1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPSourceList.h" | 5 #include "core/frame/csp/CSPSourceList.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/weborigin/KURL.h" | 9 #include "platform/weborigin/KURL.h" |
10 #include "platform/weborigin/SecurityOrigin.h" | 10 #include "platform/weborigin/SecurityOrigin.h" |
40 , m_allowInline(false) | 40 , m_allowInline(false) |
41 , m_allowEval(false) | 41 , m_allowEval(false) |
42 , m_allowDynamic(false) | 42 , m_allowDynamic(false) |
43 , m_allowHashedAttributes(false) | 43 , m_allowHashedAttributes(false) |
44 , m_hashAlgorithmsUsed(0) | 44 , m_hashAlgorithmsUsed(0) |
45 { | 45 { |
46 } | 46 } |
47 | 47 |
48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const | 48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const |
49 { | 49 { |
50 // The CSP spec specifically states that data:, blob:, and filesystem URLs | 50 // The CSP spec specifically states that only http:, https:, ws: and wss: sh
ould |
51 // should not be captured by a '*" source | 51 // be captured by a '*" source. |
52 // (http://www.w3.org/TR/CSP2/#source-list-guid-matching). Thus, in the | 52 // (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression). Th
us, |
53 // case of a full wildcard, data:, blob:, and filesystem: URLs are | 53 // in the case of a full wildcard, URLs with any other schemes are |
54 // explicitly checked for in the source list before allowing them through. | 54 // explicitly checked for in the source list before allowing them through. |
55 if (m_allowStar) { | 55 if (m_allowStar) { |
56 if (url.protocolIs("blob") || url.protocolIs("data") || url.protocolIs("
filesystem")) | 56 if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocol
Is("wss")) |
57 return hasSourceMatchInList(url, redirectStatus); | 57 return true; |
58 return true; | 58 |
| 59 return hasSourceMatchInList(url, redirectStatus); |
59 } | 60 } |
60 | 61 |
61 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; | 62 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; |
62 | 63 |
63 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) | 64 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) |
64 return true; | 65 return true; |
65 | 66 |
66 return hasSourceMatchInList(effectiveURL, redirectStatus); | 67 return hasSourceMatchInList(effectiveURL, redirectStatus); |
67 } | 68 } |
68 | 69 |
535 return false; | 536 return false; |
536 } | 537 } |
537 | 538 |
538 DEFINE_TRACE(CSPSourceList) | 539 DEFINE_TRACE(CSPSourceList) |
539 { | 540 { |
540 visitor->trace(m_policy); | 541 visitor->trace(m_policy); |
541 visitor->trace(m_list); | 542 visitor->trace(m_list); |
542 } | 543 } |
543 | 544 |
544 } // namespace blink | 545 } // namespace blink |
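Review bot: In the `m_allowStar` branch of `CSPSourceList::matches` (new lines 55-60) a URL whose scheme is not http(s)/ws(s) falls through to `hasSourceMatchInList(url, redirectStatus)` and returns before the `effectiveURL` computation and the `m_allowSelf` check below it, so under `*` the `'self'` source and the inner-URL extraction are never consulted for such URLs. If `'self'` is represented only by the `m_allowSelf` flag rather than as an entry in `m_list` (not visible in this hunk), a policy such as `* 'self'` would reject a blob: or filesystem: URL whose inner origin is self while `'self'` alone would accept it; this predates the change, but the inverted allow-list makes the path hit more schemes. Hoisting the three lines `KURL effectiveURL = ...;`, `if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL))` and `return true;` above `if (m_allowStar) {` would keep the fast path for HTTP-family schemes while letting `'self'` apply uniformly, if that ordering is what the policy semantics intend. Separately, the comment on new line 51 still has the mismatched quotes `'*" source`; `'*' source` reads correctly.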