OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
80 if (directives->isReportOnly() && | 80 if (directives->isReportOnly() && |
81 source != ContentSecurityPolicyHeaderSourceMeta && | 81 source != ContentSecurityPolicyHeaderSourceMeta && |
82 directives->reportEndpoints().isEmpty()) | 82 directives->reportEndpoints().isEmpty()) |
83 policy->reportMissingReportURI(String(begin, end - begin)); | 83 policy->reportMissingReportURI(String(begin, end - begin)); |
84 | 84 |
85 return directives; | 85 return directives; |
86 } | 86 } |
87 | 87 |
88 void CSPDirectiveList::reportViolation( | 88 void CSPDirectiveList::reportViolation( |
89 const String& directiveText, | 89 const String& directiveText, |
90 const String& effectiveDirective, | 90 const ContentSecurityPolicy::DirectiveType& effectiveType, |
91 const String& consoleMessage, | 91 const String& consoleMessage, |
92 const KURL& blockedURL, | 92 const KURL& blockedURL, |
93 ResourceRequest::RedirectStatus redirectStatus) const { | 93 ResourceRequest::RedirectStatus redirectStatus) const { |
94 String message = | 94 String message = |
95 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 95 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, | 96 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
97 ErrorMessageLevel, message)); | 97 ErrorMessageLevel, message)); |
98 m_policy->reportViolation(directiveText, effectiveDirective, message, | 98 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
99 blockedURL, m_reportEndpoints, m_header, | 99 m_reportEndpoints, m_header, m_headerType, |
100 m_headerType, ContentSecurityPolicy::URLViolation, | 100 ContentSecurityPolicy::URLViolation, nullptr, |
101 nullptr, redirectStatus); | 101 redirectStatus); |
102 } | 102 } |
103 | 103 |
104 void CSPDirectiveList::reportViolationWithFrame( | 104 void CSPDirectiveList::reportViolationWithFrame( |
105 const String& directiveText, | 105 const String& directiveText, |
106 const String& effectiveDirective, | 106 const ContentSecurityPolicy::DirectiveType& effectiveType, |
107 const String& consoleMessage, | 107 const String& consoleMessage, |
108 const KURL& blockedURL, | 108 const KURL& blockedURL, |
109 LocalFrame* frame) const { | 109 LocalFrame* frame) const { |
110 String message = | 110 String message = |
111 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 111 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
112 m_policy->logToConsole( | 112 m_policy->logToConsole( |
113 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), | 113 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), |
114 frame); | 114 frame); |
115 m_policy->reportViolation( | 115 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
116 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, | 116 m_reportEndpoints, m_header, m_headerType, |
117 m_header, m_headerType, ContentSecurityPolicy::URLViolation, frame); | 117 ContentSecurityPolicy::URLViolation, frame); |
118 } | 118 } |
119 | 119 |
120 void CSPDirectiveList::reportViolationWithLocation( | 120 void CSPDirectiveList::reportViolationWithLocation( |
121 const String& directiveText, | 121 const String& directiveText, |
122 const String& effectiveDirective, | 122 const ContentSecurityPolicy::DirectiveType& effectiveType, |
123 const String& consoleMessage, | 123 const String& consoleMessage, |
124 const KURL& blockedURL, | 124 const KURL& blockedURL, |
125 const String& contextURL, | 125 const String& contextURL, |
126 const WTF::OrdinalNumber& contextLine, | 126 const WTF::OrdinalNumber& contextLine, |
127 Element* element) const { | 127 Element* element) const { |
128 String message = | 128 String message = |
129 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 129 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
130 m_policy->logToConsole(ConsoleMessage::create( | 130 m_policy->logToConsole(ConsoleMessage::create( |
131 SecurityMessageSource, ErrorMessageLevel, message, | 131 SecurityMessageSource, ErrorMessageLevel, message, |
132 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); | 132 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); |
133 m_policy->reportViolation( | 133 m_policy->reportViolation( |
134 directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, | 134 directiveText, effectiveType, message, blockedURL, m_reportEndpoints, |
135 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, | 135 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, |
136 RedirectStatus::NoRedirect, contextLine.oneBasedInt(), element); | 136 RedirectStatus::NoRedirect, contextLine.oneBasedInt(), element); |
137 } | 137 } |
138 | 138 |
139 void CSPDirectiveList::reportViolationWithState( | 139 void CSPDirectiveList::reportViolationWithState( |
140 const String& directiveText, | 140 const String& directiveText, |
141 const String& effectiveDirective, | 141 const ContentSecurityPolicy::DirectiveType& effectiveType, |
142 const String& message, | 142 const String& message, |
143 const KURL& blockedURL, | 143 const KURL& blockedURL, |
144 ScriptState* scriptState, | 144 ScriptState* scriptState, |
145 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 145 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
146 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; | 146 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; |
147 // Print a console message if it won't be redundant with a | 147 // Print a console message if it won't be redundant with a |
148 // JavaScript exception that the caller will throw. (Exceptions will | 148 // JavaScript exception that the caller will throw. (Exceptions will |
149 // never get thrown in report-only mode because the caller won't see | 149 // never get thrown in report-only mode because the caller won't see |
150 // a violation.) | 150 // a violation.) |
151 if (isReportOnly() || | 151 if (isReportOnly() || |
152 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { | 152 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { |
153 ConsoleMessage* consoleMessage = ConsoleMessage::create( | 153 ConsoleMessage* consoleMessage = ConsoleMessage::create( |
154 SecurityMessageSource, ErrorMessageLevel, reportMessage); | 154 SecurityMessageSource, ErrorMessageLevel, reportMessage); |
