1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 62 matching lines...)
73 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc
eMeta && directives->reportEndpoints().isEmpty()) | 73 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc
eMeta && directives->reportEndpoints().isEmpty()) |
74 policy->reportMissingReportURI(String(begin, end - begin)); | 74 policy->reportMissingReportURI(String(begin, end - begin)); |
75 | 75 |
76 return directives; | 76 return directives; |
77 } | 77 } |
78 | 78 |
79 void CSPDirectiveList::reportViolation(const String& directiveText, const String
& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso
urceRequest::RedirectStatus redirectStatus) const | 79 void CSPDirectiveList::reportViolation(const String& directiveText, const String
& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso
urceRequest::RedirectStatus redirectStatus) const |
80 { | 80 { |
81 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; | 81 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; |
82 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message)); | 82 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message)); |
83 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr,
redirectStatus); | 83 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::URLViola
tion, nullptr, redirectStatus); |
84 } | 84 } |
85 | 85 |
86 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con
st String& effectiveDirective, const String& consoleMessage, const KURL& blocked
URL, LocalFrame* frame) const | 86 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con
st String& effectiveDirective, const String& consoleMessage, const KURL& blocked
URL, LocalFrame* frame) const |
87 { | 87 { |
88 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; | 88 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; |
89 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message), frame); | 89 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message), frame); |
90 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame); | 90 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::URLViola
tion, frame); |
91 } | 91 } |
92 | 92 |
93 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText,
const String& effectiveDirective, const String& consoleMessage, const KURL& bloc
kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const | 93 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText,
const String& effectiveDirective, const String& consoleMessage, const KURL& bloc
kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const |
94 { | 94 { |
95 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; | 95 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM
essage; |
96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt
(), 0))); | 96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe
ssageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt
(), 0))); |
97 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::InlineViolation, nullp
tr, RedirectStatus::NoRedirect, contextLine.oneBasedInt()); | 97 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::InlineVi
olation, nullptr, RedirectStatus::NoRedirect, contextLine.oneBasedInt()); |
98 } | 98 } |
99 | 99 |
100 void CSPDirectiveList::reportViolationWithState(const String& directiveText, con
st String& effectiveDirective, const String& message, const KURL& blockedURL, Sc
riptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionSt
atus) const | 100 void CSPDirectiveList::reportViolationWithState(const String& directiveText, con
st String& effectiveDirective, const String& message, const KURL& blockedURL, Sc
riptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionSt
atus) const |
101 { | 101 { |
102 String reportMessage = m_reportOnly ? "[Report Only] " + message : message; | 102 String reportMessage = m_reportOnly ? "[Report Only] " + message : message; |
103 // Print a console message if it won't be redundant with a | 103 // Print a console message if it won't be redundant with a |
104 // JavaScript exception that the caller will throw. (Exceptions will | 104 // JavaScript exception that the caller will throw. (Exceptions will |
105 // never get thrown in report-only mode because the caller won't see | 105 // never get thrown in report-only mode because the caller won't see |
106 // a violation.) | 106 // a violation.) |
107 if (m_reportOnly || exceptionStatus == ContentSecurityPolicy::WillNotThrowEx
ception) { | 107 if (m_reportOnly || exceptionStatus == ContentSecurityPolicy::WillNotThrowEx
ception) { |
108 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageS
ource, ErrorMessageLevel, reportMessage); | 108 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageS
ource, ErrorMessageLevel, reportMessage); |
109 m_policy->logToConsole(consoleMessage); | 109 m_policy->logToConsole(consoleMessage); |
110 } | 110 } |
111 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalViolation); | 111 m_policy->reportViolation(directiveText, effectiveDirective, message, blocke
dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::EvalViol
ation); |
112 } | 112 } |
113 | 113 |
114 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const | 114 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const |
115 { | 115 { |
116 return !directive || directive->allowEval(); | 116 return !directive || directive->allowEval(); |
117 } | 117 } |
118 | 118 |
119 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const | 119 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const |
120 { | 120 { |
121 return !directive || (directive->allowInline() && !directive->isHashOrNonceP
resent()); | 121 return !directive || (directive->allowInline() && !directive->isHashOrNonceP
resent()); |
(...skipping 15 matching lines...)
137 } | 137 } |
138 | 138 |
139 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const | 139 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const |
140 { | 140 { |
141 return !directive || directive->allowDynamic(); | 141 return !directive || directive->allowDynamic(); |
142 } | 142 } |
143 | 143 |
144 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest:
:RedirectStatus redirectStatus) const | 144 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest:
:RedirectStatus redirectStatus) const |
145 { | 145 { |
146 if (strictMixedContentChecking()) | 146 if (strictMixedContentChecking()) |
147 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C
ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint
s, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 147 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C
ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint
s, m_header, m_headerType, ContentSecurityPolicy::URLViolation, nullptr, redirec
tStatus); |
148 } | 148 } |
149 | 149 |
150 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ResourceRequest::RedirectStatus redirectStatus) const | 150 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl, ResourceRequest::RedirectStatus redirectStatus) const |
151 { | 151 { |
152 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 152 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
153 // without a `src` can be blocked/allowed, as they can still load plugins | 153 // without a `src` can be blocked/allowed, as they can still load plugins |
154 // even though they don't actually have a URL. | 154 // even though they don't actually have a URL. |
155 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); | 155 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url
, redirectStatus); |
156 } | 156 } |
157 | 157 |
(...skipping 806 matching lines...)
964 visitor->trace(m_imgSrc); | 964 visitor->trace(m_imgSrc); |
965 visitor->trace(m_mediaSrc); | 965 visitor->trace(m_mediaSrc); |
966 visitor->trace(m_manifestSrc); | 966 visitor->trace(m_manifestSrc); |
967 visitor->trace(m_objectSrc); | 967 visitor->trace(m_objectSrc); |
968 visitor->trace(m_scriptSrc); | 968 visitor->trace(m_scriptSrc); |
969 visitor->trace(m_styleSrc); | 969 visitor->trace(m_styleSrc); |
970 } | 970 } |
971 | 971 |
972 | 972 |
973 } // namespace blink | 973 } // namespace blink |
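Review bot: In `reportViolationWithState` (new line 111) `m_policy->reportViolation(...)` is still handed the unprefixed `message`, while the console path just above it uses `reportMessage` and the three sibling helpers `reportViolation`, `reportViolationWithFrame` and `reportViolationWithLocation` (new lines 83, 90, 97) pass their `[Report Only]`-prefixed `message`. The commit threads `m_headerType` through all five calls but leaves that asymmetry in place, so for the eval case the report-side text presumably lacks the tag the other violation kinds carry; if that is deliberate, a one-line comment such as `// Report the untagged message; the console copy above already carries the [Report Only] prefix.` would stop the next reader from "fixing" it, otherwise the call should pass `reportMessage`. Every call site now repeats `m_reportEndpoints, m_header, m_headerType` together with the same report-only tagging, which makes the group a candidate for one private helper so the enforce-versus-report disposition cannot drift between the five paths; since that disposition is what a report consumer relies on, a test asserting that a report-only policy yields a report marked as such would be worth adding alongside this change.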