OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
80 if (directives->isReportOnly() && | 80 if (directives->isReportOnly() && |
81 source != ContentSecurityPolicyHeaderSourceMeta && | 81 source != ContentSecurityPolicyHeaderSourceMeta && |
82 directives->reportEndpoints().isEmpty()) | 82 directives->reportEndpoints().isEmpty()) |
83 policy->reportMissingReportURI(String(begin, end - begin)); | 83 policy->reportMissingReportURI(String(begin, end - begin)); |
84 | 84 |
85 return directives; | 85 return directives; |
86 } | 86 } |
87 | 87 |
88 void CSPDirectiveList::reportViolation( | 88 void CSPDirectiveList::reportViolation( |
89 const String& directiveText, | 89 const String& directiveText, |
90 const ContentSecurityPolicy::DirectiveType& effectiveType, | 90 const String& effectiveDirective, |
91 const String& consoleMessage, | 91 const String& consoleMessage, |
92 const KURL& blockedURL, | 92 const KURL& blockedURL, |
93 ResourceRequest::RedirectStatus redirectStatus) const { | 93 ResourceRequest::RedirectStatus redirectStatus) const { |
94 String message = | 94 String message = |
95 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 95 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, | 96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
97 ErrorMessageLevel, message)); | 97 ErrorMessageLevel, message)); |
98 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 98 m_policy->reportViolation(directiveText, effectiveDirective, message, |
99 m_reportEndpoints, m_header, m_headerType, | 99 blockedURL, m_reportEndpoints, m_header, |
100 ContentSecurityPolicy::URLViolation, nullptr, | 100 m_headerType, ContentSecurityPolicy::URLViolation, |
101 redirectStatus); | 101 nullptr, redirectStatus); |
102 } | 102 } |
103 | 103 |
104 void CSPDirectiveList::reportViolationWithFrame( | 104 void CSPDirectiveList::reportViolationWithFrame( |
105 const String& directiveText, | 105 const String& directiveText, |
106 const ContentSecurityPolicy::DirectiveType& effectiveType, | 106 const String& effectiveDirective, |
107 const String& consoleMessage, | 107 const String& consoleMessage, |
108 const KURL& blockedURL, | 108 const KURL& blockedURL, |
109 LocalFrame* frame) const { | 109 LocalFrame* frame) const { |
110 String message = | 110 String message = |
111 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 111 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
112 m_policy->logToConsole( | 112 m_policy->logToConsole( |
113 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), | 113 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), |
114 frame); | 114 frame); |
115 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 115 m_policy->reportViolation( |
116 m_reportEndpoints, m_header, m_headerType, | 116 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, |
117 ContentSecurityPolicy::URLViolation, frame); | 117 m_header, m_headerType, ContentSecurityPolicy::URLViolation, frame); |
118 } | 118 } |
119 | 119 |
120 void CSPDirectiveList::reportViolationWithLocation( | 120 void CSPDirectiveList::reportViolationWithLocation( |
121 const String& directiveText, | 121 const String& directiveText, |
122 const ContentSecurityPolicy::DirectiveType& effectiveType, | 122 const String& effectiveDirective, |
123 const String& consoleMessage, | 123 const String& consoleMessage, |
124 const KURL& blockedURL, | 124 const KURL& blockedURL, |
125 const String& contextURL, | 125 const String& contextURL, |
126 const WTF::OrdinalNumber& contextLine, | 126 const WTF::OrdinalNumber& contextLine, |
127 Element* element) const { | 127 Element* element) const { |
128 String message = | 128 String message = |
129 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 129 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
130 m_policy->logToConsole(ConsoleMessage::create( | 130 m_policy->logToConsole(ConsoleMessage::create( |
131 SecurityMessageSource, ErrorMessageLevel, message, | 131 SecurityMessageSource, ErrorMessageLevel, message, |
132 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); | 132 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); |
133 m_policy->reportViolation( | 133 m_policy->reportViolation( |
134 directiveText, effectiveType, message, blockedURL, m_reportEndpoints, | 134 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, |
135 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, | 135 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, |
136 RedirectStatus::NoRedirect, contextLine.oneBasedInt(), element); | 136 RedirectStatus::NoRedirect, contextLine.oneBasedInt(), element); |
137 } | 137 } |
138 | 138 |
139 void CSPDirectiveList::reportViolationWithState( | 139 void CSPDirectiveList::reportViolationWithState( |
140 const String& directiveText, | 140 const String& directiveText, |
141 const ContentSecurityPolicy::DirectiveType& effectiveType, | 141 const String& effectiveDirective, |
142 const String& message, | 142 const String& message, |
143 const KURL& blockedURL, | 143 const KURL& blockedURL, |
144 ScriptState* scriptState, | 144 ScriptState* scriptState, |
145 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 145 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
146 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; | 146 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; |
147 // Print a console message if it won't be redundant with a | 147 // Print a console message if it won't be redundant with a |
148 // JavaScript exception that the caller will throw. (Exceptions will | 148 // JavaScript exception that the caller will throw. (Exceptions will |
149 // never get thrown in report-only mode because the caller won't see | 149 // never get thrown in report-only mode because the caller won't see |
150 // a violation.) | 150 // a violation.) |
151 if (isReportOnly() || | 151 if (isReportOnly() || |
152 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { | 152 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { |
153 ConsoleMessage* consoleMessage = ConsoleMessage::create( | 153 ConsoleMessage* consoleMessage = ConsoleMessage::create( |
154 SecurityMessageSource, ErrorMessageLevel, reportMessage); | 154 SecurityMessageSource, ErrorMessageLevel, reportMessage); |
