Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
index 4bdfefc6cc7a7147cdca93bbf6659dc25093bb0f..f78b559b1264ac532d3677b3ad727a824c7f4ee2 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
@@ -1142,6 +1142,98 @@ void CSPDirectiveList::addDirective(const String& name, const String& value) { |
} |
} |
+SourceListDirective* CSPDirectiveList::getSourceListDirective( |
+ const char* name) { |
+ if (name == ContentSecurityPolicy::BaseURI) |
+ return m_baseURI.get(); |
+ if (name == ContentSecurityPolicy::ChildSrc) |
+ return m_childSrc.get(); |
+ if (name == ContentSecurityPolicy::ConnectSrc) |
+ return m_connectSrc.get(); |
+ if (name == ContentSecurityPolicy::FontSrc) |
+ return m_fontSrc.get(); |
+ if (name == ContentSecurityPolicy::FormAction) |
+ return m_formAction.get(); |
+ if (name == ContentSecurityPolicy::FrameAncestors) |
+ return m_frameAncestors.get(); |
+ if (name == ContentSecurityPolicy::FrameSrc) |
+ return m_frameSrc.get(); |
+ if (name == ContentSecurityPolicy::ImgSrc) |
+ return m_imgSrc.get(); |
+ if (name == ContentSecurityPolicy::MediaSrc) |
+ return m_mediaSrc.get(); |
+ if (name == ContentSecurityPolicy::ManifestSrc) |
+ return m_manifestSrc.get(); |
+ if (name == ContentSecurityPolicy::ObjectSrc) |
+ return m_objectSrc.get(); |
+ if (name == ContentSecurityPolicy::ScriptSrc) |
+ return m_scriptSrc.get(); |
+ if (name == ContentSecurityPolicy::StyleSrc) |
+ return m_styleSrc.get(); |
+ if (name == ContentSecurityPolicy::WorkerSrc) |
+ return m_workerSrc.get(); |
+ |
+ return nullptr; |
+} |
+ |
+SourceListDirectiveVector CSPDirectiveList::getSourceVector( |
+ const char* name, |
+ CSPDirectiveListVector policies) { |
+ SourceListDirectiveVector sourceListDirectives; |
+ for (const auto& policy : policies) { |
+ SourceListDirective* directive = policy->getSourceListDirective(name); |
+ |
+ if (name == ContentSecurityPolicy::FrameSrc) { |
+ // m_frameSrc defaults to m_childSrc, which defaults to m_defaultSrc. |
+ directive = policy->operativeDirective( |
+ directive, policy->operativeDirective(policy->m_childSrc.get())); |
+ } else if (String(name).endsWith("src")) { |
amalika
2016/11/21 15:57:06
Another approach would be to define an enum (such
Mike West
2016/11/23 11:19:02
Or do the work in `getSourceListDirective` instead
|
+ // All directives that end with "src" default to m_defaultSrc. |
+ directive = policy->operativeDirective(directive); |
+ } |
+ |
+ if (directive) |
+ sourceListDirectives.append(directive); |
+ } |
+ |
+ return sourceListDirectives; |
+} |
+ |
+bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { |
+ const char* directives[] = { |
+ // Fetch Directives |
+ ContentSecurityPolicy::ChildSrc, ContentSecurityPolicy::ConnectSrc, |
+ ContentSecurityPolicy::FontSrc, ContentSecurityPolicy::FrameSrc, |
+ ContentSecurityPolicy::ImgSrc, ContentSecurityPolicy::ManifestSrc, |
+ ContentSecurityPolicy::MediaSrc, ContentSecurityPolicy::ObjectSrc, |
+ ContentSecurityPolicy::ScriptSrc, ContentSecurityPolicy::StyleSrc, |
+ ContentSecurityPolicy::WorkerSrc, |
+ // Document Directives |
+ ContentSecurityPolicy::BaseURI, |
+ // Navigation Directives |
+ ContentSecurityPolicy::FrameAncestors, ContentSecurityPolicy::FormAction}; |
+ |
+ for (const auto& directive : directives) { |
+ // There should only be one SourceListDirective for each directive in |
+ // Embedding-CSP. |
+ SourceListDirectiveVector requiredList = |
+ getSourceVector(directive, CSPDirectiveListVector(1, this)); |
+ if (requiredList.size() == 0) |
+ continue; |
+ SourceListDirective* required = requiredList[0]; |
+ // Aggregate all serialized source lists of the returned CSP into a vector |
+ // based on a directive type, defaulting accordingly (for example, to |
+ // `default-src`). |
+ SourceListDirectiveVector returned = getSourceVector(directive, other); |
+ // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, |
+ // navigation-to, worker-src. |
+ if (!required->subsumes(returned)) |
+ return false; |
+ } |
+ |
+ return true; |
+} |
+ |
DEFINE_TRACE(CSPDirectiveList) { |
visitor->trace(m_policy); |
visitor->trace(m_pluginTypes); |