Chromium Code Reviews Chromium Code Reviews
Issue 2474903002:
Part 3.1: Is policy list subsumed under subsuming policy? (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| (...skipping 1124 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1135 ContentSecurityPolicy::TreatAsPublicAddress)) { | 1135 ContentSecurityPolicy::TreatAsPublicAddress)) { |
| 1136 treatAsPublicAddress(name, value); | 1136 treatAsPublicAddress(name, value); |
| 1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && | 1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && |
| 1138 m_policy->experimentalFeaturesEnabled()) { | 1138 m_policy->experimentalFeaturesEnabled()) { |
| 1139 parseRequireSRIFor(name, value); | 1139 parseRequireSRIFor(name, value); |
| 1140 } else { | 1140 } else { |
| 1141 m_policy->reportUnsupportedDirective(name); | 1141 m_policy->reportUnsupportedDirective(name); |
| 1142 } | 1142 } |
| 1143 } | 1143 } |
| 1144 | 1144 |
| 1145 SourceListDirectiveVector CSPDirectiveList::getSourceList( | |
| 1146 const char* name, | |
| 1147 CSPDirectiveListVector policies) { | |
| 1148 SourceListDirectiveVector sourceListDirectives; | |
| 1149 if (name == ContentSecurityPolicy::ScriptSrc) { | |
|
Mike West
2016/11/17 11:25:15
Another way of approaching this would be to refact
| |
| 1150 for (const auto& policy : policies) { | |
| 1151 if (SourceListDirective* directive = | |
| 1152 policy->operativeDirective(policy->m_scriptSrc.get())) { | |
| 1153 sourceListDirectives.append(directive); | |
| 1154 } | |
| 1155 } | |
| 1156 } else if (name == ContentSecurityPolicy::ObjectSrc) { | |
| 1157 for (const auto& policy : policies) { | |
| 1158 if (SourceListDirective* directive = | |
| 1159 policy->operativeDirective(policy->m_objectSrc.get())) { | |
| 1160 sourceListDirectives.append(directive); | |
| 1161 } | |
| 1162 } | |
| 1163 } else if (name == ContentSecurityPolicy::FrameSrc) { | |
| 1164 for (const auto& policy : policies) { | |
| 1165 if (SourceListDirective* directive = policy->operativeDirective( | |
| 1166 policy->m_frameSrc.get(), | |
| 1167 policy->operativeDirective(policy->m_childSrc.get()))) { | |
| 1168 sourceListDirectives.append(directive); | |
| 1169 } | |
| 1170 } | |
| 1171 } else if (name == ContentSecurityPolicy::ImgSrc) { | |
| 1172 for (const auto& policy : policies) { | |
| 1173 if (SourceListDirective* directive = | |
| 1174 policy->operativeDirective(policy->m_imgSrc.get())) { | |
| 1175 sourceListDirectives.append(directive); | |
| 1176 } | |
| 1177 } | |
| 1178 } else if (name == ContentSecurityPolicy::StyleSrc) { | |
| 1179 for (const auto& policy : policies) { | |
| 1180 if (SourceListDirective* directive = | |
| 1181 policy->operativeDirective(policy->m_styleSrc.get())) { | |
| 1182 sourceListDirectives.append(directive); | |
| 1183 } | |
| 1184 } | |
| 1185 } else if (name == ContentSecurityPolicy::FontSrc) { | |
| 1186 for (const auto& policy : policies) { | |
| 1187 if (SourceListDirective* directive = | |
| 1188 policy->operativeDirective(policy->m_fontSrc.get())) { | |
| 1189 sourceListDirectives.append(directive); | |
| 1190 } | |
| 1191 } | |
| 1192 } else if (name == ContentSecurityPolicy::MediaSrc) { | |
| 1193 for (const auto& policy : policies) { | |
| 1194 if (SourceListDirective* directive = | |
| 1195 policy->operativeDirective(policy->m_mediaSrc.get())) { | |
| 1196 sourceListDirectives.append(directive); | |
| 1197 } | |
| 1198 } | |
| 1199 } else if (name == ContentSecurityPolicy::ConnectSrc) { | |
| 1200 for (const auto& policy : policies) { | |
| 1201 if (SourceListDirective* directive = | |
| 1202 policy->operativeDirective(policy->m_connectSrc.get())) { | |
| 1203 sourceListDirectives.append(directive); | |
| 1204 } | |
| 1205 } | |
| 1206 } else if (name == ContentSecurityPolicy::ChildSrc) { | |
| 1207 for (const auto& policy : policies) { | |
| 1208 if (SourceListDirective* directive = | |
| 1209 policy->operativeDirective(policy->m_childSrc.get())) { | |
| 1210 sourceListDirectives.append(directive); | |
| 1211 } | |
| 1212 } | |
| 1213 } else if (name == ContentSecurityPolicy::ManifestSrc) { | |
| 1214 for (const auto& policy : policies) { | |
| 1215 if (SourceListDirective* directive = | |
