| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| (...skipping 1146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1157 ContentSecurityPolicy::DirectiveType::TreatAsPublicAddress) { | 1157 ContentSecurityPolicy::DirectiveType::TreatAsPublicAddress) { |
| 1158 treatAsPublicAddress(name, value); | 1158 treatAsPublicAddress(name, value); |
| 1159 } else if (type == ContentSecurityPolicy::DirectiveType::RequireSRIFor && | 1159 } else if (type == ContentSecurityPolicy::DirectiveType::RequireSRIFor && |
| 1160 m_policy->experimentalFeaturesEnabled()) { | 1160 m_policy->experimentalFeaturesEnabled()) { |
| 1161 parseRequireSRIFor(name, value); | 1161 parseRequireSRIFor(name, value); |
| 1162 } else { | 1162 } else { |
| 1163 m_policy->reportUnsupportedDirective(name); | 1163 m_policy->reportUnsupportedDirective(name); |
| 1164 } | 1164 } |
| 1165 } | 1165 } |
| 1166 | 1166 |
| 1167 SourceListDirective* CSPDirectiveList::operativeDirective( |
| 1168 const ContentSecurityPolicy::DirectiveType& type) { |
| 1169 switch (type) { |
| 1170 // Directives that do not have a default directive. |
| 1171 case ContentSecurityPolicy::DirectiveType::BaseURI: |
| 1172 return m_baseURI.get(); |
| 1173 case ContentSecurityPolicy::DirectiveType::DefaultSrc: |
| 1174 return m_defaultSrc.get(); |
| 1175 case ContentSecurityPolicy::DirectiveType::FrameAncestors: |
| 1176 return m_frameAncestors.get(); |
| 1177 case ContentSecurityPolicy::DirectiveType::FormAction: |
| 1178 return m_formAction.get(); |
| 1179 // Directives that have one default directive. |
| 1180 case ContentSecurityPolicy::DirectiveType::ChildSrc: |
| 1181 return operativeDirective(m_childSrc.get()); |
| 1182 case ContentSecurityPolicy::DirectiveType::ConnectSrc: |
| 1183 return operativeDirective(m_connectSrc.get()); |
| 1184 case ContentSecurityPolicy::DirectiveType::FontSrc: |
| 1185 return operativeDirective(m_fontSrc.get()); |
| 1186 case ContentSecurityPolicy::DirectiveType::ImgSrc: |
| 1187 return operativeDirective(m_imgSrc.get()); |
| 1188 case ContentSecurityPolicy::DirectiveType::ManifestSrc: |
| 1189 return operativeDirective(m_manifestSrc.get()); |
| 1190 case ContentSecurityPolicy::DirectiveType::MediaSrc: |
| 1191 return operativeDirective(m_mediaSrc.get()); |
| 1192 case ContentSecurityPolicy::DirectiveType::ObjectSrc: |
| 1193 return operativeDirective(m_objectSrc.get()); |
| 1194 case ContentSecurityPolicy::DirectiveType::ScriptSrc: |
| 1195 return operativeDirective(m_scriptSrc.get()); |
| 1196 case ContentSecurityPolicy::DirectiveType::StyleSrc: |
| 1197 return operativeDirective(m_styleSrc.get()); |
| 1198 // Directives that default to child-src, which defaults to default-src. |
| 1199 case ContentSecurityPolicy::DirectiveType::FrameSrc: |
| 1200 return operativeDirective(m_frameSrc, |
| 1201 operativeDirective(m_childSrc.get())); |
| 1202 // TODO(mkwst): Reevaluate this |
| 1203 case ContentSecurityPolicy::DirectiveType::WorkerSrc: |
| 1204 return operativeDirective(m_workerSrc.get(), |
| 1205 operativeDirective(m_childSrc.get())); |
| 1206 default: |
| 1207 return nullptr; |
| 1208 } |
| 1209 } |
| 1210 |
| 1211 SourceListDirectiveVector CSPDirectiveList::getSourceVector( |
| 1212 const ContentSecurityPolicy::DirectiveType& type, |
| 1213 const CSPDirectiveListVector& policies) { |
| 1214 SourceListDirectiveVector sourceListDirectives; |
| 1215 for (const auto& policy : policies) { |
| 1216 if (SourceListDirective* directive = policy->operativeDirective(type)) |
| 1217 sourceListDirectives.append(directive); |
| 1218 } |
| 1219 |
| 1220 return sourceListDirectives; |
| 1221 } |
