1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
71 } | 71 } |
72 | 72 |
73 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc eMeta && directives->reportEndpoints().isEmpty()) | 73 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc eMeta && directives->reportEndpoints().isEmpty()) |
74 policy->reportMissingReportURI(String(begin, end - begin)); | 74 policy->reportMissingReportURI(String(begin, end - begin)); |
75 | 75 |
76 return directives; | 76 return directives; |
77 } | 77 } |
78 | 78 |
79 void CSPDirectiveList::reportViolation(const String& directiveText, const String & effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso urceRequest::RedirectStatus redirectStatus) const | 79 void CSPDirectiveList::reportViolation(const String& directiveText, const String & effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso urceRequest::RedirectStatus redirectStatus) const |
80 { | 80 { |
81 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage; | 81 String message; |
82 ContentSecurityPolicy::DispositionType dispositionType; | |
Mike West
2016/09/14 13:03:01
If you move to `ContentSecurityPolicyHeaderType`,
Sergey Shekyan
2016/09/16 05:36:45
It is confusing to me. I can refactor in another P
| |
83 if (m_reportOnly) { | |
84 message = "[Report Only] " + consoleMessage; | |
85 dispositionType = ContentSecurityPolicy::Report; | |
86 } else { | |
87 message = consoleMessage; | |
88 dispositionType = ContentSecurityPolicy::Enforce; | |
89 } | |
90 | |
82 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message)); | 91 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message)); |
83 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 92 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLVi olation, nullptr, redirectStatus); |
84 } | 93 } |
85 | 94 |
86 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con st String& effectiveDirective, const String& consoleMessage, const KURL& blocked URL, LocalFrame* frame) const | 95 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con st String& effectiveDirective, const String& consoleMessage, const KURL& blocked URL, LocalFrame* frame) const |
87 { | 96 { |
88 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage; | 97 String message; |
98 ContentSecurityPolicy::DispositionType dispositionType; | |
99 if (m_reportOnly) { | |
100 message = "[Report Only] " + consoleMessage; | |
101 dispositionType = ContentSecurityPolicy::Report; | |
102 } else { | |
103 message = consoleMessage; | |
104 dispositionType = ContentSecurityPolicy::Enforce; | |
105 } | |
106 | |
89 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message), frame); | 107 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message), frame); |
90 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame); | 108 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLVi olation, frame); |
91 } | 109 } |
92 | 110 |
93 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& bloc kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const | 111 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& bloc kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const |
94 { | 112 { |
95 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage; | 113 String message; |
114 ContentSecurityPolicy::DispositionType dispositionType; | |
115 if (m_reportOnly) { | |
116 message = "[Report Only] " + consoleMessage; | |
117 dispositionType = ContentSecurityPolicy::Report; | |
118 } else { | |
119 message = consoleMessage; | |
120 dispositionType = ContentSecurityPolicy::Enforce; | |
121 } | |
122 | |
96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt (), 0))); | 123 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt (), 0))); |
97 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::InlineViolation, nullp tr, RedirectStatus::NoRedirect, contextLine.oneBasedInt()); | 124 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::Inlin eViolation, nullptr, RedirectStatus::NoRedirect, contextLine.oneBasedInt()); |
98 } | 125 } |
99 | 126 |
100 void CSPDirectiveList::reportViolationWithState(const String& directiveText, con st String& effectiveDirective, const String& message, const KURL& blockedURL, Sc riptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionSt atus) const | 127 void CSPDirectiveList::reportViolationWithState(const String& directiveText, con st String& effectiveDirective, const String& message, const KURL& blockedURL, Sc riptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionSt atus) const |
101 { | 128 { |
102 String reportMessage = m_reportOnly ? "[Report Only] " + message : message; | 129 String reportMessage; |
130 ContentSecurityPolicy::DispositionType dispositionType; | |
131 if (m_reportOnly) { | |
132 reportMessage = "[Report Only] " + message; | |
133 dispositionType = ContentSecurityPolicy::Report; | |
134 } else { | |
135 reportMessage = message; | |
136 dispositionType = ContentSecurityPolicy::Enforce; | |
137 } | |
138 | |
103 // Print a console message if it won't be redundant with a | 139 // Print a console message if it won't be redundant with a |
104 // JavaScript exception that the caller will throw. (Exceptions will | 140 // JavaScript exception that the caller will throw. (Exceptions will |
105 // never get thrown in report-only mode because the caller won't see | 141 // never get thrown in report-only mode because the caller won't see |
106 // a violation.) | 142 // a violation.) |
107 if (m_reportOnly || exceptionStatus == ContentSecurityPolicy::WillNotThrowEx ception) { | 143 if (m_reportOnly || exceptionStatus == ContentSecurityPolicy::WillNotThrowEx ception) { |
108 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageS ource, ErrorMessageLevel, reportMessage); | 144 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageS ource, ErrorMessageLevel, reportMessage); |
109 m_policy->logToConsole(consoleMessage); | 145 m_policy->logToConsole(consoleMessage); |
110 } | 146 } |
111 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalViolation); | 147 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalV iolation); |
112 } | 148 } |
113 | 149 |
114 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const | 150 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const |
115 { | 151 { |
116 return !directive || directive->allowEval(); | 152 return !directive || directive->allowEval(); |
117 } | 153 } |
118 | 154 |
119 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const | 155 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const |
120 { | 156 { |
121 return !directive || (directive->allowInline() && !directive->isHashOrNonceP resent()); | 157 return !directive || (directive->allowInline() && !directive->isHashOrNonceP resent()); |
137 } | 173 } |
138 | 174 |
139 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 175 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
140 { | 176 { |
141 return !directive || directive->allowDynamic(); | 177 return !directive || directive->allowDynamic(); |
142 } | 178 } |
143 | 179 |
144 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest: :RedirectStatus redirectStatus) const | 180 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest: :RedirectStatus redirectStatus) const |
145 { | 181 { |
146 if (strictMixedContentChecking()) | 182 if (strictMixedContentChecking()) |
147 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint s, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 183 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, m _reportOnly ? ContentSecurityPolicy::Report : ContentSecurityPolicy::Enforce, Co ntentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoints , m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); |
148 } | 184 } |
149 | 185 |
150 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u rl, ResourceRequest::RedirectStatus redirectStatus) const | 186 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u rl, ResourceRequest::RedirectStatus redirectStatus) const |
151 { | 187 { |
152 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 188 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
153 // without a `src` can be blocked/allowed, as they can still load plugins | 189 // without a `src` can be blocked/allowed, as they can still load plugins |
154 // even though they don't actually have a URL. | 190 // even though they don't actually have a URL. |
155 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url , redirectStatus); | 191 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url , redirectStatus); |
156 } | 192 } |
157 | 193 |
964 visitor->trace(m_imgSrc); | 1000 visitor->trace(m_imgSrc); |
965 visitor->trace(m_mediaSrc); | 1001 visitor->trace(m_mediaSrc); |
966 visitor->trace(m_manifestSrc); | 1002 visitor->trace(m_manifestSrc); |
967 visitor->trace(m_objectSrc); | 1003 visitor->trace(m_objectSrc); |
968 visitor->trace(m_scriptSrc); | 1004 visitor->trace(m_scriptSrc); |
969 visitor->trace(m_styleSrc); | 1005 visitor->trace(m_styleSrc); |
970 } | 1006 } |
971 | 1007 |
972 | 1008 |
973 } // namespace blink | 1009 } // namespace blink |
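Review bot: The same eight-line `if (m_reportOnly) { ... } else { ... }` block that derives `message` and `dispositionType` is pasted four times (new lines 81-89, 97-105, 113-121 and 129-137), while reportMixedContent at new line 183 derives the disposition inline with a ternary, so the report-only/enforce mapping now lives in five places that must be kept in sync. Since the disposition is the value a report consumer uses to tell a real block from a report-only observation, it is worth deriving it in one place: keep the original one-line message form and replace each block with `String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;` and `ContentSecurityPolicy::DispositionType dispositionType = m_reportOnly ? ContentSecurityPolicy::Report : ContentSecurityPolicy::Enforce;` (or a small `const` member helper returning that value, also used at line 183). This also removes the uninitialized `dispositionType` declaration that currently precedes the if/else. Separately, and pre-existing rather than introduced here, reportViolationWithState still forwards the unprefixed `message` to m_policy->reportViolation (new line 147) while the other three overloads forward the prefixed string; if that asymmetry is intentional a one-line comment on line 147 would save the next reader the question.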