| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/dom/SecurityContext.h" | 8 #include "core/dom/SecurityContext.h" |
| 9 #include "core/dom/SpaceSplitString.h" | 9 #include "core/dom/SpaceSplitString.h" |
| 10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
| 133 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st | 133 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st |
| 134 { | 134 { |
| 135 return !directive || directive->allowHashedAttributes(); | 135 return !directive || directive->allowHashedAttributes(); |
| 136 } | 136 } |
| 137 | 137 |
| 138 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 138 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
| 139 { | 139 { |
| 140 return !directive || directive->allowDynamic(); | 140 return !directive || directive->allowDynamic(); |
| 141 } | 141 } |
| 142 | 142 |
| 143 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL) const |
| 144 { |
| 145 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, Conte
ntSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoints, m
_header, ContentSecurityPolicy::URLViolation); |
| 146 } |
| 147 |
| 143 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const | 148 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const |
| 144 { | 149 { |
| 145 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 150 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
| 146 // without a `src` can be blocked/allowed, as they can still load plugins | 151 // without a `src` can be blocked/allowed, as they can still load plugins |
| 147 // even though they don't actually have a URL. | 152 // even though they don't actually have a URL. |
| 148 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 153 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
| 149 } | 154 } |
| 150 | 155 |
| 151 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const | 156 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const |
| 152 { | 157 { |
| 633 return; | 638 return; |
| 634 } | 639 } |
| 635 m_treatAsPublicAddress = true; | 640 m_treatAsPublicAddress = true; |
| 636 m_policy->treatAsPublicAddress(); | 641 m_policy->treatAsPublicAddress(); |
| 637 if (!value.isEmpty()) | 642 if (!value.isEmpty()) |
| 638 m_policy->reportValueForEmptyDirective(name, value); | 643 m_policy->reportValueForEmptyDirective(name, value); |
| 639 } | 644 } |
| 640 | 645 |
| 641 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) | 646 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) |
| 642 { | 647 { |
| 643 if (m_reportOnly) { | |
| 644 m_policy->reportInvalidInReportOnly(name); | |
| 645 return; | |
| 646 } | |
| 647 if (m_strictMixedContentCheckingEnforced) { | 648 if (m_strictMixedContentCheckingEnforced) { |
| 648 m_policy->reportDuplicateDirective(name); | 649 m_policy->reportDuplicateDirective(name); |
| 649 return; | 650 return; |
| 650 } | 651 } |
| 651 m_strictMixedContentCheckingEnforced = true; | |
| 652 m_policy->enforceStrictMixedContentChecking(); | |
| 653 if (!value.isEmpty()) | 652 if (!value.isEmpty()) |
| 654 m_policy->reportValueForEmptyDirective(name, value); | 653 m_policy->reportValueForEmptyDirective(name, value); |
| 654 |
| 655 m_strictMixedContentCheckingEnforced = true; |
| 656 |
| 657 if (!m_reportOnly) |
| 658 m_policy->enforceStrictMixedContentChecking(); |
| 655 } | 659 } |
| 656 | 660 |
| 657 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) | 661 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) |
| 658 { | 662 { |
| 659 if (m_reportOnly) { | 663 if (m_reportOnly) { |
| 660 m_policy->reportInvalidInReportOnly(name); | 664 m_policy->reportInvalidInReportOnly(name); |
| 661 return; | 665 return; |
| 662 } | 666 } |
| 663 if (m_upgradeInsecureRequests) { | 667 if (m_upgradeInsecureRequests) { |
| 664 m_policy->reportDuplicateDirective(name); | 668 m_policy->reportDuplicateDirective(name); |
| 840 visitor->trace(m_imgSrc); | 844 visitor->trace(m_imgSrc); |
| 841 visitor->trace(m_mediaSrc); | 845 visitor->trace(m_mediaSrc); |
| 842 visitor->trace(m_manifestSrc); | 846 visitor->trace(m_manifestSrc); |
| 843 visitor->trace(m_objectSrc); | 847 visitor->trace(m_objectSrc); |
| 844 visitor->trace(m_scriptSrc); | 848 visitor->trace(m_scriptSrc); |
| 845 visitor->trace(m_styleSrc); | 849 visitor->trace(m_styleSrc); |
| 846 } | 850 } |
| 847 | 851 |
| 848 | 852 |
| 849 } // namespace blink | 853 } // namespace blink |
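Review bot: `m_strictMixedContentCheckingEnforced` is now set at new line 655 for report-only policies as well, while the `m_policy->enforceStrictMixedContentChecking()` call at new line 658 is skipped for them, so the member's name no longer describes what it records; a comment at the assignment would stop the next reader from assuming a set flag implies enforcement: `// Set for report-only policies too: the directive is tracked so that mixed-content violations are reported, but blocking is only enforced when !m_reportOnly.` The new `reportMixedContent` (new lines 143-146) contains no report-only branch of its own, so it presumably relies on `reportViolation` deriving report-versus-enforce behaviour from `m_header` / `m_reportEndpoints`; worth confirming that a report-only policy cannot block a load through this path. Passing `ContentSecurityPolicy::BlockAllMixedContent` for two consecutive arguments reads as directive text plus effective directive, but the `reportViolation` signature is outside this page, so a short `///` comment on `reportMixedContent` naming what each argument supplies (and that `mixedURL` is the blocked or would-be-blocked resource) would make the call self-explanatory.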