155 m_policy->logToConsole(consoleMessage); | 155 m_policy->logToConsole(consoleMessage); |
156 } | 156 } |
157 m_policy->reportViolation(directiveText, effectiveDirective, message, | 157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
158 blockedURL, m_reportEndpoints, m_header, | 158 m_reportEndpoints, m_header, m_headerType, |
159 m_headerType, ContentSecurityPolicy::EvalViolation); | 159 ContentSecurityPolicy::EvalViolation); |
160 } | 160 } |
161 | 161 |
162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
163 return !directive || directive->allowEval(); | 163 return !directive || directive->allowEval(); |
164 } | 164 } |
165 | 165 |
166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | 166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { |
167 return !directive || | 167 return !directive || |
168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | 168 (directive->allowInline() && !directive->isHashOrNoncePresent()); |
169 } | 169 } |
(...skipping 14 matching lines...) Expand all Loading... |
184 } | 184 } |
185 | 185 |
186 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { | 186 bool CSPDirectiveList::checkDynamic(SourceListDirective* directive) const { |
187 return !directive || directive->allowDynamic(); | 187 return !directive || directive->allowDynamic(); |
188 } | 188 } |
189 | 189 |
190 void CSPDirectiveList::reportMixedContent( | 190 void CSPDirectiveList::reportMixedContent( |
191 const KURL& mixedURL, | 191 const KURL& mixedURL, |
192 ResourceRequest::RedirectStatus redirectStatus) const { | 192 ResourceRequest::RedirectStatus redirectStatus) const { |
193 if (strictMixedContentChecking()) { | 193 if (strictMixedContentChecking()) { |
194 m_policy->reportViolation(ContentSecurityPolicy::BlockAllMixedContent, | 194 m_policy->reportViolation( |
195 ContentSecurityPolicy::BlockAllMixedContent, | 195 ContentSecurityPolicy::getDirectiveName( |
196 String(), mixedURL, m_reportEndpoints, m_header, | 196 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent), |
197 m_headerType, ContentSecurityPolicy::URLViolation, | 197 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent, String(), |
198 nullptr, redirectStatus); | 198 mixedURL, m_reportEndpoints, m_header, m_headerType, |
| 199 ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); |
199 } | 200 } |
200 } | 201 } |
201 | 202 |
202 bool CSPDirectiveList::checkSource( | 203 bool CSPDirectiveList::checkSource( |
203 SourceListDirective* directive, | 204 SourceListDirective* directive, |
204 const KURL& url, | 205 const KURL& url, |
205 ResourceRequest::RedirectStatus redirectStatus) const { | 206 ResourceRequest::RedirectStatus redirectStatus) const { |
206 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 207 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
207 // without a `src` can be blocked/allowed, as they can still load plugins | 208 // without a `src` can be blocked/allowed, as they can still load plugins |
208 // even though they don't actually have a URL. | 209 // even though they don't actually have a URL. |
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
275 case WebURLRequest::RequestContextSharedWorker: | 276 case WebURLRequest::RequestContextSharedWorker: |
276 resourceType = "shared worker"; | 277 resourceType = "shared worker"; |
277 break; | 278 break; |
278 case WebURLRequest::RequestContextWorker: | 279 case WebURLRequest::RequestContextWorker: |
279 resourceType = "worker"; | 280 resourceType = "worker"; |
280 break; | 281 break; |
281 default: | 282 default: |
282 break; | 283 break; |
283 } | 284 } |
284 | 285 |
285 reportViolation(ContentSecurityPolicy::RequireSRIFor, | 286 reportViolation(ContentSecurityPolicy::getDirectiveName( |
286 ContentSecurityPolicy::RequireSRIFor, | 287 ContentSecurityPolicy::DirectiveType::RequireSRIFor), |
| 288 ContentSecurityPolicy::DirectiveType::RequireSRIFor, |
287 "Refused to load the " + resourceType + " '" + | 289 "Refused to load the " + resourceType + " '" + |
288 url.elidedString() + | 290 url.elidedString() + |
289 "' because 'require-sri-for' directive requires " | 291 "' because 'require-sri-for' directive requires " |
290 "integrity attribute be present for all " + | 292 "integrity attribute be present for all " + |
291 resourceType + "s.", | 293 resourceType + "s.", |
292 url, redirectStatus); | 294 url, redirectStatus); |
293 return denyIfEnforcingPolicy(); | 295 return denyIfEnforcingPolicy(); |
294 } | 296 } |
295 | 297 |
296 bool CSPDirectiveList::allowRequestWithoutIntegrity( | 298 bool CSPDirectiveList::allowRequestWithoutIntegrity( |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
333 if (checkEval(directive)) | 335 if (checkEval(directive)) |
334 return true; | 336 return true; |
335 | 337 |
336 String suffix = String(); | 338 String suffix = String(); |
337 if (directive == m_defaultSrc) | 339 if (directive == m_defaultSrc) |
338 suffix = | 340 suffix = |
339 " Note that 'script-src' was not explicitly set, so 'default-src' is " | 341 " Note that 'script-src' was not explicitly set, so 'default-src' is " |
340 "used as a fallback."; | 342 "used as a fallback."; |
341 | 343 |
342 reportViolationWithState( | 344 reportViolationWithState( |
343 directive->text(), ContentSecurityPolicy::ScriptSrc, | 345 directive->text(), ContentSecurityPolicy::DirectiveType::ScriptSrc, |
344 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), | 346 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), |
345 scriptState, exceptionStatus); | 347 scriptState, exceptionStatus); |
346 if (!isReportOnly()) { | 348 if (!isReportOnly()) { |
347 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); | 349 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); |
348 return false; | 350 return false; |
349 } | 351 } |
350 return true; | 352 return true; |
351 } | 353 } |
352 | 354 |
353 bool CSPDirectiveList::checkMediaTypeAndReportViolation( | 355 bool CSPDirectiveList::checkMediaTypeAndReportViolation( |
354 MediaListDirective* directive, | 356 MediaListDirective* directive, |
355 const String& type, | 357 const String& type, |
356 const String& typeAttribute, | 358 const String& typeAttribute, |
