OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 1124 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1135 ContentSecurityPolicy::TreatAsPublicAddress)) { | 1135 ContentSecurityPolicy::TreatAsPublicAddress)) { |
1136 treatAsPublicAddress(name, value); | 1136 treatAsPublicAddress(name, value); |
1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && | 1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && |
1138 m_policy->experimentalFeaturesEnabled()) { | 1138 m_policy->experimentalFeaturesEnabled()) { |
1139 parseRequireSRIFor(name, value); | 1139 parseRequireSRIFor(name, value); |
1140 } else { | 1140 } else { |
1141 m_policy->reportUnsupportedDirective(name); | 1141 m_policy->reportUnsupportedDirective(name); |
1142 } | 1142 } |
1143 } | 1143 } |
1144 | 1144 |
1145 SourceListDirectiveVector CSPDirectiveList::getSourceList( | |
1146 const char* name, | |
1147 CSPDirectiveListVector policies) { | |
1148 SourceListDirectiveVector sourceListDirectives; | |
1149 if (name == ContentSecurityPolicy::ScriptSrc) { | |
Mike West
2016/11/14 14:21:23
Perhaps you could put the loop on the outside of a
amalika
2016/11/15 13:17:18
I thought it would be better to first get into the
Mike West
2016/11/17 11:25:15
We're expecting sites to have some small number of
| |
1150 for (const auto& policy : policies) { | |
1151 if (policy->m_scriptSrc.get()) { | |
1152 sourceListDirectives.append(policy->m_scriptSrc); | |
1153 } else if (policy->m_defaultSrc.get()) { | |
1154 sourceListDirectives.append(policy->m_defaultSrc); | |
1155 } | |
Mike West
2016/11/14 14:21:23
This could be compressed to something like:
```
i
| |
1156 } | |
1157 } else if (name == ContentSecurityPolicy::ObjectSrc) { | |
1158 for (const auto& policy : policies) { | |
1159 if (policy->m_objectSrc.get()) { | |
1160 sourceListDirectives.append(policy->m_objectSrc); | |
1161 } else if (policy->m_defaultSrc.get()) { | |
1162 sourceListDirectives.append(policy->m_defaultSrc); | |
1163 } | |
1164 } | |
1165 } else if (name == ContentSecurityPolicy::FrameSrc) { | |
1166 for (const auto& policy : policies) { | |
1167 if (policy->m_frameSrc.get()) { | |
1168 sourceListDirectives.append(policy->m_frameSrc); | |
1169 } else if (policy->m_childSrc.get()) { | |
1170 sourceListDirectives.append(policy->m_childSrc); | |
1171 } else if (policy->m_defaultSrc.get()) { | |
1172 sourceListDirectives.append(policy->m_defaultSrc); | |
1173 } | |
1174 } | |
1175 } else if (name == ContentSecurityPolicy::ImgSrc) { | |
1176 for (const auto& policy : policies) { | |
1177 if (policy->m_imgSrc.get()) { | |
1178 sourceListDirectives.append(policy->m_imgSrc); | |
1179 } else if (policy->m_defaultSrc.get()) { | |
1180 sourceListDirectives.append(policy->m_defaultSrc); | |
1181 } | |
1182 } | |
1183 } else if (name == ContentSecurityPolicy::StyleSrc) { | |
1184 for (const auto& policy : policies) { | |
1185 if (policy->m_styleSrc.get()) { | |
1186 sourceListDirectives.append(policy->m_styleSrc); | |
1187 } else if (policy->m_defaultSrc.get()) { | |
1188 sourceListDirectives.append(policy->m_defaultSrc); | |
1189 } | |
1190 } | |
1191 } else if (name == ContentSecurityPolicy::FontSrc) { | |
1192 for (const auto& policy : policies) { | |
1193 if (policy->m_fontSrc.get()) { | |
1194 sourceListDirectives.append(policy->m_fontSrc); | |
1195 } else if (policy->m_defaultSrc.get()) { | |
1196 sourceListDirectives.append(policy->m_defaultSrc); | |
1197 } | |
1198 } | |
1199 } else if (name == ContentSecurityPolicy::MediaSrc) { | |
1200 for (const auto& policy : policies) { | |
1201 if (policy->m_mediaSrc.get()) { | |
1202 sourceListDirectives.append(policy->m_mediaSrc); | |
1203 } else if (policy->m_defaultSrc.get()) { | |
1204 sourceListDirectives.append(policy->m_defaultSrc); | |
1205 } | |
1206 } | |
1207 } else if (name == ContentSecurityPolicy::ConnectSrc) { | |
1208 for (const auto& policy : policies) { | |
1209 if (policy->m_connectSrc.get()) { | |
1210 sourceListDirectives.append(policy->m_connectSrc); | |
1211 } else if (policy->m_defaultSrc.get()) { | |
1212 sourceListDirectives.append(policy->m_defaultSrc); | |
1213 } | |
1214 } | |
1215 } else if (name == ContentSecurityPolicy::ChildSrc) { | |
1216 for (const auto& policy : policies) { | |
1217 if (policy->m_childSrc.get()) { | |
