OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CSPDirectiveList_h | 5 #ifndef CSPDirectiveList_h |
6 #define CSPDirectiveList_h | 6 #define CSPDirectiveList_h |
7 | 7 |
8 #include "core/fetch/Resource.h" | 8 #include "core/fetch/Resource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "core/frame/csp/MediaListDirective.h" | 10 #include "core/frame/csp/MediaListDirective.h" |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
59 // result of a redirect. After a redirect, source paths are usually | 59 // result of a redirect. After a redirect, source paths are usually |
60 // ignored to stop a page from learning the path to which the | 60 // ignored to stop a page from learning the path to which the |
61 // request was redirected, but this is not a concern for ancestors, | 61 // request was redirected, but this is not a concern for ancestors, |
62 // because a child frame can't manipulate the URL of a cross-origin | 62 // because a child frame can't manipulate the URL of a cross-origin |
63 // parent. | 63 // parent. |
64 bool allowAncestors(LocalFrame*, const KURL&, ContentSecurityPolicy::Reporti ngStatus) const; | 64 bool allowAncestors(LocalFrame*, const KURL&, ContentSecurityPolicy::Reporti ngStatus) const; |
65 bool allowScriptHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; | 65 bool allowScriptHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; |
66 bool allowStyleHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; | 66 bool allowStyleHash(const CSPHashValue&, ContentSecurityPolicy::InlineType) const; |
67 bool allowDynamic() const; | 67 bool allowDynamic() const; |
68 | 68 |
69 bool allowRequestWithoutIntegrity(WebURLRequest::RequestContext, const KURL& , ResourceRequest::RedirectStatus, ContentSecurityPolicy::ReportingStatus) const ; | |
70 | |
69 bool strictMixedContentChecking() const { return m_strictMixedContentCheckin gEnforced; } | 71 bool strictMixedContentChecking() const { return m_strictMixedContentCheckin gEnforced; } |
70 void reportMixedContent(const KURL& mixedURL, ResourceRequest::RedirectStatu s) const; | 72 void reportMixedContent(const KURL& mixedURL, ResourceRequest::RedirectStatu s) const; |
71 | 73 |
72 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM essage; } | 74 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM essage; } |
73 ReflectedXSSDisposition getReflectedXSSDisposition() const { return m_reflec tedXSSDisposition; } | 75 ReflectedXSSDisposition getReflectedXSSDisposition() const { return m_reflec tedXSSDisposition; } |
74 ReferrerPolicy getReferrerPolicy() const { return m_referrerPolicy; } | 76 ReferrerPolicy getReferrerPolicy() const { return m_referrerPolicy; } |
75 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } | 77 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } |
76 bool isReportOnly() const { return m_reportOnly; } | 78 bool isReportOnly() const { return m_reportOnly; } |
77 const Vector<String>& reportEndpoints() const { return m_reportEndpoints; } | 79 const Vector<String>& reportEndpoints() const { return m_reportEndpoints; } |
80 uint8_t requireSRIForTokens() const { return m_requireSRIFor; } | |
78 bool isFrameAncestorsEnforced() const { return m_frameAncestors.get() && !m_ reportOnly; } | 81 bool isFrameAncestorsEnforced() const { return m_frameAncestors.get() && !m_ reportOnly; } |
79 | 82 |
80 // Used to copy plugin-types into a plugin document in a nested | 83 // Used to copy plugin-types into a plugin document in a nested |
81 // browsing context. | 84 // browsing context. |
82 bool hasPluginTypes() const { return !!m_pluginTypes; } | 85 bool hasPluginTypes() const { return !!m_pluginTypes; } |
83 const String& pluginTypesText() const; | 86 const String& pluginTypesText() const; |
84 | 87 |
85 bool shouldSendCSPHeader(Resource::Type) const; | 88 bool shouldSendCSPHeader(Resource::Type) const; |
86 | 89 |
87 DECLARE_TRACE(); | 90 DECLARE_TRACE(); |
88 | 91 |
89 private: | 92 private: |
90 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); | 93 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); |
91 | 94 |
95 enum RequireSRIForToken { | |
96 None = 0, | |
97 Script = 1 << 1, | |
Mike West
2016/06/20 08:11:37
Nit: Start with 0.