155 m_policy->logToConsole(consoleMessage); | 155 m_policy->logToConsole(consoleMessage); |
156 } | 156 } |
157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 157 m_policy->reportViolation(directiveText, effectiveDirective, message, |
158 m_reportEndpoints, m_header, m_headerType, | 158 blockedURL, m_reportEndpoints, m_header, |
159 ContentSecurityPolicy::EvalViolation); | 159 m_headerType, ContentSecurityPolicy::EvalViolation); |
160 } | 160 } |
161 | 161 |
162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
163 return !directive || directive->allowEval(); | 163 return !directive || directive->allowEval(); |
164 } | 164 } |
165 | 165 |
166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | 166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { |
167 return !directive || | 167 return !directive || |
168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | 168 (directive->allowInline() && !directive->isHashOrNoncePresent()); |
169 } | 169 } |
(...skipping 14 matching lines...) Expand all Loading... |
184 } | 184 } |
185 | 185 |
186 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { | 186 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { |
187 return !directive || directive->allowDynamic(); | 187 return !directive || directive->allowDynamic(); |
188 } | 188 } |
189 | 189 |
190 void CSPDirectiveList::reportMixedContent( | 190 void CSPDirectiveList::reportMixedContent( |
191 const KURL& mixedURL, | 191 const KURL& mixedURL, |
192 ResourceRequest::RedirectStatus redirectStatus) const { | 192 ResourceRequest::RedirectStatus redirectStatus) const { |
193 if (strictMixedContentChecking()) { | 193 if (strictMixedContentChecking()) { |
194 m_policy->reportViolation( | 194 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, |
195 ContentSecurityPolicy::getDirectiveName( | 195 ContentSecurityPolicy::BlockAllMixedContent, |
196 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent), | 196 String(), mixedURL, m_reportEndpoints, m_header, |
197 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent, String(), | 197 m_headerType, ContentSecurityPolicy::URLViolation, |
198 mixedURL, m_reportEndpoints, m_header, m_headerType, | 198 nullptr, redirectStatus); |
199 ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | |
200 } | 199 } |
201 } | 200 } |
202 | 201 |
203 bool CSPDirectiveList::checkSource( | 202 bool CSPDirectiveList::checkSource( |
204 SourceListDirective* directive, | 203 SourceListDirective* directive, |
205 const KURL& url, | 204 const KURL& url, |
206 ResourceRequest::RedirectStatus redirectStatus) const { | 205 ResourceRequest::RedirectStatus redirectStatus) const { |
207 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 206 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
208 // without a `src` can be blocked/allowed, as they can still load plugins | 207 // without a `src` can be blocked/allowed, as they can still load plugins |
209 // even though they don't actually have a URL. | 208 // even though they don't actually have a URL. |
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
276 case WebURLRequest::RequestContextSharedWorker: | 275 case WebURLRequest::RequestContextSharedWorker: |
277 resourceType = "shared worker"; | 276 resourceType = "shared worker"; |
278 break; | 277 break; |
279 case WebURLRequest::RequestContextWorker: | 278 case WebURLRequest::RequestContextWorker: |
280 resourceType = "worker"; | 279 resourceType = "worker"; |
281 break; | 280 break; |
282 default: | 281 default: |
283 break; | 282 break; |
284 } | 283 } |
285 | 284 |
286 reportViolation(ContentSecurityPolicy::getDirectiveName( | 285 reportViolation(ContentSecurityPolicy::RequireSRIFor, |
287 ContentSecurityPolicy::DirectiveType::RequireSRIFor), | 286 ContentSecurityPolicy::RequireSRIFor, |
288 ContentSecurityPolicy::DirectiveType::RequireSRIFor, | |
289 "Refused to load the " + resourceType + " '" + | 287 "Refused to load the " + resourceType + " '" + |
290 url.elidedString() + | 288 url.elidedString() + |
291 "' because 'require-sri-for' directive requires " | 289 "' because 'require-sri-for' directive requires " |
292 "integrity attribute be present for all " + | 290 "integrity attribute be present for all " + |
293 resourceType + "s.", | 291 resourceType + "s.", |
294 url, redirectStatus); | 292 url, redirectStatus); |
295 return denyIfEnforcingPolicy(); | 293 return denyIfEnforcingPolicy(); |
296 } | 294 } |
297 | 295 |
298 bool CSPDirectiveList::allowRequestWithoutIntegrity( | 296 bool CSPDirectiveList::allowRequestWithoutIntegrity( |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
335 if (checkEval(directive)) | 333 if (checkEval(directive)) |
336 return true; | 334 return true; |
337 | 335 |
338 String suffix = String(); | 336 String suffix = String(); |
339 if (directive == m_defaultSrc) | 337 if (directive == m_defaultSrc) |
340 suffix = | 338 suffix = |
341 " Note that 'script-src' was not explicitly set, so 'default-src' is " | 339 " Note that 'script-src' was not explicitly set, so 'default-src' is " |
342 "used as a fallback."; | 340 "used as a fallback."; |
343 | 341 |
344 reportViolationWithState( | 342 reportViolationWithState( |
345 directive->text(), ContentSecurityPolicy::DirectiveType::ScriptSrc, | 343 directive->text(), ContentSecurityPolicy::ScriptSrc, |
346 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), | 344 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), |
347 scriptState, exceptionStatus); | 345 scriptState, exceptionStatus); |
348 if (!isReportOnly()) { | 346 if (!isReportOnly()) { |
349 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); | 347 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); |
350 return false; | 348 return false; |
351 } | 349 } |
352 return true; | 350 return true; |
353 } | 351 } |
354 | 352 |
355 bool CSPDirectiveList::checkMediaTypeAndReportViolation( | 353 bool CSPDirectiveList::checkMediaTypeAndReportViolation( |
356 MediaListDirective* directive, | 354 MediaListDirective* directive, |
357 const String& type, | 355 const String& type, |
358 const String& typeAttribute, | 356 const String& typeAttribute, |
