
Unified Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2436003002: CSP: Add 'script-sample' to violation reports. (Closed)
Patch Set: Rebase. Created 3 years, 10 months ago
Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index f9f6bd3c3e2963d979b0935e5e52baeef8537711..4316f93f55d4ce6939b033b72f88abb496057428 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -419,17 +419,19 @@ bool isAllowedByAll(const CSPDirectiveListVector& policies,
template <bool (CSPDirectiveList::*allowed)(
Element*,
const String&,
+ const String&,
const WTF::OrdinalNumber&,
ContentSecurityPolicy::ReportingStatus) const>
bool isAllowedByAll(const CSPDirectiveListVector& policies,
Element* element,
+ const String& source,
const String& contextURL,
const WTF::OrdinalNumber& contextLine,
ContentSecurityPolicy::ReportingStatus reportingStatus) {
bool isAllowed = true;
for (const auto& policy : policies) {
- isAllowed &= (policy.get()->*allowed)(element, contextURL, contextLine,
- reportingStatus);
+ isAllowed &= (policy.get()->*allowed)(element, source, contextURL,
+ contextLine, reportingStatus);
}
return isAllowed;
}
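Review bot: The new `source` parameter sits directly before `contextURL`, and both are `const String&`, so a call site that passes them in the wrong order still compiles and would put a URL into the reported sample or script text into the URL field. The same pair appears in `allowJavaScriptURLs` and in the `allowInlineEventHandlers` call in the later hunks. A one-line comment on the template would pin the contract, for example `// |source| is the inline script/handler text, used only for violation reporting; |contextURL| is the document URL.` The earlier overload of isAllowedByAll starts outside this hunk.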
@@ -622,11 +624,12 @@ bool checkDigest(const String& source,
bool ContentSecurityPolicy::allowJavaScriptURLs(
Element* element,
+ const String& source,
const String& contextURL,
const WTF::OrdinalNumber& contextLine,
ContentSecurityPolicy::ReportingStatus reportingStatus) const {
return isAllowedByAll<&CSPDirectiveList::allowJavaScriptURLs>(
- m_policies, element, contextURL, contextLine, reportingStatus);
+ m_policies, element, source, contextURL, contextLine, reportingStatus);
}
bool ContentSecurityPolicy::allowInlineEventHandler(
@@ -644,7 +647,7 @@ bool ContentSecurityPolicy::allowInlineEventHandler(
m_policies))
return true;
return isAllowedByAll<&CSPDirectiveList::allowInlineEventHandlers>(
- m_policies, element, contextURL, contextLine, reportingStatus);
+ m_policies, element, source, contextURL, contextLine, reportingStatus);
}
bool ContentSecurityPolicy::allowInlineScript(
@@ -1043,7 +1046,8 @@ static void gatherSecurityPolicyViolationEventData(
RedirectStatus redirectStatus,
ContentSecurityPolicyHeaderType headerType,
ContentSecurityPolicy::ViolationType violationType,
- int contextLine) {
+ int contextLine,
+ const String& scriptSource) {
if (effectiveType == ContentSecurityPolicy::DirectiveType::FrameAncestors) {
// If this load was blocked via 'frame-ancestors', then the URL of
// |document| has not yet been initialized. In this case, we'll set both
@@ -1097,6 +1101,9 @@ static void gatherSecurityPolicyViolationEventData(
init.setLineNumber(location->lineNumber());
init.setColumnNumber(location->columnNumber());
}
+
+ if (!scriptSource.isEmpty())
+ init.setScriptSample(scriptSource.stripWhiteSpace().left(40));
}
void ContentSecurityPolicy::reportViolation(
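Review bot: The sample is stored on the event init unconditionally here, while the postViolationReport hunk adds `script-sample` to the report only when `experimentalFeaturesEnabled()` is true. Unless the event attribute is gated somewhere this diff does not show, page script listening for the violation event can read the sample with the feature off. The `40` is also the only bound on how much inline script text (which may hold tokens or user data) leaves the page, so it should be a named, commented constant, for example `init.setScriptSample(scriptSource.stripWhiteSpace().left(kMaxScriptSampleLength));` where the constant name is a placeholder. `left()` presumably counts UTF-16 code units, so it is worth confirming that a sample cut inside a surrogate pair serializes cleanly. The function body starts outside this hunk.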
@@ -1111,7 +1118,8 @@ void ContentSecurityPolicy::reportViolation(
LocalFrame* contextFrame,
RedirectStatus redirectStatus,
int contextLine,
- Element* element) {
+ Element* element,
+ const String& source) {
ASSERT(violationType == URLViolation || blockedURL.isEmpty());
// TODO(lukasza): Support sending reports from OOPIFs -
@@ -1136,7 +1144,7 @@ void ContentSecurityPolicy::reportViolation(
DCHECK(relevantContext);
gatherSecurityPolicyViolationEventData(
violationData, relevantContext, directiveText, effectiveType, blockedURL,
- header, redirectStatus, headerType, violationType, contextLine);
+ header, redirectStatus, headerType, violationType, contextLine, source);
// TODO(mkwst): Obviously, we shouldn't hit this check, as extension-loaded
// resources should be allowed regardless. We apparently do, however, so
@@ -1198,6 +1206,9 @@ void ContentSecurityPolicy::postViolationReport(
cspReport->setString("source-file", violationData.sourceFile());
cspReport->setInteger("status-code", violationData.statusCode());
+ if (experimentalFeaturesEnabled())
+ cspReport->setString("script-sample", violationData.scriptSample());
+
std::unique_ptr<JSONObject> reportObject = JSONObject::create();
reportObject->setObject("csp-report", std::move(cspReport));
String stringifiedReport = reportObject->toJSONString();
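Review bot: `script-sample` is written for every report once experimental features are on, including violations that never carried a sample, so those reports would presumably contain an empty `script-sample` value. Guarding on the content keeps the key out of reports where it means nothing: `if (experimentalFeaturesEnabled() && !violationData.scriptSample().isEmpty())`. Since this is the point where page content is sent to the policy's report endpoint, a short comment stating that the value was already truncated in gatherSecurityPolicyViolationEventData would help anyone auditing what leaves the browser. postViolationReport begins and ends outside this hunk.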
