| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
| 8 #include "core/dom/SecurityContext.h" | 8 #include "core/dom/SecurityContext.h" |
| 9 #include "core/dom/SpaceSplitString.h" | 9 #include "core/dom/SpaceSplitString.h" |
| 10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 132 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st | 132 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st |
| 133 { | 133 { |
| 134 return !directive || directive->allowHashedAttributes(); | 134 return !directive || directive->allowHashedAttributes(); |
| 135 } | 135 } |
| 136 | 136 |
| 137 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 137 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
| 138 { | 138 { |
| 139 return !directive || directive->allowDynamic(); | 139 return !directive || directive->allowDynamic(); |
| 140 } | 140 } |
| 141 | 141 |
| 142 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL) const |
| 143 { |
| 144 if (strictMixedContentChecking()) |
| 145 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C
ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint
s, m_header, ContentSecurityPolicy::URLViolation); |
| 146 } |
| 147 |
| 142 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const | 148 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ContentSecurityPolicy::RedirectStatus redirectStatus) const |
| 143 { | 149 { |
| 144 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 150 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
| 145 // without a `src` can be blocked/allowed, as they can still load plugins | 151 // without a `src` can be blocked/allowed, as they can still load plugins |
| 146 // even though they don't actually have a URL. | 152 // even though they don't actually have a URL. |
| 147 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 153 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
| 148 } | 154 } |
| 149 | 155 |
| 150 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const | 156 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
* frame) const |
| 151 { | 157 { |
| (...skipping 480 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 632 return; | 638 return; |
| 633 } | 639 } |
| 634 m_treatAsPublicAddress = true; | 640 m_treatAsPublicAddress = true; |
| 635 m_policy->treatAsPublicAddress(); | 641 m_policy->treatAsPublicAddress(); |
| 636 if (!value.isEmpty()) | 642 if (!value.isEmpty()) |
| 637 m_policy->reportValueForEmptyDirective(name, value); | 643 m_policy->reportValueForEmptyDirective(name, value); |
| 638 } | 644 } |
| 639 | 645 |
| 640 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) | 646 void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, con
st String& value) |
| 641 { | 647 { |
| 642 if (m_reportOnly) { | |
| 643 m_policy->reportInvalidInReportOnly(name); | |
| 644 return; | |
| 645 } | |
| 646 if (m_strictMixedContentCheckingEnforced) { | 648 if (m_strictMixedContentCheckingEnforced) { |
| 647 m_policy->reportDuplicateDirective(name); | 649 m_policy->reportDuplicateDirective(name); |
| 648 return; | 650 return; |
| 649 } | 651 } |
| 650 m_strictMixedContentCheckingEnforced = true; | |
| 651 m_policy->enforceStrictMixedContentChecking(); | |
| 652 if (!value.isEmpty()) | 652 if (!value.isEmpty()) |
| 653 m_policy->reportValueForEmptyDirective(name, value); | 653 m_policy->reportValueForEmptyDirective(name, value); |
| 654 |
| 655 m_strictMixedContentCheckingEnforced = true; |
| 656 |
| 657 if (!m_reportOnly) |
| 658 m_policy->enforceStrictMixedContentChecking(); |
| 654 } | 659 } |
| 655 | 660 |
| 656 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) | 661 void CSPDirectiveList::enableInsecureRequestsUpgrade(const String& name, const S
tring& value) |
| 657 { | 662 { |
| 658 if (m_reportOnly) { | 663 if (m_reportOnly) { |
| 659 m_policy->reportInvalidInReportOnly(name); | 664 m_policy->reportInvalidInReportOnly(name); |
| 660 return; | 665 return; |
| 661 } | 666 } |
| 662 if (m_upgradeInsecureRequests) { | 667 if (m_upgradeInsecureRequests) { |
| 663 m_policy->reportDuplicateDirective(name); | 668 m_policy->reportDuplicateDirective(name); |
| (...skipping 175 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 839 visitor->trace(m_imgSrc); | 844 visitor->trace(m_imgSrc); |
| 840 visitor->trace(m_mediaSrc); | 845 visitor->trace(m_mediaSrc); |
| 841 visitor->trace(m_manifestSrc); | 846 visitor->trace(m_manifestSrc); |
| 842 visitor->trace(m_objectSrc); | 847 visitor->trace(m_objectSrc); |
| 843 visitor->trace(m_scriptSrc); | 848 visitor->trace(m_scriptSrc); |
| 844 visitor->trace(m_styleSrc); | 849 visitor->trace(m_styleSrc); |
| 845 } | 850 } |
| 846 | 851 |
| 847 | 852 |
| 848 } // namespace blink | 853 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2002003002:
Generate CSP violation reports for 'block-all-mixed-content' (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master