1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CSPDirectiveList_h | 5 #ifndef CSPDirectiveList_h |
6 #define CSPDirectiveList_h | 6 #define CSPDirectiveList_h |
7 | 7 |
8 #include "core/fetch/Resource.h" | 8 #include "core/fetch/Resource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "core/frame/csp/MediaListDirective.h" | 10 #include "core/frame/csp/MediaListDirective.h" |
11 #include "core/frame/csp/SourceListDirective.h" | 11 #include "core/frame/csp/SourceListDirective.h" |
12 #include "platform/heap/Handle.h" | 12 #include "platform/heap/Handle.h" |
13 #include "platform/network/ContentSecurityPolicyParsers.h" | 13 #include "platform/network/ContentSecurityPolicyParsers.h" |
14 #include "platform/network/HTTPParsers.h" | 14 #include "platform/network/HTTPParsers.h" |
15 #include "platform/network/ResourceRequest.h" | 15 #include "platform/network/ResourceRequest.h" |
16 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
17 #include "wtf/Vector.h" | 17 #include "wtf/Vector.h" |
18 #include "wtf/text/AtomicString.h" | 18 #include "wtf/text/AtomicString.h" |
19 #include "wtf/text/WTFString.h" | 19 #include "wtf/text/WTFString.h" |
20 | 20 |
21 namespace blink { | 21 namespace blink { |
22 | 22 |
23 class ContentSecurityPolicy; | 23 class ContentSecurityPolicy; |
24 | 24 |
25 typedef HeapVector<Member<SourceListDirective>> SourceListDirectiveVector; | |
26 | |
25 class CORE_EXPORT CSPDirectiveList | 27 class CORE_EXPORT CSPDirectiveList |
26 : public GarbageCollectedFinalized<CSPDirectiveList> { | 28 : public GarbageCollectedFinalized<CSPDirectiveList> { |
27 WTF_MAKE_NONCOPYABLE(CSPDirectiveList); | 29 WTF_MAKE_NONCOPYABLE(CSPDirectiveList); |
28 | 30 |
29 public: | 31 public: |
30 static CSPDirectiveList* create(ContentSecurityPolicy*, | 32 static CSPDirectiveList* create(ContentSecurityPolicy*, |
31 const UChar* begin, | 33 const UChar* begin, |
32 const UChar* end, | 34 const UChar* end, |
33 ContentSecurityPolicyHeaderType, | 35 ContentSecurityPolicyHeaderType, |
34 ContentSecurityPolicyHeaderSource); | 36 ContentSecurityPolicyHeaderSource); |
149 return m_frameAncestors.get() && !isReportOnly(); | 151 return m_frameAncestors.get() && !isReportOnly(); |
150 } | 152 } |
151 | 153 |
152 // Used to copy plugin-types into a plugin document in a nested | 154 // Used to copy plugin-types into a plugin document in a nested |
153 // browsing context. | 155 // browsing context. |
154 bool hasPluginTypes() const { return !!m_pluginTypes; } | 156 bool hasPluginTypes() const { return !!m_pluginTypes; } |
155 const String& pluginTypesText() const; | 157 const String& pluginTypesText() const; |
156 | 158 |
157 bool shouldSendCSPHeader(Resource::Type) const; | 159 bool shouldSendCSPHeader(Resource::Type) const; |
158 | 160 |
161 // The algorithm is described here: | |
162 // https://w3c.github.io/webappsec-csp/embedded/#subsume-policy | |
163 bool subsumes(CSPDirectiveListVector); | |
164 | |
159 DECLARE_TRACE(); | 165 DECLARE_TRACE(); |
160 | 166 |
161 private: | 167 private: |
162 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); | 168 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); |
169 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, GetSourceVector); | |
163 | 170 |
164 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 }; | 171 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 }; |
165 | 172 |
166 CSPDirectiveList(ContentSecurityPolicy*, | 173 CSPDirectiveList(ContentSecurityPolicy*, |
167 ContentSecurityPolicyHeaderType, | 174 ContentSecurityPolicyHeaderType, |
168 ContentSecurityPolicyHeaderSource); | 175 ContentSecurityPolicyHeaderSource); |
169 | 176 |
170 bool parseDirective(const UChar* begin, | 177 bool parseDirective(const UChar* begin, |
171 const UChar* end, | 178 const UChar* end, |
172 String& name, | 179 String& name, |
259 bool checkAncestorsAndReportViolation(SourceListDirective*, | 266 bool checkAncestorsAndReportViolation(SourceListDirective*, |
260 LocalFrame*, | 267 LocalFrame*, |
261 const KURL&) const; | 268 const KURL&) const; |
262 bool checkRequestWithoutIntegrityAndReportViolation( | 269 bool checkRequestWithoutIntegrityAndReportViolation( |
263 WebURLRequest::RequestContext, | 270 WebURLRequest::RequestContext, |
264 const KURL&, | 271 const KURL&, |
265 ResourceRequest::RedirectStatus) const; | 272 ResourceRequest::RedirectStatus) const; |
266 | 273 |
267 bool denyIfEnforcingPolicy() const { return isReportOnly(); } | 274 bool denyIfEnforcingPolicy() const { return isReportOnly(); } |
268 | 275 |
276 SourceListDirective* operativeDirective( | |
Mike West
2016/11/24 13:07:46
Please add unit tests, especially for the cascade
amalika
2016/11/24 14:32:29
Added!
| |
277 const ContentSecurityPolicy::DirectiveType&); | |
278 static SourceListDirectiveVector getSourceVector( | |
Mike West
2016/11/24 13:07:46
Can you add a comment explaining what these functi
amalika
2016/11/24 14:32:29
Added!
| |
279 const ContentSecurityPolicy::DirectiveType&, | |
280 CSPDirectiveListVector policies); | |
281 | |
269 Member<ContentSecurityPolicy> m_policy; | 282 Member<ContentSecurityPolicy> m_policy; |
270 | 283 |
271 String m_header; | 284 String m_header; |
272 ContentSecurityPolicyHeaderType m_headerType; | 285 ContentSecurityPolicyHeaderType m_headerType; |
273 ContentSecurityPolicyHeaderSource m_headerSource; | 286 ContentSecurityPolicyHeaderSource m_headerSource; |
274 | 287 |
275 bool m_hasSandboxPolicy; | 288 bool m_hasSandboxPolicy; |
276 | 289 |
277 bool m_strictMixedContentCheckingEnforced; | 290 bool m_strictMixedContentCheckingEnforced; |
278 | 291 |
299 uint8_t m_requireSRIFor; | 312 uint8_t m_requireSRIFor; |
300 | 313 |
301 Vector<String> m_reportEndpoints; | 314 Vector<String> m_reportEndpoints; |
302 | 315 |
303 String m_evalDisabledErrorMessage; | 316 String m_evalDisabledErrorMessage; |
304 }; | 317 }; |
305 | 318 |
306 } // namespace blink | 319 } // namespace blink |
307 | 320 |
308 #endif | 321 #endif |
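Review bot: `bool subsumes(CSPDirectiveListVector);` (new line 163) and `getSourceVector(..., CSPDirectiveListVector policies)` (new line 280) take the HeapVector by value, so every call copies the whole vector of Members; both should take `const CSPDirectiveListVector&`, and `subsumes` should be declared `const` if, as the spec link suggests, it only compares policies (its definition is outside this file, so confirm against the .cpp). Likewise `operativeDirective(const ContentSecurityPolicy::DirectiveType&)` at new lines 276-277 takes what looks like an enum by const reference; pass it by value. Since `subsumes` is the Embedded Enforcement decision point, its comment should also say which side is the required policy and what an empty `policies` vector yields, e.g. `// Returns true if this (required) policy is subsumed by |policies| combined; see the spec for the empty-list case.` — adjust the wording to whatever the definition actually does. Minor: the new `typedef` at new line 25 would read better as `using SourceListDirectiveVector = HeapVector<Member<SourceListDirective>>;`, matching modern Chromium style.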