| 1222 |
| 1223 bool CSPDirectiveList::subsumes(const CSPDirectiveListVector& other) { |
| 1224 // A white-list of directives that we consider for subsumption. |
| 1225 // See more about source lists here: |
| 1226 // https://w3c.github.io/webappsec-csp/#framework-directive-source-list |
| 1227 ContentSecurityPolicy::DirectiveType directives[] = { |
| 1228 ContentSecurityPolicy::DirectiveType::ChildSrc, |
| 1229 ContentSecurityPolicy::DirectiveType::ConnectSrc, |
| 1230 ContentSecurityPolicy::DirectiveType::FontSrc, |
| 1231 ContentSecurityPolicy::DirectiveType::FrameSrc, |
| 1232 ContentSecurityPolicy::DirectiveType::ImgSrc, |
| 1233 ContentSecurityPolicy::DirectiveType::ManifestSrc, |
| 1234 ContentSecurityPolicy::DirectiveType::MediaSrc, |
| 1235 ContentSecurityPolicy::DirectiveType::ObjectSrc, |
| 1236 ContentSecurityPolicy::DirectiveType::ScriptSrc, |
| 1237 ContentSecurityPolicy::DirectiveType::StyleSrc, |
| 1238 ContentSecurityPolicy::DirectiveType::WorkerSrc, |
| 1239 ContentSecurityPolicy::DirectiveType::BaseURI, |
| 1240 ContentSecurityPolicy::DirectiveType::FrameAncestors, |
| 1241 ContentSecurityPolicy::DirectiveType::FormAction}; |
| 1242 |
| 1243 for (const auto& directive : directives) { |
| 1244 // There should only be one SourceListDirective for each directive in |
| 1245 // Embedding-CSP. |
| 1246 SourceListDirectiveVector requiredList = |
| 1247 getSourceVector(directive, CSPDirectiveListVector(1, this)); |
| 1248 if (requiredList.size() == 0) |
| 1249 continue; |
| 1250 SourceListDirective* required = requiredList[0]; |
| 1251 // Aggregate all serialized source lists of the returned CSP into a vector |
| 1252 // based on a directive type, defaulting accordingly (for example, to |
| 1253 // `default-src`). |
| 1254 SourceListDirectiveVector returned = getSourceVector(directive, other); |
| 1255 // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, |
| 1256 // navigation-to, worker-src. |
| 1257 if (!required->subsumes(returned)) |
| 1258 return false; |
| 1259 } |
| 1260 |
| 1261 return true; |
| 1262 } |
| 1263 |
| 1167 DEFINE_TRACE(CSPDirectiveList) { | 1264 DEFINE_TRACE(CSPDirectiveList) { |
| 1168 visitor->trace(m_policy); | 1265 visitor->trace(m_policy); |
| 1169 visitor->trace(m_pluginTypes); | 1266 visitor->trace(m_pluginTypes); |
| 1170 visitor->trace(m_baseURI); | 1267 visitor->trace(m_baseURI); |
| 1171 visitor->trace(m_childSrc); | 1268 visitor->trace(m_childSrc); |
| 1172 visitor->trace(m_connectSrc); | 1269 visitor->trace(m_connectSrc); |
| 1173 visitor->trace(m_defaultSrc); | 1270 visitor->trace(m_defaultSrc); |
| 1174 visitor->trace(m_fontSrc); | 1271 visitor->trace(m_fontSrc); |
| 1175 visitor->trace(m_formAction); | 1272 visitor->trace(m_formAction); |
| 1176 visitor->trace(m_frameAncestors); | 1273 visitor->trace(m_frameAncestors); |
| 1177 visitor->trace(m_frameSrc); | 1274 visitor->trace(m_frameSrc); |
| 1178 visitor->trace(m_imgSrc); | 1275 visitor->trace(m_imgSrc); |
| 1179 visitor->trace(m_mediaSrc); | 1276 visitor->trace(m_mediaSrc); |
| 1180 visitor->trace(m_manifestSrc); | 1277 visitor->trace(m_manifestSrc); |
| 1181 visitor->trace(m_objectSrc); | 1278 visitor->trace(m_objectSrc); |
| 1182 visitor->trace(m_scriptSrc); | 1279 visitor->trace(m_scriptSrc); |
| 1183 visitor->trace(m_styleSrc); | 1280 visitor->trace(m_styleSrc); |
| 1184 visitor->trace(m_workerSrc); | 1281 visitor->trace(m_workerSrc); |
| 1185 } | 1282 } |
| 1186 | 1283 |
| 1187 } // namespace blink | 1284 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2474903002:
Part 3.1: Is policy list subsumed under subsuming policy? (Closed)