359 const String& consoleMessage) const { | 357 const String& consoleMessage) const { |
360 if (checkMediaType(directive, type, typeAttribute)) | 358 if (checkMediaType(directive, type, typeAttribute)) |
361 return true; | 359 return true; |
362 | 360 |
363 String message = consoleMessage + "\'" + directive->text() + "\'."; | 361 String message = consoleMessage + "\'" + directive->text() + "\'."; |
364 if (typeAttribute.isEmpty()) | 362 if (typeAttribute.isEmpty()) |
365 message = message + | 363 message = message + |
366 " When enforcing the 'plugin-types' directive, the plugin's " | 364 " When enforcing the 'plugin-types' directive, the plugin's " |
367 "media type must be explicitly declared with a 'type' attribute " | 365 "media type must be explicitly declared with a 'type' attribute " |
368 "on the containing element (e.g. '<object type=\"[TYPE GOES " | 366 "on the containing element (e.g. '<object type=\"[TYPE GOES " |
369 "HERE]\" ...>')."; | 367 "HERE]\" ...>')."; |
370 | 368 |
371 // 'RedirectStatus::NoRedirect' is safe here, as we do the media type check | 369 // 'RedirectStatus::NoRedirect' is safe here, as we do the media type check |
372 // before actually loading data; this means that we shouldn't leak redirect | 370 // before actually loading data; this means that we shouldn't leak redirect |
373 // targets, as we won't have had a chance to redirect yet. | 371 // targets, as we won't have had a chance to redirect yet. |
374 reportViolation( | 372 reportViolation(directive->text(), ContentSecurityPolicy::PluginTypes, |
375 directive->text(), ContentSecurityPolicy::DirectiveType::PluginTypes, | 373 message + "\n", KURL(), |
376 message + "\n", KURL(), ResourceRequest::RedirectStatus::NoRedirect); | 374 ResourceRequest::RedirectStatus::NoRedirect); |
377 return denyIfEnforcingPolicy(); | 375 return denyIfEnforcingPolicy(); |
378 } | 376 } |
379 | 377 |
380 bool CSPDirectiveList::checkInlineAndReportViolation( | 378 bool CSPDirectiveList::checkInlineAndReportViolation( |
381 SourceListDirective* directive, | 379 SourceListDirective* directive, |
382 const String& consoleMessage, | 380 const String& consoleMessage, |
383 Element* element, | 381 Element* element, |
384 const String& contextURL, | 382 const String& contextURL, |
385 const WTF::OrdinalNumber& contextLine, | 383 const WTF::OrdinalNumber& contextLine, |
386 bool isScript, | 384 bool isScript, |
(...skipping 13 matching lines...) Expand all Loading... |
400 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + | 398 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + |
401 "'), or a nonce ('nonce-...') is required to enable inline execution."; | 399 "'), or a nonce ('nonce-...') is required to enable inline execution."; |
402 if (directive == m_defaultSrc) | 400 if (directive == m_defaultSrc) |
403 suffix = suffix + " Note also that '" + | 401 suffix = suffix + " Note also that '" + |
404 String(isScript ? "script" : "style") + | 402 String(isScript ? "script" : "style") + |
405 "-src' was not explicitly set, so 'default-src' is used as a " | 403 "-src' was not explicitly set, so 'default-src' is used as a " |
406 "fallback."; | 404 "fallback."; |
407 } | 405 } |
408 | 406 |
409 reportViolationWithLocation( | 407 reportViolationWithLocation( |
410 directive->text(), | 408 directive->text(), isScript ? ContentSecurityPolicy::ScriptSrc |
411 isScript ? ContentSecurityPolicy::DirectiveType::ScriptSrc | 409 : ContentSecurityPolicy::StyleSrc, |
412 : ContentSecurityPolicy::DirectiveType::StyleSrc, | |
413 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), | 410 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), |
414 contextURL, contextLine, element); | 411 contextURL, contextLine, element); |
415 | 412 |
416 if (!isReportOnly()) { | 413 if (!isReportOnly()) { |
417 if (isScript) | 414 if (isScript) |
418 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); | 415 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); |
419 return false; | 416 return false; |
420 } | 417 } |
421 return true; | 418 return true; |
422 } | 419 } |
423 | 420 |
424 bool CSPDirectiveList::checkSourceAndReportViolation( | 421 bool CSPDirectiveList::checkSourceAndReportViolation( |
425 SourceListDirective* directive, | 422 SourceListDirective* directive, |
426 const KURL& url, | 423 const KURL& url, |
427 const ContentSecurityPolicy::DirectiveType& effectiveType, | 424 const String& effectiveDirective, |
428 ResourceRequest::RedirectStatus redirectStatus) const { | 425 ResourceRequest::RedirectStatus redirectStatus) const { |
429 if (!directive) | 426 if (!directive) |
430 return true; | 427 return true; |
431 | 428 |
432 // We ignore URL-based whitelists if we're allowing dynamic script injection. | 429 // We ignore URL-based whitelists if we're allowing dynamic script injection. |
433 if (checkSource(directive, url, redirectStatus) && !checkDynamic(directive)) | 430 if (checkSource(directive, url, redirectStatus) && !checkDynamic(directive)) |
434 return true; | 431 return true; |
435 | 432 |
436 // We should never have a violation against `child-src` or `default-src` | 433 // We should never have a violation against `child-src` or `default-src` |
437 // directly; the effective directive should always be one of the explicit | 434 // directly; the effective directive should always be one of the explicit |
438 // fetch directives. | 435 // fetch directives. |
439 DCHECK_NE(ContentSecurityPolicy::DirectiveType::ChildSrc, effectiveType); | 436 DCHECK_NE(ContentSecurityPolicy::ChildSrc, effectiveDirective); |
440 DCHECK_NE(ContentSecurityPolicy::DirectiveType::DefaultSrc, effectiveType); | 437 DCHECK_NE(ContentSecurityPolicy::DefaultSrc, effectiveDirective); |
441 | 438 |
442 String prefix; | 439 String prefix; |
443 if (ContentSecurityPolicy::DirectiveType::BaseURI == effectiveType) | 440 if (ContentSecurityPolicy::BaseURI == effectiveDirective) |
444 prefix = "Refused to set the document's base URI to '"; | 441 prefix = "Refused to set the document's base URI to '"; |
445 else if (ContentSecurityPolicy::DirectiveType::WorkerSrc == effectiveType) | 442 else if (ContentSecurityPolicy::WorkerSrc == effectiveDirective) |
