OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 1124 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1135 ContentSecurityPolicy::TreatAsPublicAddress)) { | 1135 ContentSecurityPolicy::TreatAsPublicAddress)) { |
1136 treatAsPublicAddress(name, value); | 1136 treatAsPublicAddress(name, value); |
1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && | 1137 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && |
1138 m_policy->experimentalFeaturesEnabled()) { | 1138 m_policy->experimentalFeaturesEnabled()) { |
1139 parseRequireSRIFor(name, value); | 1139 parseRequireSRIFor(name, value); |
1140 } else { | 1140 } else { |
1141 m_policy->reportUnsupportedDirective(name); | 1141 m_policy->reportUnsupportedDirective(name); |
1142 } | 1142 } |
1143 } | 1143 } |
1144 | 1144 |
1145 SourceListDirective* CSPDirectiveList::getSourceListDirective( | |
1146 const char* name) { | |
1147 if (name == ContentSecurityPolicy::BaseURI) | |
1148 return m_baseURI.get(); | |
1149 if (name == ContentSecurityPolicy::ChildSrc) | |
1150 return m_childSrc.get(); | |
1151 if (name == ContentSecurityPolicy::ConnectSrc) | |
1152 return m_connectSrc.get(); | |
1153 if (name == ContentSecurityPolicy::FontSrc) | |
1154 return m_fontSrc.get(); | |
1155 if (name == ContentSecurityPolicy::FormAction) | |
1156 return m_formAction.get(); | |
1157 if (name == ContentSecurityPolicy::FrameAncestors) | |
1158 return m_frameAncestors.get(); | |
1159 if (name == ContentSecurityPolicy::FrameSrc) | |
1160 return m_frameSrc.get(); | |
1161 if (name == ContentSecurityPolicy::ImgSrc) | |
1162 return m_imgSrc.get(); | |
1163 if (name == ContentSecurityPolicy::MediaSrc) | |
1164 return m_mediaSrc.get(); | |
1165 if (name == ContentSecurityPolicy::ManifestSrc) | |
1166 return m_manifestSrc.get(); | |
1167 if (name == ContentSecurityPolicy::ObjectSrc) | |
1168 return m_objectSrc.get(); | |
1169 if (name == ContentSecurityPolicy::ScriptSrc) | |
1170 return m_scriptSrc.get(); | |
1171 if (name == ContentSecurityPolicy::StyleSrc) | |
1172 return m_styleSrc.get(); | |
1173 if (name == ContentSecurityPolicy::WorkerSrc) | |
1174 return m_workerSrc.get(); | |
1175 | |
1176 return nullptr; | |
1177 } | |
1178 | |
1179 SourceListDirectiveVector CSPDirectiveList::getSourceVector( | |
1180 const char* name, | |
1181 CSPDirectiveListVector policies) { | |
1182 SourceListDirectiveVector sourceListDirectives; | |
1183 for (const auto& policy : policies) { | |
1184 SourceListDirective* directive = policy->getSourceListDirective(name); | |
1185 | |
1186 if (name == ContentSecurityPolicy::FrameSrc) { | |
1187 // m_frameSrc defaults to m_childSrc, which defaults to m_defaultSrc. | |
1188 directive = policy->operativeDirective( | |
1189 directive, policy->operativeDirective(policy->m_childSrc.get())); | |
1190 } else if (String(name).endsWith("src")) { | |
amalika
2016/11/21 15:57:06
Another approach would be to define an enum (such
Mike West
2016/11/23 11:19:02
Or do the work in `getSourceListDirective` instead
| |
1191 // All directives that end with "src" default to m_defaultSrc. | |
1192 directive = policy->operativeDirective(directive); | |
1193 } | |
1194 | |
1195 if (directive) | |
1196 sourceListDirectives.append(directive); | |
1197 } | |
1198 | |
1199 return sourceListDirectives; | |
1200 } | |
1201 | |
1202 bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { | |
1203 const char* directives[] = { | |
1204 // Fetch Directives | |
1205 ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc, | |
1206 ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc, | |
1207 ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc, | |
1208 ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc, | |
1209 ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc, | |
1210 ContentSecurityPolicy::WorkerSrc, | |
1211 // Document Directives | |
1212 ContentSecurityPolicy::BaseURI, | |
1213 // Navigation Directives | |
1214 ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction}; | |
1215 | |
1216 for (const auto& directive : directives) { | |
1217 // There should only be one SourceListDirective for each directive in | |
1218 // Embedding-CSP. | |
1219 SourceListDirectiveVector requiredList = | |
1220 getSourceVector(directive, CSPDirectiveListVector(1, this)); | |
1221 if (requiredList.size() == 0) | |
1222 continue; | |
1223 SourceListDirective* required = requiredList[0]; | |
1224 // Aggregate all serialized source lists of the returned CSP into a vector | |
1225 // based on a directive type, defaulting accordingly (for example, to | |
1226 // `default-src`). | |
1227 SourceListDirectiveVector returned = getSourceVector(directive, other); | |
1228 // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, | |
1229 // navigation-to, worker-src. | |
1230 if (!required->subsumes(returned)) | |
1231 return false; | |
1232 } | |
1233 | |
1234 return true; | |
1235 } | |
1236 | |
1145 DEFINE_TRACE(CSPDirectiveList) { | 1237 DEFINE_TRACE(CSPDirectiveList) { |
1146 visitor->trace(m_policy); | 1238 visitor->trace(m_policy); |
1147 visitor->trace(m_pluginTypes); | 1239 visitor->trace(m_pluginTypes); |
1148 visitor->trace(m_baseURI); | 1240 visitor->trace(m_baseURI); |
1149 visitor->trace(m_childSrc); | 1241 visitor->trace(m_childSrc); |
1150 visitor->trace(m_connectSrc); | 1242 visitor->trace(m_connectSrc); |
1151 visitor->trace(m_defaultSrc); | 1243 visitor->trace(m_defaultSrc); |
1152 visitor->trace(m_fontSrc); | 1244 visitor->trace(m_fontSrc); |
1153 visitor->trace(m_formAction); | 1245 visitor->trace(m_formAction); |
1154 visitor->trace(m_frameAncestors); | 1246 visitor->trace(m_frameAncestors); |
1155 visitor->trace(m_frameSrc); | 1247 visitor->trace(m_frameSrc); |
1156 visitor->trace(m_imgSrc); | 1248 visitor->trace(m_imgSrc); |
1157 visitor->trace(m_mediaSrc); | 1249 visitor->trace(m_mediaSrc); |
1158 visitor->trace(m_manifestSrc); | 1250 visitor->trace(m_manifestSrc); |
1159 visitor->trace(m_objectSrc); | 1251 visitor->trace(m_objectSrc); |
1160 visitor->trace(m_scriptSrc); | 1252 visitor->trace(m_scriptSrc); |
1161 visitor->trace(m_styleSrc); | 1253 visitor->trace(m_styleSrc); |
1162 visitor->trace(m_workerSrc); | 1254 visitor->trace(m_workerSrc); |
1163 } | 1255 } |
1164 | 1256 |
1165 } // namespace blink | 1257 } // namespace blink |
OLD | NEW |