1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
65 | 65 |
66 typedef int SandboxFlags; | 66 typedef int SandboxFlags; |
67 typedef HeapVector<Member<CSPDirectiveList>> CSPDirectiveListVector; | 67 typedef HeapVector<Member<CSPDirectiveList>> CSPDirectiveListVector; |
68 typedef HeapVector<Member<ConsoleMessage>> ConsoleMessageVector; | 68 typedef HeapVector<Member<ConsoleMessage>> ConsoleMessageVector; |
69 typedef std::pair<String, ContentSecurityPolicyHeaderType> CSPHeaderAndType; | 69 typedef std::pair<String, ContentSecurityPolicyHeaderType> CSPHeaderAndType; |
70 using RedirectStatus = ResourceRequest::RedirectStatus; | 70 using RedirectStatus = ResourceRequest::RedirectStatus; |
71 | 71 |
72 class CORE_EXPORT ContentSecurityPolicy | 72 class CORE_EXPORT ContentSecurityPolicy |
73 : public GarbageCollectedFinalized<ContentSecurityPolicy> { | 73 : public GarbageCollectedFinalized<ContentSecurityPolicy> { |
74 public: | 74 public: |
75 // CSP Level 1 Directives | |
76 static const char ConnectSrc[]; | |
77 static const char DefaultSrc[]; | |
78 static const char FontSrc[]; | |
79 static const char FrameSrc[]; | |
80 static const char ImgSrc[]; | |
81 static const char MediaSrc[]; | |
82 static const char ObjectSrc[]; | |
83 static const char ReportURI[]; | |
84 static const char Sandbox[]; | |
85 static const char ScriptSrc[]; | |
86 static const char StyleSrc[]; | |
87 | |
88 // CSP Level 2 Directives | |
89 static const char BaseURI[]; | |
90 static const char ChildSrc[]; | |
91 static const char FormAction[]; | |
92 static const char FrameAncestors[]; | |
93 static const char PluginTypes[]; | |
94 | |
95 // CSP Level 3 Directives | |
96 static const char ManifestSrc[]; | |
97 static const char WorkerSrc[]; | |
98 | |
99 // Mixed Content Directive | |
100 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode | |
101 static const char BlockAllMixedContent[]; | |
102 | |
103 // https://w3c.github.io/webappsec/specs/upgrade/ | |
104 static const char UpgradeInsecureRequests[]; | |
105 | |
106 // https://mikewest.github.io/cors-rfc1918/#csp | |
107 static const char TreatAsPublicAddress[]; | |
108 | |
109 // https://w3c.github.io/webappsec-subresource-integrity/#require-sri-for | |
110 static const char RequireSRIFor[]; | |
111 | |
112 enum ReportingStatus { SendReport, SuppressReport }; | 75 enum ReportingStatus { SendReport, SuppressReport }; |
113 | 76 |
114 enum ExceptionStatus { WillThrowException, WillNotThrowException }; | 77 enum ExceptionStatus { WillThrowException, WillNotThrowException }; |
115 | 78 |
116 // This covers the possible values of a violation's 'resource', as defined in | 79 // This covers the possible values of a violation's 'resource', as defined in |
117 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we | 80 // https://w3c.github.io/webappsec-csp/#violation-resource. By the time we |
118 // generate a report, we're guaranteed that the value isn't 'null', so we | 81 // generate a report, we're guaranteed that the value isn't 'null', so we |
119 // don't need that state in this enum. | 82 // don't need that state in this enum. |
120 enum ViolationType { InlineViolation, EvalViolation, URLViolation }; | 83 enum ViolationType { InlineViolation, EvalViolation, URLViolation }; |
121 | 84 |
122 enum class InlineType { Block, Attribute }; | 85 enum class InlineType { Block, Attribute }; |
123 | 86 |
| 87 enum class DirectiveType { |
| 88 Undefined, |
| 89 BaseURI, |
| 90 BlockAllMixedContent, |
| 91 ChildSrc, |
| 92 ConnectSrc, |
| 93 DefaultSrc, |
| 94 FrameAncestors, |
| 95 FrameSrc, |
| 96 FontSrc, |
| 97 FormAction, |
| 98 ImgSrc, |
| 99 ManifestSrc, |
| 100 MediaSrc, |
| 101 ObjectSrc, |
| 102 PluginTypes, |
| 103 ReportURI, |
| 104 RequireSRIFor, |
| 105 Sandbox, |
| 106 ScriptSrc, |
| 107 StyleSrc, |
| 108 TreatAsPublicAddress, |
| 109 UpgradeInsecureRequests, |
| 110 WorkerSrc, |
| 111 }; |
| 112 |
124 static ContentSecurityPolicy* create() { return new ContentSecurityPolicy(); } | 113 static ContentSecurityPolicy* create() { return new ContentSecurityPolicy(); } |
125 ~ContentSecurityPolicy(); | 114 ~ContentSecurityPolicy(); |
126 DECLARE_TRACE(); | 115 DECLARE_TRACE(); |
127 | 116 |
128 void bindToExecutionContext(ExecutionContext*); | 117 void bindToExecutionContext(ExecutionContext*); |
129 void setupSelf(const SecurityOrigin&); | 118 void setupSelf(const SecurityOrigin&); |
130 void copyStateFrom(const ContentSecurityPolicy*); | 119 void copyStateFrom(const ContentSecurityPolicy*); |
131 void copyPluginTypesFrom(const ContentSecurityPolicy*); | 120 void copyPluginTypesFrom(const ContentSecurityPolicy*); |
132 | 121 |
133 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); | 122 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); |
304 void reportReportOnlyInMeta(const String&); | 293 void reportReportOnlyInMeta(const String&); |
305 void reportMetaOutsideHead(const String&); | 294 void reportMetaOutsideHead(const String&); |
306 void reportValueForEmptyDirective(const String& directiveName, | 295 void reportValueForEmptyDirective(const String& directiveName, |
307 const String& value); | 296 const String& value); |
308 | 297 |
309 // If a frame is passed in, the report will be sent using it as a context. If | 298 // If a frame is passed in, the report will be sent using it as a context. If |
310 // no frame is passed in, the report will be sent via this object's | 299 // no frame is passed in, the report will be sent via this object's |
311 // |m_executionContext| (or dropped on the floor if no such context is | 300 // |m_executionContext| (or dropped on the floor if no such context is |
312 // available). | 301 // available). |
313 void reportViolation(const String& directiveText, | 302 void reportViolation(const String& directiveText, |
314 const String& effectiveDirective, | 303 const DirectiveType& effectiveType, |
315 const String& consoleMessage, | 304 const String& consoleMessage, |
316 const KURL& blockedURL, | 305 const KURL& blockedURL, |
317 const Vector<String>& reportEndpoints, | 306 const Vector<String>& reportEndpoints, |
318 const String& header, | 307 const String& header, |
319 ContentSecurityPolicyHeaderType, | 308 ContentSecurityPolicyHeaderType, |
320 ViolationType, | 309 ViolationType, |
321 LocalFrame* = nullptr, | 310 LocalFrame* = nullptr, |
322 RedirectStatus = RedirectStatus::FollowedRedirect, | 311 RedirectStatus = RedirectStatus::FollowedRedirect, |
323 int contextLine = 0, | 312 int contextLine = 0, |
324 Element* = nullptr); | 313 Element* = nullptr); |
347 bool urlMatchesSelf(const KURL&) const; | 336 bool urlMatchesSelf(const KURL&) const; |
348 bool protocolMatchesSelf(const KURL&) const; | 337 bool protocolMatchesSelf(const KURL&) const; |
349 bool selfMatchesInnerURL() const; | 338 bool selfMatchesInnerURL() const; |
350 | 339 |
351 bool experimentalFeaturesEnabled() const; | 340 bool experimentalFeaturesEnabled() const; |
352 | 341 |
353 bool shouldSendCSPHeader(Resource::Type) const; | 342 bool shouldSendCSPHeader(Resource::Type) const; |
354 | 343 |
355 static bool shouldBypassMainWorld(const ExecutionContext*); | 344 static bool shouldBypassMainWorld(const ExecutionContext*); |
356 | 345 |
357 static bool isDirectiveName(const String&); | |
358 | |
359 static bool isNonceableElement(const Element*); | 346 static bool isNonceableElement(const Element*); |
360 | 347 |
361 // This method checks whether the request should be allowed for an | 348 // This method checks whether the request should be allowed for an |
362 // experimental EmbeddingCSP feature | 349 // experimental EmbeddingCSP feature |
363 // Please, see https://w3c.github.io/webappsec-csp/embedded/#origin-allowed. | 350 // Please, see https://w3c.github.io/webappsec-csp/embedded/#origin-allowed. |
364 static bool shouldEnforceEmbeddersPolicy(const ResourceResponse&, | 351 static bool shouldEnforceEmbeddersPolicy(const ResourceResponse&, |
365 SecurityOrigin*); | 352 SecurityOrigin*); |
366 | 353 |
| 354 static const char* getDirectiveName(const DirectiveType&); |
| 355 static DirectiveType getDirectiveType(const String& name); |
| 356 |
367 Document* document() const; | 357 Document* document() const; |
368 | 358 |
369 private: | 359 private: |
370 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline); | 360 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceInline); |
371 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy); | 361 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceSinglePolicy); |
372 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceMultiplePolicy); | 362 FRIEND_TEST_ALL_PREFIXES(ContentSecurityPolicyTest, NonceMultiplePolicy); |
373 | 363 |
374 ContentSecurityPolicy(); | 364 ContentSecurityPolicy(); |
375 | 365 |
376 void applyPolicySideEffectsToExecutionContext(); | 366 void applyPolicySideEffectsToExecutionContext(); |
410 String m_disableEvalErrorMessage; | 400 String m_disableEvalErrorMessage; |
411 WebInsecureRequestPolicy m_insecureRequestPolicy; | 401 WebInsecureRequestPolicy m_insecureRequestPolicy; |
412 | 402 |
413 Member<CSPSource> m_selfSource; | 403 Member<CSPSource> m_selfSource; |
414 String m_selfProtocol; | 404 String m_selfProtocol; |
415 }; | 405 }; |
416 | 406 |
417 } // namespace blink | 407 } // namespace blink |
418 | 408 |
419 #endif | 409 #endif |
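Review bot: `reportViolation` (new line 303) and `getDirectiveName` (new line 354) take the scoped enum by `const DirectiveType&`; a scoped enum is a small trivially-copyable value and the reference only adds an indirection, so the declarations should read `DirectiveType effectiveType,` and `static const char* getDirectiveName(DirectiveType);`. The contract of the two new static helpers is also undocumented: the header should state what `getDirectiveType` returns for a name that matches no enumerator (presumably `DirectiveType::Undefined`, which appears to replace the deleted `isDirectiveName` check) and what `getDirectiveName(DirectiveType::Undefined)` yields. Since this name-to-type mapping now appears to decide which directives are recognized and enforced, the comment should also say whether matching is case-sensitive, e.g. `// Returns DirectiveType::Undefined when |name| is not a known directive name; matching is <case rule to be confirmed>.` above new line 355. The definitions of these helpers live in the .cpp, outside this page.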