1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
98 // Mixed Content Directive | 98 // Mixed Content Directive |
99 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode | 99 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode |
100 static const char BlockAllMixedContent[]; | 100 static const char BlockAllMixedContent[]; |
101 | 101 |
102 // https://w3c.github.io/webappsec/specs/upgrade/ | 102 // https://w3c.github.io/webappsec/specs/upgrade/ |
103 static const char UpgradeInsecureRequests[]; | 103 static const char UpgradeInsecureRequests[]; |
104 | 104 |
105 // https://mikewest.github.io/cors-rfc1918/#csp | 105 // https://mikewest.github.io/cors-rfc1918/#csp |
106 static const char TreatAsPublicAddress[]; | 106 static const char TreatAsPublicAddress[]; |
107 | 107 |
| 108 // https://w3c.github.io/webappsec-subresource-integrity/#require-sri-for |
| 109 static const char RequireSRIFor[]; |
| 110 |
108 enum ReportingStatus { | 111 enum ReportingStatus { |
109 SendReport, | 112 SendReport, |
110 SuppressReport | 113 SuppressReport |
111 }; | 114 }; |
112 | 115 |
113 enum ExceptionStatus { | 116 enum ExceptionStatus { |
114 WillThrowException, | 117 WillThrowException, |
115 WillNotThrowException | 118 WillNotThrowException |
116 }; | 119 }; |
117 | 120 |
198 // Hash functions check all policies relating to use of a script/style | 201 // Hash functions check all policies relating to use of a script/style |
199 // with the given hash and return true all CSP policies allow it. | 202 // with the given hash and return true all CSP policies allow it. |
200 // If these return true, callers can then process the content or | 203 // If these return true, callers can then process the content or |
201 // issue a load and be safe disabling any further CSP checks. | 204 // issue a load and be safe disabling any further CSP checks. |
202 // | 205 // |
203 // TODO(mkwst): Fold hashes into 'allow{Script,Style}' checks above, just | 206 // TODO(mkwst): Fold hashes into 'allow{Script,Style}' checks above, just |
204 // as we've done with nonces. https://crbug.com/617065 | 207 // as we've done with nonces. https://crbug.com/617065 |
205 bool allowScriptWithHash(const String& source, InlineType) const; | 208 bool allowScriptWithHash(const String& source, InlineType) const; |
206 bool allowStyleWithHash(const String& source, InlineType) const; | 209 bool allowStyleWithHash(const String& source, InlineType) const; |
207 | 210 |
208 bool allowRequest(WebURLRequest::RequestContext, const KURL&, const String&
nonce, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport
) const; | 211 bool allowRequestWithoutIntegrity(WebURLRequest::RequestContext, const KURL&
, RedirectStatus = RedirectStatus::NoRedirect, ReportingStatus = SendReport) con
st; |
| 212 |
| 213 bool allowRequest(WebURLRequest::RequestContext, const KURL&, const String&
nonce, const IntegrityMetadataSet&, RedirectStatus = RedirectStatus::NoRedirect,
ReportingStatus = SendReport) const; |
209 | 214 |
210 void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); | 215 void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); |
211 void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); | 216 void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm); |
212 | 217 |
213 ReflectedXSSDisposition getReflectedXSSDisposition() const; | 218 ReflectedXSSDisposition getReflectedXSSDisposition() const; |
214 | 219 |
215 bool didSetReferrerPolicy() const; | 220 bool didSetReferrerPolicy() const; |
216 | 221 |
217 void setOverrideAllowInlineStyle(bool); | 222 void setOverrideAllowInlineStyle(bool); |
218 void setOverrideURLForSelf(const KURL&); | 223 void setOverrideURLForSelf(const KURL&); |
219 | 224 |
220 bool isActive() const; | 225 bool isActive() const; |
221 | 226 |
222 // If a frame is passed in, the message will be logged to its active documen
t's console. | 227 // If a frame is passed in, the message will be logged to its active documen
t's console. |
223 // Otherwise, the message will be logged to this object's |m_executionContex
t|. | 228 // Otherwise, the message will be logged to this object's |m_executionContex
t|. |
224 void logToConsole(ConsoleMessage*, LocalFrame* = nullptr); | 229 void logToConsole(ConsoleMessage*, LocalFrame* = nullptr); |
225 | 230 |
226 void reportDirectiveAsSourceExpression(const String& directiveName, const St
ring& sourceExpression); | 231 void reportDirectiveAsSourceExpression(const String& directiveName, const St
ring& sourceExpression); |
227 void reportDuplicateDirective(const String&); | 232 void reportDuplicateDirective(const String&); |
228 void reportInvalidDirectiveValueCharacter(const String& directiveName, const
String& value); | 233 void reportInvalidDirectiveValueCharacter(const String& directiveName, const
String& value); |
229 void reportInvalidPathCharacter(const String& directiveName, const String& v
alue, const char); | 234 void reportInvalidPathCharacter(const String& directiveName, const String& v
alue, const char); |
230 void reportInvalidPluginTypes(const String&); | 235 void reportInvalidPluginTypes(const String&); |
| 236 void reportInvalidRequireSRIForTokens(const String&); |
231 void reportInvalidSandboxFlags(const String&); | 237 void reportInvalidSandboxFlags(const String&); |
232 void reportInvalidSourceExpression(const String& directiveName, const String
& source); | 238 void reportInvalidSourceExpression(const String& directiveName, const String
& source); |
233 void reportInvalidReflectedXSS(const String&); | 239 void reportInvalidReflectedXSS(const String&); |
234 void reportMissingReportURI(const String&); | 240 void reportMissingReportURI(const String&); |
235 void reportUnsupportedDirective(const String&); | 241 void reportUnsupportedDirective(const String&); |
236 void reportInvalidInReportOnly(const String&); | 242 void reportInvalidInReportOnly(const String&); |
237 void reportInvalidDirectiveInMeta(const String& directiveName); | 243 void reportInvalidDirectiveInMeta(const String& directiveName); |
238 void reportInvalidReferrer(const String&); | 244 void reportInvalidReferrer(const String&); |
239 void reportReportOnlyInMeta(const String&); | 245 void reportReportOnlyInMeta(const String&); |
240 void reportMetaOutsideHead(const String&); | 246 void reportMetaOutsideHead(const String&); |
313 String m_disableEvalErrorMessage; | 319 String m_disableEvalErrorMessage; |
314 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy; | 320 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy; |
315 | 321 |
316 Member<CSPSource> m_selfSource; | 322 Member<CSPSource> m_selfSource; |
317 String m_selfProtocol; | 323 String m_selfProtocol; |
318 }; | 324 }; |
319 | 325 |
320 } // namespace blink | 326 } // namespace blink |
321 | 327 |
322 #endif | 328 #endif |
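Review bot: The two request-check entry points added on new lines 211 and 213 carry no comment saying how they relate, and the name `allowRequestWithoutIntegrity` reads two ways — a check that the `require-sri-for` directive permits this context to load with no integrity metadata, or the full `allowRequest` source-list check minus the integrity part — so a caller who picks the wrong reading silently skips a policy check this header is meant to guarantee. The new overload also drops the `nonce` parameter the old `allowRequest` on line 208 had, which presumably means it never consults nonce-based source expressions; that should be stated rather than inferred from the signature. I would add above line 211, adjusted to whatever the .cpp actually does since the implementation is outside this section: `// Checks only whether 'require-sri-for' permits this request to proceed without integrity metadata; does not evaluate source lists or nonces. Callers wanting the full policy check must use allowRequest().` The enclosing class declaration begins before the visible lines.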