third_party/WebKit/Source/core/loader/HttpEquiv.cpp - Issue 2421473004: CSP: Fire 'SecurityPolicyViolation' on the offending element.

Side by Side Diff: third_party/WebKit/Source/core/loader/HttpEquiv.cpp

Issue 2421473004: CSP: Fire 'SecurityPolicyViolation' on the offending element. (Closed)

Patch Set: Test. Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « third_party/WebKit/Source/core/loader/HttpEquiv.h ('k') | third_party/WebKit/Source/web/WebPluginContainerImpl.cpp » ('j') | no next file with comments »

OLD	NEW
1 // Copyright 2015 The Chromium Authors. All rights reserved.	1 // Copyright 2015 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "core/loader/HttpEquiv.h"	5 #include "core/loader/HttpEquiv.h"

6	6

7 #include "core/dom/Document.h"	7 #include "core/dom/Document.h"

8 #include "core/dom/ScriptableDocumentParser.h"	8 #include "core/dom/ScriptableDocumentParser.h"

9 #include "core/dom/StyleEngine.h"	9 #include "core/dom/StyleEngine.h"

10 #include "core/fetch/ClientHintsPreferences.h"	10 #include "core/fetch/ClientHintsPreferences.h"

11 #include "core/frame/UseCounter.h"	11 #include "core/frame/UseCounter.h"

12 #include "core/frame/csp/ContentSecurityPolicy.h"	12 #include "core/frame/csp/ContentSecurityPolicy.h"

13 #include "core/inspector/ConsoleMessage.h"	13 #include "core/inspector/ConsoleMessage.h"

14 #include "core/loader/DocumentLoader.h"	14 #include "core/loader/DocumentLoader.h"

15 #include "core/origin_trials/OriginTrialContext.h"	15 #include "core/origin_trials/OriginTrialContext.h"

16 #include "platform/HTTPNames.h"	16 #include "platform/HTTPNames.h"

17 #include "platform/network/HTTPParsers.h"	17 #include "platform/network/HTTPParsers.h"

18 #include "platform/weborigin/KURL.h"	18 #include "platform/weborigin/KURL.h"

19	19

20 namespace blink {	20 namespace blink {

21	21

22 void HttpEquiv::process(Document& document,	22 void HttpEquiv::process(Document& document,

23 const AtomicString& equiv,	23 const AtomicString& equiv,

24 const AtomicString& content,	24 const AtomicString& content,

25 bool inDocumentHeadElement) {	25 bool inDocumentHeadElement,

	26 Element* element) {

26 DCHECK(!equiv.isNull());	27 DCHECK(!equiv.isNull());

27 DCHECK(!content.isNull());	28 DCHECK(!content.isNull());

28	29

29 if (equalIgnoringCase(equiv, "default-style")) {	30 if (equalIgnoringCase(equiv, "default-style")) {

30 processHttpEquivDefaultStyle(document, content);	31 processHttpEquivDefaultStyle(document, content);

31 } else if (equalIgnoringCase(equiv, "refresh")) {	32 } else if (equalIgnoringCase(equiv, "refresh")) {

32 processHttpEquivRefresh(document, content);	33 processHttpEquivRefresh(document, content, element);

33 } else if (equalIgnoringCase(equiv, "set-cookie")) {	34 } else if (equalIgnoringCase(equiv, "set-cookie")) {

34 processHttpEquivSetCookie(document, content);	35 processHttpEquivSetCookie(document, content, element);

35 } else if (equalIgnoringCase(equiv, "content-language")) {	36 } else if (equalIgnoringCase(equiv, "content-language")) {

36 document.setContentLanguage(content);	37 document.setContentLanguage(content);

37 } else if (equalIgnoringCase(equiv, "x-dns-prefetch-control")) {	38 } else if (equalIgnoringCase(equiv, "x-dns-prefetch-control")) {

38 document.parseDNSPrefetchControlHeader(content);	39 document.parseDNSPrefetchControlHeader(content);

39 } else if (equalIgnoringCase(equiv, "x-frame-options")) {	40 } else if (equalIgnoringCase(equiv, "x-frame-options")) {

40 document.addConsoleMessage(ConsoleMessage::create(	41 document.addConsoleMessage(ConsoleMessage::create(