| |
98 Style = 1 << 2 | |
99 }; | |
100 | |
92 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, Co ntentSecurityPolicyHeaderSource); | 101 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, Co ntentSecurityPolicyHeaderSource); |
93 | 102 |
94 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri ng& value); | 103 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri ng& value); |
104 void parseRequireSRIFor(const String& name, const String& value); | |
95 void parseReportURI(const String& name, const String& value); | 105 void parseReportURI(const String& name, const String& value); |
96 void parsePluginTypes(const String& name, const String& value); | 106 void parsePluginTypes(const String& name, const String& value); |
97 void parseReflectedXSS(const String& name, const String& value); | 107 void parseReflectedXSS(const String& name, const String& value); |
98 void parseReferrer(const String& name, const String& value); | 108 void parseReferrer(const String& name, const String& value); |
99 void addDirective(const String& name, const String& value); | 109 void addDirective(const String& name, const String& value); |
100 void applySandboxPolicy(const String& name, const String& sandboxPolicy); | 110 void applySandboxPolicy(const String& name, const String& sandboxPolicy); |
101 void enforceStrictMixedContentChecking(const String& name, const String& val ue); | 111 void enforceStrictMixedContentChecking(const String& name, const String& val ue); |
102 void enableInsecureRequestsUpgrade(const String& name, const String& value); | 112 void enableInsecureRequestsUpgrade(const String& name, const String& value); |
103 void treatAsPublicAddress(const String& name, const String& value); | 113 void treatAsPublicAddress(const String& name, const String& value); |
104 | 114 |
105 template <class CSPDirectiveType> | 115 template <class CSPDirectiveType> |
106 void setCSPDirective(const String& name, const String& value, Member<CSPDire ctiveType>&); | 116 void setCSPDirective(const String& name, const String& value, Member<CSPDire ctiveType>&); |
107 | 117 |
108 SourceListDirective* operativeDirective(SourceListDirective*) const; | 118 SourceListDirective* operativeDirective(SourceListDirective*) const; |
109 SourceListDirective* operativeDirective(SourceListDirective*, SourceListDire ctive* override) const; | 119 SourceListDirective* operativeDirective(SourceListDirective*, SourceListDire ctive* override) const; |
110 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, ResourceRequest::R edirectStatus) const; | 120 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, ResourceRequest::R edirectStatus) const; |
111 void reportViolationWithFrame(const String& directiveText, const String& eff ectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFram e*) const; | 121 void reportViolationWithFrame(const String& directiveText, const String& eff ectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFram e*) const; |
112 void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; | 122 void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; |
113 void reportViolationWithState(const String& directiveText, const String& eff ectiveDirective, const String& message, const KURL& blockedURL, ScriptState*, co nst ContentSecurityPolicy::ExceptionStatus) const; | 123 void reportViolationWithState(const String& directiveText, const String& eff ectiveDirective, const String& message, const KURL& blockedURL, ScriptState*, co nst ContentSecurityPolicy::ExceptionStatus) const; |
114 | 124 |
115 bool checkEval(SourceListDirective*) const; | 125 bool checkEval(SourceListDirective*) const; |
116 bool checkInline(SourceListDirective*) const; | 126 bool checkInline(SourceListDirective*) const; |
117 bool checkDynamic(SourceListDirective*) const; | 127 bool checkDynamic(SourceListDirective*) const; |
118 bool isMatchingNoncePresent(SourceListDirective*, const String&) const; | 128 bool isMatchingNoncePresent(SourceListDirective*, const String&) const; |
119 bool checkHash(SourceListDirective*, const CSPHashValue&) const; | 129 bool checkHash(SourceListDirective*, const CSPHashValue&) const; |