357 const String& consoleMessage) const { | 359 const String& consoleMessage) const { |
358 if (checkMediaType(directive, type, typeAttribute)) | 360 if (checkMediaType(directive, type, typeAttribute)) |
359 return true; | 361 return true; |
360 | 362 |
361 String message = consoleMessage + "\'" + directive->text() + "\'."; | 363 String message = consoleMessage + "\'" + directive->text() + "\'."; |
362 if (typeAttribute.isEmpty()) | 364 if (typeAttribute.isEmpty()) |
363 message = message + | 365 message = message + |
364 " When enforcing the 'plugin-types' directive, the plugin's " | 366 " When enforcing the 'plugin-types' directive, the plugin's " |
365 "media type must be explicitly declared with a 'type' attribute " | 367 "media type must be explicitly declared with a 'type' attribute " |
366 "on the containing element (e.g. '<object type=\"[TYPE GOES " | 368 "on the containing element (e.g. '<object type=\"[TYPE GOES " |
367 "HERE]\" ...>')."; | 369 "HERE]\" ...>')."; |
368 | 370 |
369 // 'RedirectStatus::NoRedirect' is safe here, as we do the media type check | 371 // 'RedirectStatus::NoRedirect' is safe here, as we do the media type check |
370 // before actually loading data; this means that we shouldn't leak redirect | 372 // before actually loading data; this means that we shouldn't leak redirect |
371 // targets, as we won't have had a chance to redirect yet. | 373 // targets, as we won't have had a chance to redirect yet. |
372 reportViolation(directive->text(), ContentSecurityPolicy::PluginTypes, | 374 reportViolation( |
373 message + "\n", KURL(), | 375 directive->text(), ContentSecurityPolicy::DirectiveType::PluginTypes, |
374 ResourceRequest::RedirectStatus::NoRedirect); | 376 message + "\n", KURL(), ResourceRequest::RedirectStatus::NoRedirect); |
375 return denyIfEnforcingPolicy(); | 377 return denyIfEnforcingPolicy(); |
376 } | 378 } |
377 | 379 |
378 bool CSPDirectiveList::checkInlineAndReportViolation( | 380 bool CSPDirectiveList::checkInlineAndReportViolation( |
379 SourceListDirective* directive, | 381 SourceListDirective* directive, |
380 const String& consoleMessage, | 382 const String& consoleMessage, |
381 Element* element, | 383 Element* element, |
382 const String& contextURL, | 384 const String& contextURL, |
383 const WTF::OrdinalNumber& contextLine, | 385 const WTF::OrdinalNumber& contextLine, |
384 bool isScript, | 386 bool isScript, |
(...skipping 13 matching lines...) Expand all Loading... |
398 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + | 400 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + |
399 "'), or a nonce ('nonce-...') is required to enable inline execution."; | 401 "'), or a nonce ('nonce-...') is required to enable inline execution."; |
400 if (directive == m_defaultSrc) | 402 if (directive == m_defaultSrc) |
401 suffix = suffix + " Note also that '" + | 403 suffix = suffix + " Note also that '" + |
402 String(isScript ? "script" : "style") + | 404 String(isScript ? "script" : "style") + |
403 "-src' was not explicitly set, so 'default-src' is used as a " | 405 "-src' was not explicitly set, so 'default-src' is used as a " |
404 "fallback."; | 406 "fallback."; |
405 } | 407 } |
406 | 408 |
407 reportViolationWithLocation( | 409 reportViolationWithLocation( |
408 directive->text(), isScript ? ContentSecurityPolicy::ScriptSrc | 410 directive->text(), |
409 : ContentSecurityPolicy::StyleSrc, | 411 isScript ? ContentSecurityPolicy::DirectiveType::ScriptSrc |
| 412 : ContentSecurityPolicy::DirectiveType::StyleSrc, |
410 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), | 413 consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), |
411 contextURL, contextLine, element); | 414 contextURL, contextLine, element); |
412 | 415 |
413 if (!isReportOnly()) { | 416 if (!isReportOnly()) { |
414 if (isScript) | 417 if (isScript) |
415 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); | 418 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); |
416 return false; | 419 return false; |
417 } | 420 } |
418 return true; | 421 return true; |
419 } | 422 } |
420 | 423 |
421 bool CSPDirectiveList::checkSourceAndReportViolation( | 424 bool CSPDirectiveList::checkSourceAndReportViolation( |
422 SourceListDirective* directive, | 425 SourceListDirective* directive, |
423 const KURL& url, | 426 const KURL& url, |
424 const String& effectiveDirective, | 427 const ContentSecurityPolicy::DirectiveType& effectiveType, |
425 ResourceRequest::RedirectStatus redirectStatus) const { | 428 ResourceRequest::RedirectStatus redirectStatus) const { |
426 if (!directive) | 429 if (!directive) |
427 return true; | 430 return true; |
428 | 431 |
429 // We ignore URL-based whitelists if we're allowing dynamic script injection. | 432 // We ignore URL-based whitelists if we're allowing dynamic script injection. |
430 if (checkSource(directive, url, redirectStatus) && !checkDynamic(directive)) | 433 if (checkSource(directive, url, redirectStatus) && !checkDynamic(directive)) |
431 return true; | 434 return true; |
432 | 435 |
433 // We should never have a violation against `child-src` or `default-src` | 436 // We should never have a violation against `child-src` or `default-src` |
434 // directly; the effective directive should always be one of the explicit | 437 // directly; the effective directive should always be one of the explicit |
435 // fetch directives. | 438 // fetch directives. |
436 DCHECK_NE(ContentSecurityPolicy::ChildSrc, effectiveDirective); | 439 DCHECK_NE(ContentSecurityPolicy::DirectiveType::ChildSrc, effectiveType); |
437 DCHECK_NE(ContentSecurityPolicy::DefaultSrc, effectiveDirective); | 440 DCHECK_NE(ContentSecurityPolicy::DirectiveType::DefaultSrc, effectiveType); |
438 | 441 |
439 String prefix; | 442 String prefix; |
440 if (ContentSecurityPolicy::BaseURI == effectiveDirective) | 443 if (ContentSecurityPolicy::DirectiveType::BaseURI == effectiveType) |
441 prefix = "Refused to set the document's base URI to '"; | 444 prefix = "Refused to set the document's base URI to '"; |
442 else if (ContentSecurityPolicy::WorkerSrc == effectiveDirective) | 445 else if (ContentSecurityPolicy::DirectiveType::WorkerSrc == effectiveType) |
