OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 523 matching lines...)
534 { | 534 { |
535 if (document.contentSecurityPolicy() && !document.contentSecurityPolicy()->a
llowPluginType(type, typeAttribute, url)) | 535 if (document.contentSecurityPolicy() && !document.contentSecurityPolicy()->a
llowPluginType(type, typeAttribute, url)) |
536 return false; | 536 return false; |
537 | 537 |
538 // CSP says that a plugin document in a nested browsing context should | 538 // CSP says that a plugin document in a nested browsing context should |
539 // inherit the plugin-types of its parent. | 539 // inherit the plugin-types of its parent. |
540 // | 540 // |
541 // FIXME: The plugin-types directive should be pushed down into the | 541 // FIXME: The plugin-types directive should be pushed down into the |
542 // current document instead of reaching up to the parent for it here. | 542 // current document instead of reaching up to the parent for it here. |
543 LocalFrame* frame = document.frame(); | 543 LocalFrame* frame = document.frame(); |
544 if (frame && frame->tree().parent() && frame->tree().parent()->isLocalFrame(
) && document.isPluginDocument()) { | 544 if (frame && frame->tree().parent() && document.isPluginDocument()) { |
545 ContentSecurityPolicy* parentCSP = toLocalFrame(frame->tree().parent())-
>document()->contentSecurityPolicy(); | 545 ContentSecurityPolicy* parentCSP = |
| 546 frame->tree().parent()->securityContext()->contentSecurityPolicy(); |
546 if (parentCSP && !parentCSP->allowPluginType(type, typeAttribute, url)) | 547 if (parentCSP && !parentCSP->allowPluginType(type, typeAttribute, url)) |
547 return false; | 548 return false; |
548 } | 549 } |
549 | 550 |
550 return true; | 551 return true; |
551 } | 552 } |
552 | 553 |
553 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url, const String&
nonce, RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus re
portingStatus) const | 554 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url, const String&
nonce, RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus re
portingStatus) const |
554 { | 555 { |
555 return isAllowedByAllWithURLWithNonce<&CSPDirectiveList::allowScriptFromSour
ce>(m_policies, url, nonce, redirectStatus, reportingStatus); | 556 return isAllowedByAllWithURLWithNonce<&CSPDirectiveList::allowScriptFromSour
ce>(m_policies, url, nonce, redirectStatus, reportingStatus); |
(...skipping 284 matching lines...)
840 | 841 |
841 void ContentSecurityPolicy::reportViolation(const String& directiveText, const S
tring& effectiveDirective, const String& consoleMessage, const KURL& blockedURL,
const Vector<String>& reportEndpoints, const String& header, ViolationType viol
ationType, LocalFrame* contextFrame, RedirectStatus redirectStatus, int contextL
ine) | 842 void ContentSecurityPolicy::reportViolation(const String& directiveText, const S
tring& effectiveDirective, const String& consoleMessage, const KURL& blockedURL,
const Vector<String>& reportEndpoints, const String& header, ViolationType viol
ationType, LocalFrame* contextFrame, RedirectStatus redirectStatus, int contextL
ine) |
842 { | 843 { |
843 ASSERT(violationType == URLViolation || blockedURL.isEmpty()); | 844 ASSERT(violationType == URLViolation || blockedURL.isEmpty()); |
844 | 845 |
845 // TODO(lukasza): Support sending reports from OOPIFs - https://crbug.com/61
1232 | 846 // TODO(lukasza): Support sending reports from OOPIFs - https://crbug.com/61
1232 |
846 // (or move CSP child-src and frame-src checks to the browser process - see | 847 // (or move CSP child-src and frame-src checks to the browser process - see |
847 // https://crbug.com/376522). | 848 // https://crbug.com/376522). |
848 if (!m_executionContext && !contextFrame) { | 849 if (!m_executionContext && !contextFrame) { |
849 DCHECK(equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::Chil
dSrc) | 850 DCHECK(equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::Chil
dSrc) |
850 || equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::Fram
eSrc)); | 851 || equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::Fram
eSrc) |
| 852 || equalIgnoringCase(effectiveDirective, ContentSecurityPolicy::Plug
inTypes)); |
851 return; | 853 return; |
852 } | 854 } |
853 | 855 |
854 ASSERT((m_executionContext && !contextFrame) || (equalIgnoringCase(effective
Directive, ContentSecurityPolicy::FrameAncestors) && contextFrame)); | 856 ASSERT((m_executionContext && !contextFrame) || (equalIgnoringCase(effective
Directive, ContentSecurityPolicy::FrameAncestors) && contextFrame)); |
855 | 857 |
856 // FIXME: Support sending reports from worker. | 858 // FIXME: Support sending reports from worker. |
857 Document* document = contextFrame ? contextFrame->document() : this->documen
t(); | 859 Document* document = contextFrame ? contextFrame->document() : this->documen
t(); |
858 if (!document) | 860 if (!document) |
859 return; | 861 return; |
860 | 862 |
(...skipping 258 matching lines...)
1119 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 1121 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
1120 return !m_violationReportsSent.contains(report.impl()->hash()); | 1122 return !m_violationReportsSent.contains(report.impl()->hash()); |
1121 } | 1123 } |
1122 | 1124 |
1123 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 1125 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
1124 { | 1126 { |
1125 m_violationReportsSent.add(report.impl()->hash()); | 1127 m_violationReportsSent.add(report.impl()->hash()); |
1126 } | 1128 } |
1127 | 1129 |
1128 } // namespace blink | 1130 } // namespace blink |
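Review bot: With the `isLocalFrame()` guard removed at new line 544, a plugin document under a remote parent is now checked against the parent's policy, but a denial there appears to be dropped silently: the widened `DCHECK` at new lines 850-852 suggests such violations reach `reportViolation` with neither `m_executionContext` nor `contextFrame` set, and the function returns at new line 853 without a console message or report. The load is still blocked, so this costs visibility rather than enforcement, but the TODO above the early return names only child-src and frame-src; extend it with something like `// plugin-types checks against a remote parent's policy also end up here: blocked, but not reported.` Separately, `frame->tree().parent()->securityContext()` is dereferenced unchecked at new line 546; whether it can be null is not visible here, so a `DCHECK` on it would make the assumption explicit. The function containing the first hunk starts above the visible lines.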
OLD | NEW |