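--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2011 Google, Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
@@ -138,22 +138,22 @@
 
 bool nonceable = true;
 
 // To prevent an attacker from hijacking an existing nonce via a dangling
 // markup injection, we walk through the attributes of each nonced script
 // element: if their names or values contain "<script" or "<style", we won't
 // apply the nonce when loading script.
 //
 // See http://blog.innerht.ml/csp-2015/#danglingmarkupinjection for an example
 // of the kind of attack this is aimed at mitigating.
-DEFINE_STATIC_LOCAL(AtomicString, scriptString, ("<script"));
-DEFINE_STATIC_LOCAL(AtomicString, styleString, ("<style"));
+static const char scriptString[] = "<script";
+static const char styleString[] = "<style";
 for (const Attribute& attr : element->attributes()) {
 AtomicString name = attr.localName().lowerASCII();
 AtomicString value = attr.value().lowerASCII();
 if (name.find(scriptString) != WTF::kNotFound ||
 name.find(styleString) != WTF::kNotFound ||
 value.find(scriptString) != WTF::kNotFound ||
 value.find(styleString) != WTF::kNotFound) {
 nonceable = false;
 break;
 }
@@ -1299,37 +1299,35 @@
 
 void ContentSecurityPolicy::reportInvalidDirectiveInMeta(
 const String& directive) {
 logToConsole(
 "Content Security Policies delivered via a <meta> element may not "
 "contain the " +
 directive + " directive.");
 }
 
 void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) {
-DEFINE_STATIC_LOCAL(String, allow, ("allow"));
-DEFINE_STATIC_LOCAL(String, options, ("options"));
-DEFINE_STATIC_LOCAL(String, policyURI, ("policy-uri"));
-DEFINE_STATIC_LOCAL(
-String, allowMessage,
-("The 'allow' directive has been replaced with 'default-src'. Please use "
-"that directive instead, as 'allow' has no effect."));
-DEFINE_STATIC_LOCAL(
-String, optionsMessage,
-("The 'options' directive has been replaced with 'unsafe-inline' and "
-"'unsafe-eval' source expressions for the 'script-src' and 'style-src' "
-"directives. Please use those directives instead, as 'options' has no "
-"effect."));
-DEFINE_STATIC_LOCAL(String, policyURIMessage,
-("The 'policy-uri' directive has been removed from the "
-"specification. Please specify a complete policy via "
-"the Content-Security-Policy header."));
+static const char allow[] = "allow";
+static const char options[] = "options";
+static const char policyURI[] = "policy-uri";
+static const char allowMessage[] =
+"The 'allow' directive has been replaced with 'default-src'. Please use "
+"that directive instead, as 'allow' has no effect.";
+static const char optionsMessage[] =
+"The 'options' directive has been replaced with 'unsafe-inline' and "
+"'unsafe-eval' source expressions for the 'script-src' and 'style-src' "
+"directives. Please use those directives instead, as 'options' has no "
+"effect.";
+static const char policyURIMessage[] =
+"The 'policy-uri' directive has been removed from the "
+"specification. Please specify a complete policy via "
+"the Content-Security-Policy header.";
 
 String message =
 "Unrecognized Content-Security-Policy directive '" + name + "'.\n";
 MessageLevel level = ErrorMessageLevel;
 if (equalIgnoringCase(name, allow)) {
 message = allowMessage;
 } else if (equalIgnoringCase(name, options)) {
 message = optionsMessage;
 } else if (equalIgnoringCase(name, policyURI)) {
 message = policyURIMessage;
@@ -1514,10 +1512,10 @@
 // Collisions have no security impact, so we can save space by storing only
 // the string's hash rather than the whole report.
 return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report) {
 m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace blink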
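Review bot: In the first hunk, the lowered copies of each attribute name and value (new lines 151-152) are kept as `AtomicString`, which presumably interns every attacker-influenced attribute value into the atomic-string table although they are only searched by the `find` calls below and then dropped. A plain local suffices: `String name = attr.localName().lowerASCII();` and `String value = attr.value().lowerASCII();` (the `const char` arrays introduced by this commit work with `String::find` as well). Consider extending the comment above the loop with a sentence noting that the check is intentionally conservative: a name or value that merely contains one of the markers only clears `nonceable`, so a false positive withholds a nonce but can never grant one. The enclosing function begins and ends outside the hunk.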