1218 sourceListDirectives.append(policy->m_childSrc); | |
1219 } else if (policy->m_defaultSrc.get()) { | |
1220 sourceListDirectives.append(policy->m_defaultSrc); | |
1221 } | |
1222 } | |
1223 } else if (name == ContentSecurityPolicy::ManifestSrc) { | |
1224 for (const auto& policy : policies) { | |
1225 if (policy->m_manifestSrc.get()) { | |
1226 sourceListDirectives.append(policy->m_manifestSrc); | |
1227 } else if (policy->m_defaultSrc.get()) { | |
1228 sourceListDirectives.append(policy->m_defaultSrc); | |
1229 } | |
1230 } | |
1231 } else if (name == ContentSecurityPolicy::FrameAncestors) { | |
1232 for (const auto& policy : policies) { | |
1233 if (policy->m_frameAncestors.get()) { | |
1234 sourceListDirectives.append(policy->m_frameAncestors); | |
1235 } | |
1236 } | |
1237 } else if (name == ContentSecurityPolicy::BaseURI) { | |
1238 for (const auto& policy : policies) { | |
1239 if (policy->m_baseURI.get()) { | |
1240 sourceListDirectives.append(policy->m_baseURI); | |
1241 } | |
1242 } | |
1243 } else if (name == ContentSecurityPolicy::FormAction) { | |
1244 for (const auto& policy : policies) { | |
1245 if (policy->m_formAction.get()) { | |
1246 sourceListDirectives.append(policy->m_formAction); | |
1247 } | |
1248 } | |
1249 } | |
1250 return sourceListDirectives; | |
1251 } | |
1252 | |
1253 bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { | |
1254 const char* directives[] = { | |
1255 // Fetch Directives | |
1256 ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc, | |
1257 ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc, | |
1258 ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc, | |
1259 ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc, | |
1260 ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc, | |
1261 // Document Directives | |
1262 ContentSecurityPolicy::BaseURI, | |
1263 // Navigation Directives | |
1264 ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction}; | |
1265 | |
1266 for (const auto& directive : directives) { | |
1267 // There should only be one SourceListDirective for each dirctive in | |
1268 // Embedding-CSP. | |
1269 SourceListDirectiveVector requiredList = | |
1270 getSourceList(directive, CSPDirectiveListVector(1, this)); | |
1271 if (requiredList.size() == 0) | |
1272 continue; | |
1273 SourceListDirective* required = requiredList[0]; | |
1274 // Aggregate all serialized source lists of the returned CSP into a vector | |
1275 // based on a directive type, defaulting accordingly (for example, to | |
1276 // `default-src`) | |
1277 SourceListDirectiveVector returned = getSourceList(directive, other); | |
1278 // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, | |
1279 // navigation-to, worker-src. | |
1280 if (!required->subsumes(returned)) | |
1281 return false; | |
1282 } | |
1283 | |
1284 return true; | |
1285 } | |
1286 | |
1145 DEFINE_TRACE(CSPDirectiveList) { | 1287 DEFINE_TRACE(CSPDirectiveList) { |
1146 visitor->trace(m_policy); | 1288 visitor->trace(m_policy); |
1147 visitor->trace(m_pluginTypes); | 1289 visitor->trace(m_pluginTypes); |
1148 visitor->trace(m_baseURI); | 1290 visitor->trace(m_baseURI); |
1149 visitor->trace(m_childSrc); | 1291 visitor->trace(m_childSrc); |
1150 visitor->trace(m_connectSrc); | 1292 visitor->trace(m_connectSrc); |
1151 visitor->trace(m_defaultSrc); | 1293 visitor->trace(m_defaultSrc); |
1152 visitor->trace(m_fontSrc); | 1294 visitor->trace(m_fontSrc); |
1153 visitor->trace(m_formAction); | 1295 visitor->trace(m_formAction); |
1154 visitor->trace(m_frameAncestors); | 1296 visitor->trace(m_frameAncestors); |
1155 visitor->trace(m_frameSrc); | 1297 visitor->trace(m_frameSrc); |
1156 visitor->trace(m_imgSrc); | 1298 visitor->trace(m_imgSrc); |
1157 visitor->trace(m_mediaSrc); | 1299 visitor->trace(m_mediaSrc); |
1158 visitor->trace(m_manifestSrc); | 1300 visitor->trace(m_manifestSrc); |
1159 visitor->trace(m_objectSrc); | 1301 visitor->trace(m_objectSrc); |
1160 visitor->trace(m_scriptSrc); | 1302 visitor->trace(m_scriptSrc); |
1161 visitor->trace(m_styleSrc); | 1303 visitor->trace(m_styleSrc); |
1162 visitor->trace(m_workerSrc); | 1304 visitor->trace(m_workerSrc); |
1163 } | 1305 } |
1164 | 1306 |
1165 } // namespace blink | 1307 } // namespace blink |
OLD | NEW |