Chromium Code Reviews

Side by Side Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2526473005: Part 4.1: Is policy list subsumed under subsuming policy? (Closed)
Patch Set: Created 4 years ago
OLD | NEW
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 1538 matching lines...)
1549 const String& report) const { 1549 const String& report) const {
1550 // Collisions have no security impact, so we can save space by storing only 1550 // Collisions have no security impact, so we can save space by storing only
1551 // the string's hash rather than the whole report. 1551 // the string's hash rather than the whole report.
1552 return !m_violationReportsSent.contains(report.impl()->hash()); 1552 return !m_violationReportsSent.contains(report.impl()->hash());
1553 } 1553 }
1554 1554
1555 void ContentSecurityPolicy::didSendViolationReport(const String& report) { 1555 void ContentSecurityPolicy::didSendViolationReport(const String& report) {
1556 m_violationReportsSent.add(report.impl()->hash()); 1556 m_violationReportsSent.add(report.impl()->hash());
1557 } 1557 }
1558 1558
1559 bool ContentSecurityPolicy::subsumes(const ContentSecurityPolicy& other) {
1560 if (!m_policies.size() || !other.m_policies.size())
1561 return !m_policies.size();
1562
1563 CSPDirectiveListVector otherVector;
1564 for (const auto& policy : other.m_policies) {
1565 if (!policy->isReportOnly())
1566 otherVector.append(policy);
1567 }
1568 // Embedding-CSP specifies only one policy.
1569 DCHECK(m_policies.size(), 1u);
amalika 2016/11/28 11:56:22 Since Embedding-CSP can't be more than just one po
Mike West 2016/11/28 13:08:02 I'd suggest returning `false` if more than one pol
amalika 2016/11/29 12:43:52 Changed!
1570
1571 return m_policies[0]->subsumes(otherVector);
Mike West 2016/11/28 13:08:02 What if `m_policies[0]` is report-only?
amalika 2016/11/29 12:43:52 Current implementation of Embedding-CSP is such th
1572 }
1573
1559 } // namespace blink 1574 } // namespace blink
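Review bot: On new line 1569, `DCHECK(m_policies.size(), 1u);` passes two arguments to DCHECK, which takes a single condition, so it does not assert the equality that the comment on line 1568 describes; `DCHECK_EQ(m_policies.size(), 1u)` expresses it. Because DCHECKs are compiled out of release builds, line 1571 would still consult only `m_policies[0]` when more than one policy is present, so an explicit early return for that case is the safer choice for a security decision. Separately, the emptiness test on line 1560 looks at `other.m_policies` before report-only policies are filtered out on lines 1564-1567, so a list that contains only report-only policies reaches `m_policies[0]->subsumes(otherVector)` with an empty vector instead of taking the early-return path; checking `otherVector` after the filter would treat the two cases consistently.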