Chromium Code Reviews Chromium Code Reviews
Issue 2536713002:
Part 3.3: Is policy list subsumed under subsuming policy? (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
| 8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
| 10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
| (...skipping 561 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 572 const KURL& url, | 572 const KURL& url, |
| 573 ResourceRequest::RedirectStatus redirectStatus) const { | 573 ResourceRequest::RedirectStatus redirectStatus) const { |
| 574 for (size_t i = 0; i < m_list.size(); ++i) { | 574 for (size_t i = 0; i < m_list.size(); ++i) { |
| 575 if (m_list[i]->matches(url, redirectStatus)) | 575 if (m_list[i]->matches(url, redirectStatus)) |
| 576 return true; | 576 return true; |
| 577 } | 577 } |
| 578 | 578 |
| 579 return false; | 579 return false; |
| 580 } | 580 } |
| 581 | 581 |
| 582 bool SourceListDirective::allowAllInline() { | |
| 583 const ContentSecurityPolicy::DirectiveType& type = | |
| 584 ContentSecurityPolicy::getDirectiveType(m_directiveName); | |
| 585 if (type != ContentSecurityPolicy::DirectiveType::StyleSrc && | |
| 586 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) { | |
| 587 return false; | |
| 588 } | |
| 589 return m_allowInline && !isHashOrNoncePresent() && | |
|
Mike West
2016/11/28 15:38:16
Can we use this when responding to `allowInline()`
amalika
2016/11/29 09:42:29
Made changes to call allowAllInline with comments
| |
| 590 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | |
| 591 !m_allowDynamic); | |
| 592 } | |
| 593 | |
| 582 bool SourceListDirective::subsumes( | 594 bool SourceListDirective::subsumes( |
| 583 HeapVector<Member<SourceListDirective>> other) { | 595 HeapVector<Member<SourceListDirective>> other) { |
| 584 // TODO(amalika): Handle here special keywords. | 596 // TODO(amalika): Handle here special keywords. |
| 585 if (!m_list.size() || !other.size()) | 597 if (!m_list.size() || !other.size()) |
| 586 return !m_list.size(); | 598 return !m_list.size(); |
| 587 | 599 |
| 588 HeapVector<Member<CSPSource>> normalizedA = m_list; | 600 HeapVector<Member<CSPSource>> normalizedA = m_list; |
| 589 if (m_allowSelf) | 601 if (m_allowSelf) |
| 590 normalizedA.append(m_policy->getSelfSource()); | 602 normalizedA.append(m_policy->getSelfSource()); |
| 591 | 603 |
| 592 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 604 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
| 593 if (other[0]->m_allowSelf) | 605 if (other[0]->m_allowSelf) |
| 594 normalizedB.append(other[0]->m_policy->getSelfSource()); | 606 normalizedB.append(other[0]->m_policy->getSelfSource()); |
| 595 for (size_t i = 1; i < other.size(); i++) | 607 |
| 608 bool allowInlineOther = other[0]->m_allowInline; | |
| 609 bool allowDynamicOther = other[0]->m_allowDynamic; | |
| 610 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | |
| 611 | |
| 612 for (size_t i = 1; i < other.size(); i++) { | |
| 613 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | |
| 614 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | |
| 615 isHashOrNoncePresentOther = | |
| 616 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | |
| 596 normalizedB = other[i]->getIntersectCSPSources(normalizedB); | 617 normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
| 618 } | |
| 619 | |
| 620 const ContentSecurityPolicy::DirectiveType type = | |
| 621 ContentSecurityPolicy::getDirectiveType(m_directiveName); | |
| 622 bool allowAllInlineOther = | |
| 623 allowInlineOther && !isHashOrNoncePresentOther && | |
| 624 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | |
| 625 !allowDynamicOther); | |
| 626 if (!allowAllInline() && allowAllInlineOther) | |
| 627 return false; | |
| 597 | 628 |
| 598 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 629 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
| 599 } | 630 } |
| 600 | 631 |
| 601 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( | 632 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( |
| 602 HeapVector<Member<CSPSource>> other) { | 633 HeapVector<Member<CSPSource>> other) { |
| 603 HashMap<String, CSPSource*> schemesA; | 634 HashMap<String, CSPSource*> schemesA; |
| 604 for (const auto& sourceA : m_list) { | 635 for (const auto& sourceA : m_list) { |
| 605 if (sourceA->isSchemeOnly()) | 636 if (sourceA->isSchemeOnly()) |
| 606 addSourceToMap(schemesA, sourceA); | 637 addSourceToMap(schemesA, sourceA); |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 668 return normalized; | 699 return normalized; |
| 669 } | 700 } |
| 670 | 701 |
| 671 DEFINE_TRACE(SourceListDirective) { | 702 DEFINE_TRACE(SourceListDirective) { |
| 672 visitor->trace(m_policy); | 703 visitor->trace(m_policy); |
| 673 visitor->trace(m_list); | 704 visitor->trace(m_list); |
| 674 CSPDirective::trace(visitor); | 705 CSPDirective::trace(visitor); |
| 675 } | 706 } |
| 676 | 707 |
| 677 } // namespace blink | 708 } // namespace blink |
| OLD | NEW |
