Chromium Code Reviews Chromium Code Reviews
Issue 2474903002:
Part 3.1: Is policy list subsumed under subsuming policy? (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| (...skipping 1124 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1135 ContentSecurityPolicy::TreatAsPublicAddress)) { | 1135 ContentSecurityPolicy::TreatAsPublicAddress)) { |
| 1136 treatAsPublicAddress(name, value); | 1136 treatAsPublicAddress(name, value); |
| 1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && | 1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && |
| 1138 m_policy->experimentalFeaturesEnabled()) { | 1138 m_policy->experimentalFeaturesEnabled()) { |
| 1139 parseRequireSRIFor(name, value); | 1139 parseRequireSRIFor(name, value); |
| 1140 } else { | 1140 } else { |
| 1141 m_policy->reportUnsupportedDirective(name); | 1141 m_policy->reportUnsupportedDirective(name); |
| 1142 } | 1142 } |
| 1143 } | 1143 } |
| 1144 | 1144 |
| 1145 SourceListDirectiveVector CSPDirectiveList::getSourceList( | |
| 1146 const char* name, | |
| 1147 CSPDirectiveListVector policies) { | |
| 1148 SourceListDirectiveVector sourceListDirectives; | |
| 1149 if (name == ContentSecurityPolicy::ScriptSrc) { | |
|
Mike West
2016/11/14 14:21:23
Perhaps you could put the loop on the outside of a
amalika
2016/11/15 13:17:18
I thought it would be better to first get into the
Mike West
2016/11/17 11:25:15
We're expecting sites to have some small number of
| |
| 1150 for (const auto& policy : policies) { | |
| 1151 if (policy->m_scriptSrc.get()) { | |
| 1152 sourceListDirectives.append(policy->m_scriptSrc); | |
| 1153 } else if (policy->m_defaultSrc.get()) { | |
| 1154 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1155 } | |
|
Mike West
2016/11/14 14:21:23
This could be compressed to something like:
```
i
| |
| 1156 } | |
| 1157 } else if (name == ContentSecurityPolicy::ObjectSrc) { | |
| 1158 for (const auto& policy : policies) { | |
| 1159 if (policy->m_objectSrc.get()) { | |
| 1160 sourceListDirectives.append(policy->m_objectSrc); | |
| 1161 } else if (policy->m_defaultSrc.get()) { | |
| 1162 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1163 } | |
| 1164 } | |
| 1165 } else if (name == ContentSecurityPolicy::FrameSrc) { | |
| 1166 for (const auto& policy : policies) { | |
| 1167 if (policy->m_frameSrc.get()) { | |
| 1168 sourceListDirectives.append(policy->m_frameSrc); | |
| 1169 } else if (policy->m_childSrc.get()) { | |
| 1170 sourceListDirectives.append(policy->m_childSrc); | |
| 1171 } else if (policy->m_defaultSrc.get()) { | |
| 1172 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1173 } | |
| 1174 } | |
| 1175 } else if (name == ContentSecurityPolicy::ImgSrc) { | |
| 1176 for (const auto& policy : policies) { | |
| 1177 if (policy->m_imgSrc.get()) { | |
| 1178 sourceListDirectives.append(policy->m_imgSrc); | |
| 1179 } else if (policy->m_defaultSrc.get()) { | |
| 1180 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1181 } | |
| 1182 } | |
| 1183 } else if (name == ContentSecurityPolicy::StyleSrc) { | |
| 1184 for (const auto& policy : policies) { | |
| 1185 if (policy->m_styleSrc.get()) { | |
| 1186 sourceListDirectives.append(policy->m_styleSrc); | |
| 1187 } else if (policy->m_defaultSrc.get()) { | |
| 1188 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1189 } | |
| 1190 } | |
| 1191 } else if (name == ContentSecurityPolicy::FontSrc) { | |
| 1192 for (const auto& policy : policies) { | |
| 1193 if (policy->m_fontSrc.get()) { | |
| 1194 sourceListDirectives.append(policy->m_fontSrc); | |
| 1195 } else if (policy->m_defaultSrc.get()) { | |
| 1196 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1197 } | |
| 1198 } | |
| 1199 } else if (name == ContentSecurityPolicy::MediaSrc) { | |
| 1200 for (const auto& policy : policies) { | |
| 1201 if (policy->m_mediaSrc.get()) { | |
| 1202 sourceListDirectives.append(policy->m_mediaSrc); | |
| 1203 } else if (policy->m_defaultSrc.get()) { | |
| 1204 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1205 } | |
| 1206 } | |
| 1207 } else if (name == ContentSecurityPolicy::ConnectSrc) { | |
| 1208 for (const auto& policy : policies) { | |
| 1209 if (policy->m_connectSrc.get()) { | |
| 1210 sourceListDirectives.append(policy->m_connectSrc); | |
| 1211 } else if (policy->m_defaultSrc.get()) { | |
| 1212 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1213 } | |
| 1214 } | |
| 1215 } else if (name == ContentSecurityPolicy::ChildSrc) { | |
| 1216 for (const auto& policy : policies) { | |
