| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| (...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 90 void CSPDirectiveList::reportViolation( | 90 void CSPDirectiveList::reportViolation( |
| 91 const String& directiveText, | 91 const String& directiveText, |
| 92 const String& effectiveDirective, | 92 const String& effectiveDirective, |
| 93 const String& consoleMessage, | 93 const String& consoleMessage, |
| 94 const KURL& blockedURL, | 94 const KURL& blockedURL, |
| 95 ResourceRequest::RedirectStatus redirectStatus) const { | 95 ResourceRequest::RedirectStatus redirectStatus) const { |
| 96 String message = | 96 String message = |
| 97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
| 98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, | 98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
| 99 ErrorMessageLevel, message)); | 99 ErrorMessageLevel, message)); |
| 100 m_policy->reportViolation( | 100 m_policy->reportViolation(directiveText, effectiveDirective, message, |
| 101 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, | 101 blockedURL, m_reportEndpoints, m_header, |
| 102 m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 102 m_headerType, ContentSecurityPolicy::URLViolation, |
| 103 nullptr, redirectStatus); |
| 103 } | 104 } |
| 104 | 105 |
| 105 void CSPDirectiveList::reportViolationWithFrame( | 106 void CSPDirectiveList::reportViolationWithFrame( |
| 106 const String& directiveText, | 107 const String& directiveText, |
| 107 const String& effectiveDirective, | 108 const String& effectiveDirective, |
| 108 const String& consoleMessage, | 109 const String& consoleMessage, |
| 109 const KURL& blockedURL, | 110 const KURL& blockedURL, |
| 110 LocalFrame* frame) const { | 111 LocalFrame* frame) const { |
| 111 String message = | 112 String message = |
| 112 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 113 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
| 113 m_policy->logToConsole( | 114 m_policy->logToConsole( |
| 114 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), | 115 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), |
| 115 frame); | 116 frame); |
| 116 m_policy->reportViolation(directiveText, effectiveDirective, message, | 117 m_policy->reportViolation( |
| 117 blockedURL, m_reportEndpoints, m_header, | 118 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, |
| 118 ContentSecurityPolicy::URLViolation, frame); | 119 m_header, m_headerType, ContentSecurityPolicy::URLViolation, frame); |
| 119 } | 120 } |
| 120 | 121 |
| 121 void CSPDirectiveList::reportViolationWithLocation( | 122 void CSPDirectiveList::reportViolationWithLocation( |
| 122 const String& directiveText, | 123 const String& directiveText, |
| 123 const String& effectiveDirective, | 124 const String& effectiveDirective, |
| 124 const String& consoleMessage, | 125 const String& consoleMessage, |
| 125 const KURL& blockedURL, | 126 const KURL& blockedURL, |
| 126 const String& contextURL, | 127 const String& contextURL, |
| 127 const WTF::OrdinalNumber& contextLine) const { | 128 const WTF::OrdinalNumber& contextLine) const { |
| 128 String message = | 129 String message = |
| 129 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 130 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
| 130 m_policy->logToConsole(ConsoleMessage::create( | 131 m_policy->logToConsole(ConsoleMessage::create( |
| 131 SecurityMessageSource, ErrorMessageLevel, message, | 132 SecurityMessageSource, ErrorMessageLevel, message, |
| 132 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); | 133 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); |
| 133 m_policy->reportViolation( | 134 m_policy->reportViolation( |
| 134 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, | 135 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, |
| 135 m_header, ContentSecurityPolicy::InlineViolation, nullptr, | 136 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, |
| 136 RedirectStatus::NoRedirect, contextLine.oneBasedInt()); | 137 RedirectStatus::NoRedirect, contextLine.oneBasedInt()); |
| 137 } | 138 } |
| 138 | 139 |
| 139 void CSPDirectiveList::reportViolationWithState( | 140 void CSPDirectiveList::reportViolationWithState( |
| 140 const String& directiveText, | 141 const String& directiveText, |
| 141 const String& effectiveDirective, | 142 const String& effectiveDirective, |
| 142 const String& message, | 143 const String& message, |
| 143 const KURL& blockedURL, | 144 const KURL& blockedURL, |
| 144 ScriptState* scriptState, | 145 ScriptState* scriptState, |
| 145 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 146 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
| 146 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; | 147 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; |
| 147 // Print a console message if it won't be redundant with a | 148 // Print a console message if it won't be redundant with a |