443 prefix = "Refused to create a worker from '"; | 446 prefix = "Refused to create a worker from '"; |
444 else if (ContentSecurityPolicy::ConnectSrc == effectiveDirective) | 447 else if (ContentSecurityPolicy::DirectiveType::ConnectSrc == effectiveType) |
445 prefix = "Refused to connect to '"; | 448 prefix = "Refused to connect to '"; |
446 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 449 else if (ContentSecurityPolicy::DirectiveType::FontSrc == effectiveType) |
447 prefix = "Refused to load the font '"; | 450 prefix = "Refused to load the font '"; |
448 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 451 else if (ContentSecurityPolicy::DirectiveType::FormAction == effectiveType) |
449 prefix = "Refused to send form data to '"; | 452 prefix = "Refused to send form data to '"; |
450 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 453 else if (ContentSecurityPolicy::DirectiveType::FrameSrc == effectiveType) |
451 prefix = "Refused to frame '"; | 454 prefix = "Refused to frame '"; |
452 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 455 else if (ContentSecurityPolicy::DirectiveType::ImgSrc == effectiveType) |
453 prefix = "Refused to load the image '"; | 456 prefix = "Refused to load the image '"; |
454 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 457 else if (ContentSecurityPolicy::DirectiveType::MediaSrc == effectiveType) |
455 prefix = "Refused to load media from '"; | 458 prefix = "Refused to load media from '"; |
456 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) | 459 else if (ContentSecurityPolicy::DirectiveType::ManifestSrc == effectiveType) |
457 prefix = "Refused to load manifest from '"; | 460 prefix = "Refused to load manifest from '"; |
458 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 461 else if (ContentSecurityPolicy::DirectiveType::ObjectSrc == effectiveType) |
459 prefix = "Refused to load plugin data from '"; | 462 prefix = "Refused to load plugin data from '"; |
460 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 463 else if (ContentSecurityPolicy::DirectiveType::ScriptSrc == effectiveType) |
461 prefix = "Refused to load the script '"; | 464 prefix = "Refused to load the script '"; |
462 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 465 else if (ContentSecurityPolicy::DirectiveType::StyleSrc == effectiveType) |
463 prefix = "Refused to load the stylesheet '"; | 466 prefix = "Refused to load the stylesheet '"; |
464 | 467 |
465 String suffix = String(); | 468 String suffix = String(); |
466 if (checkDynamic(directive)) | 469 if (checkDynamic(directive)) |
467 suffix = | 470 suffix = |
468 " 'strict-dynamic' is present, so host-based whitelisting is disabled."; | 471 " 'strict-dynamic' is present, so host-based whitelisting is disabled."; |
469 if (directive == m_defaultSrc) | 472 if (directive == m_defaultSrc) |
470 suffix = | 473 suffix = |
471 suffix + " Note that '" + effectiveDirective + | 474 suffix + " Note that '" + |
| 475 ContentSecurityPolicy::getDirectiveName(effectiveType) + |
472 "' was not explicitly set, so 'default-src' is used as a fallback."; | 476 "' was not explicitly set, so 'default-src' is used as a fallback."; |
473 | 477 |
474 reportViolation(directive->text(), effectiveDirective, | 478 reportViolation(directive->text(), effectiveType, |
475 prefix + url.elidedString() + | 479 prefix + url.elidedString() + |
476 "' because it violates the following Content Security " | 480 "' because it violates the following Content Security " |
477 "Policy directive: \"" + | 481 "Policy directive: \"" + |
478 directive->text() + "\"." + suffix + "\n", | 482 directive->text() + "\"." + suffix + "\n", |
479 url, redirectStatus); | 483 url, redirectStatus); |
480 return denyIfEnforcingPolicy(); | 484 return denyIfEnforcingPolicy(); |
481 } | 485 } |
482 | 486 |
483 bool CSPDirectiveList::checkAncestorsAndReportViolation( | 487 bool CSPDirectiveList::checkAncestorsAndReportViolation( |
484 SourceListDirective* directive, | 488 SourceListDirective* directive, |
485 LocalFrame* frame, | 489 LocalFrame* frame, |
486 const KURL& url) const { | 490 const KURL& url) const { |
487 if (checkAncestors(directive, frame)) | 491 if (checkAncestors(directive, frame)) |
488 return true; | 492 return true; |
489 | 493 |
490 reportViolationWithFrame(directive->text(), "frame-ancestors", | 494 reportViolationWithFrame(directive->text(), |
| 495 ContentSecurityPolicy::DirectiveType::FrameAncestors, |
491 "Refused to display '" + url.elidedString() + | 496 "Refused to display '" + url.elidedString() + |
492 "' in a frame because an ancestor violates the " | 497 "' in a frame because an ancestor violates the " |
493 "following Content Security Policy directive: " | 498 "following Content Security Policy directive: " |
494 "\"" + | 499 "\"" + |
495 directive->text() + "\".", | 500 directive->text() + "\".", |
496 url, frame); | 501 url, frame); |
497 return denyIfEnforcingPolicy(); | 502 return denyIfEnforcingPolicy(); |
498 } | 503 } |
499 | 504 |
500 bool CSPDirectiveList::allowJavaScriptURLs( | 505 bool CSPDirectiveList::allowJavaScriptURLs( |
(...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
606 ParserDisposition parserDisposition, | 611 ParserDisposition parserDisposition, |
607 ResourceRequest::RedirectStatus redirectStatus, | 612 ResourceRequest::RedirectStatus redirectStatus, |
608 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 613 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
609 if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce)) | 614 if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce)) |
610 return true; | 615 return true; |
611 if (parserDisposition == NotParserInserted && allowDynamic()) | 616 if (parserDisposition == NotParserInserted && allowDynamic()) |
612 return true; | 617 return true; |
613 return reportingStatus == ContentSecurityPolicy::SendReport | 618 return reportingStatus == ContentSecurityPolicy::SendReport |
614 ? checkSourceAndReportViolation( | 619 ? checkSourceAndReportViolation( |
615 operativeDirective(m_scriptSrc.get()), url, | 620 operativeDirective(m_scriptSrc.get()), url, |
616 ContentSecurityPolicy::ScriptSrc, redirectStatus) | 621 ContentSecurityPolicy::DirectiveType::ScriptSrc, |
