OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
90 void CSPDirectiveList::reportViolation( | 90 void CSPDirectiveList::reportViolation( |
91 const String& directiveText, | 91 const String& directiveText, |
92 const String& effectiveDirective, | 92 const String& effectiveDirective, |
93 const String& consoleMessage, | 93 const String& consoleMessage, |
94 const KURL& blockedURL, | 94 const KURL& blockedURL, |
95 ResourceRequest::RedirectStatus redirectStatus) const { | 95 ResourceRequest::RedirectStatus redirectStatus) const { |
96 String message = | 96 String message = |
97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, | 98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
99 ErrorMessageLevel, message)); | 99 ErrorMessageLevel, message)); |
100 m_policy->reportViolation( | 100 m_policy->reportViolation(directiveText, effectiveDirective, message, |
101 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, | 101 blockedURL, m_reportEndpoints, m_header, |
102 m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 102 m_headerType, ContentSecurityPolicy::URLViolation, |
| 103 nullptr, redirectStatus); |
103 } | 104 } |
104 | 105 |
105 void CSPDirectiveList::reportViolationWithFrame( | 106 void CSPDirectiveList::reportViolationWithFrame( |
106 const String& directiveText, | 107 const String& directiveText, |
107 const String& effectiveDirective, | 108 const String& effectiveDirective, |
108 const String& consoleMessage, | 109 const String& consoleMessage, |
109 const KURL& blockedURL, | 110 const KURL& blockedURL, |
110 LocalFrame* frame) const { | 111 LocalFrame* frame) const { |
111 String message = | 112 String message = |
112 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 113 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
113 m_policy->logToConsole( | 114 m_policy->logToConsole( |
114 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), | 115 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), |
115 frame); | 116 frame); |
116 m_policy->reportViolation(directiveText, effectiveDirective, message, | 117 m_policy->reportViolation( |
117 blockedURL, m_reportEndpoints, m_header, | 118 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, |
118 ContentSecurityPolicy::URLViolation, frame); | 119 m_header, m_headerType, ContentSecurityPolicy::URLViolation, frame); |
119 } | 120 } |
120 | 121 |
121 void CSPDirectiveList::reportViolationWithLocation( | 122 void CSPDirectiveList::reportViolationWithLocation( |
122 const String& directiveText, | 123 const String& directiveText, |
123 const String& effectiveDirective, | 124 const String& effectiveDirective, |
124 const String& consoleMessage, | 125 const String& consoleMessage, |
125 const KURL& blockedURL, | 126 const KURL& blockedURL, |
126 const String& contextURL, | 127 const String& contextURL, |
127 const WTF::OrdinalNumber& contextLine) const { | 128 const WTF::OrdinalNumber& contextLine) const { |
128 String message = | 129 String message = |
129 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 130 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
130 m_policy->logToConsole(ConsoleMessage::create( | 131 m_policy->logToConsole(ConsoleMessage::create( |
131 SecurityMessageSource, ErrorMessageLevel, message, | 132 SecurityMessageSource, ErrorMessageLevel, message, |
132 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); | 133 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); |
133 m_policy->reportViolation( | 134 m_policy->reportViolation( |
134 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, | 135 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, |
135 m_header, ContentSecurityPolicy::InlineViolation, nullptr, | 136 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, |
136 RedirectStatus::NoRedirect, contextLine.oneBasedInt()); | 137 RedirectStatus::NoRedirect, contextLine.oneBasedInt()); |
137 } | 138 } |
138 | 139 |
139 void CSPDirectiveList::reportViolationWithState( | 140 void CSPDirectiveList::reportViolationWithState( |
140 const String& directiveText, | 141 const String& directiveText, |
141 const String& effectiveDirective, | 142 const String& effectiveDirective, |
142 const String& message, | 143 const String& message, |
143 const KURL& blockedURL, | 144 const KURL& blockedURL, |
144 ScriptState* scriptState, | 145 ScriptState* scriptState, |
145 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 146 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
146 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; | 147 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; |
147 // Print a console message if it won't be redundant with a | 148 // Print a console message if it won't be redundant with a |
