1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/dom/SecurityContext.h" | 8 #include "core/dom/SecurityContext.h" |
9 #include "core/dom/SpaceSplitString.h" | 9 #include "core/dom/SpaceSplitString.h" |
10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
132 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st | 132 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st |
133 { | 133 { |
134 return !directive || directive->allowHashedAttributes(); | 134 return !directive || directive->allowHashedAttributes(); |
135 } | 135 } |
136 | 136 |
137 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 137 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
138 { | 138 { |
139 return !directive || directive->allowDynamic(); | 139 return !directive || directive->allowDynamic(); |
140 } | 140 } |
141 | 141 |
| 142 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL) const |
| 143 { |
| 144 if (strictMixedContentChecking()) |
| 145 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C
ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint
s, m_header, ContentSecurityPolicy::URLViolation); |
| 146 } |
| 147 |
142 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const | 148 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const |
143 { | 149 { |
144 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 150 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
145 // without a `src` can be blocked/allowed, as they can still load plugins | 151 // without a `src` can be blocked/allowed, as they can still load plugins |
146 // even though they don't actually have a URL. | 152 // even though they don't actually have a URL. |
147 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 153 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
148 } | 154 } |
149 | 155 |
150 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const | 156 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const |
151 { | 157 { |
632 return; | 638 return; |
633 } | 639 } |
634 m_treatAsPublicAddress = true; | 640 m_treatAsPublicAddress = true; |
635 m_policy->treatAsPublicAddress(); | 641 m_policy->treatAsPublicAddress(); |
636 if (!value.isEmpty()) | 642 if (!value.isEmpty()) |
637 m_policy->reportValueForEmptyDirective(name, value); | 643 m_policy->reportValueForEmptyDirective(name, value); |
638 } | 644 } |
639 | 645 |
640 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) | 646 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) |
641 { | 647 { |
642 if (m_reportOnly) { | |
643 m_policy->reportInvalidInReportOnly(name); | |
644 return; | |
645 } | |
646 if (m_strictMixedContentCheckingEnforced) { | 648 if (m_strictMixedContentCheckingEnforced) { |
647 m_policy->reportDuplicateDirective(name); | 649 m_policy->reportDuplicateDirective(name); |
648 return; | 650 return; |
649 } | 651 } |
650 m_strictMixedContentCheckingEnforced = true; | |
651 m_policy->enforceStrictMixedContentChecking(); | |
652 if (!value.isEmpty()) | 652 if (!value.isEmpty()) |
653 m_policy->reportValueForEmptyDirective(name, value); | 653 m_policy->reportValueForEmptyDirective(name, value); |
| 654 |
| 655 m_strictMixedContentCheckingEnforced = true; |
| 656 |
| 657 if (!m_reportOnly) |
| 658 m_policy->enforceStrictMixedContentChecking(); |
654 } | 659 } |
655 | 660 |
656 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) | 661 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) |
657 { | 662 { |
658 if (m_reportOnly) { | 663 if (m_reportOnly) { |
659 m_policy->reportInvalidInReportOnly(name); | 664 m_policy->reportInvalidInReportOnly(name); |
660 return; | 665 return; |
661 } | 666 } |
662 if (m_upgradeInsecureRequests) { | 667 if (m_upgradeInsecureRequests) { |
663 m_policy->reportDuplicateDirective(name); | 668 m_policy->reportDuplicateDirective(name); |
839 visitor->trace(m_imgSrc); | 844 visitor->trace(m_imgSrc); |
840 visitor->trace(m_mediaSrc); | 845 visitor->trace(m_mediaSrc); |
841 visitor->trace(m_manifestSrc); | 846 visitor->trace(m_manifestSrc); |
842 visitor->trace(m_objectSrc); | 847 visitor->trace(m_objectSrc); |
843 visitor->trace(m_scriptSrc); | 848 visitor->trace(m_scriptSrc); |
844 visitor->trace(m_styleSrc); | 849 visitor->trace(m_styleSrc); |
845 } | 850 } |
846 | 851 |
847 | 852 |
848 } // namespace blink | 853 } // namespace blink |
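Review bot: In enforceStrictMixedContentChecking the member m_strictMixedContentCheckingEnforced is now set to true in report-only mode too (new line 655) while the policy-level enforceStrictMixedContentChecking() call is skipped (new lines 657-658), so the name no longer describes what the flag records and nothing in the hunk says why; a comment before line 655 would keep the next reader from "restoring" the old behavior, e.g. `// Set in both enforce and report-only mode: reportMixedContent() keys off this flag, while actual blocking (below) is enforce-only.` The asymmetry with the sibling directive is also worth stating, since enableInsecureRequestsUpgrade at new lines 663-666 still rejects report-only via reportInvalidInReportOnly. In the new reportMixedContent (new lines 142-146) the violation is sent whenever strictMixedContentChecking() is true regardless of m_reportOnly, which I read as intended so that report-only and enforce mode emit the same report; if the enforce-mode blocking path also reports the same URL elsewhere, the caller should make sure a single load is not reported twice, which cannot be confirmed from this hunk.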