| 622 redirectStatus) |
617 : checkSource(operativeDirective(m_scriptSrc.get()), url, | 623 : checkSource(operativeDirective(m_scriptSrc.get()), url, |
618 redirectStatus); | 624 redirectStatus); |
619 } | 625 } |
620 | 626 |
621 bool CSPDirectiveList::allowObjectFromSource( | 627 bool CSPDirectiveList::allowObjectFromSource( |
622 const KURL& url, | 628 const KURL& url, |
623 ResourceRequest::RedirectStatus redirectStatus, | 629 ResourceRequest::RedirectStatus redirectStatus, |
624 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 630 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
625 if (url.protocolIsAbout()) | 631 if (url.protocolIsAbout()) |
626 return true; | 632 return true; |
627 return reportingStatus == ContentSecurityPolicy::SendReport | 633 return reportingStatus == ContentSecurityPolicy::SendReport |
628 ? checkSourceAndReportViolation( | 634 ? checkSourceAndReportViolation( |
629 operativeDirective(m_objectSrc.get()), url, | 635 operativeDirective(m_objectSrc.get()), url, |
630 ContentSecurityPolicy::ObjectSrc, redirectStatus) | 636 ContentSecurityPolicy::DirectiveType::ObjectSrc, |
| 637 redirectStatus) |
631 : checkSource(operativeDirective(m_objectSrc.get()), url, | 638 : checkSource(operativeDirective(m_objectSrc.get()), url, |
632 redirectStatus); | 639 redirectStatus); |
633 } | 640 } |
634 | 641 |
635 bool CSPDirectiveList::allowFrameFromSource( | 642 bool CSPDirectiveList::allowFrameFromSource( |
636 const KURL& url, | 643 const KURL& url, |
637 ResourceRequest::RedirectStatus redirectStatus, | 644 ResourceRequest::RedirectStatus redirectStatus, |
638 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 645 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
639 if (url.protocolIsAbout()) | 646 if (url.protocolIsAbout()) |
640 return true; | 647 return true; |
641 | 648 |
642 // 'frame-src' overrides 'child-src', which overrides the default | 649 // 'frame-src' overrides 'child-src', which overrides the default |
643 // sources. So, we do this nested set of calls to 'operativeDirective()' to | 650 // sources. So, we do this nested set of calls to 'operativeDirective()' to |
644 // grab 'frame-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' | 651 // grab 'frame-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' |
645 // if neither are available. | 652 // if neither are available. |
646 SourceListDirective* whichDirective = operativeDirective( | 653 SourceListDirective* whichDirective = operativeDirective( |
647 m_frameSrc.get(), operativeDirective(m_childSrc.get())); | 654 m_frameSrc.get(), operativeDirective(m_childSrc.get())); |
648 | 655 |
649 return reportingStatus == ContentSecurityPolicy::SendReport | 656 return reportingStatus == ContentSecurityPolicy::SendReport |
650 ? checkSourceAndReportViolation(whichDirective, url, | 657 ? checkSourceAndReportViolation( |
651 ContentSecurityPolicy::FrameSrc, | 658 whichDirective, url, |
652 redirectStatus) | 659 ContentSecurityPolicy::DirectiveType::FrameSrc, |
| 660 redirectStatus) |
653 : checkSource(whichDirective, url, redirectStatus); | 661 : checkSource(whichDirective, url, redirectStatus); |
654 } | 662 } |
655 | 663 |
656 bool CSPDirectiveList::allowImageFromSource( | 664 bool CSPDirectiveList::allowImageFromSource( |
657 const KURL& url, | 665 const KURL& url, |
658 ResourceRequest::RedirectStatus redirectStatus, | 666 ResourceRequest::RedirectStatus redirectStatus, |
659 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 667 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
660 return reportingStatus == ContentSecurityPolicy::SendReport | 668 return reportingStatus == ContentSecurityPolicy::SendReport |
661 ? checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), | 669 ? checkSourceAndReportViolation( |
662 url, ContentSecurityPolicy::ImgSrc, | 670 operativeDirective(m_imgSrc.get()), url, |
663 redirectStatus) | 671 ContentSecurityPolicy::DirectiveType::ImgSrc, redirectStatus) |
664 : checkSource(operativeDirective(m_imgSrc.get()), url, | 672 : checkSource(operativeDirective(m_imgSrc.get()), url, |
665 redirectStatus); | 673 redirectStatus); |
666 } | 674 } |
667 | 675 |
668 bool CSPDirectiveList::allowStyleFromSource( | 676 bool CSPDirectiveList::allowStyleFromSource( |
669 const KURL& url, | 677 const KURL& url, |
670 const String& nonce, | 678 const String& nonce, |
671 ResourceRequest::RedirectStatus redirectStatus, | 679 ResourceRequest::RedirectStatus redirectStatus, |
672 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 680 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
673 if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce)) | 681 if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce)) |
674 return true; | 682 return true; |
675 return reportingStatus == ContentSecurityPolicy::SendReport | 683 return reportingStatus == ContentSecurityPolicy::SendReport |
676 ? checkSourceAndReportViolation( | 684 ? checkSourceAndReportViolation( |
677 operativeDirective(m_styleSrc.get()), url, | 685 operativeDirective(m_styleSrc.get()), url, |
678 ContentSecurityPolicy::StyleSrc, redirectStatus) | 686 ContentSecurityPolicy::DirectiveType::StyleSrc, |
| 687 redirectStatus) |
679 : checkSource(operativeDirective(m_styleSrc.get()), url, | 688 : checkSource(operativeDirective(m_styleSrc.get()), url, |
680 redirectStatus); | 689 redirectStatus); |
681 } | 690 } |
682 | 691 |
683 bool CSPDirectiveList::allowFontFromSource( | 692 bool CSPDirectiveList::allowFontFromSource( |
684 const KURL& url, | 693 const KURL& url, |
685 ResourceRequest::RedirectStatus redirectStatus, | 694 ResourceRequest::RedirectStatus redirectStatus, |
686 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 695 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
687 return reportingStatus == ContentSecurityPolicy::SendReport | 696 return reportingStatus == ContentSecurityPolicy::SendReport |
688 ? checkSourceAndReportViolation( | 697 ? checkSourceAndReportViolation( |
689 operativeDirective(m_fontSrc.get()), url, | 698 operativeDirective(m_fontSrc.get()), url, |
690 ContentSecurityPolicy::FontSrc, redirectStatus) | 699 ContentSecurityPolicy::DirectiveType::FontSrc, |
