| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| 156 } | 156 } |
| 157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
| 158 m_reportEndpoints, m_header, m_headerType, | 158 m_reportEndpoints, m_header, m_headerType, |
| 159 ContentSecurityPolicy::EvalViolation); | 159 ContentSecurityPolicy::EvalViolation); |
| 160 } | 160 } |
| 161 | 161 |
| 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
| 163 return !directive || directive->allowEval(); | 163 return !directive || directive->allowEval(); |
| 164 } | 164 } |
| 165 | 165 |
| 166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | |
| 167 return !directive || | |
| 168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | |
| 169 } | |
| 170 | |
| 171 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, | 166 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, |
| 172 const String& nonce) const { | 167 const String& nonce) const { |
| 173 return directive && directive->allowNonce(nonce); | 168 return directive && directive->allowNonce(nonce); |
| 174 } | 169 } |
| 175 | 170 |
| 176 bool CSPDirectiveList::checkHash(SourceListDirective* directive, | 171 bool CSPDirectiveList::checkHash(SourceListDirective* directive, |
| 177 const CSPHashValue& hashValue) const { | 172 const CSPHashValue& hashValue) const { |
| 178 return !directive || directive->allowHash(hashValue); | 173 return !directive || directive->allowHash(hashValue); |
| 179 } | 174 } |
| 180 | 175 |
| 378 } | 373 } |
| 379 | 374 |
| 380 bool CSPDirectiveList::checkInlineAndReportViolation( | 375 bool CSPDirectiveList::checkInlineAndReportViolation( |
| 381 SourceListDirective* directive, | 376 SourceListDirective* directive, |
| 382 const String& consoleMessage, | 377 const String& consoleMessage, |
| 383 Element* element, | 378 Element* element, |
| 384 const String& contextURL, | 379 const String& contextURL, |
| 385 const WTF::OrdinalNumber& contextLine, | 380 const WTF::OrdinalNumber& contextLine, |
| 386 bool isScript, | 381 bool isScript, |
| 387 const String& hashValue) const { | 382 const String& hashValue) const { |
| 388 if (checkInline(directive)) | 383 if (!directive || directive->allowAllInline()) |
| 389 return true; | 384 return true; |
| 390 | 385 |
| 391 String suffix = String(); | 386 String suffix = String(); |
| 392 if (directive->allowInline() && directive->isHashOrNoncePresent()) { | 387 if (directive->allowInline() && directive->isHashOrNoncePresent()) { |
| 393 // If inline is allowed, but a hash or nonce is present, we ignore | 388 // If inline is allowed, but a hash or nonce is present, we ignore |
| 394 // 'unsafe-inline'. Throw a reasonable error. | 389 // 'unsafe-inline'. Throw a reasonable error. |
| 395 suffix = | 390 suffix = |
| 396 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " | 391 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " |
| 397 "is present in the source list."; | 392 "is present in the source list."; |
| 398 } else { | 393 } else { |
| 500 directive->text() + "\".", | 495 directive->text() + "\".", |
| 501 url, frame); | 496 url, frame); |
| 502 return denyIfEnforcingPolicy(); | 497 return denyIfEnforcingPolicy(); |
| 503 } | 498 } |
| 504 | 499 |
| 505 bool CSPDirectiveList::allowJavaScriptURLs( | 500 bool CSPDirectiveList::allowJavaScriptURLs( |
| 506 Element* element, | 501 Element* element, |
| 507 const String& contextURL, | 502 const String& contextURL, |
| 508 const WTF::OrdinalNumber& contextLine, | 503 const WTF::OrdinalNumber& contextLine, |
| 509 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 504 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
| 505 SourceListDirective* directive = operativeDirective(m_scriptSrc.get()); |
| 510 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 506 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
| 511 return checkInlineAndReportViolation( | 507 return checkInlineAndReportViolation( |
| 512 operativeDirective(m_scriptSrc.get()), | 508 directive, |
| 513 "Refused to execute JavaScript URL because it violates the following " | 509 "Refused to execute JavaScript URL because it violates the following " |
| 514 "Content Security Policy directive: ", | 510 "Content Security Policy directive: ", |
| 515 element, contextURL, contextLine, true, "sha256-..."); | 511 element, contextURL, contextLine, true, "sha256-..."); |
| 516 } | 512 } |
| 517 return checkInline(operativeDirective(m_scriptSrc.get())); | 513 |
| 514 return !directive || directive->allowAllInline(); |
| 518 } | 515 } |
| 519 | 516 |
| 520 bool CSPDirectiveList::allowInlineEventHandlers( | 517 bool CSPDirectiveList::allowInlineEventHandlers( |
| 521 Element* element, | 518 Element* element, |
| 522 const String& contextURL, | 519 const String& contextURL, |
| 523 const WTF::OrdinalNumber& contextLine, | 520 const WTF::OrdinalNumber& contextLine, |
| 524 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 521 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
| 522 SourceListDirective* directive = operativeDirective(m_scriptSrc.get()); |
| 525 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 523 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
| 526 return checkInlineAndReportViolation( | 524 return checkInlineAndReportViolation( |
| 527 operativeDirective(m_scriptSrc.get()), | 525 operativeDirective(m_scriptSrc.get()), |
| 528 "Refused to execute inline event handler because it violates the " | 526 "Refused to execute inline event handler because it violates the " |
| 529 "following Content Security Policy directive: ", | 527 "following Content Security Policy directive: ", |
| 530 element, contextURL, contextLine, true, "sha256-..."); | 528 element, contextURL, contextLine, true, "sha256-..."); |
| 531 } | 529 } |
| 532 return checkInline(operativeDirective(m_scriptSrc.get())); | 530 |
| 531 return !directive || directive->allowAllInline(); |
| 533 } | 532 } |
| 534 | 533 |
| 535 bool CSPDirectiveList::allowInlineScript( | 534 bool CSPDirectiveList::allowInlineScript( |
| 536 Element* element, | 535 Element* element, |
| 537 const String& contextURL, | 536 const String& contextURL, |
| 538 const String& nonce, | 537 const String& nonce, |
| 539 const WTF::OrdinalNumber& contextLine, | 538 const WTF::OrdinalNumber& contextLine, |
| 540 ContentSecurityPolicy::ReportingStatus reportingStatus, | 539 ContentSecurityPolicy::ReportingStatus reportingStatus, |
| 541 const String& content) const { | 540 const String& content) const { |
| 542 if (isMatchingNoncePresent(operativeDirective(m_scriptSrc.get()), nonce)) | 541 SourceListDirective* directive = operativeDirective(m_scriptSrc.get()); |
| 542 if (isMatchingNoncePresent(directive, nonce)) |
| 543 return true; | 543 return true; |
| 544 if (element && isHTMLScriptElement(element) && | 544 if (element && isHTMLScriptElement(element) && |
| 545 !toHTMLScriptElement(element)->loader()->isParserInserted() && | 545 !toHTMLScriptElement(element)->loader()->isParserInserted() && |
| 546 allowDynamic()) { | 546 allowDynamic()) { |
| 547 return true; | 547 return true; |
| 548 } | 548 } |
| 549 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 549 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
| 550 return checkInlineAndReportViolation( | 550 return checkInlineAndReportViolation( |
| 551 operativeDirective(m_scriptSrc.get()), | 551 directive, |
| 552 "Refused to execute inline script because it violates the following " | 552 "Refused to execute inline script because it violates the following " |
| 553 "Content Security Policy directive: ", | 553 "Content Security Policy directive: ", |
| 554 element, contextURL, contextLine, true, getSha256String(content)); | 554 element, contextURL, contextLine, true, getSha256String(content)); |
| 555 } | 555 } |
| 556 return checkInline(operativeDirective(m_scriptSrc.get())); | 556 |
| 557 return !directive || directive->allowAllInline(); |
| 557 } | 558 } |
| 558 | 559 |
| 559 bool CSPDirectiveList::allowInlineStyle( | 560 bool CSPDirectiveList::allowInlineStyle( |
| 560 Element* element, | 561 Element* element, |
| 561 const String& contextURL, | 562 const String& contextURL, |
| 562 const String& nonce, | 563 const String& nonce, |
| 563 const WTF::OrdinalNumber& contextLine, | 564 const WTF::OrdinalNumber& contextLine, |
| 564 ContentSecurityPolicy::ReportingStatus reportingStatus, | 565 ContentSecurityPolicy::ReportingStatus reportingStatus, |
| 565 const String& content) const { | 566 const String& content) const { |
| 566 if (isMatchingNoncePresent(operativeDirective(m_styleSrc.get()), nonce)) | 567 SourceListDirective* directive = operativeDirective(m_styleSrc.get()); |
| 568 if (isMatchingNoncePresent(directive, nonce)) |
| 567 return true; | 569 return true; |
| 568 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 570 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
| 569 return checkInlineAndReportViolation( | 571 return checkInlineAndReportViolation( |
| 570 operativeDirective(m_styleSrc.get()), | 572 directive, |
| 571 "Refused to apply inline style because it violates the following " | 573 "Refused to apply inline style because it violates the following " |
| 572 "Content Security Policy directive: ", | 574 "Content Security Policy directive: ", |
| 573 element, contextURL, contextLine, false, getSha256String(content)); | 575 element, contextURL, contextLine, false, getSha256String(content)); |
| 574 } | 576 } |
| 575 return checkInline(operativeDirective(m_styleSrc.get())); | 577 |
| 578 return !directive || directive->allowAllInline(); |
| 576 } | 579 } |
| 577 | 580 |
| 578 bool CSPDirectiveList::allowEval( | 581 bool CSPDirectiveList::allowEval( |
| 579 ScriptState* scriptState, | 582 ScriptState* scriptState, |
| 580 ContentSecurityPolicy::ReportingStatus reportingStatus, | 583 ContentSecurityPolicy::ReportingStatus reportingStatus, |
| 581 ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 584 ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
| 582 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 585 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
| 583 return checkEvalAndReportViolation( | 586 return checkEvalAndReportViolation( |
| 584 operativeDirective(m_scriptSrc.get()), | 587 operativeDirective(m_scriptSrc.get()), |
| 585 "Refused to evaluate a string as JavaScript because 'unsafe-eval' is " | 588 "Refused to evaluate a string as JavaScript because 'unsafe-eval' is " |
| 1275 visitor->trace(m_imgSrc); | 1278 visitor->trace(m_imgSrc); |
| 1276 visitor->trace(m_mediaSrc); | 1279 visitor->trace(m_mediaSrc); |
| 1277 visitor->trace(m_manifestSrc); | 1280 visitor->trace(m_manifestSrc); |
| 1278 visitor->trace(m_objectSrc); | 1281 visitor->trace(m_objectSrc); |
| 1279 visitor->trace(m_scriptSrc); | 1282 visitor->trace(m_scriptSrc); |
| 1280 visitor->trace(m_styleSrc); | 1283 visitor->trace(m_styleSrc); |
| 1281 visitor->trace(m_workerSrc); | 1284 visitor->trace(m_workerSrc); |
| 1282 } | 1285 } |
| 1283 | 1286 |
| 1284 } // namespace blink | 1287 } // namespace blink |
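Review bot: In allowInlineEventHandlers the new local `directive` is introduced (new line 522) but the checkInlineAndReportViolation call on new line 525 still passes `operativeDirective(m_scriptSrc.get())` instead of `directive`, unlike allowJavaScriptURLs, allowInlineScript and allowInlineStyle, which were all switched to the local; change that argument to `directive,`. The value is the same today, but the asymmetry reads as an oversight and leaves two lookups that could drift apart. With checkInline removed, `!directive || directive->allowAllInline()` is now spelled out in five places (checkInlineAndReportViolation and the four allow* functions); a short comment at the first occurrence, e.g. `// No operative directive means no restriction on inline execution.`, would document the null case, while what allowAllInline() itself checks beyond the old allowInline-and-no-hash-or-nonce test is not visible here and should be confirmed against SourceListDirective, since the suffix branch in checkInlineAndReportViolation still reasons only about those two conditions. The bodies of checkInlineAndReportViolation and allowEval continue outside the displayed lines.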