| 1217 if (policy->m_childSrc.get()) { | |
| 1218 sourceListDirectives.append(policy->m_childSrc); | |
| 1219 } else if (policy->m_defaultSrc.get()) { | |
| 1220 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1221 } | |
| 1222 } | |
| 1223 } else if (name == ContentSecurityPolicy::ManifestSrc) { | |
| 1224 for (const auto& policy : policies) { | |
| 1225 if (policy->m_manifestSrc.get()) { | |
| 1226 sourceListDirectives.append(policy->m_manifestSrc); | |
| 1227 } else if (policy->m_defaultSrc.get()) { | |
| 1228 sourceListDirectives.append(policy->m_defaultSrc); | |
| 1229 } | |
| 1230 } | |
| 1231 } else if (name == ContentSecurityPolicy::FrameAncestors) { | |
| 1232 for (const auto& policy : policies) { | |
| 1233 if (policy->m_frameAncestors.get()) { | |
| 1234 sourceListDirectives.append(policy->m_frameAncestors); | |
| 1235 } | |
| 1236 } | |
| 1237 } else if (name == ContentSecurityPolicy::BaseURI) { | |
| 1238 for (const auto& policy : policies) { | |
| 1239 if (policy->m_baseURI.get()) { | |
| 1240 sourceListDirectives.append(policy->m_baseURI); | |
| 1241 } | |
| 1242 } | |
| 1243 } else if (name == ContentSecurityPolicy::FormAction) { | |
| 1244 for (const auto& policy : policies) { | |
| 1245 if (policy->m_formAction.get()) { | |
| 1246 sourceListDirectives.append(policy->m_formAction); | |
| 1247 } | |
| 1248 } | |
| 1249 } | |
| 1250 return sourceListDirectives; | |
| 1251 } | |
| 1252 | |
| 1253 bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { | |
| 1254 const char* directives[] = { | |
| 1255 // Fetch Directives | |
| 1256 ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc, | |
| 1257 ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc, | |
| 1258 ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc, | |
| 1259 ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc, | |
| 1260 ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc, | |
| 1261 // Document Directives | |
| 1262 ContentSecurityPolicy::BaseURI, | |
| 1263 // Navigation Directives | |
| 1264 ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction}; | |
| 1265 | |
| 1266 for (const auto& directive : directives) { | |
| 1267 // There should only be one SourceListDirective for each dirctive in | |
| 1268 // Embedding-CSP. | |
| 1269 SourceListDirectiveVector requiredList = | |
| 1270 getSourceList(directive, CSPDirectiveListVector(1, this)); | |
| 1271 if (requiredList.size() == 0) | |
| 1272 continue; | |
| 1273 SourceListDirective* required = requiredList[0]; | |
| 1274 // Aggregate all serialized source lists of the returned CSP into a vector | |
| 1275 // based on a directive type, defaulting accordingly (for example, to | |
| 1276 // `default-src`) | |
| 1277 SourceListDirectiveVector returned = getSourceList(directive, other); | |
| 1278 // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, | |
| 1279 // navigation-to, worker-src. | |
| 1280 if (!required->subsumes(returned)) | |
| 1281 return false; | |
| 1282 } | |
| 1283 | |
| 1284 return true; | |
| 1285 } | |
| 1286 | |
| 1145 DEFINE_TRACE(CSPDirectiveList) { | 1287 DEFINE_TRACE(CSPDirectiveList) { |
| 1146 visitor->trace(m_policy); | 1288 visitor->trace(m_policy); |
| 1147 visitor->trace(m_pluginTypes); | 1289 visitor->trace(m_pluginTypes); |
| 1148 visitor->trace(m_baseURI); | 1290 visitor->trace(m_baseURI); |
| 1149 visitor->trace(m_childSrc); | 1291 visitor->trace(m_childSrc); |
| 1150 visitor->trace(m_connectSrc); | 1292 visitor->trace(m_connectSrc); |
| 1151 visitor->trace(m_defaultSrc); | 1293 visitor->trace(m_defaultSrc); |
| 1152 visitor->trace(m_fontSrc); | 1294 visitor->trace(m_fontSrc); |
| 1153 visitor->trace(m_formAction); | 1295 visitor->trace(m_formAction); |
| 1154 visitor->trace(m_frameAncestors); | 1296 visitor->trace(m_frameAncestors); |
| 1155 visitor->trace(m_frameSrc); | 1297 visitor->trace(m_frameSrc); |
| 1156 visitor->trace(m_imgSrc); | 1298 visitor->trace(m_imgSrc); |
| 1157 visitor->trace(m_mediaSrc); | 1299 visitor->trace(m_mediaSrc); |
| 1158 visitor->trace(m_manifestSrc); | 1300 visitor->trace(m_manifestSrc); |
| 1159 visitor->trace(m_objectSrc); | 1301 visitor->trace(m_objectSrc); |
| 1160 visitor->trace(m_scriptSrc); | 1302 visitor->trace(m_scriptSrc); |
| 1161 visitor->trace(m_styleSrc); | 1303 visitor->trace(m_styleSrc); |
| 1162 visitor->trace(m_workerSrc); | 1304 visitor->trace(m_workerSrc); |
| 1163 } | 1305 } |
| 1164 | 1306 |
| 1165 } // namespace blink | 1307 } // namespace blink |
| OLD | NEW |
