OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 1146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1157 ContentSecurityPolicy::DirectiveType::TreatAsPublicAddress) { | 1157 ContentSecurityPolicy::DirectiveType::TreatAsPublicAddress) { |
1158 treatAsPublicAddress(name, value); | 1158 treatAsPublicAddress(name, value); |
1159 } else if (type == ContentSecurityPolicy::DirectiveType::RequireSRIFor && | 1159 } else if (type == ContentSecurityPolicy::DirectiveType::RequireSRIFor && |
1160 m_policy->experimentalFeaturesEnabled()) { | 1160 m_policy->experimentalFeaturesEnabled()) { |
1161 parseRequireSRIFor(name, value); | 1161 parseRequireSRIFor(name, value); |
1162 } else { | 1162 } else { |
1163 m_policy->reportUnsupportedDirective(name); | 1163 m_policy->reportUnsupportedDirective(name); |
1164 } | 1164 } |
1165 } | 1165 } |
1166 | 1166 |
1167 SourceListDirective* CSPDirectiveList::operativeDirective( | |
amalika
2016/11/23 13:57:11
Not sure if we should add a case for `DefaultSrc`
Mike West
2016/11/24 13:07:46
`default-src`'s operative directive is `default-sr
amalika
2016/11/24 14:32:29
Updated!
| |
1168 const ContentSecurityPolicy::DirectiveType& type) { | |
1169 switch (type) { | |
1170 // Directives that do not have a default directive. | |
1171 case ContentSecurityPolicy::DirectiveType::BaseURI: | |
1172 return m_baseURI.get(); | |
1173 case ContentSecurityPolicy::DirectiveType::DefaultSrc: | |
1174 return m_defaultSrc.get(); | |
1175 case ContentSecurityPolicy::DirectiveType::FrameAncestors: | |
1176 return m_frameAncestors.get(); | |
1177 case ContentSecurityPolicy::DirectiveType::FormAction: | |
1178 return m_formAction.get(); | |
1179 // Directives that have one default directive. | |
1180 case ContentSecurityPolicy::DirectiveType::ChildSrc: | |
1181 return operativeDirective(m_childSrc.get()); | |
1182 case ContentSecurityPolicy::DirectiveType::ConnectSrc: | |
1183 return operativeDirective(m_connectSrc.get()); | |
1184 case ContentSecurityPolicy::DirectiveType::FontSrc: | |
1185 return operativeDirective(m_fontSrc.get()); | |
1186 case ContentSecurityPolicy::DirectiveType::ImgSrc: | |
1187 return operativeDirective(m_imgSrc.get()); | |
1188 case ContentSecurityPolicy::DirectiveType::ManifestSrc: | |
1189 return operativeDirective(m_manifestSrc.get()); | |
1190 case ContentSecurityPolicy::DirectiveType::MediaSrc: | |
1191 return operativeDirective(m_mediaSrc.get()); | |
1192 case ContentSecurityPolicy::DirectiveType::ObjectSrc: | |
1193 return operativeDirective(m_objectSrc.get()); | |
1194 case ContentSecurityPolicy::DirectiveType::ScriptSrc: | |
1195 return operativeDirective(m_scriptSrc.get()); | |
1196 case ContentSecurityPolicy::DirectiveType::StyleSrc: | |
1197 return operativeDirective(m_styleSrc.get()); | |
1198 case ContentSecurityPolicy::DirectiveType::WorkerSrc: | |
Mike West
2016/11/24 13:07:46
1. `worker-src` is currently defined as sitting on
amalika
2016/11/24 14:32:29
Addressed.
| |
1199 return operativeDirective(m_workerSrc.get()); | |
1200 // frame-src defaults to child-src, which defaults to default-src. | |
1201 case ContentSecurityPolicy::DirectiveType::FrameSrc: | |
1202 return operativeDirective(m_frameSrc, | |
1203 operativeDirective(m_childSrc.get())); | |
1204 default: | |
1205 return nullptr; | |
1206 } | |
1207 } | |
1208 | |
1209 SourceListDirectiveVector CSPDirectiveList::getSourceVector( | |
1210 const ContentSecurityPolicy::DirectiveType& type, | |
1211 CSPDirectiveListVector policies) { | |
Mike West
2016/11/24 13:07:46
`const CSPDirectiveListVector&`?
| |
1212 SourceListDirectiveVector sourceListDirectives; | |
1213 for (const auto& policy : policies) { | |
1214 if (SourceListDirective* directive = policy->operativeDirective(type)) | |
1215 sourceListDirectives.append(directive); | |
1216 } | |
1217 | |
1218 return sourceListDirectives; | |
1219 } | |
1220 | |
1221 bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { | |
Mike West
2016/11/24 13:07:46
`const CSPDirectiveListVector&`?
