| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| 71 } | 71 } |
| 72 | 72 |
| 73 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc eMeta && directives->reportEndpoints().isEmpty()) | 73 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc eMeta && directives->reportEndpoints().isEmpty()) |
| 74 policy->reportMissingReportURI(String(begin, end - begin)); | 74 policy->reportMissingReportURI(String(begin, end - begin)); |
| 75 | 75 |
| 76 return directives; | 76 return directives; |
| 77 } | 77 } |
| 78 | 78 |
| 79 void CSPDirectiveList::reportViolation(const String& directiveText, const String & effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso urceRequest::RedirectStatus redirectStatus) const | 79 void CSPDirectiveList::reportViolation(const String& directiveText, const String & effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso urceRequest::RedirectStatus redirectStatus) const |
| 80 { | 80 { |
| 81 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage; | 81 String message; |
| 82 ContentSecurityPolicy::DispositionType dispositionType; | |
|
Mike West
2016/09/14 13:03:01
If you move to `ContentSecurityPolicyHeaderType`,
Sergey Shekyan
2016/09/16 05:36:45
It is confusing to me. I can refactor in another P
| |
| 83 if (m_reportOnly) { | |
| 84 message = "[Report Only] " + consoleMessage; | |
| 85 dispositionType = ContentSecurityPolicy::Report; | |
| 86 } else { | |
| 87 message = consoleMessage; | |
| 88 dispositionType = ContentSecurityPolicy::Enforce; | |
| 89 } | |
| 90 | |
| 82 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message)); | 91 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message)); |
| 83 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 92 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLVi olation, nullptr, redirectStatus); |
| 84 } | 93 } |
| 85 | 94 |
| 86 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con st String& effectiveDirective, const String& consoleMessage, const KURL& blocked URL, LocalFrame* frame) const | 95 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con st String& effectiveDirective, const String& consoleMessage, const KURL& blocked URL, LocalFrame* frame) const |
| 87 { | 96 { |
| 88 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage; | 97 String message; |
| 98 ContentSecurityPolicy::DispositionType dispositionType; | |
| 99 if (m_reportOnly) { | |
| 100 message = "[Report Only] " + consoleMessage; | |
| 101 dispositionType = ContentSecurityPolicy::Report; | |
| 102 } else { | |
| 103 message = consoleMessage; | |
| 104 dispositionType = ContentSecurityPolicy::Enforce; | |
| 105 } | |
| 106 | |
| 89 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message), frame); | 107 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message), frame); |
| 90 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame); | 108 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLVi olation, frame); |
| 91 } | 109 } |
| 92 | 110 |
| 93 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& bloc kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const | 111 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& bloc kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const |
| 94 { | 112 { |
| 95 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage; | 113 String message; |
| 114 ContentSecurityPolicy::DispositionType dispositionType; | |
| 115 if (m_reportOnly) { | |
| 116 message = "[Report Only] " + consoleMessage; | |
| 117 dispositionType = ContentSecurityPolicy::Report; | |
| 118 } else { | |
| 119 message = consoleMessage; | |
| 120 dispositionType = ContentSecurityPolicy::Enforce; | |
| 121 } | |
| 122 | |
| 96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt (), 0))); | 123 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt (), 0))); |
| 97 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::InlineViolation, nullp tr, RedirectStatus::NoRedirect, contextLine.oneBasedInt()); | 124 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::Inlin eViolation, nullptr, RedirectStatus::NoRedirect, contextLine.oneBasedInt()); |
| 98 } | 125 } |
| 99 | 126 |
| 100 void CSPDirectiveList::reportViolationWithState(const String& directiveText, con st String& effectiveDirective, const String& message, const KURL& blockedURL, Sc riptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionSt atus) const | 127 void CSPDirectiveList::reportViolationWithState(const String& directiveText, con st String& effectiveDirective, const String& message, const KURL& blockedURL, Sc riptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionSt atus) const |
| 101 { | 128 { |
| 102 String reportMessage = m_reportOnly ? "[Report Only] " + message : message; | 129 String reportMessage; |
| 130 ContentSecurityPolicy::DispositionType dispositionType; | |
| 131 if (m_reportOnly) { | |
| 132 reportMessage = "[Report Only] " + message; | |
| 133 dispositionType = ContentSecurityPolicy::Report; | |
| 134 } else { | |
| 135 reportMessage = message; | |
| 136 dispositionType = ContentSecurityPolicy::Enforce; | |
| 137 } | |
| 138 | |
| 103 // Print a console message if it won't be redundant with a | 139 // Print a console message if it won't be redundant with a |
| 104 // JavaScript exception that the caller will throw. (Exceptions will | 140 // JavaScript exception that the caller will throw. (Exceptions will |
| 105 // never get thrown in report-only mode because the caller won't see | 141 // never get thrown in report-only mode because the caller won't see |
| 106 // a violation.) | 142 // a violation.) |
| 107 if (m_reportOnly || exceptionStatus == ContentSecurityPolicy::WillNotThrowEx ception) { | 143 if (m_reportOnly || exceptionStatus == ContentSecurityPolicy::WillNotThrowEx ception) { |
| 108 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageS ource, ErrorMessageLevel, reportMessage); | 144 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageS ource, ErrorMessageLevel, reportMessage); |
| 109 m_policy->logToConsole(consoleMessage); | 145 m_policy->logToConsole(consoleMessage); |
| 110 } | 146 } |
| 111 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalViolation); | 147 m_policy->reportViolation(directiveText, dispositionType, effectiveDirective , message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalV iolation); |
| 112 } | 148 } |
| 113 | 149 |
| 114 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const | 150 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const |
| 115 { | 151 { |
| 116 return !directive || directive->allowEval(); | 152 return !directive || directive->allowEval(); |
| 117 } | 153 } |
| 118 | 154 |
| 119 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const | 155 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const |
| 120 { | 156 { |
| 121 return !directive || (directive->allowInline() && !directive->isHashOrNonceP resent()); | 157 return !directive || (directive->allowInline() && !directive->isHashOrNonceP resent()); |
| 137 } | 173 } |
| 138 | 174 |
| 139 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 175 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
| 140 { | 176 { |
| 141 return !directive || directive->allowDynamic(); | 177 return !directive || directive->allowDynamic(); |
| 142 } | 178 } |
| 143 | 179 |
| 144 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest: :RedirectStatus redirectStatus) const | 180 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest: :RedirectStatus redirectStatus) const |
| 145 { | 181 { |
| 146 if (strictMixedContentChecking()) | 182 if (strictMixedContentChecking()) |
| 147 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint s, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 183 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, m _reportOnly ? ContentSecurityPolicy::Report : ContentSecurityPolicy::Enforce, Co ntentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoints , m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); |
| 148 } | 184 } |
| 149 | 185 |
| 150 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u rl, ResourceRequest::RedirectStatus redirectStatus) const | 186 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u rl, ResourceRequest::RedirectStatus redirectStatus) const |
| 151 { | 187 { |
| 152 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 188 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
| 153 // without a `src` can be blocked/allowed, as they can still load plugins | 189 // without a `src` can be blocked/allowed, as they can still load plugins |
| 154 // even though they don't actually have a URL. | 190 // even though they don't actually have a URL. |
| 155 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url , redirectStatus); | 191 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url , redirectStatus); |
| 156 } | 192 } |
| 157 | 193 |
| 964 visitor->trace(m_imgSrc); | 1000 visitor->trace(m_imgSrc); |
| 965 visitor->trace(m_mediaSrc); | 1001 visitor->trace(m_mediaSrc); |
| 966 visitor->trace(m_manifestSrc); | 1002 visitor->trace(m_manifestSrc); |
| 967 visitor->trace(m_objectSrc); | 1003 visitor->trace(m_objectSrc); |
| 968 visitor->trace(m_scriptSrc); | 1004 visitor->trace(m_scriptSrc); |
| 969 visitor->trace(m_styleSrc); | 1005 visitor->trace(m_styleSrc); |
| 970 } | 1006 } |
| 971 | 1007 |
| 972 | 1008 |
| 973 } // namespace blink | 1009 } // namespace blink |
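Review bot: The report-only disposition is now derived in five separate places — the eight-line if/else blocks at new lines 81–89, 97–105, 113–121 and 129–137, plus the inline ternary in reportMixedContent at new line 183 — which means the value that ends up in the violation report can drift between call sites if one of them is later edited alone. Each if/else also replaces a one-line ternary that already existed for the message, so the same shape would keep each method two lines long: `String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;` followed by `ContentSecurityPolicy::DispositionType dispositionType = m_reportOnly ? ContentSecurityPolicy::Report : ContentSecurityPolicy::Enforce;` (reportViolationWithState uses `reportMessage`/`message` instead). If the class header can be touched too, a single private `disposition() const` accessor returning that ternary would let all five sites, including reportMixedContent, share one definition, though the header is outside this view so I cannot confirm whether one already exists. Unrelated to this change but visible on the new side: reportViolationWithState (new line 147) forwards the unprefixed `message` to m_policy->reportViolation while the other three methods forward the prefixed string — worth a comment on whether that asymmetry is intended.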