
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Issue 2331213002: Add `disposition` to SecurityPolicyViolationEvent (Closed)
Patch Set: Update SecurityPolicyViolationEventInit.idl Created 4 years, 3 months ago
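--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
@@ -73,49 +73,49 @@
 if (directives->isReportOnly() && source != ContentSecurityPolicyHeaderSourc eMeta && directives->reportEndpoints().isEmpty())
 policy->reportMissingReportURI(String(begin, end - begin));
 
 return directives;
 }
 
 void CSPDirectiveList::reportViolation(const String& directiveText, const String & effectiveDirective, const String& consoleMessage, const KURL& blockedURL, Reso urceRequest::RedirectStatus redirectStatus) const
 {
 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage;
 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message));
-m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus);
+m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::URLViola tion, nullptr, redirectStatus);
 }
 
 void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, con st String& effectiveDirective, const String& consoleMessage, const KURL& blocked URL, LocalFrame* frame) const
 {
 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage;
 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message), frame);
-m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame);
+m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::URLViola tion, frame);
 }
 
 void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& bloc kedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleM essage;
 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMe ssageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt (), 0)));
-m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::InlineViolation, nullp tr, RedirectStatus::NoRedirect, contextLine.oneBasedInt());
+m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::InlineVi olation, nullptr, RedirectStatus::NoRedirect, contextLine.oneBasedInt());
 }
 
 void CSPDirectiveList::reportViolationWithState(const String& directiveText, con st String& effectiveDirective, const String& message, const KURL& blockedURL, Sc riptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionSt atus) const
 {
 String reportMessage = m_reportOnly ? "[Report Only] " + message : message;
 // Print a console message if it won't be redundant with a
 // JavaScript exception that the caller will throw. (Exceptions will
 // never get thrown in report-only mode because the caller won't see
 // a violation.)
 if (m_reportOnly || exceptionStatus == ContentSecurityPolicy::WillNotThrowEx ception) {
 ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageS ource, ErrorMessageLevel, reportMessage);
 m_policy->logToConsole(consoleMessage);
 }
-m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalViolation);
+m_policy->reportViolation(directiveText, effectiveDirective, message, blocke dURL, m_reportEndpoints, m_header, m_headerType, ContentSecurityPolicy::EvalViol ation);
 }
 
 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
 {
 return !directive || directive->allowEval();
 }
 
 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
 {
 return !directive || (directive->allowInline() && !directive->isHashOrNonceP resent());
@@ -137,21 +137,21 @@
 }
 
 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const
 {
 return !directive || directive->allowDynamic();
 }
 
 void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest: :RedirectStatus redirectStatus) const
 {
 if (strictMixedContentChecking())
-m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint s, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus);
+m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, C ontentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoint s, m_header, m_headerType, ContentSecurityPolicy::URLViolation, nullptr, redirec tStatus);
 }
 
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u rl, ResourceRequest::RedirectStatus redirectStatus) const
 {
 // If |url| is empty, fall back to the policy URL to ensure that <object>'s
 // without a `src` can be blocked/allowed, as they can still load plugins
 // even though they don't actually have a URL.
 return !directive || directive->allows(url.isEmpty() ? m_policy->url() : url , redirectStatus);
 }
 
@@ -964,10 +964,10 @@
 visitor->trace(m_imgSrc);
 visitor->trace(m_mediaSrc);
 visitor->trace(m_manifestSrc);
 visitor->trace(m_objectSrc);
 visitor->trace(m_scriptSrc);
 visitor->trace(m_styleSrc);
 }
 
 
 } // namespace blink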
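Review bot: The five `m_policy->reportViolation(...)` calls (new lines 83, 90, 97, 111 and 147) now pass `m_headerType` to carry the event's disposition, while the "[Report Only] " prefix and the console/exception logic in the same functions still key off `m_reportOnly`, so this file holds two separate answers to "was this policy enforced". The constructor that sets both members is not visible here; if they are assigned independently, a report could state `enforce` for a violation that was only logged, which misleads whoever triages the reports. I would pin the invariant where the members are initialised, e.g. `DCHECK_EQ(m_reportOnly, m_headerType == ContentSecurityPolicyHeaderTypeReport);`, or derive `m_reportOnly` from `m_headerType` through a single accessor. Separately, new line 111 still passes the unprefixed `message` while lines 83, 90 and 97 pass the prefixed text; a one-line comment saying whether that difference is intended would help the next reader.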
