1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CSPDirectiveList_h | 5 #ifndef CSPDirectiveList_h |
6 #define CSPDirectiveList_h | 6 #define CSPDirectiveList_h |
7 | 7 |
8 #include "core/fetch/Resource.h" | 8 #include "core/fetch/Resource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "core/frame/csp/MediaListDirective.h" | 10 #include "core/frame/csp/MediaListDirective.h" |
59 // result of a redirect. After a redirect, source paths are usually | 59 // result of a redirect. After a redirect, source paths are usually |
60 // ignored to stop a page from learning the path to which the | 60 // ignored to stop a page from learning the path to which the |
61 // request was redirected, but this is not a concern for ancestors, | 61 // request was redirected, but this is not a concern for ancestors, |
62 // because a child frame can't manipulate the URL of a cross-origin | 62 // because a child frame can't manipulate the URL of a cross-origin |
63 // parent. | 63 // parent. |
64 bool allowAncestors(LocalFrame*, const KURL&, ContentSecurityPolicy::Reporti ngStatus) const; | 64 bool allowAncestors(LocalFrame*, const KURL&, ContentSecurityPolicy::Reporti ngStatus) const; |
65 bool allowScriptHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; | 65 bool allowScriptHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; |
66 bool allowStyleHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; | 66 bool allowStyleHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; |
67 bool allowDynamic() const; | 67 bool allowDynamic() const; |
68 | 68 |
69 bool allowRequestWithoutMetadata(WebURLRequest::RequestContext, const KURL&, const IntegrityMetadataSet&, ContentSecurityPolicy::ReportingStatus) const; | |
jww
2016/06/11 22:45:12
nit: I'd prefer that this have 'Integrity' somewhe
Sergey Shekyan
2016/06/20 07:12:00
I renamed it to "allowRequestWithoutIntegrity". Tr
70 | |
69 bool strictMixedContentChecking() const { return m_strictMixedContentCheckin gEnforced; } | 71 bool strictMixedContentChecking() const { return m_strictMixedContentCheckin gEnforced; } |
70 void reportMixedContent(const KURL& mixedURL, ResourceRequest::RedirectStatu s) const; | 72 void reportMixedContent(const KURL& mixedURL, ResourceRequest::RedirectStatu s) const; |
71 | 73 |
72 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM essage; } | 74 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM essage; } |
73 ReflectedXSSDisposition getReflectedXSSDisposition() const { return m_reflec tedXSSDisposition; } | 75 ReflectedXSSDisposition getReflectedXSSDisposition() const { return m_reflec tedXSSDisposition; } |
74 ReferrerPolicy getReferrerPolicy() const { return m_referrerPolicy; } | 76 ReferrerPolicy getReferrerPolicy() const { return m_referrerPolicy; } |
75 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } | 77 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } |
76 bool isReportOnly() const { return m_reportOnly; } | 78 bool isReportOnly() const { return m_reportOnly; } |
77 const Vector<String>& reportEndpoints() const { return m_reportEndpoints; } | 79 const Vector<String>& reportEndpoints() const { return m_reportEndpoints; } |
80 const Vector<String>& requireSRIForTokens() const { return m_requireSRIFor; } | |
78 bool isFrameAncestorsEnforced() const { return m_frameAncestors.get() && !m_ reportOnly; } | 81 bool isFrameAncestorsEnforced() const { return m_frameAncestors.get() && !m_ reportOnly; } |
79 | 82 |
80 // Used to copy plugin-types into a plugin document in a nested | 83 // Used to copy plugin-types into a plugin document in a nested |
81 // browsing context. | 84 // browsing context. |
82 bool hasPluginTypes() const { return !!m_pluginTypes; } | 85 bool hasPluginTypes() const { return !!m_pluginTypes; } |
83 const String& pluginTypesText() const; | 86 const String& pluginTypesText() const; |
84 | 87 |
85 bool shouldSendCSPHeader(Resource::Type) const; | 88 bool shouldSendCSPHeader(Resource::Type) const; |
86 | 89 |
87 DECLARE_TRACE(); | 90 DECLARE_TRACE(); |
88 | 91 |
89 private: | 92 private: |
90 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); | 93 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); |
Mike West
2016/06/10 09:25:15
Please add parsing tests to CSPDirectiveListTest t
91 | 94 |
92 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, Co ntentSecurityPolicyHeaderSource); | 95 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, Co ntentSecurityPolicyHeaderSource); |
93 | 96 |
94 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri ng& value); | 97 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri ng& value); |
98 void parseRequireSRIFor(const String& name, const String& value); | |
95 void parseReportURI(const String& name, const String& value); | 99 void parseReportURI(const String& name, const String& value); |
96 void parsePluginTypes(const String& name, const String& value); | 100 void parsePluginTypes(const String& name, const String& value); |
97 void parseReflectedXSS(const String& name, const String& value); | 101 void parseReflectedXSS(const String& name, const String& value); |
98 void parseReferrer(const String& name, const String& value); | 102 void parseReferrer(const String& name, const String& value); |
99 void addDirective(const String& name, const String& value); | 103 void addDirective(const String& name, const String& value); |
100 void applySandboxPolicy(const String& name, const String& sandboxPolicy); | 104 void applySandboxPolicy(const String& name, const String& sandboxPolicy); |
101 void enforceStrictMixedContentChecking(const String& name, const String& val ue); | 105 void enforceStrictMixedContentChecking(const String& name, const String& val ue); |
102 void enableInsecureRequestsUpgrade(const String& name, const String& value); | 106 void enableInsecureRequestsUpgrade(const String& name, const String& value); |
103 void treatAsPublicAddress(const String& name, const String& value); | 107 void treatAsPublicAddress(const String& name, const String& value); |
104 | 108 |
105 template <class CSPDirectiveType> | 109 template <class CSPDirectiveType> |
106 void setCSPDirective(const String& name, const String& value, Member<CSPDire ctiveType>&); | 110 void setCSPDirective(const String& name, const String& value, Member<CSPDire ctiveType>&); |
107 | 111 |
108 SourceListDirective* operativeDirective(SourceListDirective*) const; | 112 SourceListDirective* operativeDirective(SourceListDirective*) const; |
109 SourceListDirective* operativeDirective(SourceListDirective*, SourceListDire ctive* override) const; | 113 SourceListDirective* operativeDirective(SourceListDirective*, SourceListDire ctive* override) const; |
110 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, ResourceRequest::R edirectStatus) const; | 114 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, ResourceRequest::R edirectStatus) const; |
111 void reportViolationWithFrame(const String& directiveText, const String& eff ectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFram e*) const; | 115 void reportViolationWithFrame(const String& directiveText, const String& eff ectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFram e*) const; |
112 void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; | 116 void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; |
113 void reportViolationWithState(const String& directiveText, const String& eff ectiveDirective, const String& message, const KURL& blockedURL, ScriptState*, co nst ContentSecurityPolicy::ExceptionStatus) const; | 117 void reportViolationWithState(const String& directiveText, const String& eff ectiveDirective, const String& message, const KURL& blockedURL, ScriptState*, co nst ContentSecurityPolicy::ExceptionStatus) const; |
114 | 118 |
115 bool checkEval(SourceListDirective*) const; | 119 bool checkEval(SourceListDirective*) const; |
116 bool checkInline(SourceListDirective*) const; | 120 bool checkInline(SourceListDirective*) const; |
117 bool checkDynamic(SourceListDirective*) const; | 121 bool checkDynamic(SourceListDirective*) const; |
118 bool isMatchingNoncePresent(SourceListDirective*, const String&) const; | 122 bool isMatchingNoncePresent(SourceListDirective*, const String&) const; |
119 bool checkHash(SourceListDirective*, const CSPHashValue&) const; | 123 bool checkHash(SourceListDirective*, const CSPHashValue&) const; |
120 bool checkHashedAttributes(SourceListDirective*) const; | 124 bool checkHashedAttributes(SourceListDirective*) const; |
121 bool checkSource(SourceListDirective*, const KURL&, ResourceRequest::Redirec tStatus) const; | 125 bool checkSource(SourceListDirective*, const KURL&, ResourceRequest::Redirec tStatus) const; |
122 bool checkMediaType(MediaListDirective*, const String& type, const String& t ypeAttribute) const; | 126 bool checkMediaType(MediaListDirective*, const String& type, const String& t ypeAttribute) const; |
123 bool checkAncestors(SourceListDirective*, LocalFrame*) const; | 127 bool checkAncestors(SourceListDirective*, LocalFrame*) const; |
128 bool checkIntegrityPresence(WebURLRequest::RequestContext, const IntegrityMe tadataSet&) const; | |
124 | 129 |
125 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable dErrorMessage = errorMessage; } | 130 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable dErrorMessage = errorMessage; } |
126 | 131 |
127 bool checkEvalAndReportViolation(SourceListDirective*, const String& console Message, ScriptState*, ContentSecurityPolicy::ExceptionStatus = ContentSecurityP olicy::WillNotThrowException) const; | 132 bool checkEvalAndReportViolation(SourceListDirective*, const String& console Message, ScriptState*, ContentSecurityPolicy::ExceptionStatus = ContentSecurityP olicy::WillNotThrowException) const; |
128 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript, const String& hashValue) const; | 133 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript, const String& hashValue) const; |
129 | 134 |
130 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective, ResourceRequest::RedirectStatus) const; | 135 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective, ResourceRequest::RedirectStatus) const; |
131 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ e, const String& typeAttribute, const String& consoleMessage) const; | 136 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ e, const String& typeAttribute, const String& consoleMessage) const; |
132 bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, con st KURL&) const; | 137 bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, con st KURL&) const; |
138 bool checkIntegrityPresenceAndReportViolation(WebURLRequest::RequestContext, const KURL&, const IntegrityMetadataSet&) const; | |
133 | 139 |
134 bool denyIfEnforcingPolicy() const { return m_reportOnly; } | 140 bool denyIfEnforcingPolicy() const { return m_reportOnly; } |
135 | 141 |
136 Member<ContentSecurityPolicy> m_policy; | 142 Member<ContentSecurityPolicy> m_policy; |
137 | 143 |
138 String m_header; | 144 String m_header; |
139 ContentSecurityPolicyHeaderType m_headerType; | 145 ContentSecurityPolicyHeaderType m_headerType; |
140 ContentSecurityPolicyHeaderSource m_headerSource; | 146 ContentSecurityPolicyHeaderSource m_headerSource; |
141 | 147 |
142 bool m_reportOnly; | 148 bool m_reportOnly; |
160 Member<SourceListDirective> m_formAction; | 166 Member<SourceListDirective> m_formAction; |
161 Member<SourceListDirective> m_frameAncestors; | 167 Member<SourceListDirective> m_frameAncestors; |
162 Member<SourceListDirective> m_frameSrc; | 168 Member<SourceListDirective> m_frameSrc; |
163 Member<SourceListDirective> m_imgSrc; | 169 Member<SourceListDirective> m_imgSrc; |
164 Member<SourceListDirective> m_mediaSrc; | 170 Member<SourceListDirective> m_mediaSrc; |
165 Member<SourceListDirective> m_manifestSrc; | 171 Member<SourceListDirective> m_manifestSrc; |
166 Member<SourceListDirective> m_objectSrc; | 172 Member<SourceListDirective> m_objectSrc; |
167 Member<SourceListDirective> m_scriptSrc; | 173 Member<SourceListDirective> m_scriptSrc; |
168 Member<SourceListDirective> m_styleSrc; | 174 Member<SourceListDirective> m_styleSrc; |
169 | 175 |
176 Vector<String> m_requireSRIFor; | |
177 | |
170 Vector<String> m_reportEndpoints; | 178 Vector<String> m_reportEndpoints; |
171 | 179 |
172 String m_evalDisabledErrorMessage; | 180 String m_evalDisabledErrorMessage; |
173 }; | 181 }; |
174 | 182 |
175 } // namespace blink | 183 } // namespace blink |
176 | 184 |
177 #endif | 185 #endif |
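Review bot: The new public declaration `allowRequestWithoutMetadata` (new line 69) is the one `allow*` method in this class whose contract is not obvious from its signature, yet it carries no comment, unlike `allowAncestors` directly above it. A one-line contract would help callers: `// Returns true if the request may proceed without integrity metadata, i.e. the 'require-sri-for' directive does not cover this request context; under a report-only policy this presumably still returns true after reporting, consistent with the other allow* methods.` The new `m_requireSRIFor` member (new line 176) should likewise say what it holds, e.g. `// Raw tokens of the 'require-sri-for' directive as parsed by parseRequireSRIFor.` Because the check is keyed on `WebURLRequest::RequestContext`, that comment is also the place to state which contexts the directive governs, so a context added to the enum later is classified deliberately rather than allowed by default; I cannot tell from this header how an unlisted context is treated.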