446 prefix = "Refused to create a worker from '"; | 443 prefix = "Refused to create a worker from '"; |
447 else if (ContentSecurityPolicy::DirectiveType::ConnectSrc == effectiveType) | 444 else if (ContentSecurityPolicy::ConnectSrc == effectiveDirective) |
448 prefix = "Refused to connect to '"; | 445 prefix = "Refused to connect to '"; |
449 else if (ContentSecurityPolicy::DirectiveType::FontSrc == effectiveType) | 446 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
450 prefix = "Refused to load the font '"; | 447 prefix = "Refused to load the font '"; |
451 else if (ContentSecurityPolicy::DirectiveType::FormAction == effectiveType) | 448 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
452 prefix = "Refused to send form data to '"; | 449 prefix = "Refused to send form data to '"; |
453 else if (ContentSecurityPolicy::DirectiveType::FrameSrc == effectiveType) | 450 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
454 prefix = "Refused to frame '"; | 451 prefix = "Refused to frame '"; |
455 else if (ContentSecurityPolicy::DirectiveType::ImgSrc == effectiveType) | 452 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
456 prefix = "Refused to load the image '"; | 453 prefix = "Refused to load the image '"; |
457 else if (ContentSecurityPolicy::DirectiveType::MediaSrc == effectiveType) | 454 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
458 prefix = "Refused to load media from '"; | 455 prefix = "Refused to load media from '"; |
459 else if (ContentSecurityPolicy::DirectiveType::ManifestSrc == effectiveType) | 456 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) |
460 prefix = "Refused to load manifest from '"; | 457 prefix = "Refused to load manifest from '"; |
461 else if (ContentSecurityPolicy::DirectiveType::ObjectSrc == effectiveType) | 458 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
462 prefix = "Refused to load plugin data from '"; | 459 prefix = "Refused to load plugin data from '"; |
463 else if (ContentSecurityPolicy::DirectiveType::ScriptSrc == effectiveType) | 460 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
464 prefix = "Refused to load the script '"; | 461 prefix = "Refused to load the script '"; |
465 else if (ContentSecurityPolicy::DirectiveType::StyleSrc == effectiveType) | 462 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
466 prefix = "Refused to load the stylesheet '"; | 463 prefix = "Refused to load the stylesheet '"; |
467 | 464 |
468 String suffix = String(); | 465 String suffix = String(); |
469 if (checkDynamic(directive)) | 466 if (checkDynamic(directive)) |
470 suffix = | 467 suffix = |
471 " 'strict-dynamic' is present, so host-based whitelisting is disabled."; | 468 " 'strict-dynamic' is present, so host-based whitelisting is disabled."; |
472 if (directive == m_defaultSrc) | 469 if (directive == m_defaultSrc) |
473 suffix = | 470 suffix = |
474 suffix + " Note that '" + | 471 suffix + " Note that '" + effectiveDirective + |
475 ContentSecurityPolicy::getDirectiveName(effectiveType) + | |
476 "' was not explicitly set, so 'default-src' is used as a fallback."; | 472 "' was not explicitly set, so 'default-src' is used as a fallback."; |
477 | 473 |
478 reportViolation(directive->text(), effectiveType, | 474 reportViolation(directive->text(), effectiveDirective, |
479 prefix + url.elidedString() + | 475 prefix + url.elidedString() + |
480 "' because it violates the following Content Security " | 476 "' because it violates the following Content Security " |
481 "Policy directive: \"" + | 477 "Policy directive: \"" + |
482 directive->text() + "\"." + suffix + "\n", | 478 directive->text() + "\"." + suffix + "\n", |
483 url, redirectStatus); | 479 url, redirectStatus); |
484 return denyIfEnforcingPolicy(); | 480 return denyIfEnforcingPolicy(); |
485 } | 481 } |
486 | 482 |
487 bool CSPDirectiveList::checkAncestorsAndReportViolation( | 483 bool CSPDirectiveList::checkAncestorsAndReportViolation( |
488 SourceListDirective* directive, | 484 SourceListDirective* directive, |
489 LocalFrame* frame, | 485 LocalFrame* frame, |
490 const KURL& url) const { | 486 const KURL& url) const { |
491 if (checkAncestors(directive, frame)) | 487 if (checkAncestors(directive, frame)) |
492 return true; | 488 return true; |
493 | 489 |
494 reportViolationWithFrame(directive->text(), | 490 reportViolationWithFrame(directive->text(), "frame-ancestors", |
495 ContentSecurityPolicy::DirectiveType::FrameAncestors, | |
496 "Refused to display '" + url.elidedString() + | 491 "Refused to display '" + url.elidedString() + |
497 "' in a frame because an ancestor violates the " | 492 "' in a frame because an ancestor violates the " |
498 "following Content Security Policy directive: " | 493 "following Content Security Policy directive: " |
499 "\"" + | 494 "\"" + |
500 directive->text() + "\".", | 495 directive->text() + "\".", |
501 url, frame); | 496 url, frame); |
502 return denyIfEnforcingPolicy(); | 497 return denyIfEnforcingPolicy(); |
503 } | 498 } |
504 | 499 |
505 bool CSPDirectiveList::allowJavaScriptURLs( | 500 bool CSPDirectiveList::allowJavaScriptURLs( |
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
611 ParserDisposition parserDisposition, | 606 ParserDisposition parserDisposition, |
612 ResourceRequest::RedirectStatus redirectStatus, | 607 ResourceRequest::RedirectStatus redirectStatus, |
613 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 608 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
614 if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce)) | 609 if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce)) |
615 return true; | 610 return true; |
616 if (parserDisposition == NotParserInserted && allowDynamic()) | 611 if (parserDisposition == NotParserInserted && allowDynamic()) |
617 return true; | 612 return true; |
618 return reportingStatus == ContentSecurityPolicy::SendReport | 613 return reportingStatus == ContentSecurityPolicy::SendReport |
619 ? checkSourceAndReportViolation( | 614 ? checkSourceAndReportViolation( |
620 operativeDirective(m_scriptSrc.get()), url, | 615 operativeDirective(m_scriptSrc.get()), url, |
621 ContentSecurityPolicy::DirectiveType::ScriptSrc, | 616 ContentSecurityPolicy::ScriptSrc, redirectStatus) |
