OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 145 matching lines...)
156 } | 156 } |
157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
158 m_reportEndpoints, m_header, m_headerType, | 158 m_reportEndpoints, m_header, m_headerType, |
159 ContentSecurityPolicy::EvalViolation); | 159 ContentSecurityPolicy::EvalViolation); |
160 } | 160 } |
161 | 161 |
162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
163 return !directive || directive->allowEval(); | 163 return !directive || directive->allowEval(); |
164 } | 164 } |
165 | 165 |
166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | 166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { |
Mike West
2016/11/29 12:00:50
Can you just remove this method entirely, since it
| |
167 return !directive || | 167 return !directive || directive->allowAllInline(); |
168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | |
169 } | 168 } |
170 | 169 |
171 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, | 170 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, |
172 const String& nonce) const { | 171 const String& nonce) const { |
173 return directive && directive->allowNonce(nonce); | 172 return directive && directive->allowNonce(nonce); |
174 } | 173 } |
175 | 174 |
176 bool CSPDirectiveList::checkHash(SourceListDirective* directive, | 175 bool CSPDirectiveList::checkHash(SourceListDirective* directive, |
177 const CSPHashValue& hashValue) const { | 176 const CSPHashValue& hashValue) const { |
178 return !directive || directive->allowHash(hashValue); | 177 return !directive || directive->allowHash(hashValue); |
(...skipping 203 matching lines...)
382 const String& consoleMessage, | 381 const String& consoleMessage, |
383 Element* element, | 382 Element* element, |
384 const String& contextURL, | 383 const String& contextURL, |
385 const WTF::OrdinalNumber& contextLine, | 384 const WTF::OrdinalNumber& contextLine, |
386 bool isScript, | 385 bool isScript, |
387 const String& hashValue) const { | 386 const String& hashValue) const { |
388 if (checkInline(directive)) | 387 if (checkInline(directive)) |
389 return true; | 388 return true; |
390 | 389 |
391 String suffix = String(); | 390 String suffix = String(); |
392 if (directive->allowInline() && directive->isHashOrNoncePresent()) { | 391 if (directive->allowInline() && directive->isHashOrNoncePresent()) { |
amalika
2016/11/29 09:42:29
Left this as it is so that we display an appropria
| |
393 // If inline is allowed, but a hash or nonce is present, we ignore | 392 // If inline is allowed, but a hash or nonce is present, we ignore |
394 // 'unsafe-inline'. Throw a reasonable error. | 393 // 'unsafe-inline'. Throw a reasonable error. |
395 suffix = | 394 suffix = |
396 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " | 395 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " |
397 "is present in the source list."; | 396 "is present in the source list."; |
398 } else { | 397 } else { |
399 suffix = | 398 suffix = |
400 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + | 399 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + |
401 "'), or a nonce ('nonce-...') is required to enable inline execution."; | 400 "'), or a nonce ('nonce-...') is required to enable inline execution."; |
402 if (directive == m_defaultSrc) | 401 if (directive == m_defaultSrc) |
(...skipping 872 matching lines...)
1275 visitor->trace(m_imgSrc); | 1274 visitor->trace(m_imgSrc); |
1276 visitor->trace(m_mediaSrc); | 1275 visitor->trace(m_mediaSrc); |
1277 visitor->trace(m_manifestSrc); | 1276 visitor->trace(m_manifestSrc); |
1278 visitor->trace(m_objectSrc); | 1277 visitor->trace(m_objectSrc); |
1279 visitor->trace(m_scriptSrc); | 1278 visitor->trace(m_scriptSrc); |
1280 visitor->trace(m_styleSrc); | 1279 visitor->trace(m_styleSrc); |
1281 visitor->trace(m_workerSrc); | 1280 visitor->trace(m_workerSrc); |
1282 } | 1281 } |
1283 | 1282 |
1284 } // namespace blink | 1283 } // namespace blink |
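Review bot: checkInline (new line 167) now rests entirely on `directive->allowAllInline()`, whose definition is not part of this file, so the rule that 'unsafe-inline' is ignored once a hash or nonce appears in the source list is no longer readable where the allow/deny decision is made. I would put a short contract comment above the function, for example `// A null directive means no policy governs this type, so inline is allowed. allowAllInline() must return false when a hash or nonce is present.` Since this predicate gates inline script and style execution, a regression test that parses a policy carrying both 'unsafe-inline' and a nonce and expects inline content to be blocked would pin the behaviour the old expression spelled out; whether such a test already exists cannot be seen from this page.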