| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPSourceList.h" | 5 #include "core/frame/csp/CSPSourceList.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
| 8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 9 #include "platform/weborigin/KURL.h" | 9 #include "platform/weborigin/KURL.h" |
| 10 #include "platform/weborigin/SecurityOrigin.h" | 10 #include "platform/weborigin/SecurityOrigin.h" |
| (...skipping 29 matching lines...) Expand all Loading... |
| 40 , m_allowInline(false) | 40 , m_allowInline(false) |
| 41 , m_allowEval(false) | 41 , m_allowEval(false) |
| 42 , m_allowDynamic(false) | 42 , m_allowDynamic(false) |
| 43 , m_allowHashedAttributes(false) | 43 , m_allowHashedAttributes(false) |
| 44 , m_hashAlgorithmsUsed(0) | 44 , m_hashAlgorithmsUsed(0) |
| 45 { | 45 { |
| 46 } | 46 } |
| 47 | 47 |
| 48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const | 48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const |
| 49 { | 49 { |
| 50 // The CSP spec specifically states that data:, blob:, and filesystem URLs | 50 // The CSP spec specifically states that only http:, https:, ws: and wss: sh
ould |
| 51 // should not be captured by a '*" source | 51 // be captured by a '*" source. |
| 52 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the | 52 // (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression). Th
us, |
| 53 // case of a full wildcard, data:, blob:, and filesystem: URLs are | 53 // in the case of a full wildcard, URLs with any other schemes are |
| 54 // explicitly checked for in the source list before allowing them through. | 54 // explicitly checked for in the source list before allowing them through. |
| 55 if (m_allowStar) { | 55 if (m_allowStar) { |
| 56 if (url.protocolIs("blob") || url.protocolIs("data") || url.protocolIs("
filesystem")) | 56 if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocol
Is("wss")) |
| 57 return hasSourceMatchInList(url, redirectStatus); | 57 return true; |
| 58 return true; | 58 |
| 59 return hasSourceMatchInList(url, redirectStatus); |
| 59 } | 60 } |
| 60 | 61 |
| 61 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; | 62 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; |
| 62 | 63 |
| 63 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) | 64 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) |
| 64 return true; | 65 return true; |
| 65 | 66 |
| 66 return hasSourceMatchInList(effectiveURL, redirectStatus); | 67 return hasSourceMatchInList(effectiveURL, redirectStatus); |
| 67 } | 68 } |
| 68 | 69 |
| (...skipping 466 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 535 return false; | 536 return false; |
| 536 } | 537 } |
| 537 | 538 |
| 538 DEFINE_TRACE(CSPSourceList) | 539 DEFINE_TRACE(CSPSourceList) |
| 539 { | 540 { |
| 540 visitor->trace(m_policy); | 541 visitor->trace(m_policy); |
| 541 visitor->trace(m_list); | 542 visitor->trace(m_list); |
| 542 } | 543 } |
| 543 | 544 |
| 544 } // namespace blink | 545 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2209113002:
Change wildcard source expression matching to conform latest spec (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master