| 700 redirectStatus) |
691 : checkSource(operativeDirective(m_fontSrc.get()), url, | 701 : checkSource(operativeDirective(m_fontSrc.get()), url, |
692 redirectStatus); | 702 redirectStatus); |
693 } | 703 } |
694 | 704 |
695 bool CSPDirectiveList::allowMediaFromSource( | 705 bool CSPDirectiveList::allowMediaFromSource( |
696 const KURL& url, | 706 const KURL& url, |
697 ResourceRequest::RedirectStatus redirectStatus, | 707 ResourceRequest::RedirectStatus redirectStatus, |
698 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 708 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
699 return reportingStatus == ContentSecurityPolicy::SendReport | 709 return reportingStatus == ContentSecurityPolicy::SendReport |
700 ? checkSourceAndReportViolation( | 710 ? checkSourceAndReportViolation( |
701 operativeDirective(m_mediaSrc.get()), url, | 711 operativeDirective(m_mediaSrc.get()), url, |
702 ContentSecurityPolicy::MediaSrc, redirectStatus) | 712 ContentSecurityPolicy::DirectiveType::MediaSrc, |
| 713 redirectStatus) |
703 : checkSource(operativeDirective(m_mediaSrc.get()), url, | 714 : checkSource(operativeDirective(m_mediaSrc.get()), url, |
704 redirectStatus); | 715 redirectStatus); |
705 } | 716 } |
706 | 717 |
707 bool CSPDirectiveList::allowManifestFromSource( | 718 bool CSPDirectiveList::allowManifestFromSource( |
708 const KURL& url, | 719 const KURL& url, |
709 ResourceRequest::RedirectStatus redirectStatus, | 720 ResourceRequest::RedirectStatus redirectStatus, |
710 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 721 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
711 return reportingStatus == ContentSecurityPolicy::SendReport | 722 return reportingStatus == ContentSecurityPolicy::SendReport |
712 ? checkSourceAndReportViolation( | 723 ? checkSourceAndReportViolation( |
713 operativeDirective(m_manifestSrc.get()), url, | 724 operativeDirective(m_manifestSrc.get()), url, |
714 ContentSecurityPolicy::ManifestSrc, redirectStatus) | 725 ContentSecurityPolicy::DirectiveType::ManifestSrc, |
| 726 redirectStatus) |
715 : checkSource(operativeDirective(m_manifestSrc.get()), url, | 727 : checkSource(operativeDirective(m_manifestSrc.get()), url, |
716 redirectStatus); | 728 redirectStatus); |
717 } | 729 } |
718 | 730 |
719 bool CSPDirectiveList::allowConnectToSource( | 731 bool CSPDirectiveList::allowConnectToSource( |
720 const KURL& url, | 732 const KURL& url, |
721 ResourceRequest::RedirectStatus redirectStatus, | 733 ResourceRequest::RedirectStatus redirectStatus, |
722 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 734 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
723 return reportingStatus == ContentSecurityPolicy::SendReport | 735 return reportingStatus == ContentSecurityPolicy::SendReport |
724 ? checkSourceAndReportViolation( | 736 ? checkSourceAndReportViolation( |
725 operativeDirective(m_connectSrc.get()), url, | 737 operativeDirective(m_connectSrc.get()), url, |
726 ContentSecurityPolicy::ConnectSrc, redirectStatus) | 738 ContentSecurityPolicy::DirectiveType::ConnectSrc, |
| 739 redirectStatus) |
727 : checkSource(operativeDirective(m_connectSrc.get()), url, | 740 : checkSource(operativeDirective(m_connectSrc.get()), url, |
728 redirectStatus); | 741 redirectStatus); |
729 } | 742 } |
730 | 743 |
731 bool CSPDirectiveList::allowFormAction( | 744 bool CSPDirectiveList::allowFormAction( |
732 const KURL& url, | 745 const KURL& url, |
733 ResourceRequest::RedirectStatus redirectStatus, | 746 ResourceRequest::RedirectStatus redirectStatus, |
734 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 747 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
735 return reportingStatus == ContentSecurityPolicy::SendReport | 748 return reportingStatus == ContentSecurityPolicy::SendReport |
736 ? checkSourceAndReportViolation(m_formAction.get(), url, | 749 ? checkSourceAndReportViolation( |
737 ContentSecurityPolicy::FormAction, | 750 m_formAction.get(), url, |
738 redirectStatus) | 751 ContentSecurityPolicy::DirectiveType::FormAction, |
| 752 redirectStatus) |
739 : checkSource(m_formAction.get(), url, redirectStatus); | 753 : checkSource(m_formAction.get(), url, redirectStatus); |
740 } | 754 } |
741 | 755 |
742 bool CSPDirectiveList::allowBaseURI( | 756 bool CSPDirectiveList::allowBaseURI( |
743 const KURL& url, | 757 const KURL& url, |
744 ResourceRequest::RedirectStatus redirectStatus, | 758 ResourceRequest::RedirectStatus redirectStatus, |
745 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 759 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
746 return reportingStatus == ContentSecurityPolicy::SendReport | 760 return reportingStatus == ContentSecurityPolicy::SendReport |
747 ? checkSourceAndReportViolation(m_baseURI.get(), url, | 761 ? checkSourceAndReportViolation( |
748 ContentSecurityPolicy::BaseURI, | 762 m_baseURI.get(), url, |
749 redirectStatus) | 763 ContentSecurityPolicy::DirectiveType::BaseURI, |
| 764 redirectStatus) |
750 : checkSource(m_baseURI.get(), url, redirectStatus); | 765 : checkSource(m_baseURI.get(), url, redirectStatus); |
751 } | 766 } |
752 | 767 |
753 bool CSPDirectiveList::allowWorkerFromSource( | 768 bool CSPDirectiveList::allowWorkerFromSource( |
754 const KURL& url, | 769 const KURL& url, |
755 ResourceRequest::RedirectStatus redirectStatus, | 770 ResourceRequest::RedirectStatus redirectStatus, |
756 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 771 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
757 // 'worker-src' overrides 'child-src', which overrides the default | 772 // 'worker-src' overrides 'child-src', which overrides the default |
758 // sources. So, we do this nested set of calls to 'operativeDirective()' to | 773 // sources. So, we do this nested set of calls to 'operativeDirective()' to |
759 // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' | 774 // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' |
760 // if neither are available. | 775 // if neither are available. |
761 SourceListDirective* whichDirective = operativeDirective( | 776 SourceListDirective* whichDirective = operativeDirective( |
