OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 293 matching lines...)
304 ContentSecurityPolicyHeaderType type, | 304 ContentSecurityPolicyHeaderType type, |
305 ContentSecurityPolicyHeaderSource source) { | 305 ContentSecurityPolicyHeaderSource source) { |
306 addAndReportPolicyFromHeaderValue(header, type, source); | 306 addAndReportPolicyFromHeaderValue(header, type, source); |
307 | 307 |
308 // This might be called after we've been bound to an execution context. For | 308 // This might be called after we've been bound to an execution context. For |
309 // example, a <meta> element might be injected after page load. | 309 // example, a <meta> element might be injected after page load. |
310 if (m_executionContext) | 310 if (m_executionContext) |
311 applyPolicySideEffectsToExecutionContext(); | 311 applyPolicySideEffectsToExecutionContext(); |
312 } | 312 } |
313 | 313 |
| 314 bool ContentSecurityPolicy::shouldEnforceEmbeddersPolicy( |
| 315 const ResourceResponse& response, |
| 316 SecurityOrigin* parentOrigin) { |
| 317 if (response.url().isEmpty() || response.url().protocolIsAbout() || |
| 318 response.url().protocolIsData() || response.url().protocolIs("blob") || |
| 319 response.url().protocolIs("filesystem")) { |
| 320 return true; |
| 321 } |
| 322 |
| 323 if (parentOrigin->canAccess(SecurityOrigin::create(response.url()).get())) |
| 324 return true; |
| 325 |
| 326 String header = response.httpHeaderField(HTTPNames::Allow_CSP_From); |
| 327 header = header.stripWhiteSpace(); |
| 328 if (header == "*") |
| 329 return true; |
| 330 if (RefPtr<SecurityOrigin> childOrigin = |
| 331 SecurityOrigin::createFromString(header)) { |
| 332 return parentOrigin->canAccess(childOrigin.get()); |
| 333 } |
| 334 |
| 335 return false; |
| 336 } |
| 337 |
314 void ContentSecurityPolicy::addPolicyFromHeaderValue( | 338 void ContentSecurityPolicy::addPolicyFromHeaderValue( |
315 const String& header, | 339 const String& header, |
316 ContentSecurityPolicyHeaderType type, | 340 ContentSecurityPolicyHeaderType type, |
317 ContentSecurityPolicyHeaderSource source) { | 341 ContentSecurityPolicyHeaderSource source) { |
318 // If this is a report-only header inside a <meta> element, bail out. | 342 // If this is a report-only header inside a <meta> element, bail out. |
319 if (source == ContentSecurityPolicyHeaderSourceMeta && | 343 if (source == ContentSecurityPolicyHeaderSourceMeta && |
320 type == ContentSecurityPolicyHeaderTypeReport) { | 344 type == ContentSecurityPolicyHeaderTypeReport) { |
321 reportReportOnlyInMeta(header); | 345 reportReportOnlyInMeta(header); |
322 return; | 346 return; |
323 } | 347 } |
(...skipping 1155 matching lines...)
1479 // Collisions have no security impact, so we can save space by storing only | 1503 // Collisions have no security impact, so we can save space by storing only |
1480 // the string's hash rather than the whole report. | 1504 // the string's hash rather than the whole report. |
1481 return !m_violationReportsSent.contains(report.impl()->hash()); | 1505 return !m_violationReportsSent.contains(report.impl()->hash()); |
1482 } | 1506 } |
1483 | 1507 |
1484 void ContentSecurityPolicy::didSendViolationReport(const String& report) { | 1508 void ContentSecurityPolicy::didSendViolationReport(const String& report) { |
1485 m_violationReportsSent.add(report.impl()->hash()); | 1509 m_violationReportsSent.add(report.impl()->hash()); |
1486 } | 1510 } |
1487 | 1511 |
1488 } // namespace blink | 1512 } // namespace blink |
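Review bot: In shouldEnforceEmbeddersPolicy (new lines 314-336) the `Allow-CSP-From` value is matched with `parentOrigin->canAccess(childOrigin.get())`, which is an access check rather than an origin-equality check. If canAccess honours state such as document.domain or universal access on the parent (its implementation is not visible on this page), the opt-in decision would vary with that state. For a header that names a single serialized origin, an exact comparison reads closer to the intent, e.g. `return parentOrigin->isSameSchemeHostPort(childOrigin.get());`. `parentOrigin` is dereferenced on new lines 323 and 332 without a check, so a `DCHECK(parentOrigin);` at the top would document the precondition. The function would also benefit from a short comment stating that `true` means the embedder's policy may be applied to this response, and why empty, about:, data:, blob: and filesystem: URLs skip the header check.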
OLD | NEW |