622 redirectStatus) | |
623 : checkSource(operativeDirective(m_scriptSrc.get()), url, | 617 : checkSource(operativeDirective(m_scriptSrc.get()), url, |
624 redirectStatus); | 618 redirectStatus); |
625 } | 619 } |
626 | 620 |
627 bool CSPDirectiveList::allowObjectFromSource( | 621 bool CSPDirectiveList::allowObjectFromSource( |
628 const KURL& url, | 622 const KURL& url, |
629 ResourceRequest::RedirectStatus redirectStatus, | 623 ResourceRequest::RedirectStatus redirectStatus, |
630 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 624 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
631 if (url.protocolIsAbout()) | 625 if (url.protocolIsAbout()) |
632 return true; | 626 return true; |
633 return reportingStatus == ContentSecurityPolicy::SendReport | 627 return reportingStatus == ContentSecurityPolicy::SendReport |
634 ? checkSourceAndReportViolation( | 628 ? checkSourceAndReportViolation( |
635 operativeDirective(m_objectSrc.get()), url, | 629 operativeDirective(m_objectSrc.get()), url, |
636 ContentSecurityPolicy::DirectiveType::ObjectSrc, | 630 ContentSecurityPolicy::ObjectSrc, redirectStatus) |
637 redirectStatus) | |
638 : checkSource(operativeDirective(m_objectSrc.get()), url, | 631 : checkSource(operativeDirective(m_objectSrc.get()), url, |
639 redirectStatus); | 632 redirectStatus); |
640 } | 633 } |
641 | 634 |
642 bool CSPDirectiveList::allowFrameFromSource( | 635 bool CSPDirectiveList::allowFrameFromSource( |
643 const KURL& url, | 636 const KURL& url, |
644 ResourceRequest::RedirectStatus redirectStatus, | 637 ResourceRequest::RedirectStatus redirectStatus, |
645 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 638 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
646 if (url.protocolIsAbout()) | 639 if (url.protocolIsAbout()) |
647 return true; | 640 return true; |
648 | 641 |
649 // 'frame-src' overrides 'child-src', which overrides the default | 642 // 'frame-src' overrides 'child-src', which overrides the default |
650 // sources. So, we do this nested set of calls to 'operativeDirective()' to | 643 // sources. So, we do this nested set of calls to 'operativeDirective()' to |
651 // grab 'frame-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' | 644 // grab 'frame-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' |
652 // if neither are available. | 645 // if neither are available. |
653 SourceListDirective* whichDirective = operativeDirective( | 646 SourceListDirective* whichDirective = operativeDirective( |
654 m_frameSrc.get(), operativeDirective(m_childSrc.get())); | 647 m_frameSrc.get(), operativeDirective(m_childSrc.get())); |
655 | 648 |
656 return reportingStatus == ContentSecurityPolicy::SendReport | 649 return reportingStatus == ContentSecurityPolicy::SendReport |
657 ? checkSourceAndReportViolation( | 650 ? checkSourceAndReportViolation(whichDirective, url, |
658 whichDirective, url, | 651 ContentSecurityPolicy::FrameSrc, |
659 ContentSecurityPolicy::DirectiveType::FrameSrc, | 652 redirectStatus) |
660 redirectStatus) | |
661 : checkSource(whichDirective, url, redirectStatus); | 653 : checkSource(whichDirective, url, redirectStatus); |
662 } | 654 } |
663 | 655 |
664 bool CSPDirectiveList::allowImageFromSource( | 656 bool CSPDirectiveList::allowImageFromSource( |
665 const KURL& url, | 657 const KURL& url, |
666 ResourceRequest::RedirectStatus redirectStatus, | 658 ResourceRequest::RedirectStatus redirectStatus, |
667 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 659 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
668 return reportingStatus == ContentSecurityPolicy::SendReport | 660 return reportingStatus == ContentSecurityPolicy::SendReport |
669 ? checkSourceAndReportViolation( | 661 ? checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), |
670 operativeDirective(m_imgSrc.get()), url, | 662 url, ContentSecurityPolicy::ImgSrc, |
671 ContentSecurityPolicy::DirectiveType::ImgSrc, redirectStatus) | 663 redirectStatus) |
672 : checkSource(operativeDirective(m_imgSrc.get()), url, | 664 : checkSource(operativeDirective(m_imgSrc.get()), url, |
673 redirectStatus); | 665 redirectStatus); |
674 } | 666 } |
675 | 667 |
676 bool CSPDirectiveList::allowStyleFromSource( | 668 bool CSPDirectiveList::allowStyleFromSource( |
677 const KURL& url, | 669 const KURL& url, |
678 const String& nonce, | 670 const String& nonce, |
679 ResourceRequest::RedirectStatus redirectStatus, | 671 ResourceRequest::RedirectStatus redirectStatus, |
680 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 672 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
681 if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce)) | 673 if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce)) |
682 return true; | 674 return true; |
683 return reportingStatus == ContentSecurityPolicy::SendReport | 675 return reportingStatus == ContentSecurityPolicy::SendReport |
684 ? checkSourceAndReportViolation( | 676 ? checkSourceAndReportViolation( |
685 operativeDirective(m_styleSrc.get()), url, | 677 operativeDirective(m_styleSrc.get()), url, |
686 ContentSecurityPolicy::DirectiveType::StyleSrc, | 678 ContentSecurityPolicy::StyleSrc, redirectStatus) |
687 redirectStatus) | |
688 : checkSource(operativeDirective(m_styleSrc.get()), url, | 679 : checkSource(operativeDirective(m_styleSrc.get()), url, |
689 redirectStatus); | 680 redirectStatus); |
690 } | 681 } |
691 | 682 |
692 bool CSPDirectiveList::allowFontFromSource( | 683 bool CSPDirectiveList::allowFontFromSource( |
693 const KURL& url, | 684 const KURL& url, |
694 ResourceRequest::RedirectStatus redirectStatus, | 685 ResourceRequest::RedirectStatus redirectStatus, |
695 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 686 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
696 return reportingStatus == ContentSecurityPolicy::SendReport | 687 return reportingStatus == ContentSecurityPolicy::SendReport |
697 ? checkSourceAndReportViolation( | 688 ? checkSourceAndReportViolation( |
698 operativeDirective(m_fontSrc.get()), url, | 689 operativeDirective(m_fontSrc.get()), url, |
699 ContentSecurityPolicy::DirectiveType::FontSrc, | 690 ContentSecurityPolicy::FontSrc, redirectStatus) |
