1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
156 } | 156 } |
157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
158 m_reportEndpoints, m_header, m_headerType, | 158 m_reportEndpoints, m_header, m_headerType, |
159 ContentSecurityPolicy::EvalViolation); | 159 ContentSecurityPolicy::EvalViolation); |
160 } | 160 } |
161 | 161 |
162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
163 return !directive || directive->allowEval(); | 163 return !directive || directive->allowEval(); |
164 } | 164 } |
165 | 165 |
166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | |
167 return !directive || | |
168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | |
169 } | |
170 | |
171 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, | 166 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, |
172 const String& nonce) const { | 167 const String& nonce) const { |
173 return directive && directive->allowNonce(nonce); | 168 return directive && directive->allowNonce(nonce); |
174 } | 169 } |
175 | 170 |
176 bool CSPDirectiveList::checkHash(SourceListDirective* directive, | 171 bool CSPDirectiveList::checkHash(SourceListDirective* directive, |
177 const CSPHashValue& hashValue) const { | 172 const CSPHashValue& hashValue) const { |
178 return !directive || directive->allowHash(hashValue); | 173 return !directive || directive->allowHash(hashValue); |
179 } | 174 } |
180 | 175 |
378 } | 373 } |
379 | 374 |
380 bool CSPDirectiveList::checkInlineAndReportViolation( | 375 bool CSPDirectiveList::checkInlineAndReportViolation( |
381 SourceListDirective* directive, | 376 SourceListDirective* directive, |
382 const String& consoleMessage, | 377 const String& consoleMessage, |
383 Element* element, | 378 Element* element, |
384 const String& contextURL, | 379 const String& contextURL, |
385 const WTF::OrdinalNumber& contextLine, | 380 const WTF::OrdinalNumber& contextLine, |
386 bool isScript, | 381 bool isScript, |
387 const String& hashValue) const { | 382 const String& hashValue) const { |
388 if (checkInline(directive)) | 383 if (!directive || directive->allowAllInline()) |
389 return true; | 384 return true; |
390 | 385 |
391 String suffix = String(); | 386 String suffix = String(); |
392 if (directive->allowInline() && directive->isHashOrNoncePresent()) { | 387 if (directive->allowInline() && directive->isHashOrNoncePresent()) { |
393 // If inline is allowed, but a hash or nonce is present, we ignore | 388 // If inline is allowed, but a hash or nonce is present, we ignore |
394 // 'unsafe-inline'. Throw a reasonable error. | 389 // 'unsafe-inline'. Throw a reasonable error. |
395 suffix = | 390 suffix = |
396 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " | 391 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " |
397 "is present in the source list."; | 392 "is present in the source list."; |
398 } else { | 393 } else { |
500 directive->text() + "\".", | 495 directive->text() + "\".", |
501 url, frame); | 496 url, frame); |
502 return denyIfEnforcingPolicy(); | 497 return denyIfEnforcingPolicy(); |
503 } | 498 } |
504 | 499 |
505 bool CSPDirectiveList::allowJavaScriptURLs( | 500 bool CSPDirectiveList::allowJavaScriptURLs( |
506 Element* element, | 501 Element* element, |
507 const String& contextURL, | 502 const String& contextURL, |
508 const WTF::OrdinalNumber& contextLine, | 503 const WTF::OrdinalNumber& contextLine, |
509 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 504 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
| 505 SourceListDirective* directive = operativeDirective(m_scriptSrc.get()); |
510 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 506 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
511 return checkInlineAndReportViolation( | 507 return checkInlineAndReportViolation( |
512 operativeDirective(m_scriptSrc.get()), | 508 directive, |
513 "Refused to execute JavaScript URL because it violates the following " | 509 "Refused to execute JavaScript URL because it violates the following " |
514 "Content Security Policy directive: ", | 510 "Content Security Policy directive: ", |
515 element, contextURL, contextLine, true, "sha256-..."); | 511 element, contextURL, contextLine, true, "sha256-..."); |
516 } | 512 } |
517 return checkInline(operativeDirective(m_scriptSrc.get())); | 513 |
| 514 return !directive || directive->allowAllInline(); |
518 } | 515 } |
519 | 516 |
520 bool CSPDirectiveList::allowInlineEventHandlers( | 517 bool CSPDirectiveList::allowInlineEventHandlers( |
521 Element* element, | 518 Element* element, |
522 const String& contextURL, | 519 const String& contextURL, |
523 const WTF::OrdinalNumber& contextLine, | 520 const WTF::OrdinalNumber& contextLine, |
524 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 521 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
| 522 SourceListDirective* directive = operativeDirective(m_scriptSrc.get()); |
525 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 523 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
526 return checkInlineAndReportViolation( | 524 return checkInlineAndReportViolation( |
527 operativeDirective(m_scriptSrc.get()), | 525 operativeDirective(m_scriptSrc.get()), |
528 "Refused to execute inline event handler because it violates the " | 526 "Refused to execute inline event handler because it violates the " |
529 "following Content Security Policy directive: ", | 527 "following Content Security Policy directive: ", |
530 element, contextURL, contextLine, true, "sha256-..."); | 528 element, contextURL, contextLine, true, "sha256-..."); |
531 } | 529 } |
532 return checkInline(operativeDirective(m_scriptSrc.get())); | 530 |
| 531 return !directive || directive->allowAllInline(); |
533 } | 532 } |
534 | 533 |
535 bool CSPDirectiveList::allowInlineScript( | 534 bool CSPDirectiveList::allowInlineScript( |
536 Element* element, | 535 Element* element, |
537 const String& contextURL, | 536 const String& contextURL, |
538 const String& nonce, | 537 const String& nonce, |
539 const WTF::OrdinalNumber& contextLine, | 538 const WTF::OrdinalNumber& contextLine, |
540 ContentSecurityPolicy::ReportingStatus reportingStatus, | 539 ContentSecurityPolicy::ReportingStatus reportingStatus, |
541 const String& content) const { | 540 const String& content) const { |
542 if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce)) | 541 SourceListDirective* directive = operativeDirective(m_scriptSrc.get()); |
| 542 if (isMatchingNoncePresent(directive, nonce)) |
543 return true; | 543 return true; |
544 if (element && isHTMLScriptElement(element) && | 544 if (element && isHTMLScriptElement(element) && |
545 !toHTMLScriptElement(element)->loader()->isParserInserted() && | 545 !toHTMLScriptElement(element)->loader()->isParserInserted() && |
546 allowDynamic()) { | 546 allowDynamic()) { |
547 return true; | 547 return true; |
548 } | 548 } |
549 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 549 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
550 return checkInlineAndReportViolation( | 550 return checkInlineAndReportViolation( |
551 operativeDirective(m_scriptSrc.get()), | 551 directive, |
552 "Refused to execute inline script because it violates the following " | 552 "Refused to execute inline script because it violates the following " |
553 "Content Security Policy directive: ", | 553 "Content Security Policy directive: ", |
554 element, contextURL, contextLine, true, getSha256String(content)); | 554 element, contextURL, contextLine, true, getSha256String(content)); |
555 } | 555 } |
556 return checkInline(operativeDirective(m_scriptSrc.get())); | 556 |
| 557 return !directive || directive->allowAllInline(); |
557 } | 558 } |
558 | 559 |
559 bool CSPDirectiveList::allowInlineStyle( | 560 bool CSPDirectiveList::allowInlineStyle( |
560 Element* element, | 561 Element* element, |
561 const String& contextURL, | 562 const String& contextURL, |
562 const String& nonce, | 563 const String& nonce, |
563 const WTF::OrdinalNumber& contextLine, | 564 const WTF::OrdinalNumber& contextLine, |
564 ContentSecurityPolicy::ReportingStatus reportingStatus, | 565 ContentSecurityPolicy::ReportingStatus reportingStatus, |
565 const String& content) const { | 566 const String& content) const { |
566 if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce)) | 567 SourceListDirective* directive = operativeDirective(m_styleSrc.get()); |
| 568 if (isMatchingNoncePresent(directive, nonce)) |
567 return true; | 569 return true; |
568 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 570 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
569 return checkInlineAndReportViolation( | 571 return checkInlineAndReportViolation( |
570 operativeDirective(m_styleSrc.get()), | 572 directive, |
571 "Refused to apply inline style because it violates the following " | 573 "Refused to apply inline style because it violates the following " |
572 "Content Security Policy directive: ", | 574 "Content Security Policy directive: ", |
573 element, contextURL, contextLine, false, getSha256String(content)); | 575 element, contextURL, contextLine, false, getSha256String(content)); |
574 } | 576 } |
575 return checkInline(operativeDirective(m_styleSrc.get())); | 577 |
| 578 return !directive || directive->allowAllInline(); |
576 } | 579 } |
577 | 580 |
578 bool CSPDirectiveList::allowEval( | 581 bool CSPDirectiveList::allowEval( |
579 ScriptState* scriptState, | 582 ScriptState* scriptState, |
580 ContentSecurityPolicy::ReportingStatus reportingStatus, | 583 ContentSecurityPolicy::ReportingStatus reportingStatus, |
581 ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 584 ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
582 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 585 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
583 return checkEvalAndReportViolation( | 586 return checkEvalAndReportViolation( |
584 operativeDirective(m_scriptSrc.get()), | 587 operativeDirective(m_scriptSrc.get()), |
585 "Refused to evaluate a string as JavaScript because 'unsafe-eval' is " | 588 "Refused to evaluate a string as JavaScript because 'unsafe-eval' is " |
1275 visitor->trace(m_imgSrc); | 1278 visitor->trace(m_imgSrc); |
1276 visitor->trace(m_mediaSrc); | 1279 visitor->trace(m_mediaSrc); |
1277 visitor->trace(m_manifestSrc); | 1280 visitor->trace(m_manifestSrc); |
1278 visitor->trace(m_objectSrc); | 1281 visitor->trace(m_objectSrc); |
1279 visitor->trace(m_scriptSrc); | 1282 visitor->trace(m_scriptSrc); |
1280 visitor->trace(m_styleSrc); | 1283 visitor->trace(m_styleSrc); |
1281 visitor->trace(m_workerSrc); | 1284 visitor->trace(m_workerSrc); |
1282 } | 1285 } |
1283 | 1286 |
1284 } // namespace blink | 1287 } // namespace blink |
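Review bot: The new local `directive` introduced in allowInlineEventHandlers (new 522) is not used on the reporting path, which still calls `operativeDirective(m_scriptSrc.get())` at new 525, whereas the three sibling functions touched by the same change (allowJavaScriptURLs, allowInlineScript, allowInlineStyle) pass `directive` to checkInlineAndReportViolation. The outcome is the same today because operativeDirective is re-evaluated on the same member, but the report-only and enforced branches of one function should consult a single resolved directive so their answers cannot drift apart; change new 525 to `directive,`. Separately, checkInlineAndReportViolation now short-circuits on `directive->allowAllInline()` (new 383) while the "'unsafe-inline' is ignored" suffix is still chosen from `directive->allowInline() && directive->isHashOrNoncePresent()` (new 387); allowAllInline's definition is not in this diff, so if it can refuse inline content for any further reason the console message will not explain why, and a comment above new 387 such as `// Keep in sync with the conditions under which SourceListDirective::allowAllInline() rejects inline content.` would make the coupling explicit for the next edit. The else branch of that suffix logic begins at new 393 and continues outside the visible hunk.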