Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
index f40f1cca42bbab5a59f3b9049d374326773fbced..42f53da5a832a71b6c287430e32f9779c09c5c31 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp |
@@ -1164,6 +1164,101 @@ void CSPDirectiveList::addDirective(const String& name, const String& value) { |
} |
} |
+SourceListDirective* CSPDirectiveList::operativeDirective( |
amalika
2016/11/23 13:57:11
Not sure if we should add a case for `DefaultSrc`
Mike West
2016/11/24 13:07:46
`default-src`'s operative directive is `default-sr
amalika
2016/11/24 14:32:29
Updated!
|
+ const ContentSecurityPolicy::DirectiveType& type) { |
+ switch (type) { |
+ // Directives that do not have a default directive. |
+ case ContentSecurityPolicy::DirectiveType::BaseURI: |
+ return m_baseURI.get(); |
+ case ContentSecurityPolicy::DirectiveType::DefaultSrc: |
+ return m_defaultSrc.get(); |
+ case ContentSecurityPolicy::DirectiveType::FrameAncestors: |
+ return m_frameAncestors.get(); |
+ case ContentSecurityPolicy::DirectiveType::FormAction: |
+ return m_formAction.get(); |
+ // Directives that have one default directive. |
+ case ContentSecurityPolicy::DirectiveType::ChildSrc: |
+ return operativeDirective(m_childSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::ConnectSrc: |
+ return operativeDirective(m_connectSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::FontSrc: |
+ return operativeDirective(m_fontSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::ImgSrc: |
+ return operativeDirective(m_imgSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::ManifestSrc: |
+ return operativeDirective(m_manifestSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::MediaSrc: |
+ return operativeDirective(m_mediaSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::ObjectSrc: |
+ return operativeDirective(m_objectSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::ScriptSrc: |
+ return operativeDirective(m_scriptSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::StyleSrc: |
+ return operativeDirective(m_styleSrc.get()); |
+ case ContentSecurityPolicy::DirectiveType::WorkerSrc: |
Mike West
2016/11/24 13:07:46
1. `worker-src` is currently defined as sitting on
amalika
2016/11/24 14:32:29
Addressed.
|
+ return operativeDirective(m_workerSrc.get()); |
+ // frame-src defaults to child-src, which defaults to default-src. |
+ case ContentSecurityPolicy::DirectiveType::FrameSrc: |
+ return operativeDirective(m_frameSrc, |
+ operativeDirective(m_childSrc.get())); |
+ default: |
+ return nullptr; |
+ } |
+} |
+ |
+SourceListDirectiveVector CSPDirectiveList::getSourceVector( |
+ const ContentSecurityPolicy::DirectiveType& type, |
+ CSPDirectiveListVector policies) { |
Mike West
2016/11/24 13:07:46
`const CSPDirectiveListVector&`?
|
+ SourceListDirectiveVector sourceListDirectives; |
+ for (const auto& policy : policies) { |
+ if (SourceListDirective* directive = policy->operativeDirective(type)) |
+ sourceListDirectives.append(directive); |
+ } |
+ |
+ return sourceListDirectives; |
+} |
+ |
+bool CSPDirectiveList::subsumes(CSPDirectiveListVector other) { |
Mike West
2016/11/24 13:07:46
`const CSPDirectiveListVector&`?
|
+ ContentSecurityPolicy::DirectiveType directives[] = { |
+ // Fetch Directives |
+ ContentSecurityPolicy::DirectiveType::ChildSrc, |
+ ContentSecurityPolicy::DirectiveType::ConnectSrc, |
+ ContentSecurityPolicy::DirectiveType::FontSrc, |
+ ContentSecurityPolicy::DirectiveType::FrameSrc, |
+ ContentSecurityPolicy::DirectiveType::ImgSrc, |
+ ContentSecurityPolicy::DirectiveType::ManifestSrc, |
+ ContentSecurityPolicy::DirectiveType::MediaSrc, |
+ ContentSecurityPolicy::DirectiveType::ObjectSrc, |
+ ContentSecurityPolicy::DirectiveType::ScriptSrc, |
+ ContentSecurityPolicy::DirectiveType::StyleSrc, |
+ ContentSecurityPolicy::DirectiveType::WorkerSrc, |
+ // Document Directives |
+ ContentSecurityPolicy::DirectiveType::BaseURI, |
+ // Navigation Directives |
Mike West
2016/11/24 13:07:46
I don't think these comments add much. You're not
amalika
2016/11/24 14:32:29
Changed!
|
+ ContentSecurityPolicy::DirectiveType::FrameAncestors, |
+ ContentSecurityPolicy::DirectiveType::FormAction}; |
+ |
+ for (const auto& directive : directives) { |
+ // There should only be one SourceListDirective for each directive in |
+ // Embedding-CSP. |
+ SourceListDirectiveVector requiredList = |
+ getSourceVector(directive, CSPDirectiveListVector(1, this)); |
+ if (requiredList.size() == 0) |
+ continue; |
+ SourceListDirective* required = requiredList[0]; |
+ // Aggregate all serialized source lists of the returned CSP into a vector |
+ // based on a directive type, defaulting accordingly (for example, to |
+ // `default-src`). |
+ SourceListDirectiveVector returned = getSourceVector(directive, other); |
+ // TODO(amalika): Add checks for plugin-types, sandbox, disown-opener, |
+ // navigation-to, worker-src. |
+ if (!required->subsumes(returned)) |
+ return false; |
+ } |
+ |
+ return true; |
+} |
+ |
DEFINE_TRACE(CSPDirectiveList) { |
visitor->trace(m_policy); |
visitor->trace(m_pluginTypes); |