1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
572 const KURL& url, | 572 const KURL& url, |
573 ResourceRequest::RedirectStatus redirectStatus) const { | 573 ResourceRequest::RedirectStatus redirectStatus) const { |
574 for (size_t i = 0; i < m_list.size(); ++i) { | 574 for (size_t i = 0; i < m_list.size(); ++i) { |
575 if (m_list[i]->matches(url, redirectStatus)) | 575 if (m_list[i]->matches(url, redirectStatus)) |
576 return true; | 576 return true; |
577 } | 577 } |
578 | 578 |
579 return false; | 579 return false; |
580 } | 580 } |
581 | 581 |
582 bool SourceListDirective::allowAllInline() { | |
583 const ContentSecurityPolicy::DirectiveType& type = | |
584 ContentSecurityPolicy::getDirectiveType(m_directiveName); | |
585 if (type != ContentSecurityPolicy::DirectiveType::StyleSrc && | |
586 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) { | |
587 return false; | |
588 } | |
589 return m_allowInline && !isHashOrNoncePresent() && | |
Mike West
2016/11/28 15:38:16
Can we use this when responding to `allowInline()`
amalika
2016/11/29 09:42:29
Made changes to call allowAllInline with comments
| |
590 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | |
591 !m_allowDynamic); | |
592 } | |
593 | |
582 bool SourceListDirective::subsumes( | 594 bool SourceListDirective::subsumes( |
583 HeapVector<Member<SourceListDirective>> other) { | 595 HeapVector<Member<SourceListDirective>> other) { |
584 // TODO(amalika): Handle here special keywords. | 596 // TODO(amalika): Handle here special keywords. |
585 if (!m_list.size() || !other.size()) | 597 if (!m_list.size() || !other.size()) |
586 return !m_list.size(); | 598 return !m_list.size(); |
587 | 599 |
588 HeapVector<Member<CSPSource>> normalizedA = m_list; | 600 HeapVector<Member<CSPSource>> normalizedA = m_list; |
589 if (m_allowSelf) | 601 if (m_allowSelf) |
590 normalizedA.append(m_policy->getSelfSource()); | 602 normalizedA.append(m_policy->getSelfSource()); |
591 | 603 |
592 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 604 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
593 if (other[0]->m_allowSelf) | 605 if (other[0]->m_allowSelf) |
594 normalizedB.append(other[0]->m_policy->getSelfSource()); | 606 normalizedB.append(other[0]->m_policy->getSelfSource()); |
595 for (size_t i = 1; i < other.size(); i++) | 607 |
608 bool allowInlineOther = other[0]->m_allowInline; | |
609 bool allowDynamicOther = other[0]->m_allowDynamic; | |
610 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | |
611 | |
612 for (size_t i = 1; i < other.size(); i++) { | |
613 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | |
614 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | |
615 isHashOrNoncePresentOther = | |
616 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | |
596 normalizedB = other[i]->getIntersectCSPSources(normalizedB); | 617 normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
618 } | |
619 | |
620 const ContentSecurityPolicy::DirectiveType type = | |
621 ContentSecurityPolicy::getDirectiveType(m_directiveName); | |
622 bool allowAllInlineOther = | |
623 allowInlineOther && !isHashOrNoncePresentOther && | |
624 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | |
625 !allowDynamicOther); | |
626 if (!allowAllInline() && allowAllInlineOther) | |
627 return false; | |
597 | 628 |
598 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 629 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
599 } | 630 } |
600 | 631 |
601 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( | 632 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( |
602 HeapVector<Member<CSPSource>> other) { | 633 HeapVector<Member<CSPSource>> other) { |
603 HashMap<String, CSPSource*> schemesA; | 634 HashMap<String, CSPSource*> schemesA; |
604 for (const auto& sourceA : m_list) { | 635 for (const auto& sourceA : m_list) { |
605 if (sourceA->isSchemeOnly()) | 636 if (sourceA->isSchemeOnly()) |
606 addSourceToMap(schemesA, sourceA); | 637 addSourceToMap(schemesA, sourceA); |
668 return normalized; | 699 return normalized; |
669 } | 700 } |
670 | 701 |
671 DEFINE_TRACE(SourceListDirective) { | 702 DEFINE_TRACE(SourceListDirective) { |
672 visitor->trace(m_policy); | 703 visitor->trace(m_policy); |
673 visitor->trace(m_list); | 704 visitor->trace(m_list); |
674 CSPDirective::trace(visitor); | 705 CSPDirective::trace(visitor); |
675 } | 706 } |
676 | 707 |
677 } // namespace blink | 708 } // namespace blink |
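Review bot: The `allowAllInlineOther` expression at new lines 622-625 in `subsumes()` re-implements the body of `allowAllInline()` (new lines 583-591) but drops its first check, so for a directive whose type is neither `StyleSrc` nor `ScriptSrc` the two sides are evaluated by different rules: `allowAllInline()` returns false for this list while `allowAllInlineOther` can still be true, and the comparison at line 626 then rejects a subsumption it should not (fail-closed, but still wrong if the parser sets `m_allowInline` for such directives — I cannot confirm that from the hunk). The simplest fix keeps one definition of the rule: `bool allowAllInlineOther = (type == ContentSecurityPolicy::DirectiveType::StyleSrc || type == ContentSecurityPolicy::DirectiveType::ScriptSrc) && allowInlineOther && !isHashOrNoncePresentOther && (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || !allowDynamicOther);`, or better, factor the expression into a private static helper taking `(type, allowInline, hashOrNoncePresent, allowDynamic)` that both `allowAllInline()` and `subsumes()` call. The computation also uses this list's `m_directiveName` to classify the `other` lists, which silently assumes every element of `other` has the same directive type; a comment such as `// Assumes all of |other| share this directive's type; callers must ensure that.` (or a DCHECK if the type is available on the other lists) would make that contract visible. As a point of style, `allowAllInline()` reads only members and could be declared `const` like the neighbouring `matches()`.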