762 m_workerSrc.get(), operativeDirective(m_childSrc.get())); | 777 m_workerSrc.get(), operativeDirective(m_childSrc.get())); |
763 | 778 |
764 return reportingStatus == ContentSecurityPolicy::SendReport | 779 return reportingStatus == ContentSecurityPolicy::SendReport |
765 ? checkSourceAndReportViolation(whichDirective, url, | 780 ? checkSourceAndReportViolation( |
766 ContentSecurityPolicy::WorkerSrc, | 781 whichDirective, url, |
767 redirectStatus) | 782 ContentSecurityPolicy::DirectiveType::WorkerSrc, |
| 783 redirectStatus) |
768 : checkSource(whichDirective, url, redirectStatus); | 784 : checkSource(whichDirective, url, redirectStatus); |
769 } | 785 } |
770 | 786 |
771 bool CSPDirectiveList::allowAncestors( | 787 bool CSPDirectiveList::allowAncestors( |
772 LocalFrame* frame, | 788 LocalFrame* frame, |
773 const KURL& url, | 789 const KURL& url, |
774 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 790 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
775 return reportingStatus == ContentSecurityPolicy::SendReport | 791 return reportingStatus == ContentSecurityPolicy::SendReport |
776 ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, | 792 ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, |
777 url) | 793 url) |
(...skipping 212 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
990 const String& value, | 1006 const String& value, |
991 Member<CSPDirectiveType>& directive) { | 1007 Member<CSPDirectiveType>& directive) { |
992 if (directive) { | 1008 if (directive) { |
993 m_policy->reportDuplicateDirective(name); | 1009 m_policy->reportDuplicateDirective(name); |
994 return; | 1010 return; |
995 } | 1011 } |
996 | 1012 |
997 // Remove frame-ancestors directives in meta policies, per | 1013 // Remove frame-ancestors directives in meta policies, per |
998 // https://www.w3.org/TR/CSP2/#delivery-html-meta-element. | 1014 // https://www.w3.org/TR/CSP2/#delivery-html-meta-element. |
999 if (m_headerSource == ContentSecurityPolicyHeaderSourceMeta && | 1015 if (m_headerSource == ContentSecurityPolicyHeaderSourceMeta && |
1000 name == ContentSecurityPolicy::FrameAncestors) { | 1016 ContentSecurityPolicy::getDirectiveType(name) == |
| 1017 ContentSecurityPolicy::DirectiveType::FrameAncestors) { |
1001 m_policy->reportInvalidDirectiveInMeta(name); | 1018 m_policy->reportInvalidDirectiveInMeta(name); |
1002 return; | 1019 return; |
1003 } | 1020 } |
1004 | 1021 |
1005 directive = new CSPDirectiveType(name, value, m_policy); | 1022 directive = new CSPDirectiveType(name, value, m_policy); |
1006 } | 1023 } |
1007 | 1024 |
1008 void CSPDirectiveList::applySandboxPolicy(const String& name, | 1025 void CSPDirectiveList::applySandboxPolicy(const String& name, |
1009 const String& sandboxPolicy) { | 1026 const String& sandboxPolicy) { |
1010 // Remove sandbox directives in meta policies, per | 1027 // Remove sandbox directives in meta policies, per |
(...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1075 m_upgradeInsecureRequests = true; | 1092 m_upgradeInsecureRequests = true; |
1076 | 1093 |
1077 m_policy->upgradeInsecureRequests(); | 1094 m_policy->upgradeInsecureRequests(); |
1078 if (!value.isEmpty()) | 1095 if (!value.isEmpty()) |
1079 m_policy->reportValueForEmptyDirective(name, value); | 1096 m_policy->reportValueForEmptyDirective(name, value); |
1080 } | 1097 } |
1081 | 1098 |
1082 void CSPDirectiveList::addDirective(const String& name, const String& value) { | 1099 void CSPDirectiveList::addDirective(const String& name, const String& value) { |
1083 ASSERT(!name.isEmpty()); | 1100 ASSERT(!name.isEmpty()); |
1084 | 1101 |
1085 if (equalIgnoringCase(name, ContentSecurityPolicy::DefaultSrc)) { | 1102 ContentSecurityPolicy::DirectiveType type = |
| 1103 ContentSecurityPolicy::getDirectiveType(name); |
| 1104 if (type == ContentSecurityPolicy::DirectiveType::DefaultSrc) { |
1086 setCSPDirective<SourceListDirective>(name, value, m_defaultSrc); | 1105 setCSPDirective<SourceListDirective>(name, value, m_defaultSrc); |
1087 // TODO(mkwst) It seems unlikely that developers would use different | 1106 // TODO(mkwst) It seems unlikely that developers would use different |
1088 // algorithms for scripts and styles. We may want to combine the | 1107 // algorithms for scripts and styles. We may want to combine the |
1089 // usesScriptHashAlgorithms() and usesStyleHashAlgorithms. | 1108 // usesScriptHashAlgorithms() and usesStyleHashAlgorithms. |
1090 m_policy->usesScriptHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); | 1109 m_policy->usesScriptHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); |
1091 m_policy->usesStyleHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); | 1110 m_policy->usesStyleHashAlgorithms(m_defaultSrc->hashAlgorithmsUsed()); |
1092 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ScriptSrc)) { | 1111 } else if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc) { |
1093 setCSPDirective<SourceListDirective>(name, value, m_scriptSrc); | 1112 setCSPDirective<SourceListDirective>(name, value, m_scriptSrc); |
1094 m_policy->usesScriptHashAlgorithms(m_scriptSrc->hashAlgorithmsUsed()); | 1113 m_policy->usesScriptHashAlgorithms(m_scriptSrc->hashAlgorithmsUsed()); |
1095 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ObjectSrc)) { | 1114 } else if (type == ContentSecurityPolicy::DirectiveType::ObjectSrc) { |
1096 setCSPDirective<SourceListDirective>(name, value, m_objectSrc); | 1115 setCSPDirective<SourceListDirective>(name, value, m_objectSrc); |
1097 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FrameAncestors)) { | 1116 } else if (type == |
| 1117 |
| 1118 ContentSecurityPolicy::DirectiveType::FrameAncestors) { |
1098 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); | 1119 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); |
1099 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FrameSrc)) { | 1120 } else if (type == ContentSecurityPolicy::DirectiveType::FrameSrc) { |
1100 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); | 1121 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); |
1101 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) { | 1122 } else if (type == ContentSecurityPolicy::DirectiveType::ImgSrc) { |
