OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CSPDirectiveList_h | 5 #ifndef CSPDirectiveList_h |
6 #define CSPDirectiveList_h | 6 #define CSPDirectiveList_h |
7 | 7 |
8 #include "core/fetch/Resource.h" | 8 #include "core/fetch/Resource.h" |
9 #include "core/frame/csp/ContentSecurityPolicy.h" | 9 #include "core/frame/csp/ContentSecurityPolicy.h" |
10 #include "core/frame/csp/MediaListDirective.h" | 10 #include "core/frame/csp/MediaListDirective.h" |
11 #include "core/frame/csp/SourceListDirective.h" | 11 #include "core/frame/csp/SourceListDirective.h" |
12 #include "platform/heap/Handle.h" | 12 #include "platform/heap/Handle.h" |
13 #include "platform/network/ContentSecurityPolicyParsers.h" | 13 #include "platform/network/ContentSecurityPolicyParsers.h" |
14 #include "platform/network/HTTPParsers.h" | 14 #include "platform/network/HTTPParsers.h" |
15 #include "platform/network/ResourceRequest.h" | 15 #include "platform/network/ResourceRequest.h" |
16 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
17 #include "wtf/Vector.h" | 17 #include "wtf/Vector.h" |
18 #include "wtf/text/AtomicString.h" | 18 #include "wtf/text/AtomicString.h" |
19 #include "wtf/text/WTFString.h" | 19 #include "wtf/text/WTFString.h" |
20 | 20 |
21 namespace blink { | 21 namespace blink { |
22 | 22 |
23 class ContentSecurityPolicy; | 23 class ContentSecurityPolicy; |
24 | 24 |
| 25 typedef HeapVector<Member<SourceListDirective>> SourceListDirectiveVector; |
| 26 |
25 class CORE_EXPORT CSPDirectiveList | 27 class CORE_EXPORT CSPDirectiveList |
26 : public GarbageCollectedFinalized<CSPDirectiveList> { | 28 : public GarbageCollectedFinalized<CSPDirectiveList> { |
27 WTF_MAKE_NONCOPYABLE(CSPDirectiveList); | 29 WTF_MAKE_NONCOPYABLE(CSPDirectiveList); |
28 | 30 |
29 public: | 31 public: |
30 static CSPDirectiveList* create(ContentSecurityPolicy*, | 32 static CSPDirectiveList* create(ContentSecurityPolicy*, |
31 const UChar* begin, | 33 const UChar* begin, |
32 const UChar* end, | 34 const UChar* end, |
33 ContentSecurityPolicyHeaderType, | 35 ContentSecurityPolicyHeaderType, |
34 ContentSecurityPolicyHeaderSource); | 36 ContentSecurityPolicyHeaderSource); |
(...skipping 114 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
149 return m_frameAncestors.get() && !isReportOnly(); | 151 return m_frameAncestors.get() && !isReportOnly(); |
150 } | 152 } |
151 | 153 |
152 // Used to copy plugin-types into a plugin document in a nested | 154 // Used to copy plugin-types into a plugin document in a nested |
153 // browsing context. | 155 // browsing context. |
154 bool hasPluginTypes() const { return !!m_pluginTypes; } | 156 bool hasPluginTypes() const { return !!m_pluginTypes; } |
155 const String& pluginTypesText() const; | 157 const String& pluginTypesText() const; |
156 | 158 |
157 bool shouldSendCSPHeader(Resource::Type) const; | 159 bool shouldSendCSPHeader(Resource::Type) const; |
158 | 160 |
| 161 // The algorithm is described here: |
| 162 // https://w3c.github.io/webappsec-csp/embedded/#subsume-policy |
| 163 bool subsumes(const CSPDirectiveListVector&); |
| 164 |
159 DECLARE_TRACE(); | 165 DECLARE_TRACE(); |
160 | 166 |
161 private: | 167 private: |
162 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); | 168 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, IsMatchingNoncePresent); |
| 169 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, GetSourceVector); |
| 170 FRIEND_TEST_ALL_PREFIXES(CSPDirectiveListTest, OperativeDirectiveGivenType); |
163 | 171 |
164 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 }; | 172 enum RequireSRIForToken { None = 0, Script = 1 << 0, Style = 1 << 1 }; |
165 | 173 |
166 CSPDirectiveList(ContentSecurityPolicy*, | 174 CSPDirectiveList(ContentSecurityPolicy*, |
167 ContentSecurityPolicyHeaderType, | 175 ContentSecurityPolicyHeaderType, |
168 ContentSecurityPolicyHeaderSource); | 176 ContentSecurityPolicyHeaderSource); |
169 | 177 |
170 bool parseDirective(const UChar* begin, | 178 bool parseDirective(const UChar* begin, |
171 const UChar* end, | 179 const UChar* end, |
172 String& name, | 180 String& name, |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
259 bool checkAncestorsAndReportViolation(SourceListDirective*, | 267 bool checkAncestorsAndReportViolation(SourceListDirective*, |
260 LocalFrame*, | 268 LocalFrame*, |
261 const KURL&) const; | 269 const KURL&) const; |
262 bool checkRequestWithoutIntegrityAndReportViolation( | 270 bool checkRequestWithoutIntegrityAndReportViolation( |
263 WebURLRequest::RequestContext, | 271 WebURLRequest::RequestContext, |
264 const KURL&, | 272 const KURL&, |
265 ResourceRequest::RedirectStatus) const; | 273 ResourceRequest::RedirectStatus) const; |
266 | 274 |
267 bool denyIfEnforcingPolicy() const { return isReportOnly(); } | 275 bool denyIfEnforcingPolicy() const { return isReportOnly(); } |
268 | 276 |
| 277 // Tthis function returns a SourceListDirective of a given type |
| 278 // or if it is not defined, the default SourceListDirective for that type. |
| 279 SourceListDirective* operativeDirective( |
| 280 const ContentSecurityPolicy::DirectiveType&); |
| 281 |
| 282 // This function aggregates from a vector of policies all operative |
| 283 // SourceListDirectives of a given type into a vector. |
| 284 static SourceListDirectiveVector getSourceVector( |
| 285 const ContentSecurityPolicy::DirectiveType&, |
| 286 const CSPDirectiveListVector& policies); |
| 287 |
269 Member<ContentSecurityPolicy> m_policy; | 288 Member<ContentSecurityPolicy> m_policy; |
270 | 289 |
271 String m_header; | 290 String m_header; |
272 ContentSecurityPolicyHeaderType m_headerType; | 291 ContentSecurityPolicyHeaderType m_headerType; |
273 ContentSecurityPolicyHeaderSource m_headerSource; | 292 ContentSecurityPolicyHeaderSource m_headerSource; |
274 | 293 |
275 bool m_hasSandboxPolicy; | 294 bool m_hasSandboxPolicy; |
276 | 295 |
277 bool m_strictMixedContentCheckingEnforced; | 296 bool m_strictMixedContentCheckingEnforced; |
278 | 297 |
(...skipping 20 matching lines...) Expand all Loading... |
299 uint8_t m_requireSRIFor; | 318 uint8_t m_requireSRIFor; |
300 | 319 |
301 Vector<String> m_reportEndpoints; | 320 Vector<String> m_reportEndpoints; |
302 | 321 |
303 String m_evalDisabledErrorMessage; | 322 String m_evalDisabledErrorMessage; |
304 }; | 323 }; |
305 | 324 |
306 } // namespace blink | 325 } // namespace blink |
307 | 326 |
308 #endif | 327 #endif |
OLD | NEW |