OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CSPDirectiveList_h | 5 #ifndef CSPDirectiveList_h |
6 #define CSPDirectiveList_h | 6 #define CSPDirectiveList_h |
7 | 7 |
8 #include "core/fetch/Resource.h" | 8 #include "core/fetch/Resource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "core/frame/csp/MediaListDirective.h" | 10 #include "core/frame/csp/MediaListDirective.h" |
11 #include "core/frame/csp/SourceListDirective.h" | 11 #include "core/frame/csp/SourceListDirective.h" |
12 #include "platform/heap/Handle.h" | 12 #include "platform/heap/Handle.h" |
13 #include "platform/network/ContentSecurityPolicyParsers.h" | 13 #include "platform/network/ContentSecurityPolicyParsers.h" |
14 #include "platform/network/HTTPParsers.h" | 14 #include "platform/network/HTTPParsers.h" |
15 #include "platform/network/ResourceRequest.h" | 15 #include "platform/network/ResourceRequest.h" |
16 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
17 #include "wtf/Vector.h" | 17 #include "wtf/Vector.h" |
18 #include "wtf/text/AtomicString.h" | 18 #include "wtf/text/AtomicString.h" |
19 #include "wtf/text/WTFString.h" | 19 #include "wtf/text/WTFString.h" |
20 | 20 |
21 namespace blink { | 21 namespace blink { |
22 | 22 |
23 class ContentSecurityPolicy; | 23 class ContentSecurityPolicy; |
24 | 24 |
| 25 typedef HeapVector<Member<SourceListDirective>> SourceListDirectiveVector; |
| 26 |
25 class CORE_EXPORT CSPDirectiveList | 27 class CORE_EXPORT CSPDirectiveList |
26 : public GarbageCollectedFinalized<CSPDirectiveList> { | 28 : public GarbageCollectedFinalized<CSPDirectiveList> { |
27 WTF_MAKE_NONCOPYABLE(CSPDirectiveList); | 29 WTF_MAKE_NONCOPYABLE(CSPDirectiveList); |
28 | 30 |
29 public: | 31 public: |
30 static CSPDirectiveList* create(ContentSecurityPolicy*, | 32 static CSPDirectiveList* create(ContentSecurityPolicy*, |
31 const UChar* begin, | 33 const UChar* begin, |
32 const UChar* end, | 34 const UChar* end, |
33 ContentSecurityPolicyHeaderType, | 35 ContentSecurityPolicyHeaderType, |
34 ContentSecurityPolicyHeaderSource); | 36 ContentSecurityPolicyHeaderSource); |
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
149 return m_frameAncestors.get() && !isReportOnly(); | 151 return m_frameAncestors.get() && !isReportOnly(); |
150 } | 152 } |
151 | 153 |
152 // Used to copy plugin-types into a plugin document in a nested | 154 // Used to copy plugin-types into a plugin document in a nested |
153 // browsing context. | 155 // browsing context. |
154 bool hasPluginTypes() const { return !!m_pluginTypes; } | 156 bool hasPluginTypes() const { return !!m_pluginTypes; } |
155 const String& pluginTypesText() const; | 157 const String& pluginTypesText() const; |
156 | 158 |
157 bool shouldSendCSPHeader(Resource::Type) const; | 159 bool shouldSendCSPHeader(Resource::Type) const; |
158 | 160 |
| 161 // The algorithm is described here: |
| 162 // https://w3c.github.io/webappsec-csp/embedded/#subsume-policy |
| 163 bool subsumes(CSPDirectiveListVector); |
| 164 |
159 DECLARE_TRACE(); | 165 DECLARE_TRACE(); |
160 | 166 |
161 private: | 167 private: |
162 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); | 168 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); |
163 | 169 |
164 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 }; | 170 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 }; |
165 | 171 |
166 CSPDirectiveList(ContentSecurityPolicy*, | 172 CSPDirectiveList(ContentSecurityPolicy*, |
167 ContentSecurityPolicyHeaderType, | 173 ContentSecurityPolicyHeaderType, |
168 ContentSecurityPolicyHeaderSource); | 174 ContentSecurityPolicyHeaderSource); |
(...skipping 89 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
258 bool checkAncestorsAndReportViolation(SourceListDirective*, | 264 bool checkAncestorsAndReportViolation(SourceListDirective*, |
259 LocalFrame*, | 265 LocalFrame*, |
260 const KURL&) const; | 266 const KURL&) const; |
261 bool checkRequestWithoutIntegrityAndReportViolation( | 267 bool checkRequestWithoutIntegrityAndReportViolation( |
262 WebURLRequest::RequestContext, | 268 WebURLRequest::RequestContext, |
263 const KURL&, | 269 const KURL&, |
264 ResourceRequest::RedirectStatus) const; | 270 ResourceRequest::RedirectStatus) const; |
265 | 271 |
266 bool denyIfEnforcingPolicy() const { return isReportOnly(); } | 272 bool denyIfEnforcingPolicy() const { return isReportOnly(); } |
267 | 273 |
| 274 static SourceListDirectiveVector getSourceList( |
| 275 const char* name, |
| 276 CSPDirectiveListVector policies); |
| 277 |
268 Member<ContentSecurityPolicy> m_policy; | 278 Member<ContentSecurityPolicy> m_policy; |
269 | 279 |
270 String m_header; | 280 String m_header; |
271 ContentSecurityPolicyHeaderType m_headerType; | 281 ContentSecurityPolicyHeaderType m_headerType; |
272 ContentSecurityPolicyHeaderSource m_headerSource; | 282 ContentSecurityPolicyHeaderSource m_headerSource; |
273 | 283 |
274 bool m_hasSandboxPolicy; | 284 bool m_hasSandboxPolicy; |
275 | 285 |
276 bool m_strictMixedContentCheckingEnforced; | 286 bool m_strictMixedContentCheckingEnforced; |
277 | 287 |
(...skipping 20 matching lines...) Expand all Loading... |
298 uint8_t m_requireSRIFor; | 308 uint8_t m_requireSRIFor; |
299 | 309 |
300 Vector<String> m_reportEndpoints; | 310 Vector<String> m_reportEndpoints; |
301 | 311 |
302 String m_evalDisabledErrorMessage; | 312 String m_evalDisabledErrorMessage; |
303 }; | 313 }; |
304 | 314 |
305 } // namespace blink | 315 } // namespace blink |
306 | 316 |
307 #endif | 317 #endif |
OLD | NEW |