
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h

Issue 2474903002: Part 3.1: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: OperativeDirective test + other changes based on reviews Created 4 years ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef CSPDirectiveList_h 5 #ifndef CSPDirectiveList_h
6 #define CSPDirectiveList_h 6 #define CSPDirectiveList_h
7 7
8 #include "core/fetch/Resource.h" 8 #include "core/fetch/Resource.h"
9 #include "core/frame/csp/ContentSecurityPolicy.h" 9 #include "core/frame/csp/ContentSecurityPolicy.h"
10 #include "core/frame/csp/MediaListDirective.h" 10 #include "core/frame/csp/MediaListDirective.h"
11 #include "core/frame/csp/SourceListDirective.h" 11 #include "core/frame/csp/SourceListDirective.h"
12 #include "platform/heap/Handle.h" 12 #include "platform/heap/Handle.h"
13 #include "platform/network/ContentSecurityPolicyParsers.h" 13 #include "platform/network/ContentSecurityPolicyParsers.h"
14 #include "platform/network/HTTPParsers.h" 14 #include "platform/network/HTTPParsers.h"
15 #include "platform/network/ResourceRequest.h" 15 #include "platform/network/ResourceRequest.h"
16 #include "platform/weborigin/KURL.h" 16 #include "platform/weborigin/KURL.h"
17 #include "wtf/Vector.h" 17 #include "wtf/Vector.h"
18 #include "wtf/text/AtomicString.h" 18 #include "wtf/text/AtomicString.h"
19 #include "wtf/text/WTFString.h" 19 #include "wtf/text/WTFString.h"
20 20
21 namespace blink { 21 namespace blink {
22 22
23 class ContentSecurityPolicy; 23 class ContentSecurityPolicy;
24 24
25 typedef HeapVector<Member<SourceListDirective>> SourceListDirectiveVector;
26
25 class CORE_EXPORT CSPDirectiveList 27 class CORE_EXPORT CSPDirectiveList
26 : public GarbageCollectedFinalized<CSPDirectiveList> { 28 : public GarbageCollectedFinalized<CSPDirectiveList> {
27 WTF_MAKE_NONCOPYABLE(CSPDirectiveList); 29 WTF_MAKE_NONCOPYABLE(CSPDirectiveList);
28 30
29 public: 31 public:
30 static CSPDirectiveList* create(ContentSecurityPolicy*, 32 static CSPDirectiveList* create(ContentSecurityPolicy*,
31 const UChar* begin, 33 const UChar* begin,
32 const UChar* end, 34 const UChar* end,
33 ContentSecurityPolicyHeaderType, 35 ContentSecurityPolicyHeaderType,
34 ContentSecurityPolicyHeaderSource); 36 ContentSecurityPolicyHeaderSource);
149 return m_frameAncestors.get() && !isReportOnly(); 151 return m_frameAncestors.get() && !isReportOnly();
150 } 152 }
151 153
152 // Used to copy plugin-types into a plugin document in a nested 154 // Used to copy plugin-types into a plugin document in a nested
153 // browsing context. 155 // browsing context.
154 bool hasPluginTypes() const { return !!m_pluginTypes; } 156 bool hasPluginTypes() const { return !!m_pluginTypes; }
155 const String& pluginTypesText() const; 157 const String& pluginTypesText() const;
156 158
157 bool shouldSendCSPHeader(Resource::Type) const; 159 bool shouldSendCSPHeader(Resource::Type) const;
158 160
161 // The algorithm is described here:
162 // https://w3c.github.io/webappsec-csp/embedded/#subsume-policy
163 bool subsumes(const CSPDirectiveListVector&);
164
159 DECLARE_TRACE(); 165 DECLARE_TRACE();
160 166
161 private: 167 private:
162 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); 168 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent);
169 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, GetSourceVector);
170 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, OperativeDirectiveGivenType);
163 171
164 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 }; 172 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 };
165 173
166 CSPDirectiveList(ContentSecurityPolicy*, 174 CSPDirectiveList(ContentSecurityPolicy*,
167 ContentSecurityPolicyHeaderType, 175 ContentSecurityPolicyHeaderType,
168 ContentSecurityPolicyHeaderSource); 176 ContentSecurityPolicyHeaderSource);
169 177
170 bool parseDirective(const UChar* begin, 178 bool parseDirective(const UChar* begin,
171 const UChar* end, 179 const UChar* end,
172 String& name, 180 String& name,
259 bool checkAncestorsAndReportViolation(SourceListDirective*, 267 bool checkAncestorsAndReportViolation(SourceListDirective*,
260 LocalFrame*, 268 LocalFrame*,
261 const KURL&) const; 269 const KURL&) const;
262 bool checkRequestWithoutIntegrityAndReportViolation( 270 bool checkRequestWithoutIntegrityAndReportViolation(
263 WebURLRequest::RequestContext, 271 WebURLRequest::RequestContext,
264 const KURL&, 272 const KURL&,
265 ResourceRequest::RedirectStatus) const; 273 ResourceRequest::RedirectStatus) const;
266 274
267 bool denyIfEnforcingPolicy() const { return isReportOnly(); } 275 bool denyIfEnforcingPolicy() const { return isReportOnly(); }
268 276
277 // Tthis function returns a SourceListDirective of that type
Mike West 2016/11/24 14:37:37 Nit: Tt. Nit: "of a given type".
amalika 2016/11/24 15:38:20 Updated
278 // or if it is not defined, the default SourceListDirective for that type.
279 SourceListDirective* operativeDirective(
280 const ContentSecurityPolicy::DirectiveType&);
281 // This function aggregates from a vector of policies all operative
Mike West 2016/11/24 14:37:37 Nit: Newline.
amalika 2016/11/24 15:38:20 Added
282 // SourceListDirectives of a given type into a vector.
283 static SourceListDirectiveVector getSourceVector(
284 const ContentSecurityPolicy::DirectiveType&,
285 const CSPDirectiveListVector& policies);
286
269 Member<ContentSecurityPolicy> m_policy; 287 Member<ContentSecurityPolicy> m_policy;
270 288
271 String m_header; 289 String m_header;
272 ContentSecurityPolicyHeaderType m_headerType; 290 ContentSecurityPolicyHeaderType m_headerType;
273 ContentSecurityPolicyHeaderSource m_headerSource; 291 ContentSecurityPolicyHeaderSource m_headerSource;
274 292
275 bool m_hasSandboxPolicy; 293 bool m_hasSandboxPolicy;
276 294
277 bool m_strictMixedContentCheckingEnforced; 295 bool m_strictMixedContentCheckingEnforced;
278 296
299 uint8_t m_requireSRIFor; 317 uint8_t m_requireSRIFor;
300 318
301 Vector<String> m_reportEndpoints; 319 Vector<String> m_reportEndpoints;
302 320
303 String m_evalDisabledErrorMessage; 321 String m_evalDisabledErrorMessage;
304 }; 322 };
305 323
306 } // namespace blink 324 } // namespace blink
307 325
308 #endif 326 #endif
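Review bot: `subsumes` (declared just below `shouldSendCSPHeader`) and `operativeDirective` (in the private section) are declared non-const although nothing in this header suggests they modify the directive list; if their definitions only read members, as the comments imply, declare them `bool subsumes(const CSPDirectiveListVector&) const;` and `SourceListDirective* operativeDirective(const ContentSecurityPolicy::DirectiveType&) const;` so they can be called through the const policy references the subsumption check presumably walks. The comment on `subsumes` links the spec algorithm but does not say which side is which, and a wrong answer here would let an embedded document load under a weaker policy than its embedder required; I would state it explicitly, e.g. `// Returns true if the given policy list is subsumed under |this| (the embedder's required, "subsuming" policy); see the linked algorithm for how unhandled directive types are treated.`, adjusting the direction if I have it backwards. Likewise the `operativeDirective` comment should say whether the function can return nullptr when neither the requested directive nor its default is present, since callers will otherwise dereference the result unchecked. The class definition spans regions elided from this view, so some of these members may already be documented elsewhere in the file.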