

Issue 2331213002: Add `disposition` to SecurityPolicyViolationEvent (Closed)
Patch Set: Update expected results Created 4 years, 3 months ago
Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
index ea4ffe40346258b946f66a33cc375fdf4d5f744a..388b15957e97b544619b1acc68a299fd3bd56b53 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -78,28 +78,64 @@ CSPDirectiveList* CSPDirectiveList::create(ContentSecurityPolicy* policy, const
void CSPDirectiveList::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, ResourceRequest::RedirectStatus redirectStatus) const
{
- String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
+ String message;
+ ContentSecurityPolicy::DispositionType dispositionType;
Mike West 2016/09/14 13:03:01 If you move to `ContentSecurityPolicyHeaderType`,
Sergey Shekyan 2016/09/16 05:36:45 It is confusing to me. I can refactor in another P
+ if (m_reportOnly) {
+ message = "[Report Only] " + consoleMessage;
+ dispositionType = ContentSecurityPolicy::Report;
+ } else {
+ message = consoleMessage;
+ dispositionType = ContentSecurityPolicy::Enforce;
+ }
+
m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message));
- m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus);
+ m_policy->reportViolation(directiveText, dispositionType, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus);
}
void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFrame* frame) const
{
- String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
+ String message;
+ ContentSecurityPolicy::DispositionType dispositionType;
+ if (m_reportOnly) {
+ message = "[Report Only] " + consoleMessage;
+ dispositionType = ContentSecurityPolicy::Report;
+ } else {
+ message = consoleMessage;
+ dispositionType = ContentSecurityPolicy::Enforce;
+ }
+
m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), frame);
- m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame);
+ m_policy->reportViolation(directiveText, dispositionType, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, frame);
}
void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
{
- String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
+ String message;
+ ContentSecurityPolicy::DispositionType dispositionType;
+ if (m_reportOnly) {
+ message = "[Report Only] " + consoleMessage;
+ dispositionType = ContentSecurityPolicy::Report;
+ } else {
+ message = consoleMessage;
+ dispositionType = ContentSecurityPolicy::Enforce;
+ }
+
m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message, SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0)));
- m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::InlineViolation, nullptr, RedirectStatus::NoRedirect, contextLine.oneBasedInt());
+ m_policy->reportViolation(directiveText, dispositionType, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::InlineViolation, nullptr, RedirectStatus::NoRedirect, contextLine.oneBasedInt());
}
void CSPDirectiveList::reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& message, const KURL& blockedURL, ScriptState* scriptState, const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const
{
- String reportMessage = m_reportOnly ? "[Report Only] " + message : message;
+ String reportMessage;
+ ContentSecurityPolicy::DispositionType dispositionType;
+ if (m_reportOnly) {
+ reportMessage = "[Report Only] " + message;
+ dispositionType = ContentSecurityPolicy::Report;
+ } else {
+ reportMessage = message;
+ dispositionType = ContentSecurityPolicy::Enforce;
+ }
+
// Print a console message if it won't be redundant with a
// JavaScript exception that the caller will throw. (Exceptions will
// never get thrown in report-only mode because the caller won't see
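Review bot: The report-only/enforce selection is pasted four times in this hunk — the `String message; ContentSecurityPolicy::DispositionType dispositionType; if (m_reportOnly) { … } else { … }` block in reportViolation, reportViolationWithFrame, reportViolationWithLocation and reportViolationWithState — and the reportMixedContent hunk later in this file spells the same choice a fifth way as an inline ternary. Since the disposition delivered in the violation event must always agree with whether the policy was actually enforced, one private accessor keeps all five call sites derived from the same field: `ContentSecurityPolicy::DispositionType disposition() const { return m_reportOnly ? ContentSecurityPolicy::Report : ContentSecurityPolicy::Enforce; }`, after which each function can keep its original one-liner `String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;` and pass `disposition()` to m_policy->reportViolation. As written, `dispositionType` is also declared without an initializer and only assigned in the two branches; with the accessor it becomes a `const` local initialized at its declaration. reportViolationWithState begins in this hunk and continues into the next one.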
@@ -108,7 +144,7 @@ void CSPDirectiveList::reportViolationWithState(const String& directiveText, con
ConsoleMessage* consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, reportMessage);
m_policy->logToConsole(consoleMessage);
}
- m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalViolation);
+ m_policy->reportViolation(directiveText, dispositionType, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::EvalViolation);
}
bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
@@ -144,7 +180,7 @@ bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const
void CSPDirectiveList::reportMixedContent(const KURL& mixedURL, ResourceRequest::RedirectStatus redirectStatus) const
{
if (strictMixedContentChecking())
- m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, ContentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus);
+ m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, m_reportOnly ? ContentSecurityPolicy::Report : ContentSecurityPolicy::Enforce, ContentSecurityPolicy::BlockAllMixedContent, String(), mixedURL, m_reportEndpoints, m_header, ContentSecurityPolicy::URLViolation, nullptr, redirectStatus);
}
bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url, ResourceRequest::RedirectStatus redirectStatus) const
