1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
65 | 65 |
66 typedef int SandboxFlags; | 66 typedef int SandboxFlags; |
67 typedef HeapVector<Member<CSPDirectiveList>> CSPDirectiveListVector; | 67 typedef HeapVector<Member<CSPDirectiveList>> CSPDirectiveListVector; |
68 typedef HeapVector<Member<ConsoleMessage>> ConsoleMessageVector; | 68 typedef HeapVector<Member<ConsoleMessage>> ConsoleMessageVector; |
69 typedef std::pair<String, ContentSecurityPolicyHeaderType> CSPHeaderAndType; | 69 typedef std::pair<String, ContentSecurityPolicyHeaderType> CSPHeaderAndType; |
70 using RedirectStatus = ResourceRequest::RedirectStatus; | 70 using RedirectStatus = ResourceRequest::RedirectStatus; |
71 | 71 |
72 class CORE_EXPORT ContentSecurityPolicy | 72 class CORE_EXPORT ContentSecurityPolicy |
73 : public GarbageCollectedFinalized<ContentSecurityPolicy> { | 73 : public GarbageCollectedFinalized<ContentSecurityPolicy> { |
74 public: | 74 public: |
| 75 // CSP Level 1 Directives |
| 76 static const char ConnectSrc[]; |
| 77 static const char DefaultSrc[]; |
| 78 static const char FontSrc[]; |
| 79 static const char FrameSrc[]; |
| 80 static const char ImgSrc[]; |
| 81 static const char MediaSrc[]; |
| 82 static const char ObjectSrc[]; |
| 83 static const char ReportURI[]; |
| 84 static const char Sandbox[]; |
| 85 static const char ScriptSrc[]; |
| 86 static const char StyleSrc[]; |
| 87 |
| 88 // CSP Level 2 Directives |
| 89 static const char BaseURI[]; |
| 90 static const char ChildSrc[]; |
| 91 static const char FormAction[]; |
| 92 static const char FrameAncestors[]; |
| 93 static const char PluginTypes[]; |
| 94 |
| 95 // CSP Level 3 Directives |
| 96 static const char ManifestSrc[]; |
| 97 static const char WorkerSrc[]; |
| 98 |
| 99 // Mixed Content Directive |
| 100 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode |
| 101 static const char BlockAllMixedContent[]; |
| 102 |
| 103 // https://w3c.github.io/webappsec/specs/upgrade/ |
| 104 static const char UpgradeInsecureRequests[]; |
| 105 |
| 106 // https://mikewest.github.io/cors-rfc1918/#csp |
| 107 static const char TreatAsPublicAddress[]; |
| 108 |
| 109 // https://w3c.github.io/webappsec-subresource-integrity/#require-sri-for |
| 110 static const char RequireSRIFor[]; |
| 111 |
75 enum ReportingStatus { SendReport, SuppressReport }; | 112 enum ReportingStatus { SendReport, SuppressReport }; |
76 | 113 |
77 enum ExceptionStatus { WillThrowException, WillNotThrowException }; | 114 enum ExceptionStatus { WillThrowException, WillNotThrowException }; |
78 | 115 |
79 // This covers the possible values of a violation's 'resource', as defined in | 116 // This covers the possible values of a violation's 'resource', as defined in |
80 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we | 117 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we |
81 // generate a report, we're guaranteed that the value isn't 'null', so we | 118 // generate a report, we're guaranteed that the value isn't 'null', so we |
82 // don't need that state in this enum. | 119 // don't need that state in this enum. |
83 enum ViolationType { InlineViolation, EvalViolation, URLViolation }; | 120 enum ViolationType { InlineViolation, EvalViolation, URLViolation }; |
84 | 121 |
85 enum class InlineType { Block, Attribute }; | 122 enum class InlineType { Block, Attribute }; |
86 | 123 |
87 enum class DirectiveType { | |
88 Undefined, | |
89 BaseURI, | |
90 BlockAllMixedContent, | |
91 ChildSrc, | |
92 ConnectSrc, | |
93 DefaultSrc, | |
94 FrameAncestors, | |
95 FrameSrc, | |
96 FontSrc, | |
97 FormAction, | |
98 ImgSrc, | |
99 ManifestSrc, | |
100 MediaSrc, | |
101 ObjectSrc, | |
102 PluginTypes, | |
103 ReportURI, | |
104 RequireSRIFor, | |
105 Sandbox, | |
106 ScriptSrc, | |
107 StyleSrc, | |
108 TreatAsPublicAddress, | |
109 UpgradeInsecureRequests, | |
110 WorkerSrc, | |
111 }; | |
112 | |
113 static ContentSecurityPolicy* create() { return new ContentSecurityPolicy(); } | 124 static ContentSecurityPolicy* create() { return new ContentSecurityPolicy(); } |
114 ~ContentSecurityPolicy(); | 125 ~ContentSecurityPolicy(); |
115 DECLARE_TRACE(); | 126 DECLARE_TRACE(); |
116 | 127 |
117 void bindToExecutionContext(ExecutionContext*); | 128 void bindToExecutionContext(ExecutionContext*); |
118 void setupSelf(const SecurityOrigin&); | 129 void setupSelf(const SecurityOrigin&); |
119 void copyStateFrom(const ContentSecurityPolicy*); | 130 void copyStateFrom(const ContentSecurityPolicy*); |
120 void copyPluginTypesFrom(const ContentSecurityPolicy*); | 131 void copyPluginTypesFrom(const ContentSecurityPolicy*); |
121 | 132 |
122 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); | 133 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); |
293 void reportReportOnlyInMeta(const String&); | 304 void reportReportOnlyInMeta(const String&); |
294 void reportMetaOutsideHead(const String&); | 305 void reportMetaOutsideHead(const String&); |
295 void reportValueForEmptyDirective(const String& directiveName, | 306 void reportValueForEmptyDirective(const String& directiveName, |
296 const String& value); | 307 const String& value); |
297 | 308 |
298 // If a frame is passed in, the report will be sent using it as a context. If | 309 // If a frame is passed in, the report will be sent using it as a context. If |
299 // no frame is passed in, the report will be sent via this object's | 310 // no frame is passed in, the report will be sent via this object's |
300 // |m_executionContext| (or dropped on the floor if no such context is | 311 // |m_executionContext| (or dropped on the floor if no such context is |
301 // available). | 312 // available). |
302 void reportViolation(const String& directiveText, | 313 void reportViolation(const String& directiveText, |
303 const DirectiveType& effectiveType, | 314 const String& effectiveDirective, |
304 const String& consoleMessage, | 315 const String& consoleMessage, |
305 const KURL& blockedURL, | 316 const KURL& blockedURL, |
306 const Vector<String>& reportEndpoints, | 317 const Vector<String>& reportEndpoints, |
307 const String& header, | 318 const String& header, |
308 ContentSecurityPolicyHeaderType, | 319 ContentSecurityPolicyHeaderType, |
309 ViolationType, | 320 ViolationType, |
310 LocalFrame* = nullptr, | 321 LocalFrame* = nullptr, |
311 RedirectStatus = RedirectStatus::FollowedRedirect, | 322 RedirectStatus = RedirectStatus::FollowedRedirect, |
312 int contextLine = 0, | 323 int contextLine = 0, |
313 Element* = nullptr); | 324 Element* = nullptr); |
336 bool urlMatchesSelf(const KURL&) const; | 347 bool urlMatchesSelf(const KURL&) const; |
337 bool protocolMatchesSelf(const KURL&) const; | 348 bool protocolMatchesSelf(const KURL&) const; |
338 bool selfMatchesInnerURL() const; | 349 bool selfMatchesInnerURL() const; |
339 | 350 |
340 bool experimentalFeaturesEnabled() const; | 351 bool experimentalFeaturesEnabled() const; |
341 | 352 |
342 bool shouldSendCSPHeader(Resource::Type) const; | 353 bool shouldSendCSPHeader(Resource::Type) const; |
343 | 354 |
344 static bool shouldBypassMainWorld(const ExecutionContext*); | 355 static bool shouldBypassMainWorld(const ExecutionContext*); |
345 | 356 |
| 357 static bool isDirectiveName(const String&); |
| 358 |
346 static bool isNonceableElement(const Element*); | 359 static bool isNonceableElement(const Element*); |
347 | 360 |
348 // This method checks whether the request should be allowed for an | 361 // This method checks whether the request should be allowed for an |
349 // experimental EmbeddingCSP feature | 362 // experimental EmbeddingCSP feature |
350 // Please, see https://w3c.github.io/webappsec-csp/embedded/#origin-allowed. | 363 // Please, see https://w3c.github.io/webappsec-csp/embedded/#origin-allowed. |
351 static bool shouldEnforceEmbeddersPolicy(const ResourceResponse&, | 364 static bool shouldEnforceEmbeddersPolicy(const ResourceResponse&, |
352 SecurityOrigin*); | 365 SecurityOrigin*); |
353 | 366 |
354 static const char* getDirectiveName(const DirectiveType&); | |
355 static DirectiveType getDirectiveType(const String& name); | |
356 | |
357 Document* document() const; | 367 Document* document() const; |
358 | 368 |
359 private: | 369 private: |
360 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline); | 370 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline); |
361 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy); | 371 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy); |
362 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceMultiplePolicy); | 372 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceMultiplePolicy); |
363 | 373 |
364 ContentSecurityPolicy(); | 374 ContentSecurityPolicy(); |
365 | 375 |
366 void applyPolicySideEffectsToExecutionContext(); | 376 void applyPolicySideEffectsToExecutionContext(); |
400 String m_disableEvalErrorMessage; | 410 String m_disableEvalErrorMessage; |
401 WebInsecureRequestPolicy m_insecureRequestPolicy; | 411 WebInsecureRequestPolicy m_insecureRequestPolicy; |
402 | 412 |
403 Member<CSPSource> m_selfSource; | 413 Member<CSPSource> m_selfSource; |
404 String m_selfProtocol; | 414 String m_selfProtocol; |
405 }; | 415 }; |
406 | 416 |
407 } // namespace blink | 417 } // namespace blink |
408 | 418 |
409 #endif | 419 #endif |
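Review bot: `reportViolation` now takes `effectiveDirective` as a free-form `String` (new line 314) in place of the removed `DirectiveType` enum, so a caller passing a misspelled or non-directive string is no longer rejected at compile time and the value presumably flows straight into the `effective-directive` field of the violation report sent to the report endpoints; the header comment above it (new lines 309-312) should state that contract. I would extend that comment with `// |effectiveDirective| must be one of the directive-name constants declared above (e.g. ScriptSrc); the implementation is expected to DCHECK(isDirectiveName(effectiveDirective)).`, hedged as "expected" because the .cpp side is not in this diff. The newly declared `isDirectiveName` (new line 357) is also undocumented; a one-liner such as `// Returns true if |name| is one of the directive-name constants declared above.` would help, to be confirmed against the implementation. The class body is interrupted by collapsed regions, so declarations between the shown hunks were not reviewed.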