
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPSource.cpp

Issue 2456493002: Splitting *Matches functions in CSPSource (Closed)
Patch Set: Adding a comment Created 4 years, 1 month ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "core/frame/csp/CSPSource.h" 5 #include "core/frame/csp/CSPSource.h"
6 6
7 #include "core/frame/UseCounter.h" 7 #include "core/frame/UseCounter.h"
8 #include "core/frame/csp/ContentSecurityPolicy.h" 8 #include "core/frame/csp/ContentSecurityPolicy.h"
9 #include "platform/weborigin/KURL.h" 9 #include "platform/weborigin/KURL.h"
10 #include "platform/weborigin/KnownPorts.h" 10 #include "platform/weborigin/KnownPorts.h"
11 #include "platform/weborigin/SecurityOrigin.h" 11 #include "platform/weborigin/SecurityOrigin.h"
12 #include "wtf/text/WTFString.h" 12 #include "wtf/text/WTFString.h"
13 13
14 namespace blink { 14 namespace blink {
15 15
16 CSPSource::CSPSource(ContentSecurityPolicy* policy, 16 CSPSource::CSPSource(ContentSecurityPolicy* policy,
17 const String& scheme, 17 const String& scheme,
18 const String& host, 18 const String& host,
19 int port, 19 int port,
20 const String& path, 20 const String& path,
21 WildcardDisposition hostWildcard, 21 WildcardDisposition hostWildcard,
22 WildcardDisposition portWildcard) 22 WildcardDisposition portWildcard)
23 : m_policy(policy), 23 : m_policy(policy),
24 m_scheme(scheme), 24 m_scheme(scheme.lower()),
25 m_host(host), 25 m_host(host.lower()),
26 m_port(port), 26 m_port(port),
27 m_path(path), 27 m_path(path),
28 m_hostWildcard(hostWildcard), 28 m_hostWildcard(hostWildcard),
29 m_portWildcard(portWildcard) {} 29 m_portWildcard(portWildcard) {}
30 30
31 bool CSPSource::matches(const KURL& url, 31 bool CSPSource::matches(const KURL& url,
32 ResourceRequest::RedirectStatus redirectStatus) const { 32 ResourceRequest::RedirectStatus redirectStatus) const {
33 if (!schemeMatches(url)) 33 bool schemesMatch = m_scheme.isEmpty() ? m_policy->protocolMatchesSelf(url)
34 : schemeMatches(url.protocol());
35 if (!schemesMatch)
34 return false; 36 return false;
35 if (isSchemeOnly()) 37 if (isSchemeOnly())
36 return true; 38 return true;
37 bool pathsMatch = 39 bool pathsMatch = (redirectStatus == RedirectStatus::FollowedRedirect) ||
38 (redirectStatus == RedirectStatus::FollowedRedirect) || pathMatches(url); 40 pathMatches(url.path());
39 return hostMatches(url) && portMatches(url) && pathsMatch; 41 return hostMatches(url.host()) && portMatches(url.port(), url.protocol()) &&
42 pathsMatch;
40 } 43 }
41 44
42 bool CSPSource::schemeMatches(const KURL& url) const { 45 bool CSPSource::schemeMatches(const String& protocol) const {
43 if (m_scheme.isEmpty()) 46 DCHECK_EQ(protocol, protocol.lower());
44 return m_policy->protocolMatchesSelf(url); 47 if (m_scheme == "http")
45 if (equalIgnoringCase(m_scheme, "http")) 48 return protocol == "http" || protocol == "https";
46 return equalIgnoringCase(url.protocol(), "http") || 49 if (m_scheme == "ws")
47 equalIgnoringCase(url.protocol(), "https"); 50 return protocol == "ws" || protocol == "wss";
48 if (equalIgnoringCase(m_scheme, "ws")) 51 return protocol == m_scheme;
49 return equalIgnoringCase(url.protocol(), "ws") ||
50 equalIgnoringCase(url.protocol(), "wss");
51 return equalIgnoringCase(url.protocol(), m_scheme);
52 } 52 }
53 53
54 bool CSPSource::hostMatches(const KURL& url) const { 54 bool CSPSource::hostMatches(const String& host) const {
55 const String& host = url.host(); 55 DCHECK_EQ(host, host.lower());
Mike West 2016/10/27 07:45:59 In https://codereview.chromium.org/2447293002, csh
56
56 Document* document = m_policy->document(); 57 Document* document = m_policy->document();
57 bool match; 58 bool match;
58 59
59 bool equalHosts = equalIgnoringCase(host, m_host); 60 bool equalHosts = m_host == host;
60 if (m_hostWildcard == HasWildcard) { 61 if (m_hostWildcard == HasWildcard) {
61 match = host.endsWith(String("." + m_host), TextCaseInsensitive); 62 match = host.endsWith(String("." + m_host), TextCaseInsensitive);
62 63
63 // Chrome used to, incorrectly, match *.x.y to x.y. This was fixed, but 64 // Chrome used to, incorrectly, match *.x.y to x.y. This was fixed, but
64 // the following count measures when a match fails that would have 65 // the following count measures when a match fails that would have
65 // passed the old, incorrect style, in case a lot of sites were 66 // passed the old, incorrect style, in case a lot of sites were
66 // relying on that behavior. 67 // relying on that behavior.
67 if (document && equalHosts) 68 if (document && equalHosts)
68 UseCounter::count(*document, 69 UseCounter::count(*document,
69 UseCounter::CSPSourceWildcardWouldMatchExactHost); 70 UseCounter::CSPSourceWildcardWouldMatchExactHost);
70 } else { 71 } else {
71 match = equalHosts; 72 match = equalHosts;
72 } 73 }
73 74
74 return match; 75 return match;
75 } 76 }
76 77
77 bool CSPSource::pathMatches(const KURL& url) const { 78 bool CSPSource::pathMatches(const String& urlPath) const {
78 if (m_path.isEmpty()) 79 if (m_path.isEmpty())
79 return true; 80 return true;
80 81
81 String path = decodeURLEscapeSequences(url.path()); 82 String path = decodeURLEscapeSequences(urlPath);
82 83
83 if (m_path.endsWith("/")) 84 if (m_path.endsWith("/"))
84 return path.startsWith(m_path); 85 return path.startsWith(m_path);
85 86
86 return path == m_path; 87 return path == m_path;
87 } 88 }
88 89
89 bool CSPSource::portMatches(const KURL& url) const { 90 bool CSPSource::portMatches(int port, const String& protocol) const {
90 if (m_portWildcard == HasWildcard) 91 if (m_portWildcard == HasWildcard)
91 return true; 92 return true;
92 93
93 int port = url.port();
94
95 if (port == m_port) 94 if (port == m_port)
96 return true; 95 return true;
97 96
98 if (m_port == 80 && 97 if (m_port == 80 &&
99 (port == 443 || 98 (port == 443 || (port == 0 && defaultPortForProtocol(protocol) == 443)))
100 (port == 0 && defaultPortForProtocol(url.protocol()) == 443)))
101 return true; 99 return true;
102 100
103 if (!port) 101 if (!port)
104 return isDefaultPortForProtocol(m_port, url.protocol()); 102 return isDefaultPortForProtocol(m_port, protocol);
105 103
106 if (!m_port) 104 if (!m_port)
107 return isDefaultPortForProtocol(port, url.protocol()); 105 return isDefaultPortForProtocol(port, protocol);
108 106
109 return false; 107 return false;
110 } 108 }
111 109
112 bool CSPSource::isSchemeOnly() const { 110 bool CSPSource::isSchemeOnly() const {
113 return m_host.isEmpty(); 111 return m_host.isEmpty();
114 } 112 }
115 113
116 DEFINE_TRACE(CSPSource) { 114 DEFINE_TRACE(CSPSource) {
117 visitor->trace(m_policy); 115 visitor->trace(m_policy);
118 } 116 }
119 117
120 } // namespace blink 118 } // namespace blink
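Review bot: The exact-match comparisons in the new `schemeMatches` and `hostMatches` (new lines 47-51 and 60) are now case-sensitive and rely on the caller passing lower-cased strings, but that precondition is only checked by `DCHECK_EQ`, which is normally compiled out of release builds. Because the parameters changed from `const KURL&` to `const String&`, the type no longer carries whatever normalization KURL provides, so a mixed-case argument from a future caller would silently fail the exact match while the wildcard branch at new line 62 still compares with `TextCaseInsensitive`. Inside `matches()` that is a fail-closed mismatch for a CSP allow-list, but the outcome could differ if these helpers are later used for other comparisons, so I would state the contract in a comment on both functions, e.g. `// |host| must already be lower-cased; only DCHECKed, so release builds do not verify it.` Likewise `schemeMatches` no longer handles an empty `m_scheme` and would return `protocol == ""` for such a source, which deserves `// Callers handle the empty-scheme ('self') case first; see matches().`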