120 bool checkHashedAttributes(SourceListDirective*) const; | 130 bool checkHashedAttributes(SourceListDirective*) const; |
121 bool checkSource(SourceListDirective*, const KURL&, ResourceRequest::Redirec tStatus) const; | 131 bool checkSource(SourceListDirective*, const KURL&, ResourceRequest::Redirec tStatus) const; |
122 bool checkMediaType(MediaListDirective*, const String& type, const String& t ypeAttribute) const; | 132 bool checkMediaType(MediaListDirective*, const String& type, const String& t ypeAttribute) const; |
123 bool checkAncestors(SourceListDirective*, LocalFrame*) const; | 133 bool checkAncestors(SourceListDirective*, LocalFrame*) const; |
134 bool checkRequestWithoutIntegrity(WebURLRequest::RequestContext) const; | |
124 | 135 |
125 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable dErrorMessage = errorMessage; } | 136 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable dErrorMessage = errorMessage; } |
126 | 137 |
127 bool checkEvalAndReportViolation(SourceListDirective*, const String& console Message, ScriptState*, ContentSecurityPolicy::ExceptionStatus = ContentSecurityP olicy::WillNotThrowException) const; | 138 bool checkEvalAndReportViolation(SourceListDirective*, const String& console Message, ScriptState*, ContentSecurityPolicy::ExceptionStatus = ContentSecurityP olicy::WillNotThrowException) const; |
128 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript, const String& hashValue) const; | 139 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript, const String& hashValue) const; |
129 | 140 |
130 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective, ResourceRequest::RedirectStatus) const; | 141 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective, ResourceRequest::RedirectStatus) const; |
131 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ e, const String& typeAttribute, const String& consoleMessage) const; | 142 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ e, const String& typeAttribute, const String& consoleMessage) const; |
132 bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, con st KURL&) const; | 143 bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, con st KURL&) const; |
144 bool checkRequestWithoutIntegrityAndReportViolation(WebURLRequest::RequestCo ntext, const KURL&, ResourceRequest::RedirectStatus) const; | |
133 | 145 |
134 bool denyIfEnforcingPolicy() const { return m_reportOnly; } | 146 bool denyIfEnforcingPolicy() const { return m_reportOnly; } |
135 | 147 |
136 Member<ContentSecurityPolicy> m_policy; | 148 Member<ContentSecurityPolicy> m_policy; |
137 | 149 |
138 String m_header; | 150 String m_header; |
139 ContentSecurityPolicyHeaderType m_headerType; | 151 ContentSecurityPolicyHeaderType m_headerType; |
140 ContentSecurityPolicyHeaderSource m_headerSource; | 152 ContentSecurityPolicyHeaderSource m_headerSource; |
141 | 153 |
142 bool m_reportOnly; | 154 bool m_reportOnly; |
(...skipping 17 matching lines...) Expand all Loading... | |
160 Member<SourceListDirective> m_formAction; | 172 Member<SourceListDirective> m_formAction; |
161 Member<SourceListDirective> m_frameAncestors; | 173 Member<SourceListDirective> m_frameAncestors; |
162 Member<SourceListDirective> m_frameSrc; | 174 Member<SourceListDirective> m_frameSrc; |
163 Member<SourceListDirective> m_imgSrc; | 175 Member<SourceListDirective> m_imgSrc; |
164 Member<SourceListDirective> m_mediaSrc; | 176 Member<SourceListDirective> m_mediaSrc; |
165 Member<SourceListDirective> m_manifestSrc; | 177 Member<SourceListDirective> m_manifestSrc; |
166 Member<SourceListDirective> m_objectSrc; | 178 Member<SourceListDirective> m_objectSrc; |
167 Member<SourceListDirective> m_scriptSrc; | 179 Member<SourceListDirective> m_scriptSrc; |
168 Member<SourceListDirective> m_styleSrc; | 180 Member<SourceListDirective> m_styleSrc; |
169 | 181 |
182 uint8_t m_requireSRIFor; | |
183 | |
170 Vector<String> m_reportEndpoints; | 184 Vector<String> m_reportEndpoints; |
171 | 185 |
172 String m_evalDisabledErrorMessage; | 186 String m_evalDisabledErrorMessage; |
173 }; | 187 }; |
174 | 188 |
175 } // namespace blink | 189 } // namespace blink |
176 | 190 |
177 #endif | 191 #endif |
OLD | NEW |