1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/dom/SecurityContext.h" | 8 #include "core/dom/SecurityContext.h" |
9 #include "core/dom/SpaceSplitString.h" | 9 #include "core/dom/SpaceSplitString.h" |
10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
133 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st | 133 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st |
134 { | 134 { |
135 return !directive || directive->allowHashedAttributes(); | 135 return !directive || directive->allowHashedAttributes(); |
136 } | 136 } |
137 | 137 |
138 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 138 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
139 { | 139 { |
140 return !directive || directive->allowDynamic(); | 140 return !directive || directive->allowDynamic(); |
141 } | 141 } |
142 | 142 |
| 143 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL) const |
| 144 { |
| 145 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, Conte
ntSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoints, m
_header, ContentSecurityPolicy::URLViolation); |
| 146 } |
| 147 |
143 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const | 148 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const |
144 { | 149 { |
145 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 150 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
146 // without a `src` can be blocked/allowed, as they can still load plugins | 151 // without a `src` can be blocked/allowed, as they can still load plugins |
147 // even though they don't actually have a URL. | 152 // even though they don't actually have a URL. |
148 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 153 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
149 } | 154 } |
150 | 155 |
151 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const | 156 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const |
152 { | 157 { |
633 return; | 638 return; |
634 } | 639 } |
635 m_treatAsPublicAddress = true; | 640 m_treatAsPublicAddress = true; |
636 m_policy->treatAsPublicAddress(); | 641 m_policy->treatAsPublicAddress(); |
637 if (!value.isEmpty()) | 642 if (!value.isEmpty()) |
638 m_policy->reportValueForEmptyDirective(name, value); | 643 m_policy->reportValueForEmptyDirective(name, value); |
639 } | 644 } |
640 | 645 |
641 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) | 646 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) |
642 { | 647 { |
643 if (m_reportOnly) { | |
644 m_policy->reportInvalidInReportOnly(name); | |
645 return; | |
646 } | |
647 if (m_strictMixedContentCheckingEnforced) { | 648 if (m_strictMixedContentCheckingEnforced) { |
648 m_policy->reportDuplicateDirective(name); | 649 m_policy->reportDuplicateDirective(name); |
649 return; | 650 return; |
650 } | 651 } |
651 m_strictMixedContentCheckingEnforced = true; | |
652 m_policy->enforceStrictMixedContentChecking(); | |
653 if (!value.isEmpty()) | 652 if (!value.isEmpty()) |
654 m_policy->reportValueForEmptyDirective(name, value); | 653 m_policy->reportValueForEmptyDirective(name, value); |
| 654 |
| 655 m_strictMixedContentCheckingEnforced = true; |
| 656 |
| 657 if (!m_reportOnly) |
| 658 m_policy->enforceStrictMixedContentChecking(); |
655 } | 659 } |
656 | 660 |
657 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) | 661 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) |
658 { | 662 { |
659 if (m_reportOnly) { | 663 if (m_reportOnly) { |
660 m_policy->reportInvalidInReportOnly(name); | 664 m_policy->reportInvalidInReportOnly(name); |
661 return; | 665 return; |
662 } | 666 } |
663 if (m_upgradeInsecureRequests) { | 667 if (m_upgradeInsecureRequests) { |
664 m_policy->reportDuplicateDirective(name); | 668 m_policy->reportDuplicateDirective(name); |
840 visitor->trace(m_imgSrc); | 844 visitor->trace(m_imgSrc); |
841 visitor->trace(m_mediaSrc); | 845 visitor->trace(m_mediaSrc); |
842 visitor->trace(m_manifestSrc); | 846 visitor->trace(m_manifestSrc); |
843 visitor->trace(m_objectSrc); | 847 visitor->trace(m_objectSrc); |
844 visitor->trace(m_scriptSrc); | 848 visitor->trace(m_scriptSrc); |
845 visitor->trace(m_styleSrc); | 849 visitor->trace(m_styleSrc); |
846 } | 850 } |
847 | 851 |
848 | 852 |
849 } // namespace blink | 853 } // namespace blink |
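Review bot: In enforceStrictMixedContentChecking, m_strictMixedContentCheckingEnforced is now set (new line 655) even when m_reportOnly is true, so the member no longer means what its name says: it records that `block-all-mixed-content` was present in this header (and feeds the duplicate-directive check on line 648), while actual enforcement via m_policy->enforceStrictMixedContentChecking() on lines 657–658 is gated on !m_reportOnly. A comment above the assignment would stop a future reader from treating the flag as "mixed content is blocked": `// Set in report-only mode too: this records that the directive was parsed (for duplicate detection and reportMixedContent), not that blocking is active.` Separately, the new reportMixedContent passes an empty console message (`String()`) to reportViolation and nothing in the hunk distinguishes the report-only case, so the violation report presumably relies on m_header / the caller to convey disposition — worth confirming against ContentSecurityPolicy::reportViolation, which is outside this page. Both functions are complete within the hunks shown.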