1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "core/dom/Document.h" | 7 #include "core/dom/Document.h" |
8 #include "core/dom/SecurityContext.h" | 8 #include "core/dom/SecurityContext.h" |
9 #include "core/dom/SpaceSplitString.h" | 9 #include "core/dom/SpaceSplitString.h" |
10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
67 String message = "Refused to evaluate a string as JavaScript because 'un
safe-eval' is not an allowed source of script in the following Content Security
Policy directive: \"" + directives->operativeDirective(directives->m_scriptSrc.g
et())->text() + "\".\n"; | 67 String message = "Refused to evaluate a string as JavaScript because 'un
safe-eval' is not an allowed source of script in the following Content Security
Policy directive: \"" + directives->operativeDirective(directives->m_scriptSrc.g
et())->text() + "\".\n"; |
68 directives->setEvalDisabledErrorMessage(message); | 68 directives->setEvalDisabledErrorMessage(message); |
69 } | 69 } |
70 | 70 |
71 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc
eMeta && directives->reportEndpoints().isEmpty()) | 71 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc
eMeta && directives->reportEndpoints().isEmpty()) |
72 policy->reportMissingReportURI(String(begin, end - begin)); | 72 policy->reportMissingReportURI(String(begin, end - begin)); |
73 | 73 |
74 return directives; | 74 return directives; |
75 } | 75 } |
76 | 76 |
77 void CSPDirectiveList::reportViolation(const String& directiveText, const String
& effectiveDirective, const String& consoleMessage, const KURL& blockedURL) cons
t | 77 void CSPDirectiveList::reportViolation(const String& directiveText, const String
& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso
urceRequest::RedirectStatus redirectStatus) const |
78 { | 78 { |
79 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; | 79 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; |
80 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message)); | 80 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message)); |
81 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation); | 81 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr,
redirectStatus); |
82 } | 82 } |
83 | 83 |
84 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con
st String& effectiveDirective, const String& consoleMessage, const KURL& blocked
URL, LocalFrame* frame) const | 84 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con
st String& effectiveDirective, const String& consoleMessage, const KURL& blocked
URL, LocalFrame* frame) const |
85 { | 85 { |
86 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; | 86 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; |
87 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message), frame); | 87 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message), frame); |
88 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame); | 88 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame); |
89 } | 89 } |
90 | 90 |
91 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText,
const String& effectiveDirective, const String& consoleMessage, const KURL& bloc
kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const | 91 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText,
const String& effectiveDirective, const String& consoleMessage, const KURL& bloc
kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const |
132 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st | 132 bool CSPDirectiveList::checkHashedAttributes(SourceListDirective* directive) con
st |
133 { | 133 { |
134 return !directive || directive->allowHashedAttributes(); | 134 return !directive || directive->allowHashedAttributes(); |
135 } | 135 } |
136 | 136 |
137 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 137 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
138 { | 138 { |
139 return !directive || directive->allowDynamic(); | 139 return !directive || directive->allowDynamic(); |
140 } | 140 } |
141 | 141 |
142 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL) const | 142 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest:
:RedirectStatus redirectStatus) const |
143 { | 143 { |
144 if (strictMixedContentChecking()) | 144 if (strictMixedContentChecking()) |
145 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C
ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint
s, m_header, ContentSecurityPolicy::URLViolation); | 145 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C
ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint
s, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); |
146 } | 146 } |
147 | 147 |
148 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ResourceRequest::RedirectStatus redirectStatus) const | 148 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ResourceRequest::RedirectStatus redirectStatus) const |
149 { | 149 { |
150 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 150 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
151 // without a `src` can be blocked/allowed, as they can still load plugins | 151 // without a `src` can be blocked/allowed, as they can still load plugins |
152 // even though they don't actually have a URL. | 152 // even though they don't actually have a URL. |
153 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 153 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
154 } | 154 } |
155 | 155 |
210 | 210 |
211 bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* dire
ctive, const String& type, const String& typeAttribute, const String& consoleMes
sage) const | 211 bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* dire
ctive, const String& type, const String& typeAttribute, const String& consoleMes
sage) const |
212 { | 212 { |
213 if (checkMediaType(directive, type, typeAttribute)) | 213 if (checkMediaType(directive, type, typeAttribute)) |
214 return true; | 214 return true; |
215 | 215 |
216 String message = consoleMessage + "\'" + directive->text() + "\'."; | 216 String message = consoleMessage + "\'" + directive->text() + "\'."; |
217 if (typeAttribute.isEmpty()) | 217 if (typeAttribute.isEmpty()) |
218 message = message + " When enforcing the 'plugin-types' directive, the p
lugin's media type must be explicitly declared with a 'type' attribute on the co
ntaining element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>')."; | 218 message = message + " When enforcing the 'plugin-types' directive, the p
lugin's media type must be explicitly declared with a 'type' attribute on the co
ntaining element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>')."; |
219 | 219 |
220 reportViolation(directive->text(), ContentSecurityPolicy::PluginTypes, messa
ge + "\n", KURL()); | 220 // 'RedirectStatus::NoRedirect' is safe here, as we do the media type check
before actually |
| 221 // loading data; this means that we shouldn't leak redirect targets, as we w
on't have had a |
| 222 // chance to redirect yet. |
| 223 reportViolation(directive->text(), ContentSecurityPolicy::PluginTypes, messa
ge + "\n", KURL(), ResourceRequest::RedirectStatus::NoRedirect); |
221 return denyIfEnforcingPolicy(); | 224 return denyIfEnforcingPolicy(); |
222 } | 225 } |
223 | 226 |
224 bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* direct
ive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalN
umber& contextLine, bool isScript, const String& hashValue) const | 227 bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* direct
ive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalN
umber& contextLine, bool isScript, const String& hashValue) const |
225 { | 228 { |
226 if (checkInline(directive)) | 229 if (checkInline(directive)) |
227 return true; | 230 return true; |
228 | 231 |
229 String suffix = String(); | 232 String suffix = String(); |
230 if (directive->allowInline() && directive->isHashOrNoncePresent()) { | 233 if (directive->allowInline() && directive->isHashOrNoncePresent()) { |
280 prefix = "Refused to load the script '"; | 283 prefix = "Refused to load the script '"; |
281 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 284 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
282 prefix = "Refused to load the stylesheet '"; | 285 prefix = "Refused to load the stylesheet '"; |
283 | 286 |
284 String suffix = String(); | 287 String suffix = String(); |
285 if (checkDynamic(directive)) | 288 if (checkDynamic(directive)) |
286 suffix = " 'unsafe-dynamic' is present, so host-based whitelisting is di
sabled."; | 289 suffix = " 'unsafe-dynamic' is present, so host-based whitelisting is di
sabled."; |
287 if (directive == m_defaultSrc) | 290 if (directive == m_defaultSrc) |
288 suffix = suffix + " Note that '" + effectiveDirective + "' was not expli
citly set, so 'default-src' is used as a fallback."; | 291 suffix = suffix + " Note that '" + effectiveDirective + "' was not expli
citly set, so 'default-src' is used as a fallback."; |
289 | 292 |
290 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); | 293 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url, redirectStatus); |
291 return denyIfEnforcingPolicy(); | 294 return denyIfEnforcingPolicy(); |
292 } | 295 } |
293 | 296 |
294 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, LocalFrame* frame, const KURL& url) const | 297 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, LocalFrame* frame, const KURL& url) const |
295 { | 298 { |
296 if (checkAncestors(directive, frame)) | 299 if (checkAncestors(directive, frame)) |
297 return true; | 300 return true; |
298 | 301 |
299 reportViolationWithFrame(directive->text(), "frame-ancestors", "Refused to d
isplay '" + url.elidedString() + "' in a frame because an ancestor violates the
following Content Security Policy directive: \"" + directive->text() + "\".", ur
l, frame); | 302 reportViolationWithFrame(directive->text(), "frame-ancestors", "Refused to d
isplay '" + url.elidedString() + "' in a frame because an ancestor violates the
following Content Security Policy directive: \"" + directive->text() + "\".", ur
l, frame); |
300 return denyIfEnforcingPolicy(); | 303 return denyIfEnforcingPolicy(); |
850 visitor->trace(m_imgSrc); | 853 visitor->trace(m_imgSrc); |
851 visitor->trace(m_mediaSrc); | 854 visitor->trace(m_mediaSrc); |
852 visitor->trace(m_manifestSrc); | 855 visitor->trace(m_manifestSrc); |
853 visitor->trace(m_objectSrc); | 856 visitor->trace(m_objectSrc); |
854 visitor->trace(m_scriptSrc); | 857 visitor->trace(m_scriptSrc); |
855 visitor->trace(m_styleSrc); | 858 visitor->trace(m_styleSrc); |
856 } | 859 } |
857 | 860 |
858 | 861 |
859 } // namespace blink | 862 } // namespace blink |
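Review bot: In checkSourceAndReportViolation (new-side line 293) the console text still embeds `url.elidedString()`, i.e. the post-redirect URL, and that same `message` string is forwarded into `m_policy->reportViolation(...)` next to the new `redirectStatus`, so the redirect-target protection this change is threading through only holds if ContentSecurityPolicy::reportViolation keeps that text console-only and never copies it into the JSON report body or the SecurityPolicyViolationEvent, which cannot be confirmed from this file. That contract deserves a comment above the call, e.g. `// |message| contains the full post-redirect URL; it must stay console-only and never reach the report or violation event.` Separately, reportViolationWithFrame (new-side line 88) still calls the ContentSecurityPolicy overload without a redirect status and so relies on whatever default that declaration carries; for frame-ancestors the blocked URL is the frame's own URL, so passing `ResourceRequest::RedirectStatus::NoRedirect` explicitly with a one-line rationale, as the plugin-types path now does, would make the "no leak possible here" reasoning auditable instead of implicit. The callers collapsed between new-side lines 227 and 283 are not visible here, so what they pass for redirectStatus could not be checked.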