| 148 // JavaScript exception that the caller will throw. (Exceptions will | 149 // JavaScript exception that the caller will throw. (Exceptions will |
| 149 // never get thrown in report-only mode because the caller won't see | 150 // never get thrown in report-only mode because the caller won't see |
| 150 // a violation.) | 151 // a violation.) |
| 151 if (isReportOnly() || | 152 if (isReportOnly() || |
| 152 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { | 153 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { |
| 153 ConsoleMessage* consoleMessage = ConsoleMessage::create( | 154 ConsoleMessage* consoleMessage = ConsoleMessage::create( |
| 154 SecurityMessageSource, ErrorMessageLevel, reportMessage); | 155 SecurityMessageSource, ErrorMessageLevel, reportMessage); |
| 155 m_policy->logToConsole(consoleMessage); | 156 m_policy->logToConsole(consoleMessage); |
| 156 } | 157 } |
| 157 m_policy->reportViolation(directiveText, effectiveDirective, message, | 158 m_policy->reportViolation(directiveText, effectiveDirective, message, |
| 158 blockedURL, m_reportEndpoints, m_header, | 159 blockedURL, m_reportEndpoints, m_header, |
| 159 ContentSecurityPolicy::EvalViolation); | 160 m_headerType, ContentSecurityPolicy::EvalViolation); |
| 160 } | 161 } |
| 161 | 162 |
| 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 163 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
| 163 return !directive || directive->allowEval(); | 164 return !directive || directive->allowEval(); |
| 164 } | 165 } |
| 165 | 166 |
| 166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | 167 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { |
| 167 return !directive || | 168 return !directive || |
| 168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | 169 (directive->allowInline() && !directive->isHashOrNoncePresent()); |
| 169 } | 170 } |
| (...skipping 13 matching lines...) Expand all Loading... |
| 183 return !directive || directive->allowHashedAttributes(); | 184 return !directive || directive->allowHashedAttributes(); |
| 184 } | 185 } |
| 185 | 186 |
| 186 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { | 187 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { |
| 187 return !directive || directive->allowDynamic(); | 188 return !directive || directive->allowDynamic(); |
| 188 } | 189 } |
| 189 | 190 |
| 190 void CSPDirectiveList::reportMixedContent( | 191 void CSPDirectiveList::reportMixedContent( |
| 191 const KURL& mixedURL, | 192 const KURL& mixedURL, |
| 192 ResourceRequest::RedirectStatus redirectStatus) const { | 193 ResourceRequest::RedirectStatus redirectStatus) const { |
| 193 if (strictMixedContentChecking()) | 194 if (strictMixedContentChecking()) { |
| 194 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, | 195 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, |
| 195 ContentSecurityPolicy::BlockAllMixedContent, | 196 ContentSecurityPolicy::BlockAllMixedContent, |
| 196 String(), mixedURL, m_reportEndpoints, m_header, | 197 String(), mixedURL, m_reportEndpoints, m_header, |
| 197 ContentSecurityPolicy::URLViolation, nullptr, | 198 m_headerType, ContentSecurityPolicy::URLViolation, |
| 198 redirectStatus); | 199 nullptr, redirectStatus); |
| 200 } |
| 199 } | 201 } |
| 200 | 202 |
| 201 bool CSPDirectiveList::checkSource( | 203 bool CSPDirectiveList::checkSource( |
| 202 SourceListDirective* directive, | 204 SourceListDirective* directive, |
| 203 const KURL& url, | 205 const KURL& url, |
| 204 ResourceRequest::RedirectStatus redirectStatus) const { | 206 ResourceRequest::RedirectStatus redirectStatus) const { |
| 205 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 207 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
| 206 // without a `src` can be blocked/allowed, as they can still load plugins | 208 // without a `src` can be blocked/allowed, as they can still load plugins |
| 207 // even though they don't actually have a URL. | 209 // even though they don't actually have a URL. |
| 208 return !directive || | 210 return !directive || |
| (...skipping 1025 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1234 visitor->trace(m_frameSrc); | 1236 visitor->trace(m_frameSrc); |
| 1235 visitor->trace(m_imgSrc); | 1237 visitor->trace(m_imgSrc); |
| 1236 visitor->trace(m_mediaSrc); | 1238 visitor->trace(m_mediaSrc); |
| 1237 visitor->trace(m_manifestSrc); | 1239 visitor->trace(m_manifestSrc); |
| 1238 visitor->trace(m_objectSrc); | 1240 visitor->trace(m_objectSrc); |
| 1239 visitor->trace(m_scriptSrc); | 1241 visitor->trace(m_scriptSrc); |
| 1240 visitor->trace(m_styleSrc); | 1242 visitor->trace(m_styleSrc); |
| 1241 } | 1243 } |
| 1242 | 1244 |
| 1243 } // namespace blink | 1245 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2331213002:
Add `disposition` to SecurityPolicyViolationEvent (Closed)