41 SecurityMessageSource, ErrorMessageLevel,	42 SecurityMessageSource, ErrorMessageLevel,

42 "X-Frame-Options may only be set via an HTTP header sent along with a "	43 "X-Frame-Options may only be set via an HTTP header sent along with a "

43 "document. It may not be set inside <meta>."));	44 "document. It may not be set inside <meta>."));

44 } else if (equalIgnoringCase(equiv, "accept-ch")) {	45 } else if (equalIgnoringCase(equiv, "accept-ch")) {

(...skipping 44 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
89 document.clientHintsPreferences().updateFromAcceptClientHintsHeader(	90 document.clientHintsPreferences().updateFromAcceptClientHintsHeader(

90 content, document.fetcher());	91 content, document.fetcher());

91 }	92 }

92	93

93 void HttpEquiv::processHttpEquivDefaultStyle(Document& document,	94 void HttpEquiv::processHttpEquivDefaultStyle(Document& document,

94 const AtomicString& content) {	95 const AtomicString& content) {

95 document.styleEngine().setHttpDefaultStyle(content);	96 document.styleEngine().setHttpDefaultStyle(content);

96 }	97 }

97	98

98 void HttpEquiv::processHttpEquivRefresh(Document& document,	99 void HttpEquiv::processHttpEquivRefresh(Document& document,

99 const AtomicString& content) {	100 const AtomicString& content,

	101 Element* element) {

100 UseCounter::count(document, UseCounter::MetaRefresh);	102 UseCounter::count(document, UseCounter::MetaRefresh);

101 if (!document.contentSecurityPolicy()->allowInlineScript(	103 if (!document.contentSecurityPolicy()->allowInlineScript(

102 KURL(), "", ParserInserted, OrdinalNumber(), "",	104 element, KURL(), "", OrdinalNumber(), "",

103 ContentSecurityPolicy::SuppressReport)) {	105 ContentSecurityPolicy::SuppressReport)) {

104 UseCounter::count(document,	106 UseCounter::count(document,

105 UseCounter::MetaRefreshWhenCSPBlocksInlineScript);	107 UseCounter::MetaRefreshWhenCSPBlocksInlineScript);

106 }	108 }

107	109

108 document.maybeHandleHttpRefresh(content, Document::HttpRefreshFromMetaTag);	110 document.maybeHandleHttpRefresh(content, Document::HttpRefreshFromMetaTag);

109 }	111 }

110	112

111 void HttpEquiv::processHttpEquivSetCookie(Document& document,	113 void HttpEquiv::processHttpEquivSetCookie(Document& document,

112 const AtomicString& content) {	114 const AtomicString& content,

	115 Element* element) {

113 // FIXME: make setCookie work on XML documents too; e.g. in case of	116 // FIXME: make setCookie work on XML documents too; e.g. in case of

114 // <html:meta.....>	117 // <html:meta.....>

115 if (!document.isHTMLDocument())	118 if (!document.isHTMLDocument())

116 return;	119 return;

117	120

118 UseCounter::count(document, UseCounter::MetaSetCookie);	121 UseCounter::count(document, UseCounter::MetaSetCookie);

119 if (!document.contentSecurityPolicy()->allowInlineScript(	122 if (!document.contentSecurityPolicy()->allowInlineScript(

120 KURL(), "", ParserInserted, OrdinalNumber(), "",	123 element, KURL(), "", OrdinalNumber(), "",

121 ContentSecurityPolicy::SuppressReport)) {	124 ContentSecurityPolicy::SuppressReport)) {

122 UseCounter::count(document,	125 UseCounter::count(document,

123 UseCounter::MetaSetCookieWhenCSPBlocksInlineScript);	126 UseCounter::MetaSetCookieWhenCSPBlocksInlineScript);

124 }	127 }

125	128

126 // Exception (for sandboxed documents) ignored.	129 // Exception (for sandboxed documents) ignored.

127 document.setCookie(content, IGNORE_EXCEPTION);	130 document.setCookie(content, IGNORE_EXCEPTION);

128 }	131 }

129	132

130 } // namespace blink	133 } // namespace blink

OLD	NEW