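--- a/core/frame/csp/CSPDirectiveList.cpp
+++ b/core/frame/csp/CSPDirectiveList.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "bindings/core/v8/SourceLocation.h"
 #include "core/dom/Document.h"
 #include "core/dom/SecurityContext.h"
 #include "core/dom/SpaceSplitString.h"
@@ -45,21 +45,20 @@
 
 } // namespace
 
 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy,
 ContentSecurityPolicyHeaderType type,
 ContentSecurityPolicyHeaderSource source)
 : m_policy(policy),
 m_headerType(type),
 m_headerSource(source),
 m_hasSandboxPolicy(false),
-m_reflectedXSSDisposition(ReflectedXSSUnset),
 m_didSetReferrerPolicy(false),
 m_referrerPolicy(ReferrerPolicyDefault),
 m_strictMixedContentCheckingEnforced(false),
 m_upgradeInsecureRequests(false),
 m_treatAsPublicAddress(false),
 m_requireSRIFor(RequireSRIForToken::None) {}
 
 CSPDirectiveList* CSPDirectiveList::create(
 ContentSecurityPolicy* policy,
 const UChar* begin,
@@ -1064,70 +1063,20 @@
 m_policy->reportDuplicateDirective(name);
 return;
 }
 m_upgradeInsecureRequests = true;
 
 m_policy->upgradeInsecureRequests();
 if (!value.isEmpty())
 m_policy->reportValueForEmptyDirective(name, value);
 }
 
-void CSPDirectiveList::parseReflectedXSS(const String& name,
-const String& value) {
-if (m_reflectedXSSDisposition != ReflectedXSSUnset) {
-m_policy->reportDuplicateDirective(name);
-m_reflectedXSSDisposition = ReflectedXSSInvalid;
-return;
-}
-
-if (value.isEmpty()) {
-m_reflectedXSSDisposition = ReflectedXSSInvalid;
-m_policy->reportInvalidReflectedXSS(value);
-return;
-}
-
-Vector<UChar> characters;
-value.appendTo(characters);
-
-const UChar* position = characters.data();
-const UChar* end = position + characters.size();
-
-skipWhile<UChar, isASCIISpace>(position, end);
-const UChar* begin = position;
-skipWhile<UChar, isNotASCIISpace>(position, end);
-
-StringView token(begin, position - begin);
-
-// value1
-// ^
-if (equalIgnoringCase("allow", token)) {
-m_reflectedXSSDisposition = AllowReflectedXSS;
-} else if (equalIgnoringCase("filter", token)) {
-m_reflectedXSSDisposition = FilterReflectedXSS;
-} else if (equalIgnoringCase("block", token)) {
-m_reflectedXSSDisposition = BlockReflectedXSS;
-} else {
-m_reflectedXSSDisposition = ReflectedXSSInvalid;
-m_policy->reportInvalidReflectedXSS(value);
-return;
-}
-
-skipWhile<UChar, isASCIISpace>(position, end);
-if (position == end && m_reflectedXSSDisposition != ReflectedXSSUnset)
-return;
-
-// value1 value2
-// ^
-m_reflectedXSSDisposition = ReflectedXSSInvalid;
-m_policy->reportInvalidReflectedXSS(value);
-}
-
 void CSPDirectiveList::parseReferrer(const String& name, const String& value) {
 m_didSetReferrerPolicy = true;
 
 if (value.isEmpty()) {
 m_policy->reportInvalidReferrer(value);
 m_referrerPolicy = ReferrerPolicyNever;
 return;
 }
 
 Vector<UChar> characters;
@@ -1204,22 +1153,20 @@
 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) {
 parseReportURI(name, value);
 } else if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) {
 setCSPDirective<SourceListDirective>(name, value, m_baseURI);
 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) {
 setCSPDirective<SourceListDirective>(name, value, m_childSrc);
 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) {
 setCSPDirective<SourceListDirective>(name, value, m_formAction);
 } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) {
 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
-} else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) {
-parseReflectedXSS(name, value);
 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) {
 parseReferrer(name, value);
 } else if (equalIgnoringCase(
 name, ContentSecurityPolicy::UpgradeInsecureRequests)) {
 enableInsecureRequestsUpgrade(name, value);
 } else if (equalIgnoringCase(name,
 ContentSecurityPolicy::BlockAllMixedContent)) {
 enforceStrictMixedContentChecking(name, value);
 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) {
 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
@@ -1247,10 +1194,10 @@
 visitor->trace(m_frameSrc);
 visitor->trace(m_imgSrc);
 visitor->trace(m_mediaSrc);
 visitor->trace(m_manifestSrc);
 visitor->trace(m_objectSrc);
 visitor->trace(m_scriptSrc);
 visitor->trace(m_styleSrc);
 }
 
 } // namespace blink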