1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
85 const char ContentSecurityPolicy::Sandbox[] = "sandbox"; | 85 const char ContentSecurityPolicy::Sandbox[] = "sandbox"; |
86 const char ContentSecurityPolicy::ScriptSrc[] = "script-src"; | 86 const char ContentSecurityPolicy::ScriptSrc[] = "script-src"; |
87 const char ContentSecurityPolicy::StyleSrc[] = "style-src"; | 87 const char ContentSecurityPolicy::StyleSrc[] = "style-src"; |
88 | 88 |
89 // CSP Level 2 Directives | 89 // CSP Level 2 Directives |
90 const char ContentSecurityPolicy::BaseURI[] = "base-uri"; | 90 const char ContentSecurityPolicy::BaseURI[] = "base-uri"; |
91 const char ContentSecurityPolicy::ChildSrc[] = "child-src"; | 91 const char ContentSecurityPolicy::ChildSrc[] = "child-src"; |
92 const char ContentSecurityPolicy::FormAction[] = "form-action"; | 92 const char ContentSecurityPolicy::FormAction[] = "form-action"; |
93 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors"; | 93 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors"; |
94 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types"; | 94 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types"; |
95 const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss"; | |
96 const char ContentSecurityPolicy::Referrer[] = "referrer"; | 95 const char ContentSecurityPolicy::Referrer[] = "referrer"; |
97 | 96 |
98 // CSP Editor's Draft: | 97 // CSP Editor's Draft: |
99 // https://w3c.github.io/webappsec/specs/content-security-policy | 98 // https://w3c.github.io/webappsec/specs/content-security-policy |
100 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src"; | 99 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src"; |
101 | 100 |
102 // Mixed Content Directive | 101 // Mixed Content Directive |
103 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode | 102 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode |
104 const char ContentSecurityPolicy::BlockAllMixedContent[] = | 103 const char ContentSecurityPolicy::BlockAllMixedContent[] = |
105 "block-all-mixed-content"; | 104 "block-all-mixed-content"; |
120 equalIgnoringCase(name, ConnectSrc) || | 119 equalIgnoringCase(name, ConnectSrc) || |
121 equalIgnoringCase(name, DefaultSrc) || equalIgnoringCase(name, FontSrc) || | 120 equalIgnoringCase(name, DefaultSrc) || equalIgnoringCase(name, FontSrc) || |
122 equalIgnoringCase(name, FrameSrc) || equalIgnoringCase(name, ImgSrc) || | 121 equalIgnoringCase(name, FrameSrc) || equalIgnoringCase(name, ImgSrc) || |
123 equalIgnoringCase(name, MediaSrc) || equalIgnoringCase(name, ObjectSrc) || | 122 equalIgnoringCase(name, MediaSrc) || equalIgnoringCase(name, ObjectSrc) || |
124 equalIgnoringCase(name, ReportURI) || equalIgnoringCase(name, Sandbox) || | 123 equalIgnoringCase(name, ReportURI) || equalIgnoringCase(name, Sandbox) || |
125 equalIgnoringCase(name, ScriptSrc) || equalIgnoringCase(name, StyleSrc) || | 124 equalIgnoringCase(name, ScriptSrc) || equalIgnoringCase(name, StyleSrc) || |
126 equalIgnoringCase(name, BaseURI) || equalIgnoringCase(name, ChildSrc) || | 125 equalIgnoringCase(name, BaseURI) || equalIgnoringCase(name, ChildSrc) || |
127 equalIgnoringCase(name, FormAction) || | 126 equalIgnoringCase(name, FormAction) || |
128 equalIgnoringCase(name, FrameAncestors) || | 127 equalIgnoringCase(name, FrameAncestors) || |
129 equalIgnoringCase(name, PluginTypes) || | 128 equalIgnoringCase(name, PluginTypes) || |
130 equalIgnoringCase(name, ReflectedXSS) || | |
131 equalIgnoringCase(name, Referrer) || | 129 equalIgnoringCase(name, Referrer) || |
132 equalIgnoringCase(name, ManifestSrc) || | 130 equalIgnoringCase(name, ManifestSrc) || |
133 equalIgnoringCase(name, BlockAllMixedContent) || | 131 equalIgnoringCase(name, BlockAllMixedContent) || |
134 equalIgnoringCase(name, UpgradeInsecureRequests) || | 132 equalIgnoringCase(name, UpgradeInsecureRequests) || |
135 equalIgnoringCase(name, TreatAsPublicAddress) || | 133 equalIgnoringCase(name, TreatAsPublicAddress) || |
136 equalIgnoringCase(name, RequireSRIFor)); | 134 equalIgnoringCase(name, RequireSRIFor)); |
137 } | 135 } |
138 | 136 |
