OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 1193 matching lines...)
1204 if (violationData.columnNumber()) | 1204 if (violationData.columnNumber()) |
1205 cspReport->setInteger("column-number", violationData.columnNumber()); | 1205 cspReport->setInteger("column-number", violationData.columnNumber()); |
1206 if (!violationData.sourceFile().isEmpty()) | 1206 if (!violationData.sourceFile().isEmpty()) |
1207 cspReport->setString("source-file", violationData.sourceFile()); | 1207 cspReport->setString("source-file", violationData.sourceFile()); |
1208 cspReport->setInteger("status-code", violationData.statusCode()); | 1208 cspReport->setInteger("status-code", violationData.statusCode()); |
1209 | 1209 |
1210 std::unique_ptr<JSONObject> reportObject = JSONObject::create(); | 1210 std::unique_ptr<JSONObject> reportObject = JSONObject::create(); |
1211 reportObject->setObject("csp-report", std::move(cspReport)); | 1211 reportObject->setObject("csp-report", std::move(cspReport)); |
1212 String stringifiedReport = reportObject->toJSONString(); | 1212 String stringifiedReport = reportObject->toJSONString(); |
1213 | 1213 |
1214 if (!shouldSendViolationReport(stringifiedReport)) | 1214 // Only POST unique reports to the external endpoint; repeated reports add no |
1215 return; | 1215 // value on the server side, as they're indistinguishable. Note that we'll |
1216 didSendViolationReport(stringifiedReport); | 1216 // fire the DOM event for every violation, as the page has enough context to |
| 1217 // react in some reasonable way to each violation as it occurs. |
| 1218 if (shouldSendViolationReport(stringifiedReport)) { |
| 1219 didSendViolationReport(stringifiedReport); |
1217 | 1220 |
1218 RefPtr<EncodedFormData> report = | 1221 RefPtr<EncodedFormData> report = |
1219 EncodedFormData::create(stringifiedReport.utf8()); | 1222 EncodedFormData::create(stringifiedReport.utf8()); |
1220 | 1223 |
1221 LocalFrame* frame = document->frame(); | 1224 LocalFrame* frame = document->frame(); |
1222 if (!frame) | 1225 if (!frame) |
1223 return; | 1226 return; |
1224 | 1227 |
1225 for (const String& endpoint : reportEndpoints) { | 1228 for (const String& endpoint : reportEndpoints) { |
1226 // If we have a context frame we're dealing with 'frame-ancestors' and we | 1229 // If we have a context frame we're dealing with 'frame-ancestors' and we |
1227 // don't have our own execution context. Use the frame's document to | 1230 // don't have our own execution context. Use the frame's document to |
1228 // complete the endpoint URL, overriding its URL with the blocked document's | 1231 // complete the endpoint URL, overriding its URL with the blocked |
1229 // URL. | 1232 // document's URL. |
1230 DCHECK(!contextFrame || !m_executionContext); | 1233 DCHECK(!contextFrame || !m_executionContext); |
1231 DCHECK(!contextFrame || | 1234 DCHECK(!contextFrame || |
1232 equalIgnoringCase(effectiveDirective, FrameAncestors)); | 1235 equalIgnoringCase(effectiveDirective, FrameAncestors)); |
1233 KURL url = | 1236 KURL url = |
1234 contextFrame | 1237 contextFrame |
1235 ? frame->document()->completeURLWithOverride(endpoint, blockedURL) | 1238 ? frame->document()->completeURLWithOverride(endpoint, blockedURL) |
1236 : completeURL(endpoint); | 1239 : completeURL(endpoint); |
1237 PingLoader::sendViolationReport( | 1240 PingLoader::sendViolationReport( |
1238 frame, url, report, PingLoader::ContentSecurityPolicyViolationReport); | 1241 frame, url, report, PingLoader::ContentSecurityPolicyViolationReport); |
| 1242 } |
1239 } | 1243 } |
1240 | 1244 |
1241 document->postTask( | 1245 document->postTask( |
1242 BLINK_FROM_HERE, | 1246 BLINK_FROM_HERE, |
1243 createSameThreadTask(&ContentSecurityPolicy::dispatchViolationEvents, | 1247 createSameThreadTask(&ContentSecurityPolicy::dispatchViolationEvents, |
1244 wrapPersistent(this), violationData, | 1248 wrapPersistent(this), violationData, |
1245 wrapPersistent(element), wrapPersistent(document))); | 1249 wrapPersistent(element), wrapPersistent(document))); |
1246 } | 1250 } |
1247 | 1251 |
1248 void ContentSecurityPolicy::dispatchViolationEvents( | 1252 void ContentSecurityPolicy::dispatchViolationEvents( |
(...skipping 264 matching lines...)
1513 // Collisions have no security impact, so we can save space by storing only | 1517 // Collisions have no security impact, so we can save space by storing only |
1514 // the string's hash rather than the whole report. | 1518 // the string's hash rather than the whole report. |
1515 return !m_violationReportsSent.contains(report.impl()->hash()); | 1519 return !m_violationReportsSent.contains(report.impl()->hash()); |
1516 } | 1520 } |
1517 | 1521 |
1518 void ContentSecurityPolicy::didSendViolationReport(const String& report) { | 1522 void ContentSecurityPolicy::didSendViolationReport(const String& report) { |
1519 m_violationReportsSent.add(report.impl()->hash()); | 1523 m_violationReportsSent.add(report.impl()->hash()); |
1520 } | 1524 } |
1521 | 1525 |
1522 } // namespace blink | 1526 } // namespace blink |
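Review bot: The `if (!frame) return;` at new lines 1225-1226 now sits inside the `if (shouldSendViolationReport(stringifiedReport))` block but still exits the whole function, so a first-time report on a document without a frame skips `document->postTask(...)` while a repeat of the same report reaches it. That contradicts the new comment that the DOM event fires for every violation. `didSendViolationReport` has also already recorded the hash by then, so the report is marked as sent although nothing was POSTed. Consider resolving the frame first and gating the block on it, `LocalFrame* frame = document->frame();` followed by `if (frame && shouldSendViolationReport(stringifiedReport)) {`, and dropping the inner return. The start of this function is in the skipped lines, so whether a frameless document can reach this point is not visible here.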