OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 1124 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1135 ContentSecurityPolicy::TreatAsPublicAddress)) { | 1135 ContentSecurityPolicy::TreatAsPublicAddress)) { |
1136 treatAsPublicAddress(name, value); | 1136 treatAsPublicAddress(name, value); |
1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && | 1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && |
1138 m_policy->experimentalFeaturesEnabled()) { | 1138 m_policy->experimentalFeaturesEnabled()) { |
1139 parseRequireSRIFor(name, value); | 1139 parseRequireSRIFor(name, value); |
1140 } else { | 1140 } else { |
1141 m_policy->reportUnsupportedDirective(name); | 1141 m_policy->reportUnsupportedDirective(name); |
1142 } | 1142 } |
1143 } | 1143 } |
1144 | 1144 |
1145 SourceListDirectiveVector CSPDirectiveList::getSourceList( | |
1146 const char* name, | |
1147 CSPDirectiveListVector policies) { | |
1148 SourceListDirectiveVector sourceListDirectives; | |
1149 if (name == ContentSecurityPolicy::ScriptSrc) { | |
Mike West
2016/11/17 11:25:15
Another way of approaching this would be to refact
| |
1150 for (const auto& policy : policies) { | |
1151 if (SourceListDirective* directive = | |
1152 policy->operativeDirective(policy->m_scriptSrc.get())) { | |
1153 sourceListDirectives.append(directive); | |
1154 } | |
1155 } | |
1156 } else if (name == ContentSecurityPolicy::ObjectSrc) { | |
1157 for (const auto& policy : policies) { | |
1158 if (SourceListDirective* directive = | |
1159 policy->operativeDirective(policy->m_objectSrc.get())) { | |
1160 sourceListDirectives.append(directive); | |
1161 } | |
1162 } | |
1163 } else if (name == ContentSecurityPolicy::FrameSrc) { | |
1164 for (const auto& policy : policies) { | |
1165 if (SourceListDirective* directive = policy->operativeDirective( | |
1166 policy->m_frameSrc.get(), | |
1167 policy->operativeDirective(policy->m_childSrc.get()))) { | |
1168 sourceListDirectives.append(directive); | |
1169 } | |
1170 } | |
1171 } else if (name == ContentSecurityPolicy::ImgSrc) { | |
1172 for (const auto& policy : policies) { | |
1173 if (SourceListDirective* directive = | |
1174 policy->operativeDirective(policy->m_imgSrc.get())) { | |
1175 sourceListDirectives.append(directive); | |
1176 } | |
1177 } | |
1178 } else if (name == ContentSecurityPolicy::StyleSrc) { | |
1179 for (const auto& policy : policies) { | |
1180 if (SourceListDirective* directive = | |
1181 policy->operativeDirective(policy->m_styleSrc.get())) { | |
1182 sourceListDirectives.append(directive); | |
1183 } | |
1184 } | |
1185 } else if (name == ContentSecurityPolicy::FontSrc) { | |
1186 for (const auto& policy : policies) { | |
1187 if (SourceListDirective* directive = | |
1188 policy->operativeDirective(policy->m_fontSrc.get())) { | |
1189 sourceListDirectives.append(directive); | |
1190 } | |
1191 } | |
1192 } else if (name == ContentSecurityPolicy::MediaSrc) { | |
1193 for (const auto& policy : policies) { | |
1194 if (SourceListDirective* directive = | |
1195 policy->operativeDirective(policy->m_mediaSrc.get())) { | |
1196 sourceListDirectives.append(directive); | |
1197 } | |
1198 } | |
1199 } else if (name == ContentSecurityPolicy::ConnectSrc) { | |
1200 for (const auto& policy : policies) { | |
1201 if (SourceListDirective* directive = | |
1202 policy->operativeDirective(policy->m_connectSrc.get())) { | |
1203 sourceListDirectives.append(directive); | |
1204 } | |
1205 } | |
1206 } else if (name == ContentSecurityPolicy::ChildSrc) { | |
1207 for (const auto& policy : policies) { | |
1208 if (SourceListDirective* directive = | |
1209 policy->operativeDirective(policy->m_childSrc.get())) { | |
1210 sourceListDirectives.append(directive); | |
1211 } | |
1212 } | |
1213 } else if (name == ContentSecurityPolicy::ManifestSrc) { | |
1214 for (const auto& policy : policies) { | |
1215 if (SourceListDirective* directive = | |
1216 policy->operativeDirective(policy->m_manifestSrc.get())) { | |