| |
1222 ContentSecurityPolicy::DirectiveType directives[] = { | |
1223 // Fetch Directives | |
1224 ContentSecurityPolicy::DirectiveType::ChildSrc, | |
1225 ContentSecurityPolicy::DirectiveType::ConnectSrc, | |
1226 ContentSecurityPolicy::DirectiveType::FontSrc, | |
1227 ContentSecurityPolicy::DirectiveType::FrameSrc, | |
1228 ContentSecurityPolicy::DirectiveType::ImgSrc, | |
1229 ContentSecurityPolicy::DirectiveType::ManifestSrc, | |
1230 ContentSecurityPolicy::DirectiveType::MediaSrc, | |
1231 ContentSecurityPolicy::DirectiveType::ObjectSrc, | |
1232 ContentSecurityPolicy::DirectiveType::ScriptSrc, | |
1233 ContentSecurityPolicy::DirectiveType::StyleSrc, | |
1234 ContentSecurityPolicy::DirectiveType::WorkerSrc, | |
1235 // Document Directives | |
1236 ContentSecurityPolicy::DirectiveType::BaseURI, | |
1237 // Navigation Directives | |
Mike West
2016/11/24 13:07:46
I don't think these comments add much. You're not
amalika
2016/11/24 14:32:29
Changed!
| |
1238 ContentSecurityPolicy::DirectiveType::FrameAncestors, | |
1239 ContentSecurityPolicy::DirectiveType::FormAction}; | |
1240 | |
1241 for (const auto& directive : directives) { | |
1242 // There should only be one SourceListDirective for each directive in | |
1243 // Embedding-CSP. | |
1244 SourceListDirectiveVector requiredList = | |
1245 getSourceVector(directive, CSPDirectiveListVector(1, this)); | |
1246 if (requiredList.size() == 0) | |
1247 continue; | |
1248 SourceListDirective* required = requiredList[0]; | |
1249 // Aggregate all serialized source lists of the returned CSP into a vector | |
1250 // based on a directive type, defaulting accordingly (for example, to | |
1251 // `default-src`). | |
1252 SourceListDirectiveVector returned = getSourceVector(directive, other); | |
1253 // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, | |
1254 // navigation-to, worker-src. | |
1255 if (!required->subsumes(returned)) | |
1256 return false; | |
1257 } | |
1258 | |
1259 return true; | |
1260 } | |
1261 | |
1167 DEFINE_TRACE(CSPDirectiveList) { | 1262 DEFINE_TRACE(CSPDirectiveList) { |
1168 visitor->trace(m_policy); | 1263 visitor->trace(m_policy); |
1169 visitor->trace(m_pluginTypes); | 1264 visitor->trace(m_pluginTypes); |
1170 visitor->trace(m_baseURI); | 1265 visitor->trace(m_baseURI); |
1171 visitor->trace(m_childSrc); | 1266 visitor->trace(m_childSrc); |
1172 visitor->trace(m_connectSrc); | 1267 visitor->trace(m_connectSrc); |
1173 visitor->trace(m_defaultSrc); | 1268 visitor->trace(m_defaultSrc); |
1174 visitor->trace(m_fontSrc); | 1269 visitor->trace(m_fontSrc); |
1175 visitor->trace(m_formAction); | 1270 visitor->trace(m_formAction); |
1176 visitor->trace(m_frameAncestors); | 1271 visitor->trace(m_frameAncestors); |
1177 visitor->trace(m_frameSrc); | 1272 visitor->trace(m_frameSrc); |
1178 visitor->trace(m_imgSrc); | 1273 visitor->trace(m_imgSrc); |
1179 visitor->trace(m_mediaSrc); | 1274 visitor->trace(m_mediaSrc); |
1180 visitor->trace(m_manifestSrc); | 1275 visitor->trace(m_manifestSrc); |
1181 visitor->trace(m_objectSrc); | 1276 visitor->trace(m_objectSrc); |
1182 visitor->trace(m_scriptSrc); | 1277 visitor->trace(m_scriptSrc); |
1183 visitor->trace(m_styleSrc); | 1278 visitor->trace(m_styleSrc); |
1184 visitor->trace(m_workerSrc); | 1279 visitor->trace(m_workerSrc); |
1185 } | 1280 } |
1186 | 1281 |
1187 } // namespace blink | 1282 } // namespace blink |
OLD | NEW |