139 bool ContentSecurityPolicy::isNonceableElement(const Element* element) { | 137 bool ContentSecurityPolicy::isNonceableElement(const Element* element) { |
140 if (!element->fastHasAttribute(HTMLNames::nonceAttr)) | 138 if (!element->fastHasAttribute(HTMLNames::nonceAttr)) |
1003 if (policy->isFrameAncestorsEnforced()) | 1001 if (policy->isFrameAncestorsEnforced()) |
1004 return true; | 1002 return true; |
1005 } | 1003 } |
1006 return false; | 1004 return false; |
1007 } | 1005 } |
1008 | 1006 |
1009 bool ContentSecurityPolicy::isActive() const { | 1007 bool ContentSecurityPolicy::isActive() const { |
1010 return !m_policies.isEmpty(); | 1008 return !m_policies.isEmpty(); |
1011 } | 1009 } |
1012 | 1010 |
1013 ReflectedXSSDisposition ContentSecurityPolicy::getReflectedXSSDisposition() | |
1014 const { | |
1015 ReflectedXSSDisposition disposition = ReflectedXSSUnset; | |
1016 for (const auto& policy : m_policies) { | |
1017 if (policy->getReflectedXSSDisposition() > disposition) | |
1018 disposition = std::max(disposition, policy->getReflectedXSSDisposition()); | |
1019 } | |
1020 return disposition; | |
1021 } | |
1022 | |
1023 bool ContentSecurityPolicy::didSetReferrerPolicy() const { | 1011 bool ContentSecurityPolicy::didSetReferrerPolicy() const { |
1024 for (const auto& policy : m_policies) { | 1012 for (const auto& policy : m_policies) { |
1025 if (policy->didSetReferrerPolicy()) | 1013 if (policy->didSetReferrerPolicy()) |
1026 return true; | 1014 return true; |
1027 } | 1015 } |
1028 return false; | 1016 return false; |
1029 } | 1017 } |
1030 | 1018 |
1031 const KURL ContentSecurityPolicy::url() const { | 1019 const KURL ContentSecurityPolicy::url() const { |
1032 return m_executionContext->contextURL(); | 1020 return m_executionContext->contextURL(); |
1399 logToConsole(message); | 1387 logToConsole(message); |
1400 } | 1388 } |
1401 | 1389 |
1402 void ContentSecurityPolicy::reportInvalidSandboxFlags( | 1390 void ContentSecurityPolicy::reportInvalidSandboxFlags( |
1403 const String& invalidFlags) { | 1391 const String& invalidFlags) { |
1404 logToConsole( | 1392 logToConsole( |
1405 "Error while parsing the 'sandbox' Content Security Policy directive: " + | 1393 "Error while parsing the 'sandbox' Content Security Policy directive: " + |
1406 invalidFlags); | 1394 invalidFlags); |
1407 } | 1395 } |
1408 | 1396 |
1409 void ContentSecurityPolicy::reportInvalidReflectedXSS( | |
1410 const String& invalidValue) { | |
1411 logToConsole( | |
1412 "The 'reflected-xss' Content Security Policy directive has the invalid " | |
1413 "value \"" + | |
1414 invalidValue + | |
1415 "\". Valid values are \"allow\", \"filter\", and \"block\"."); | |
1416 } | |
1417 | |
1418 void ContentSecurityPolicy::reportInvalidRequireSRIForTokens( | 1397 void ContentSecurityPolicy::reportInvalidRequireSRIForTokens( |
1419 const String& invalidTokens) { | 1398 const String& invalidTokens) { |
1420 logToConsole( | 1399 logToConsole( |
1421 "Error while parsing the 'require-sri-for' Content Security Policy " | 1400 "Error while parsing the 'require-sri-for' Content Security Policy " |
1422 "directive: " + | 1401 "directive: " + |
1423 invalidTokens); | 1402 invalidTokens); |
1424 } | 1403 } |
1425 | 1404 |
1426 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter( | 1405 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter( |
1427 const String& directiveName, | 1406 const String& directiveName, |
1544 // Collisions have no security impact, so we can save space by storing only | 1523 // Collisions have no security impact, so we can save space by storing only |
1545 // the string's hash rather than the whole report. | 1524 // the string's hash rather than the whole report. |
1546 return !m_violationReportsSent.contains(report.impl()->hash()); | 1525 return !m_violationReportsSent.contains(report.impl()->hash()); |
1547 } | 1526 } |
1548 | 1527 |
1549 void ContentSecurityPolicy::didSendViolationReport(const String& report) { | 1528 void ContentSecurityPolicy::didSendViolationReport(const String& report) { |
1550 m_violationReportsSent.add(report.impl()->hash()); | 1529 m_violationReportsSent.add(report.impl()->hash()); |
1551 } | 1530 } |
1552 | 1531 |
1553 } // namespace blink | 1532 } // namespace blink |