1217 sourceListDirectives.append(directive); | |
1218 } | |
1219 } | |
1220 } else if (name == ContentSecurityPolicy::FrameAncestors) { | |
1221 for (const auto& policy : policies) { | |
1222 if (SourceListDirective* directive = policy->m_frameAncestors.get()) { | |
1223 sourceListDirectives.append(directive); | |
1224 } | |
1225 } | |
1226 } else if (name == ContentSecurityPolicy::BaseURI) { | |
1227 for (const auto& policy : policies) { | |
1228 if (SourceListDirective* directive = policy->m_baseURI.get()) { | |
1229 sourceListDirectives.append(directive); | |
1230 } | |
1231 } | |
1232 } else if (name == ContentSecurityPolicy::FormAction) { | |
1233 for (const auto& policy : policies) { | |
1234 if (SourceListDirective* directive = policy->m_formAction.get()) { | |
1235 sourceListDirectives.append(directive); | |
1236 } | |
1237 } | |
1238 } | |
1239 | |
1240 return sourceListDirectives; | |
1241 } | |
1242 | |
1243 bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { | |
1244 const char* directives[] = { | |
1245 // Fetch Directives | |
1246 ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc, | |
1247 ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc, | |
1248 ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc, | |
1249 ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc, | |
1250 ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc, | |
Mike West
2016/11/17 11:25:15
You'll want to add 'WorkerSrc', as you noted.
| |
1251 // Document Directives | |
1252 ContentSecurityPolicy::BaseURI, | |
1253 // Navigation Directives | |
1254 ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction}; | |
1255 | |
1256 for (const auto& directive : directives) { | |
1257 // There should only be one SourceListDirective for each dirctive in | |
1258 // Embedding-CSP. | |
1259 SourceListDirectiveVector requiredList = | |
1260 getSourceList(directive, CSPDirectiveListVector(1, this)); | |
1261 if (requiredList.size() == 0) | |
1262 continue; | |
1263 SourceListDirective* required = requiredList[0]; | |
1264 // Aggregate all serialized source lists of the returned CSP into a vector | |
1265 // based on a directive type, defaulting accordingly (for example, to | |
1266 // `default-src`). | |
1267 SourceListDirectiveVector returned = getSourceList(directive, other); | |
1268 // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, | |
1269 // navigation-to, worker-src. | |
1270 if (!required->subsumes(returned)) | |
1271 return false; | |
1272 } | |
1273 | |
1274 return true; | |
1275 } | |
1276 | |
1145 DEFINE_TRACE(CSPDirectiveList) { | 1277 DEFINE_TRACE(CSPDirectiveList) { |
1146 visitor->trace(m_policy); | 1278 visitor->trace(m_policy); |
1147 visitor->trace(m_pluginTypes); | 1279 visitor->trace(m_pluginTypes); |
1148 visitor->trace(m_baseURI); | 1280 visitor->trace(m_baseURI); |
1149 visitor->trace(m_childSrc); | 1281 visitor->trace(m_childSrc); |
1150 visitor->trace(m_connectSrc); | 1282 visitor->trace(m_connectSrc); |
1151 visitor->trace(m_defaultSrc); | 1283 visitor->trace(m_defaultSrc); |
1152 visitor->trace(m_fontSrc); | 1284 visitor->trace(m_fontSrc); |
1153 visitor->trace(m_formAction); | 1285 visitor->trace(m_formAction); |
1154 visitor->trace(m_frameAncestors); | 1286 visitor->trace(m_frameAncestors); |
1155 visitor->trace(m_frameSrc); | 1287 visitor->trace(m_frameSrc); |
1156 visitor->trace(m_imgSrc); | 1288 visitor->trace(m_imgSrc); |
1157 visitor->trace(m_mediaSrc); | 1289 visitor->trace(m_mediaSrc); |
1158 visitor->trace(m_manifestSrc); | 1290 visitor->trace(m_manifestSrc); |
1159 visitor->trace(m_objectSrc); | 1291 visitor->trace(m_objectSrc); |
1160 visitor->trace(m_scriptSrc); | 1292 visitor->trace(m_scriptSrc); |
1161 visitor->trace(m_styleSrc); | 1293 visitor->trace(m_styleSrc); |
1162 visitor->trace(m_workerSrc); | 1294 visitor->trace(m_workerSrc); |
1163 } | 1295 } |
1164 | 1296 |
1165 } // namespace blink | 1297 } // namespace blink |
OLD | NEW |