700 redirectStatus) | |
701 : checkSource(operativeDirective(m_fontSrc.get()), url, | 691 : checkSource(operativeDirective(m_fontSrc.get()), url, |
702 redirectStatus); | 692 redirectStatus); |
703 } | 693 } |
704 | 694 |
705 bool CSPDirectiveList::allowMediaFromSource( | 695 bool CSPDirectiveList::allowMediaFromSource( |
706 const KURL& url, | 696 const KURL& url, |
707 ResourceRequest::RedirectStatus redirectStatus, | 697 ResourceRequest::RedirectStatus redirectStatus, |
708 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 698 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
709 return reportingStatus == ContentSecurityPolicy::SendReport | 699 return reportingStatus == ContentSecurityPolicy::SendReport |
710 ? checkSourceAndReportViolation( | 700 ? checkSourceAndReportViolation( |
711 operativeDirective(m_mediaSrc.get()), url, | 701 operativeDirective(m_mediaSrc.get()), url, |
712 ContentSecurityPolicy::DirectiveType::MediaSrc, | 702 ContentSecurityPolicy::MediaSrc, redirectStatus) |
713 redirectStatus) | |
714 : checkSource(operativeDirective(m_mediaSrc.get()), url, | 703 : checkSource(operativeDirective(m_mediaSrc.get()), url, |
715 redirectStatus); | 704 redirectStatus); |
716 } | 705 } |
717 | 706 |
718 bool CSPDirectiveList::allowManifestFromSource( | 707 bool CSPDirectiveList::allowManifestFromSource( |
719 const KURL& url, | 708 const KURL& url, |
720 ResourceRequest::RedirectStatus redirectStatus, | 709 ResourceRequest::RedirectStatus redirectStatus, |
721 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 710 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
722 return reportingStatus == ContentSecurityPolicy::SendReport | 711 return reportingStatus == ContentSecurityPolicy::SendReport |
723 ? checkSourceAndReportViolation( | 712 ? checkSourceAndReportViolation( |
724 operativeDirective(m_manifestSrc.get()), url, | 713 operativeDirective(m_manifestSrc.get()), url, |
725 ContentSecurityPolicy::DirectiveType::ManifestSrc, | 714 ContentSecurityPolicy::ManifestSrc, redirectStatus) |
726 redirectStatus) | |
727 : checkSource(operativeDirective(m_manifestSrc.get()), url, | 715 : checkSource(operativeDirective(m_manifestSrc.get()), url, |
728 redirectStatus); | 716 redirectStatus); |
729 } | 717 } |
730 | 718 |
731 bool CSPDirectiveList::allowConnectToSource( | 719 bool CSPDirectiveList::allowConnectToSource( |
732 const KURL& url, | 720 const KURL& url, |
733 ResourceRequest::RedirectStatus redirectStatus, | 721 ResourceRequest::RedirectStatus redirectStatus, |
734 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 722 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
735 return reportingStatus == ContentSecurityPolicy::SendReport | 723 return reportingStatus == ContentSecurityPolicy::SendReport |
736 ? checkSourceAndReportViolation( | 724 ? checkSourceAndReportViolation( |
737 operativeDirective(m_connectSrc.get()), url, | 725 operativeDirective(m_connectSrc.get()), url, |
738 ContentSecurityPolicy::DirectiveType::ConnectSrc, | 726 ContentSecurityPolicy::ConnectSrc, redirectStatus) |
739 redirectStatus) | |
740 : checkSource(operativeDirective(m_connectSrc.get()), url, | 727 : checkSource(operativeDirective(m_connectSrc.get()), url, |
741 redirectStatus); | 728 redirectStatus); |
742 } | 729 } |
743 | 730 |
744 bool CSPDirectiveList::allowFormAction( | 731 bool CSPDirectiveList::allowFormAction( |
745 const KURL& url, | 732 const KURL& url, |
746 ResourceRequest::RedirectStatus redirectStatus, | 733 ResourceRequest::RedirectStatus redirectStatus, |
747 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 734 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
748 return reportingStatus == ContentSecurityPolicy::SendReport | 735 return reportingStatus == ContentSecurityPolicy::SendReport |
749 ? checkSourceAndReportViolation( | 736 ? checkSourceAndReportViolation(m_formAction.get(), url, |
750 m_formAction.get(), url, | 737 ContentSecurityPolicy::FormAction, |
751 ContentSecurityPolicy::DirectiveType::FormAction, | 738 redirectStatus) |
752 redirectStatus) | |
753 : checkSource(m_formAction.get(), url, redirectStatus); | 739 : checkSource(m_formAction.get(), url, redirectStatus); |
754 } | 740 } |
755 | 741 |
756 bool CSPDirectiveList::allowBaseURI( | 742 bool CSPDirectiveList::allowBaseURI( |
757 const KURL& url, | 743 const KURL& url, |
758 ResourceRequest::RedirectStatus redirectStatus, | 744 ResourceRequest::RedirectStatus redirectStatus, |
759 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 745 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
760 return reportingStatus == ContentSecurityPolicy::SendReport | 746 return reportingStatus == ContentSecurityPolicy::SendReport |
761 ? checkSourceAndReportViolation( | 747 ? checkSourceAndReportViolation(m_baseURI.get(), url, |
762 m_baseURI.get(), url, | 748 ContentSecurityPolicy::BaseURI, |
763 ContentSecurityPolicy::DirectiveType::BaseURI, | 749 redirectStatus) |
764 redirectStatus) | |
765 : checkSource(m_baseURI.get(), url, redirectStatus); | 750 : checkSource(m_baseURI.get(), url, redirectStatus); |
766 } | 751 } |
767 | 752 |
768 bool CSPDirectiveList::allowWorkerFromSource( | 753 bool CSPDirectiveList::allowWorkerFromSource( |
769 const KURL& url, | 754 const KURL& url, |
770 ResourceRequest::RedirectStatus redirectStatus, | 755 ResourceRequest::RedirectStatus redirectStatus, |
771 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 756 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
772 // 'worker-src' overrides 'child-src', which overrides the default | 757 // 'worker-src' overrides 'child-src', which overrides the default |
773 // sources. So, we do this nested set of calls to 'operativeDirective()' to | 758 // sources. So, we do this nested set of calls to 'operativeDirective()' to |
774 // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' | 759 // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' |
775 // if neither are available. | 760 // if neither are available. |
776 SourceListDirective* whichDirective = operativeDirective( | 761 SourceListDirective* whichDirective = operativeDirective( |