1102 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); | 1123 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); |
1103 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) { | 1124 } else if (type == ContentSecurityPolicy::DirectiveType::StyleSrc) { |
1104 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); | 1125 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); |
1105 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); | 1126 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); |
1106 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) { | 1127 } else if (type == ContentSecurityPolicy::DirectiveType::FontSrc) { |
1107 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); | 1128 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); |
1108 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) { | 1129 } else if (type == ContentSecurityPolicy::DirectiveType::MediaSrc) { |
1109 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); | 1130 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); |
1110 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) { | 1131 } else if (type == ContentSecurityPolicy::DirectiveType::ConnectSrc) { |
1111 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 1132 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
1112 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) { | 1133 } else if (type == ContentSecurityPolicy::DirectiveType::Sandbox) { |
1113 applySandboxPolicy(name, value); | 1134 applySandboxPolicy(name, value); |
1114 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) { | 1135 } else if (type == ContentSecurityPolicy::DirectiveType::ReportURI) { |
1115 parseReportURI(name, value); | 1136 parseReportURI(name, value); |
1116 } else if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) { | 1137 } else if (type == ContentSecurityPolicy::DirectiveType::BaseURI) { |
1117 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 1138 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
1118 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) { | 1139 } else if (type == ContentSecurityPolicy::DirectiveType::ChildSrc) { |
1119 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 1140 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
1120 } else if (equalIgnoringCase(name, ContentSecurityPolicy::WorkerSrc) && | 1141 } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc && |
1121 m_policy->experimentalFeaturesEnabled()) { | 1142 m_policy->experimentalFeaturesEnabled()) { |
1122 setCSPDirective<SourceListDirective>(name, value, m_workerSrc); | 1143 setCSPDirective<SourceListDirective>(name, value, m_workerSrc); |
1123 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) { | 1144 } else if (type == ContentSecurityPolicy::DirectiveType::FormAction) { |
1124 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 1145 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
1125 } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) { | 1146 } else if (type == ContentSecurityPolicy::DirectiveType::PluginTypes) { |
1126 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 1147 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
1127 } else if (equalIgnoringCase( | 1148 } else if (type == |
1128 name, ContentSecurityPolicy::UpgradeInsecureRequests)) { | 1149 ContentSecurityPolicy::DirectiveType::UpgradeInsecureRequests) { |
1129 enableInsecureRequestsUpgrade(name, value); | 1150 enableInsecureRequestsUpgrade(name, value); |
1130 } else if (equalIgnoringCase(name, | 1151 } else if (type == |
1131 ContentSecurityPolicy::BlockAllMixedContent)) { | 1152 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent) { |
1132 enforceStrictMixedContentChecking(name, value); | 1153 enforceStrictMixedContentChecking(name, value); |
1133 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) { | 1154 } else if (type == ContentSecurityPolicy::DirectiveType::ManifestSrc) { |
1134 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | 1155 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
1135 } else if (equalIgnoringCase(name, | 1156 } else if (type == |
1136 ContentSecurityPolicy::TreatAsPublicAddress)) { | 1157 ContentSecurityPolicy::DirectiveType::TreatAsPublicAddress) { |
1137 treatAsPublicAddress(name, value); | 1158 treatAsPublicAddress(name, value); |
1138 } else if (equalIgnoringCase(name, ContentSecurityPolicy::RequireSRIFor) && | 1159 } else if (type == ContentSecurityPolicy::DirectiveType::RequireSRIFor && |
1139 m_policy->experimentalFeaturesEnabled()) { | 1160 m_policy->experimentalFeaturesEnabled()) { |
1140 parseRequireSRIFor(name, value); | 1161 parseRequireSRIFor(name, value); |
1141 } else { | 1162 } else { |
1142 m_policy->reportUnsupportedDirective(name); | 1163 m_policy->reportUnsupportedDirective(name); |
1143 } | 1164 } |
1144 } | 1165 } |
1145 | 1166 |
1146 DEFINE_TRACE(CSPDirectiveList) { | 1167 DEFINE_TRACE(CSPDirectiveList) { |
1147 visitor->trace(m_policy); | 1168 visitor->trace(m_policy); |
1148 visitor->trace(m_pluginTypes); | 1169 visitor->trace(m_pluginTypes); |
1149 visitor->trace(m_baseURI); | 1170 visitor->trace(m_baseURI); |
1150 visitor->trace(m_childSrc); | 1171 visitor->trace(m_childSrc); |
1151 visitor->trace(m_connectSrc); | 1172 visitor->trace(m_connectSrc); |
1152 visitor->trace(m_defaultSrc); | 1173 visitor->trace(m_defaultSrc); |
1153 visitor->trace(m_fontSrc); | 1174 visitor->trace(m_fontSrc); |
1154 visitor->trace(m_formAction); | 1175 visitor->trace(m_formAction); |
1155 visitor->trace(m_frameAncestors); | 1176 visitor->trace(m_frameAncestors); |
1156 visitor->trace(m_frameSrc); | 1177 visitor->trace(m_frameSrc); |
1157 visitor->trace(m_imgSrc); | 1178 visitor->trace(m_imgSrc); |
1158 visitor->trace(m_mediaSrc); | 1179 visitor->trace(m_mediaSrc); |
1159 visitor->trace(m_manifestSrc); | 1180 visitor->trace(m_manifestSrc); |
1160 visitor->trace(m_objectSrc); | 1181 visitor->trace(m_objectSrc); |
1161 visitor->trace(m_scriptSrc); | 1182 visitor->trace(m_scriptSrc); |
1162 visitor->trace(m_styleSrc); | 1183 visitor->trace(m_styleSrc); |
1163 visitor->trace(m_workerSrc); | 1184 visitor->trace(m_workerSrc); |
1164 } | 1185 } |
1165 | 1186 |
1166 } // namespace blink | 1187 } // namespace blink |
OLD | NEW |