1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
304 ContentSecurityPolicyHeaderType type, | 304 ContentSecurityPolicyHeaderType type, |
305 ContentSecurityPolicyHeaderSource source) { | 305 ContentSecurityPolicyHeaderSource source) { |
306 addAndReportPolicyFromHeaderValue(header, type, source); | 306 addAndReportPolicyFromHeaderValue(header, type, source); |
307 | 307 |
308 // This might be called after we've been bound to an execution context. For | 308 // This might be called after we've been bound to an execution context. For |
309 // example, a <meta> element might be injected after page load. | 309 // example, a <meta> element might be injected after page load. |
310 if (m_executionContext) | 310 if (m_executionContext) |
311 applyPolicySideEffectsToExecutionContext(); | 311 applyPolicySideEffectsToExecutionContext(); |
312 } | 312 } |
313 | 313 |
314 bool ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( | |
Mike West
2016/10/14 09:01:17
Can you add some unit tests for this method in `Co
| |
315 const ResourceResponse& response, | |
316 SecurityOrigin* parentOrigin) { | |
317 if (response.url().isEmpty() || response.url().protocolIsAbout() || | |
318 response.url().protocolIsData() || response.url().protocolIs("blob") || | |
319 response.url().protocolIs("filesystem")) { | |
320 return true; | |
321 } | |
322 | |
323 if (parentOrigin->canAccess(SecurityOrigin::create(response.url()).get())) | |
324 return true; | |
325 | |
326 String header = response.httpHeaderField(HTTPNames::Allow_CSP_From); | |
327 if (header.isEmpty() || !header.containsOnlyASCII()) | |
328 return false; | |
329 | |
330 String headerValue = header.stripWhiteSpace(); | |
331 if (headerValue == "*" || | |
332 parentOrigin->canAccess( | |
333 SecurityOrigin::createFromString(headerValue).get())) | |
Mike West
2016/10/14 09:01:17
I think you can simplify the logic here a bit with
| |
334 return true; | |
Mike West
2016/10/14 09:01:17
Nit: `{}` around the body if the `if` clause is mu
| |
335 | |
336 return false; | |
337 } | |
338 | |
314 void ContentSecurityPolicy::addPolicyFromHeaderValue( | 339 void ContentSecurityPolicy::addPolicyFromHeaderValue( |
315 const String& header, | 340 const String& header, |
316 ContentSecurityPolicyHeaderType type, | 341 ContentSecurityPolicyHeaderType type, |
317 ContentSecurityPolicyHeaderSource source) { | 342 ContentSecurityPolicyHeaderSource source) { |
318 // If this is a report-only header inside a <meta> element, bail out. | 343 // If this is a report-only header inside a <meta> element, bail out. |
319 if (source == ContentSecurityPolicyHeaderSourceMeta && | 344 if (source == ContentSecurityPolicyHeaderSourceMeta && |
320 type == ContentSecurityPolicyHeaderTypeReport) { | 345 type == ContentSecurityPolicyHeaderTypeReport) { |
321 reportReportOnlyInMeta(header); | 346 reportReportOnlyInMeta(header); |
322 return; | 347 return; |
323 } | 348 } |
1479 // Collisions have no security impact, so we can save space by storing only | 1504 // Collisions have no security impact, so we can save space by storing only |
1480 // the string's hash rather than the whole report. | 1505 // the string's hash rather than the whole report. |
1481 return !m_violationReportsSent.contains(report.impl()->hash()); | 1506 return !m_violationReportsSent.contains(report.impl()->hash()); |
1482 } | 1507 } |
1483 | 1508 |
1484 void ContentSecurityPolicy::didSendViolationReport(const String& report) { | 1509 void ContentSecurityPolicy::didSendViolationReport(const String& report) { |
1485 m_violationReportsSent.add(report.impl()->hash()); | 1510 m_violationReportsSent.add(report.impl()->hash()); |
1486 } | 1511 } |
1487 | 1512 |
1488 } // namespace blink | 1513 } // namespace blink |
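Review bot: `parentOrigin` is dereferenced at new lines 323 and 332 of shouldEnforceEmbeddersPolicy with no null check, and the only exits before the first `canAccess` call are the local-scheme cases; if any caller can hand in a null origin, the fail-closed guard is `if (!parentOrigin) return false;` ahead of line 323 (or a `DCHECK(parentOrigin)` if null is a contract violation at every call site). The decision order is the security-relevant part of the function and deserves a short header comment, e.g. `// Fail closed: the embedder's policy is enforced only when the response is local, same-origin with the parent, or explicitly opts in via Allow-CSP-From.`. Note also that `SecurityOrigin::createFromString` receives the raw stripped header value, so if it tolerates a full URL rather than only a serialized origin, a constructed value such as `https://example.com/anything` would be treated as an opt-in from that origin where the header grammar expects a bare origin; worth confirming, and if so rejecting values that carry a path or query. The function body lies entirely inside this section.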