777 m_workerSrc.get(), operativeDirective(m_childSrc.get())); | 762 m_workerSrc.get(), operativeDirective(m_childSrc.get())); |
778 | 763 |
779 return reportingStatus == ContentSecurityPolicy::SendReport | 764 return reportingStatus == ContentSecurityPolicy::SendReport |
780 ? checkSourceAndReportViolation( | 765 ? checkSourceAndReportViolation(whichDirective, url, |
781 whichDirective, url, | 766 ContentSecurityPolicy::WorkerSrc, |
782 ContentSecurityPolicy::DirectiveType::WorkerSrc, | 767 redirectStatus) |
783 redirectStatus) | |
784 : checkSource(whichDirective, url, redirectStatus); | 768 : checkSource(whichDirective, url, redirectStatus); |
785 } | 769 } |
786 | 770 |
787 bool CSPDirectiveList::allowAncestors( | 771 bool CSPDirectiveList::allowAncestors( |
788 LocalFrame* frame, | 772 LocalFrame* frame, |
789 const KURL& url, | 773 const KURL& url, |
790 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 774 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
791 return reportingStatus == ContentSecurityPolicy::SendReport | 775 return reportingStatus == ContentSecurityPolicy::SendReport |
792 ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, | 776 ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, |
793 url) | 777 url) |
(...skipping 212 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1006 const String& value, | 990 const String& value, |
1007 Member<CSPDirectiveType>& directive) { | 991 Member<CSPDirectiveType>& directive) { |
1008 if (directive) { | 992 if (directive) { |
1009 m_policy->reportDuplicateDirective(name); | 993 m_policy->reportDuplicateDirective(name); |
1010 return; | 994 return; |
1011 } | 995 } |
1012 | 996 |
1013 // Remove frame-ancestors directives in meta policies, per | 997 // Remove frame-ancestors directives in meta policies, per |
1014 // https://www.w3.org/TR/CSP2/#delivery-html-meta-element. | 998 // https://www.w3.org/TR/CSP2/#delivery-html-meta-element. |
1015 if (m_headerSource == ContentSecurityPolicyHeaderSourceMeta && | 999 if (m_headerSource == ContentSecurityPolicyHeaderSourceMeta && |
1016 ContentSecurityPolicy::getDirectiveType(name) == | 1000 name == ContentSecurityPolicy::FrameAncestors) { |
1017 ContentSecurityPolicy::DirectiveType::FrameAncestors) { | |
1018 m_policy->reportInvalidDirectiveInMeta(name); | 1001 m_policy->reportInvalidDirectiveInMeta(name); |
1019 return; | 1002 return; |
1020 } | 1003 } |
1021 | 1004 |
1022 directive = new CSPDirectiveType(name, value, m_policy); | 1005 directive = new CSPDirectiveType(name, value, m_policy); |
1023 } | 1006 } |
1024 | 1007 |
1025 void CSPDirectiveList::applySandboxPolicy(const String& name, | 1008 void CSPDirectiveList::applySandboxPolicy(const String& name, |
1026 const String& sandboxPolicy) { | 1009 const String& sandboxPolicy) { |
1027 // Remove sandbox directives in meta policies, per | 1010 // Remove sandbox directives in meta policies, per |
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1092 m_upgradeInsecureRequests = true; | 1075 m_upgradeInsecureRequests = true; |
1093 | 1076 |
1094 m_policy->upgradeInsecureRequests(); | 1077 m_policy->upgradeInsecureRequests(); |
1095 if (!value.isEmpty()) | 1078 if (!value.isEmpty()) |
1096 m_policy->reportValueForEmptyDirective(name, value); | 1079 m_policy->reportValueForEmptyDirective(name, value); |
1097 } | 1080 } |
1098 | 1081 |
1099 void CSPDirectiveList::addDirective(const String& name, const String& value) { | 1082 void CSPDirectiveList::addDirective(const String& name, const String& value) { |
1100 ASSERT(!name.isEmpty()); | 1083 ASSERT(!name.isEmpty()); |
1101 | 1084 |
1102 ContentSecurityPolicy::DirectiveType type = | 1085 if (equalIgnoringCase(name, ContentSecurityPolicy::DefaultSrc)) { |
1103 ContentSecurityPolicy::getDirectiveType(name); | |
1104 if (type == ContentSecurityPolicy::DirectiveType::DefaultSrc) { | |
1105 setCSPDirective<SourceListDirective>(name, value, m_defaultSrc); | 1086 setCSPDirective<SourceListDirective>(name, value, m_defaultSrc); |
1106 // TODO(mkwst) It seems unlikely that developers would use different | 1087 // TODO(mkwst) It seems unlikely that developers would use different |
1107 // algorithms for scripts and styles. We may want to combine the | 1088 // algorithms for scripts and styles. We may want to combine the |
1108 // usesScriptHashAlgorithms() and usesStyleHashAlgorithms. | 1089 // usesScriptHashAlgorithms() and usesStyleHashAlgorithms. |
1109 m_policy->usesScriptHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); | 1090 m_policy->usesScriptHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); |
1110 m_policy->usesStyleHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); | 1091 m_policy->usesStyleHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); |
1111 } else if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc) { | 1092 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ScriptSrc)) { |
1112 setCSPDirective<SourceListDirective>(name, value, m_scriptSrc); | 1093 setCSPDirective<SourceListDirective>(name, value, m_scriptSrc); |
1113 m_policy->usesScriptHashAlgorithms(m_scriptSrc->hashAlgorithmsUsed()); | 1094 m_policy->usesScriptHashAlgorithms(m_scriptSrc->hashAlgorithmsUsed()); |
1114 } else if (type == ContentSecurityPolicy::DirectiveType::ObjectSrc) { | 1095 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ObjectSrc)) { |
1115 setCSPDirective<SourceListDirective>(name, value, m_objectSrc); | 1096 setCSPDirective<SourceListDirective>(name, value, m_objectSrc); |
1116 } else if (type == | 1097 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FrameAncestors)) { |
1117 | |
1118 ContentSecurityPolicy::DirectiveType::FrameAncestors) { | |
1119 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); | 1098 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); |
1120 } else if (type == ContentSecurityPolicy::DirectiveType::FrameSrc) { | 1099 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FrameSrc)) { |
1121 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); | 1100 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); |
1122 } else if (type == ContentSecurityPolicy::DirectiveType::ImgSrc) { | 1101 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) { |
