check all policies relating to use of a script/style
191 // with the given nonce/hash and return true all CSP policies allow it. 196 // with the given nonce/hash and return true all CSP policies allow it.
192 // If these return true, callers can then process the content or 197 // If these return true, callers can then process the content or
193 // issue a load and be safe disabling any further CSP checks. 198 // issue a load and be safe disabling any further CSP checks.
194 bool allowScriptWithNonce(const String& nonce) const; 199 bool allowScriptWithNonce(const String& nonce) const;
195 bool allowStyleWithNonce(const String& nonce) const; 200 bool allowStyleWithNonce(const String& nonce) const;
196 bool allowScriptWithHash(const String& source) const; 201 bool allowScriptWithHash(const String& source, InlineType) const;
197 bool allowStyleWithHash(const String& source) const; 202 bool allowStyleWithHash(const String& source, InlineType) const;
198 203
199 bool allowRequest(WebURLRequest::RequestContext, const KURL&, RedirectStatus = DidNotRedirect, ReportingStatus = SendReport) const; 204 bool allowRequest(WebURLRequest::RequestContext, const KURL&, RedirectStatus = DidNotRedirect, ReportingStatus = SendReport) const;
200 205
201 void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); 206 void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
202 void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); 207 void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
203 208
204 ReflectedXSSDisposition getReflectedXSSDisposition() const; 209 ReflectedXSSDisposition getReflectedXSSDisposition() const;
205 210
206 bool didSetReferrerPolicy() const; 211 bool didSetReferrerPolicy() const;
207 212
296 String m_disableEvalErrorMessage; 301 String m_disableEvalErrorMessage;
297 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy; 302 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy;
298 303
299 Member<CSPSource> m_selfSource; 304 Member<CSPSource> m_selfSource;
300 String m_selfProtocol; 305 String m_selfProtocol;
301 }; 306 };
302 307
303 } // namespace blink 308 } // namespace blink
304 309
305 #endif 310 #endif
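Review bot: The new `InlineType` enum (new lines 132-135) and the `InlineType` argument added to `allowScriptWithHash`/`allowStyleWithHash` (new lines 201-202) have no comment, yet that distinction is the security boundary this CL introduces: judging by the CL title, a hash matching `Attribute` content (an inline event handler or style attribute) is presumably only honored when the policy opts in with 'unsafe-hashed-attributes', while a `Block` hash keeps its existing meaning. I would add above the enum: `// Whether hashed inline content is a <script>/<style> block or an event-handler/style attribute; Attribute hashes are only honored when the policy carries 'unsafe-hashed-attributes'.` The renamed `allowInlineEventHandler` now takes the handler `source` (new line 154), and the declaration should say that callers must pass the attribute value exactly as it will be hashed, since any normalization on the caller side would make the digest disagree with what a page author computes. The existing comment on the nonce/hash helpers (new lines 193-198) is now the only description of the `InlineType` parameter's effect and still reads "return true all CSP policies allow it", which is missing an "if"; fixing that sentence and mentioning the `InlineType` gate there would keep the header self-explanatory.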