148 // JavaScript exception that the caller will throw. (Exceptions will | 149 // JavaScript exception that the caller will throw. (Exceptions will |
149 // never get thrown in report-only mode because the caller won't see | 150 // never get thrown in report-only mode because the caller won't see |
150 // a violation.) | 151 // a violation.) |
151 if (isReportOnly() || | 152 if (isReportOnly() || |
152 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { | 153 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { |
153 ConsoleMessage* consoleMessage = ConsoleMessage::create( | 154 ConsoleMessage* consoleMessage = ConsoleMessage::create( |
154 SecurityMessageSource, ErrorMessageLevel, reportMessage); | 155 SecurityMessageSource, ErrorMessageLevel, reportMessage); |
155 m_policy->logToConsole(consoleMessage); | 156 m_policy->logToConsole(consoleMessage); |
156 } | 157 } |
157 m_policy->reportViolation(directiveText, effectiveDirective, message, | 158 m_policy->reportViolation(directiveText, effectiveDirective, message, |
158 blockedURL, m_reportEndpoints, m_header, | 159 blockedURL, m_reportEndpoints, m_header, |
159 ContentSecurityPolicy::EvalViolation); | 160 m_headerType, ContentSecurityPolicy::EvalViolation); |
160 } | 161 } |
161 | 162 |
162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 163 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
163 return !directive || directive->allowEval(); | 164 return !directive || directive->allowEval(); |
164 } | 165 } |
165 | 166 |
166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | 167 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { |
167 return !directive || | 168 return !directive || |
168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | 169 (directive->allowInline() && !directive->isHashOrNoncePresent()); |
169 } | 170 } |
(...skipping 13 matching lines...) Expand all Loading... |
183 return !directive || directive->allowHashedAttributes(); | 184 return !directive || directive->allowHashedAttributes(); |
184 } | 185 } |
185 | 186 |
186 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { | 187 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { |
187 return !directive || directive->allowDynamic(); | 188 return !directive || directive->allowDynamic(); |
188 } | 189 } |
189 | 190 |
190 void CSPDirectiveList::reportMixedContent( | 191 void CSPDirectiveList::reportMixedContent( |
191 const KURL& mixedURL, | 192 const KURL& mixedURL, |
192 ResourceRequest::RedirectStatus redirectStatus) const { | 193 ResourceRequest::RedirectStatus redirectStatus) const { |
193 if (strictMixedContentChecking()) | 194 if (strictMixedContentChecking()) { |
194 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, | 195 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, |
195 ContentSecurityPolicy::BlockAllMixedContent, | 196 ContentSecurityPolicy::BlockAllMixedContent, |
196 String(), mixedURL, m_reportEndpoints, m_header, | 197 String(), mixedURL, m_reportEndpoints, m_header, |
197 ContentSecurityPolicy::URLViolation, nullptr, | 198 m_headerType, ContentSecurityPolicy::URLViolation, |
198 redirectStatus); | 199 nullptr, redirectStatus); |
| 200 } |
199 } | 201 } |
200 | 202 |
201 bool CSPDirectiveList::checkSource( | 203 bool CSPDirectiveList::checkSource( |
202 SourceListDirective* directive, | 204 SourceListDirective* directive, |
203 const KURL& url, | 205 const KURL& url, |
204 ResourceRequest::RedirectStatus redirectStatus) const { | 206 ResourceRequest::RedirectStatus redirectStatus) const { |
205 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 207 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
206 // without a `src` can be blocked/allowed, as they can still load plugins | 208 // without a `src` can be blocked/allowed, as they can still load plugins |
207 // even though they don't actually have a URL. | 209 // even though they don't actually have a URL. |
208 return !directive || | 210 return !directive || |
(...skipping 1025 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1234 visitor->trace(m_frameSrc); | 1236 visitor->trace(m_frameSrc); |
1235 visitor->trace(m_imgSrc); | 1237 visitor->trace(m_imgSrc); |
1236 visitor->trace(m_mediaSrc); | 1238 visitor->trace(m_mediaSrc); |
1237 visitor->trace(m_manifestSrc); | 1239 visitor->trace(m_manifestSrc); |
1238 visitor->trace(m_objectSrc); | 1240 visitor->trace(m_objectSrc); |
1239 visitor->trace(m_scriptSrc); | 1241 visitor->trace(m_scriptSrc); |
1240 visitor->trace(m_styleSrc); | 1242 visitor->trace(m_styleSrc); |
1241 } | 1243 } |
1242 | 1244 |
1243 } // namespace blink | 1245 } // namespace blink |
OLD | NEW |