1123 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); | 1102 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); |
1124 } else if (type == ContentSecurityPolicy::DirectiveType::StyleSrc) { | 1103 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) { |
1125 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); | 1104 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); |
1126 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); | 1105 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); |
1127 } else if (type == ContentSecurityPolicy::DirectiveType::FontSrc) { | 1106 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) { |
1128 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); | 1107 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); |
1129 } else if (type == ContentSecurityPolicy::DirectiveType::MediaSrc) { | 1108 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) { |
1130 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); | 1109 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); |
1131 } else if (type == ContentSecurityPolicy::DirectiveType::ConnectSrc) { | 1110 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) { |
1132 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 1111 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
1133 } else if (type == ContentSecurityPolicy::DirectiveType::Sandbox) { | 1112 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) { |
1134 applySandboxPolicy(name, value); | 1113 applySandboxPolicy(name, value); |
1135 } else if (type == ContentSecurityPolicy::DirectiveType::ReportURI) { | 1114 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) { |
1136 parseReportURI(name, value); | 1115 parseReportURI(name, value); |
1137 } else if (type == ContentSecurityPolicy::DirectiveType::BaseURI) { | 1116 } else if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) { |
1138 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 1117 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
1139 } else if (type == ContentSecurityPolicy::DirectiveType::ChildSrc) { | 1118 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) { |
1140 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 1119 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
1141 } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc && | 1120 } else if (equalIgnoringCase(name, ContentSecurityPolicy::WorkerSrc) && |
1142 m_policy->experimentalFeaturesEnabled()) { | 1121 m_policy->experimentalFeaturesEnabled()) { |
1143 setCSPDirective<SourceListDirective>(name, value, m_workerSrc); | 1122 setCSPDirective<SourceListDirective>(name, value, m_workerSrc); |
1144 } else if (type == ContentSecurityPolicy::DirectiveType::FormAction) { | 1123 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) { |
1145 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 1124 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
1146 } else if (type == ContentSecurityPolicy::DirectiveType::PluginTypes) { | 1125 } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) { |
1147 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 1126 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
1148 } else if (type == | 1127 } else if (equalIgnoringCase( |
1149 ContentSecurityPolicy::DirectiveType::UpgradeInsecureRequests) { | 1128 name, ContentSecurityPolicy::UpgradeInsecureRequests)) { |
1150 enableInsecureRequestsUpgrade(name, value); | 1129 enableInsecureRequestsUpgrade(name, value); |
1151 } else if (type == | 1130 } else if (equalIgnoringCase(name, |
1152 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent) { | 1131 ContentSecurityPolicy::BlockAllMixedContent)) { |
1153 enforceStrictMixedContentChecking(name, value); | 1132 enforceStrictMixedContentChecking(name, value); |
1154 } else if (type == ContentSecurityPolicy::DirectiveType::ManifestSrc) { | 1133 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) { |
1155 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | 1134 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
1156 } else if (type == | 1135 } else if (equalIgnoringCase(name, |
1157 ContentSecurityPolicy::DirectiveType::TreatAsPublicAddress) { | 1136 ContentSecurityPolicy::TreatAsPublicAddress)) { |
1158 treatAsPublicAddress(name, value); | 1137 treatAsPublicAddress(name, value); |
1159 } else if (type == ContentSecurityPolicy::DirectiveType::RequireSRIFor && | 1138 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && |
1160 m_policy->experimentalFeaturesEnabled()) { | 1139 m_policy->experimentalFeaturesEnabled()) { |
1161 parseRequireSRIFor(name, value); | 1140 parseRequireSRIFor(name, value); |
1162 } else { | 1141 } else { |
1163 m_policy->reportUnsupportedDirective(name); | 1142 m_policy->reportUnsupportedDirective(name); |
1164 } | 1143 } |
1165 } | 1144 } |
1166 | 1145 |
1167 DEFINE_TRACE(CSPDirectiveList) { | 1146 DEFINE_TRACE(CSPDirectiveList) { |
1168 visitor->trace(m_policy); | 1147 visitor->trace(m_policy); |
1169 visitor->trace(m_pluginTypes); | 1148 visitor->trace(m_pluginTypes); |
1170 visitor->trace(m_baseURI); | 1149 visitor->trace(m_baseURI); |
1171 visitor->trace(m_childSrc); | 1150 visitor->trace(m_childSrc); |
1172 visitor->trace(m_connectSrc); | 1151 visitor->trace(m_connectSrc); |
1173 visitor->trace(m_defaultSrc); | 1152 visitor->trace(m_defaultSrc); |
1174 visitor->trace(m_fontSrc); | 1153 visitor->trace(m_fontSrc); |
1175 visitor->trace(m_formAction); | 1154 visitor->trace(m_formAction); |
1176 visitor->trace(m_frameAncestors); | 1155 visitor->trace(m_frameAncestors); |
1177 visitor->trace(m_frameSrc); | 1156 visitor->trace(m_frameSrc); |
1178 visitor->trace(m_imgSrc); | 1157 visitor->trace(m_imgSrc); |
1179 visitor->trace(m_mediaSrc); | 1158 visitor->trace(m_mediaSrc); |
1180 visitor->trace(m_manifestSrc); | 1159 visitor->trace(m_manifestSrc); |
1181 visitor->trace(m_objectSrc); | 1160 visitor->trace(m_objectSrc); |
1182 visitor->trace(m_scriptSrc); | 1161 visitor->trace(m_scriptSrc); |
1183 visitor->trace(m_styleSrc); | 1162 visitor->trace(m_styleSrc); |
1184 visitor->trace(m_workerSrc); | 1163 visitor->trace(m_workerSrc); |
1185 } | 1164 } |
1186 | 1165 |
1187 } // namespace blink | 1166 } // namespace blink |
OLD | NEW |