OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 751 matching lines...)
762 m_baseURI.get(), url, | 762 m_baseURI.get(), url, |
763 ContentSecurityPolicy::DirectiveType::BaseURI, | 763 ContentSecurityPolicy::DirectiveType::BaseURI, |
764 redirectStatus) | 764 redirectStatus) |
765 : checkSource(m_baseURI.get(), url, redirectStatus); | 765 : checkSource(m_baseURI.get(), url, redirectStatus); |
766 } | 766 } |
767 | 767 |
768 bool CSPDirectiveList::allowWorkerFromSource( | 768 bool CSPDirectiveList::allowWorkerFromSource( |
769 const KURL& url, | 769 const KURL& url, |
770 ResourceRequest::RedirectStatus redirectStatus, | 770 ResourceRequest::RedirectStatus redirectStatus, |
771 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 771 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
772 // 'worker-src' overrides 'child-src', which overrides the default | 772 // 'worker-src' overrides 'script-src', which overrides the default |
773 // sources. So, we do this nested set of calls to 'operativeDirective()' to | 773 // sources. So, we do this nested set of calls to 'operativeDirective()' to |
774 // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' | 774 // grab 'worker-src' if it exists, 'script-src' if it doesn't, and |
775 // 'defaut-src' | |
estark
2016/11/29 22:01:16
nit: wrapping is weird
Mike West
2016/11/30 12:34:30
I blame clang format. :)
| |
775 // if neither are available. | 776 // if neither are available. |
776 SourceListDirective* whichDirective = operativeDirective( | 777 SourceListDirective* workerSrc = operativeDirective( |
777 m_workerSrc.get(), operativeDirective(m_childSrc.get())); | 778 m_workerSrc.get(), operativeDirective(m_scriptSrc.get())); |
779 | |
780 // Workers used to be controlled via 'child-src'; for the moment, we'll check | |
781 // 'child-src' if 'worker-src' is not present, and a check against | |
782 // 'script-src' | |
783 // fails (e.g. we'll block 'https://example.com/worker' given | |
estark
2016/11/29 22:01:16
nit: unclosed parenthesis *twitch*
But more impor
Mike West
2016/11/30 12:34:30
I've rewritten it in the hopes of being a little c
| |
784 // "worker-src 'none'" or "worker-src 'none'; child-src https://example.com", | |
785 // but we'll allow it given | |
786 // "script-src https://not-example.com; child-src https://example.com". | |
787 // | |
788 // TODO(mkwst): Remove this once other vendors follow suit. | |
789 // http://crbug.com/662930 | |
estark
2016/11/29 22:01:16
nit: https
Mike West
2016/11/30 12:34:30
Arg!
| |
790 if (!checkSource(workerSrc, url, redirectStatus) && !m_workerSrc) { | |
Mike West
2016/11/29 17:05:14
Bah. This should include `&& m_childSrc`. :(
estark
2016/11/29 22:01:16
And shouldn't call operativeDirective on line 791?
Mike West
2016/11/30 12:34:30
Hrm. Yeah, I think you're right.
| |
791 SourceListDirective* childSrc = operativeDirective(m_childSrc.get()); | |
792 if (checkSource(childSrc, url, redirectStatus)) | |
793 return true; | |
794 } | |
778 | 795 |
779 return reportingStatus == ContentSecurityPolicy::SendReport | 796 return reportingStatus == ContentSecurityPolicy::SendReport |
780 ? checkSourceAndReportViolation( | 797 ? checkSourceAndReportViolation( |
781 whichDirective, url, | 798 workerSrc, url, |
782 ContentSecurityPolicy::DirectiveType::WorkerSrc, | 799 ContentSecurityPolicy::DirectiveType::WorkerSrc, |
783 redirectStatus) | 800 redirectStatus) |
784 : checkSource(whichDirective, url, redirectStatus); | 801 : checkSource(workerSrc, url, redirectStatus); |
785 } | 802 } |
786 | 803 |
787 bool CSPDirectiveList::allowAncestors( | 804 bool CSPDirectiveList::allowAncestors( |
788 LocalFrame* frame, | 805 LocalFrame* frame, |
789 const KURL& url, | 806 const KURL& url, |
790 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 807 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
791 return reportingStatus == ContentSecurityPolicy::SendReport | 808 return reportingStatus == ContentSecurityPolicy::SendReport |
792 ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, | 809 ? checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, |
793 url) | 810 url) |
794 : checkAncestors(m_frameAncestors.get(), frame); | 811 : checkAncestors(m_frameAncestors.get(), frame); |
(...skipping 336 matching lines...)
1131 } else if (type == ContentSecurityPolicy::DirectiveType::ConnectSrc) { | 1148 } else if (type == ContentSecurityPolicy::DirectiveType::ConnectSrc) { |
1132 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 1149 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
1133 } else if (type == ContentSecurityPolicy::DirectiveType::Sandbox) { | 1150 } else if (type == ContentSecurityPolicy::DirectiveType::Sandbox) { |
1134 applySandboxPolicy(name, value); | 1151 applySandboxPolicy(name, value); |
1135 } else if (type == ContentSecurityPolicy::DirectiveType::ReportURI) { | 1152 } else if (type == ContentSecurityPolicy::DirectiveType::ReportURI) { |
1136 parseReportURI(name, value); | 1153 parseReportURI(name, value); |
1137 } else if (type == ContentSecurityPolicy::DirectiveType::BaseURI) { | 1154 } else if (type == ContentSecurityPolicy::DirectiveType::BaseURI) { |
1138 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 1155 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
1139 } else if (type == ContentSecurityPolicy::DirectiveType::ChildSrc) { | 1156 } else if (type == ContentSecurityPolicy::DirectiveType::ChildSrc) { |
1140 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 1157 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
1141 } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc && | 1158 } else if (type == ContentSecurityPolicy::DirectiveType::WorkerSrc) { |
1142 m_policy->experimentalFeaturesEnabled()) { | |
estark
2016/11/29 22:01:16
Was this an intentional change? Not clear why we d
Mike West
2016/11/30 12:34:30
Yes. This is something I want to ship (hence going
estark
2016/12/01 05:16:56
Oh, sorry, missed that! Makes sense now
| |
1143 setCSPDirective<SourceListDirective>(name, value, m_workerSrc); | 1159 setCSPDirective<SourceListDirective>(name, value, m_workerSrc); |
1144 } else if (type == ContentSecurityPolicy::DirectiveType::FormAction) { | 1160 } else if (type == ContentSecurityPolicy::DirectiveType::FormAction) { |
1145 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 1161 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
1146 } else if (type == ContentSecurityPolicy::DirectiveType::PluginTypes) { | 1162 } else if (type == ContentSecurityPolicy::DirectiveType::PluginTypes) { |
1147 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 1163 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
1148 } else if (type == | 1164 } else if (type == |
1149 ContentSecurityPolicy::DirectiveType::UpgradeInsecureRequests) { | 1165 ContentSecurityPolicy::DirectiveType::UpgradeInsecureRequests) { |
1150 enableInsecureRequestsUpgrade(name, value); | 1166 enableInsecureRequestsUpgrade(name, value); |
1151 } else if (type == | 1167 } else if (type == |
1152 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent) { | 1168 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent) { |
(...skipping 35 matching lines...)
1188 case ContentSecurityPolicy::DirectiveType::ManifestSrc: | 1204 case ContentSecurityPolicy::DirectiveType::ManifestSrc: |
1189 return operativeDirective(m_manifestSrc.get()); | 1205 return operativeDirective(m_manifestSrc.get()); |
1190 case ContentSecurityPolicy::DirectiveType::MediaSrc: | 1206 case ContentSecurityPolicy::DirectiveType::MediaSrc: |
1191 return operativeDirective(m_mediaSrc.get()); | 1207 return operativeDirective(m_mediaSrc.get()); |
1192 case ContentSecurityPolicy::DirectiveType::ObjectSrc: | 1208 case ContentSecurityPolicy::DirectiveType::ObjectSrc: |
1193 return operativeDirective(m_objectSrc.get()); | 1209 return operativeDirective(m_objectSrc.get()); |
1194 case ContentSecurityPolicy::DirectiveType::ScriptSrc: | 1210 case ContentSecurityPolicy::DirectiveType::ScriptSrc: |
1195 return operativeDirective(m_scriptSrc.get()); | 1211 return operativeDirective(m_scriptSrc.get()); |
1196 case ContentSecurityPolicy::DirectiveType::StyleSrc: | 1212 case ContentSecurityPolicy::DirectiveType::StyleSrc: |
1197 return operativeDirective(m_styleSrc.get()); | 1213 return operativeDirective(m_styleSrc.get()); |
1198 // Directives that default to child-src, which defaults to default-src. | 1214 // Directives that default to 'child-src' (which defaults to 'default-src') |
1199 case ContentSecurityPolicy::DirectiveType::FrameSrc: | 1215 case ContentSecurityPolicy::DirectiveType::FrameSrc: |
1200 return operativeDirective(m_frameSrc, | 1216 return operativeDirective(m_frameSrc, |
1201 operativeDirective(m_childSrc.get())); | 1217 operativeDirective(m_childSrc.get())); |
1202 // TODO(mkwst): Reevaluate this | 1218 // Directives that default to 'script-src' (which defaults to 'default-src') |
1203 case ContentSecurityPolicy::DirectiveType::WorkerSrc: | 1219 case ContentSecurityPolicy::DirectiveType::WorkerSrc: |
1204 return operativeDirective(m_workerSrc.get(), | 1220 return operativeDirective(m_workerSrc.get(), |
1205 operativeDirective(m_childSrc.get())); | 1221 operativeDirective(m_scriptSrc.get())); |
1206 default: | 1222 default: |
1207 return nullptr; | 1223 return nullptr; |
1208 } | 1224 } |
1209 } | 1225 } |
1210 | 1226 |
1211 SourceListDirectiveVector CSPDirectiveList::getSourceVector( | 1227 SourceListDirectiveVector CSPDirectiveList::getSourceVector( |
1212 const ContentSecurityPolicy::DirectiveType& type, | 1228 const ContentSecurityPolicy::DirectiveType& type, |
1213 const CSPDirectiveListVector& policies) { | 1229 const CSPDirectiveListVector& policies) { |
1214 SourceListDirectiveVector sourceListDirectives; | 1230 SourceListDirectiveVector sourceListDirectives; |
1215 for (const auto& policy : policies) { | 1231 for (const auto& policy : policies) { |
(...skipping 59 matching lines...)
1275 visitor->trace(m_imgSrc); | 1291 visitor->trace(m_imgSrc); |
1276 visitor->trace(m_mediaSrc); | 1292 visitor->trace(m_mediaSrc); |
1277 visitor->trace(m_manifestSrc); | 1293 visitor->trace(m_manifestSrc); |
1278 visitor->trace(m_objectSrc); | 1294 visitor->trace(m_objectSrc); |
1279 visitor->trace(m_scriptSrc); | 1295 visitor->trace(m_scriptSrc); |
1280 visitor->trace(m_styleSrc); | 1296 visitor->trace(m_styleSrc); |
1281 visitor->trace(m_workerSrc); | 1297 visitor->trace(m_workerSrc); |
1282 } | 1298 } |
1283 | 1299 |
1284 } // namespace blink | 1300 } // namespace blink |
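Review bot: The `WorkerSrc` case in the directive-type switch (new lines 1219-1221) now resolves to 'script-src', while `allowWorkerFromSource` (new lines 790-794) also accepts a worker URL that matches 'child-src' when 'worker-src' is absent, so the two places describe different effective policies for workers. Any caller that goes through the switch would see a policy such as "script-src https://not-example.com; child-src https://example.com" as stricter for workers than what is actually enforced. `getSourceVector` looks like such a caller, but its body is skipped on this page. If that gap is acceptable for the transition period, I would record it at the case label, e.g. `// NOTE: allowWorkerFromSource() also honours 'child-src' when 'worker-src' is absent; that compatibility fallback is not reflected here.` The switch's enclosing function starts in the skipped lines, so this is based on the visible cases only.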
OLD | NEW |