| 1216 policy->operativeDirective(policy->m_manifestSrc.get())) { | |
| 1217 sourceListDirectives.append(directive); | |
| 1218 } | |
| 1219 } | |
| 1220 } else if (name == ContentSecurityPolicy::FrameAncestors) { | |
| 1221 for (const auto& policy : policies) { | |
| 1222 if (SourceListDirective* directive = policy->m_frameAncestors.get()) { | |
| 1223 sourceListDirectives.append(directive); | |
| 1224 } | |
| 1225 } | |
| 1226 } else if (name == ContentSecurityPolicy::BaseURI) { | |
| 1227 for (const auto& policy : policies) { | |
| 1228 if (SourceListDirective* directive = policy->m_baseURI.get()) { | |
| 1229 sourceListDirectives.append(directive); | |
| 1230 } | |
| 1231 } | |
| 1232 } else if (name == ContentSecurityPolicy::FormAction) { | |
| 1233 for (const auto& policy : policies) { | |
| 1234 if (SourceListDirective* directive = policy->m_formAction.get()) { | |
| 1235 sourceListDirectives.append(directive); | |
| 1236 } | |
| 1237 } | |
| 1238 } | |
| 1239 | |
| 1240 return sourceListDirectives; | |
| 1241 } | |
| 1242 | |
| 1243 bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { | |
| 1244 const char* directives[] = { | |
| 1245 // Fetch Directives | |
| 1246 ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc, | |
| 1247 ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc, | |
| 1248 ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc, | |
| 1249 ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc, | |
| 1250 ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc, | |
|
Mike West
2016/11/17 11:25:15
You'll want to add 'WorkerSrc', as you noted.
| |
| 1251 // Document Directives | |
| 1252 ContentSecurityPolicy::BaseURI, | |
| 1253 // Navigation Directives | |
| 1254 ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction}; | |
| 1255 | |
| 1256 for (const auto& directive : directives) { | |
| 1257 // There should only be one SourceListDirective for each dirctive in | |
| 1258 // Embedding-CSP. | |
| 1259 SourceListDirectiveVector requiredList = | |
| 1260 getSourceList(directive, CSPDirectiveListVector(1, this)); | |
| 1261 if (requiredList.size() == 0) | |
| 1262 continue; | |
| 1263 SourceListDirective* required = requiredList[0]; | |
| 1264 // Aggregate all serialized source lists of the returned CSP into a vector | |
| 1265 // based on a directive type, defaulting accordingly (for example, to | |
| 1266 // `default-src`). | |
| 1267 SourceListDirectiveVector returned = getSourceList(directive, other); | |
| 1268 // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, | |
| 1269 // navigation-to, worker-src. | |
| 1270 if (!required->subsumes(returned)) | |
| 1271 return false; | |
| 1272 } | |
| 1273 | |
| 1274 return true; | |
| 1275 } | |
| 1276 | |
| 1145 DEFINE_TRACE(CSPDirectiveList) { | 1277 DEFINE_TRACE(CSPDirectiveList) { |
| 1146 visitor->trace(m_policy); | 1278 visitor->trace(m_policy); |
| 1147 visitor->trace(m_pluginTypes); | 1279 visitor->trace(m_pluginTypes); |
| 1148 visitor->trace(m_baseURI); | 1280 visitor->trace(m_baseURI); |
| 1149 visitor->trace(m_childSrc); | 1281 visitor->trace(m_childSrc); |
| 1150 visitor->trace(m_connectSrc); | 1282 visitor->trace(m_connectSrc); |
| 1151 visitor->trace(m_defaultSrc); | 1283 visitor->trace(m_defaultSrc); |
| 1152 visitor->trace(m_fontSrc); | 1284 visitor->trace(m_fontSrc); |
| 1153 visitor->trace(m_formAction); | 1285 visitor->trace(m_formAction); |
| 1154 visitor->trace(m_frameAncestors); | 1286 visitor->trace(m_frameAncestors); |
| 1155 visitor->trace(m_frameSrc); | 1287 visitor->trace(m_frameSrc); |
| 1156 visitor->trace(m_imgSrc); | 1288 visitor->trace(m_imgSrc); |
| 1157 visitor->trace(m_mediaSrc); | 1289 visitor->trace(m_mediaSrc); |
| 1158 visitor->trace(m_manifestSrc); | 1290 visitor->trace(m_manifestSrc); |
| 1159 visitor->trace(m_objectSrc); | 1291 visitor->trace(m_objectSrc); |
| 1160 visitor->trace(m_scriptSrc); | 1292 visitor->trace(m_scriptSrc); |
| 1161 visitor->trace(m_styleSrc); | 1293 visitor->trace(m_styleSrc); |
| 1162 visitor->trace(m_workerSrc); | 1294 visitor->trace(m_workerSrc); |
| 1163 } | 1295 } |
| 1164 | 1296 |
| 1165 } // namespace blink | 1297 } // namespace blink |
| OLD | NEW |
